nt8_t*)0x200000007d47 = 5; *(uint8_t*)0x200000007d48 = 0x10; *(uint16_t*)0x200000007d49 = 0x10; *(uint8_t*)0x200000007d4b = 0x95; *(uint8_t*)0x200000007d4c = 3; *(uint8_t*)0x200000007d4d = 0; *(uint8_t*)0x200000007d4e = 7; *(uint8_t*)0x200000007d4f = 0x25; *(uint8_t*)0x200000007d50 = 1; *(uint8_t*)0x200000007d51 = 0x82; *(uint8_t*)0x200000007d52 = 0xae; *(uint16_t*)0x200000007d53 = 0x12; *(uint32_t*)0x200000007ec0 = 0xa; *(uint64_t*)0x200000007ec4 = 0x200000007d80; *(uint8_t*)0x200000007d80 = 0xa; *(uint8_t*)0x200000007d81 = 6; *(uint16_t*)0x200000007d82 = 0x110; *(uint8_t*)0x200000007d84 = 4; *(uint8_t*)0x200000007d85 = 1; *(uint8_t*)0x200000007d86 = 6; *(uint8_t*)0x200000007d87 = 8; *(uint8_t*)0x200000007d88 = 0xe; *(uint8_t*)0x200000007d89 = 0; *(uint32_t*)0x200000007ecc = 0x3b; *(uint64_t*)0x200000007ed0 = 0x200000007dc0; *(uint8_t*)0x200000007dc0 = 5; *(uint8_t*)0x200000007dc1 = 0xf; *(uint16_t*)0x200000007dc2 = 0x3b; *(uint8_t*)0x200000007dc4 = 4; *(uint8_t*)0x200000007dc5 = 0x14; *(uint8_t*)0x200000007dc6 = 0x10; *(uint8_t*)0x200000007dc7 = 4; *(uint8_t*)0x200000007dc8 = 6; memcpy((void*)0x200000007dc9, "\xfd\xf4\x04\x3a\xe7\xf5\x9e\x3e\x81\xfe\x30\x3d\x4d\xe3\xea\x16", 16); *(uint8_t*)0x200000007dd9 = 7; *(uint8_t*)0x200000007dda = 0x10; *(uint8_t*)0x200000007ddb = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007ddc, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007dde, 6, 0, 16); *(uint8_t*)0x200000007de0 = 7; *(uint8_t*)0x200000007de1 = 0x10; *(uint8_t*)0x200000007de2 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007de3, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 7, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 0xd, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de5, 0x95d7, 0, 16); *(uint8_t*)0x200000007de7 = 0x14; *(uint8_t*)0x200000007de8 = 0x10; *(uint8_t*)0x200000007de9 = 4; *(uint8_t*)0x200000007dea = 3; 
memcpy((void*)0x200000007deb, "\xbc\x6a\x92\x66\xbf\x50\x6e\x90\x62\x0d\x9c\x90\x0e\x18\x01\x43", 16); *(uint32_t*)0x200000007ed8 = 1; *(uint32_t*)0x200000007edc = 0x98; *(uint64_t*)0x200000007ee0 = 0x200000007e00; *(uint8_t*)0x200000007e00 = 0x98; *(uint8_t*)0x200000007e01 = 3; memcpy((void*)0x200000007e02, "\xd9\x5f\x3f\xca\xaa\x58\xf9\xd3\x6d\x03\xe3\xa2\xd5\x56\x6a\x51\x91\xf7\x42\xf7\x23\xfa\x49\xe3\x64\xe0\x3b\x0d\x28\x8a\x7f\xcb\x45\x79\xb5\x8c\x56\xd8\x24\xbe\x57\xf9\xad\x0f\x87\x03\xd3\x01\x1c\xac\x46\x84\x33\xfa\x22\xc2\x3b\xfa\xf1\x5d\xad\x54\x1e\xfb\x01\x38\xc4\x6b\xb8\xf8\x86\x92\x15\x15\x5c\x26\x85\xd6\x9b\x75\xff\xe6\x8c\x0c\xbd\x6e\x71\x74\x3a\xbd\x43\x55\xe1\x2d\x9d\xcb\x7d\xff\x16\xbb\x07\x5d\xa5\x53\xc1\x78\x13\x9e\xde\x2c\x28\x5a\x4a\x28\x45\xe8\x88\x9c\x23\x45\x04\xd9\x68\xd8\x70\xb6\x08\x4a\x7b\x4a\xb0\xdc\xdb\x83\xd4\x3b\xb2\xf4\xe7\xa0\x15\x6b\x80\xa6\x89\x19\xcb\xb7\xda\x84", 150); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0x295, /*dev=*/0x200000007ac0, /*conn_descs=*/0x200000007ec0); if (res != -1) r[33] = res; break; case 52: *(uint8_t*)0x200000007f00 = 0x12; *(uint8_t*)0x200000007f01 = 1; *(uint16_t*)0x200000007f02 = 0x200; *(uint8_t*)0x200000007f04 = -1; *(uint8_t*)0x200000007f05 = -1; *(uint8_t*)0x200000007f06 = -1; *(uint8_t*)0x200000007f07 = 0x40; *(uint16_t*)0x200000007f08 = 0xcf3; *(uint16_t*)0x200000007f0a = 0x9271; *(uint16_t*)0x200000007f0c = 0x108; *(uint8_t*)0x200000007f0e = 1; *(uint8_t*)0x200000007f0f = 2; *(uint8_t*)0x200000007f10 = 3; *(uint8_t*)0x200000007f11 = 1; *(uint8_t*)0x200000007f12 = 9; *(uint8_t*)0x200000007f13 = 2; *(uint16_t*)0x200000007f14 = 0x48; *(uint8_t*)0x200000007f16 = 1; *(uint8_t*)0x200000007f17 = 1; *(uint8_t*)0x200000007f18 = 0; *(uint8_t*)0x200000007f19 = 0x80; *(uint8_t*)0x200000007f1a = 0xfa; *(uint8_t*)0x200000007f1b = 9; *(uint8_t*)0x200000007f1c = 4; *(uint8_t*)0x200000007f1d = 0; *(uint8_t*)0x200000007f1e = 0; *(uint8_t*)0x200000007f1f = 6; *(uint8_t*)0x200000007f20 
= -1; *(uint8_t*)0x200000007f21 = 0; *(uint8_t*)0x200000007f22 = 0; *(uint8_t*)0x200000007f23 = 0; *(uint8_t*)0x200000007f24 = 9; *(uint8_t*)0x200000007f25 = 5; *(uint8_t*)0x200000007f26 = 1; *(uint8_t*)0x200000007f27 = 2; *(uint16_t*)0x200000007f28 = 0x200; *(uint8_t*)0x200000007f2a = 0; *(uint8_t*)0x200000007f2b = 0; *(uint8_t*)0x200000007f2c = 0; *(uint8_t*)0x200000007f2d = 9; *(uint8_t*)0x200000007f2e = 5; *(uint8_t*)0x200000007f2f = 0x82; *(uint8_t*)0x200000007f30 = 2; *(uint16_t*)0x200000007f31 = 0x200; *(uint8_t*)0x200000007f33 = 0; *(uint8_t*)0x200000007f34 = 0; *(uint8_t*)0x200000007f35 = 0; *(uint8_t*)0x200000007f36 = 9; *(uint8_t*)0x200000007f37 = 5; *(uint8_t*)0x200000007f38 = 0x83; *(uint8_t*)0x200000007f39 = 3; *(uint16_t*)0x200000007f3a = 0x40; *(uint8_t*)0x200000007f3c = 1; *(uint8_t*)0x200000007f3d = 0; *(uint8_t*)0x200000007f3e = 0; *(uint8_t*)0x200000007f3f = 9; *(uint8_t*)0x200000007f40 = 5; *(uint8_t*)0x200000007f41 = 4; *(uint8_t*)0x200000007f42 = 3; *(uint16_t*)0x200000007f43 = 0x40; *(uint8_t*)0x200000007f45 = 1; *(uint8_t*)0x200000007f46 = 0; *(uint8_t*)0x200000007f47 = 0; *(uint8_t*)0x200000007f48 = 9; *(uint8_t*)0x200000007f49 = 5; *(uint8_t*)0x200000007f4a = 5; *(uint8_t*)0x200000007f4b = 2; *(uint16_t*)0x200000007f4c = 0x200; *(uint8_t*)0x200000007f4e = 0; *(uint8_t*)0x200000007f4f = 0; *(uint8_t*)0x200000007f50 = 0; *(uint8_t*)0x200000007f51 = 9; *(uint8_t*)0x200000007f52 = 5; *(uint8_t*)0x200000007f53 = 6; *(uint8_t*)0x200000007f54 = 2; *(uint16_t*)0x200000007f55 = 0x200; *(uint8_t*)0x200000007f57 = 0; *(uint8_t*)0x200000007f58 = 0; *(uint8_t*)0x200000007f59 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000007f00, /*conn_descs=*/0); if (res != -1) r[34] = res; break; case 53: *(uint8_t*)0x200000007f80 = 0x12; *(uint8_t*)0x200000007f81 = 1; *(uint16_t*)0x200000007f82 = 0x110; *(uint8_t*)0x200000007f84 = 0; *(uint8_t*)0x200000007f85 = 0; *(uint8_t*)0x200000007f86 = 0; *(uint8_t*)0x200000007f87 = 
0x40; *(uint16_t*)0x200000007f88 = 0x1d6b; *(uint16_t*)0x200000007f8a = 0x101; *(uint16_t*)0x200000007f8c = 0x40; *(uint8_t*)0x200000007f8e = 1; *(uint8_t*)0x200000007f8f = 2; *(uint8_t*)0x200000007f90 = 3; *(uint8_t*)0x200000007f91 = 1; *(uint8_t*)0x200000007f92 = 9; *(uint8_t*)0x200000007f93 = 2; *(uint16_t*)0x200000007f94 = 0xd3; *(uint8_t*)0x200000007f96 = 3; *(uint8_t*)0x200000007f97 = 1; *(uint8_t*)0x200000007f98 = 1; *(uint8_t*)0x200000007f99 = 0x80; *(uint8_t*)0x200000007f9a = 0x80; *(uint8_t*)0x200000007f9b = 9; *(uint8_t*)0x200000007f9c = 4; *(uint8_t*)0x200000007f9d = 0; *(uint8_t*)0x200000007f9e = 0; *(uint8_t*)0x200000007f9f = 0; *(uint8_t*)0x200000007fa0 = 1; *(uint8_t*)0x200000007fa1 = 1; *(uint8_t*)0x200000007fa2 = 0; *(uint8_t*)0x200000007fa3 = 0; *(uint8_t*)0x200000007fa4 = 0xa; *(uint8_t*)0x200000007fa5 = 0x24; *(uint8_t*)0x200000007fa6 = 1; *(uint16_t*)0x200000007fa7 = 0; *(uint8_t*)0x200000007fa9 = 0x7c; *(uint8_t*)0x200000007faa = 2; *(uint8_t*)0x200000007fab = 1; *(uint8_t*)0x200000007fac = 2; *(uint8_t*)0x200000007fad = 0xd; *(uint8_t*)0x200000007fae = 0x24; *(uint8_t*)0x200000007faf = 8; *(uint8_t*)0x200000007fb0 = 2; *(uint16_t*)0x200000007fb1 = 8; *(uint8_t*)0x200000007fb3 = 9; memcpy((void*)0x200000007fb4, "\x0c\xff\xda\x3f\x22\x7b", 6); *(uint8_t*)0x200000007fba = 9; *(uint8_t*)0x200000007fbb = 4; *(uint8_t*)0x200000007fbc = 1; *(uint8_t*)0x200000007fbd = 0; *(uint8_t*)0x200000007fbe = 0; *(uint8_t*)0x200000007fbf = 1; *(uint8_t*)0x200000007fc0 = 2; *(uint8_t*)0x200000007fc1 = 0; *(uint8_t*)0x200000007fc2 = 0; *(uint8_t*)0x200000007fc3 = 9; *(uint8_t*)0x200000007fc4 = 4; *(uint8_t*)0x200000007fc5 = 1; *(uint8_t*)0x200000007fc6 = 1; *(uint8_t*)0x200000007fc7 = 1; *(uint8_t*)0x200000007fc8 = 1; *(uint8_t*)0x200000007fc9 = 2; *(uint8_t*)0x200000007fca = 0; *(uint8_t*)0x200000007fcb = 0; *(uint8_t*)0x200000007fcc = 0x12; *(uint8_t*)0x200000007fcd = 0x24; *(uint8_t*)0x200000007fce = 2; *(uint8_t*)0x200000007fcf = 2; 
*(uint16_t*)0x200000007fd0 = 6; *(uint16_t*)0x200000007fd2 = 0x9a; *(uint8_t*)0x200000007fd4 = 0x20; memcpy((void*)0x200000007fd5, "\x2d\xa5\xee\x78\xa2\x8e\x1f\x1a\x41", 9); *(uint8_t*)0x200000007fde = 0xd; *(uint8_t*)0x200000007fdf = 0x24; *(uint8_t*)0x200000007fe0 = 2; *(uint8_t*)0x200000007fe1 = 1; *(uint8_t*)0x200000007fe2 = 0xf8; *(uint8_t*)0x200000007fe3 = 3; *(uint8_t*)0x200000007fe4 = 0x69; *(uint8_t*)0x200000007fe5 = 0x6d; memcpy((void*)0x200000007fe6, "e)", 2); memcpy((void*)0x200000007fe8, "\xbf\x07\x94", 3); *(uint8_t*)0x200000007feb = 0xb; *(uint8_t*)0x200000007fec = 0x24; *(uint8_t*)0x200000007fed = 2; *(uint8_t*)0x200000007fee = 1; *(uint8_t*)0x200000007fef = 5; *(uint8_t*)0x200000007ff0 = 4; *(uint8_t*)0x200000007ff1 = 0x5b; *(uint8_t*)0x200000007ff2 = 3; memset((void*)0x200000007ff3, 68, 1); memcpy((void*)0x200000007ff4, "\x26\x18", 2); *(uint8_t*)0x200000007ff6 = 9; *(uint8_t*)0x200000007ff7 = 0x24; *(uint8_t*)0x200000007ff8 = 2; *(uint8_t*)0x200000007ff9 = 2; *(uint16_t*)0x200000007ffa = 0x7b4; *(uint16_t*)0x200000007ffc = 8; *(uint8_t*)0x200000007ffe = 4; *(uint8_t*)0x200000007fff = 0xc; *(uint8_t*)0x200000008000 = 0x24; *(uint8_t*)0x200000008001 = 2; *(uint8_t*)0x200000008002 = 1; *(uint8_t*)0x200000008003 = 0; *(uint8_t*)0x200000008004 = 3; *(uint8_t*)0x200000008005 = 8; *(uint8_t*)0x200000008006 = 8; memset((void*)0x200000008007, 170, 1); memcpy((void*)0x200000008008, "\xe8\xe5\xb4", 3); *(uint8_t*)0x20000000800b = 9; *(uint8_t*)0x20000000800c = 5; *(uint8_t*)0x20000000800d = 1; *(uint8_t*)0x20000000800e = 9; *(uint16_t*)0x20000000800f = 0x40; *(uint8_t*)0x200000008011 = 6; *(uint8_t*)0x200000008012 = 5; *(uint8_t*)0x200000008013 = 0; *(uint8_t*)0x200000008014 = 7; *(uint8_t*)0x200000008015 = 0x25; *(uint8_t*)0x200000008016 = 1; *(uint8_t*)0x200000008017 = 0x80; *(uint8_t*)0x200000008018 = 1; *(uint16_t*)0x200000008019 = 4; *(uint8_t*)0x20000000801b = 9; *(uint8_t*)0x20000000801c = 4; *(uint8_t*)0x20000000801d = 2; *(uint8_t*)0x20000000801e 
= 0; *(uint8_t*)0x20000000801f = 0; *(uint8_t*)0x200000008020 = 1; *(uint8_t*)0x200000008021 = 2; *(uint8_t*)0x200000008022 = 0; *(uint8_t*)0x200000008023 = 0; *(uint8_t*)0x200000008024 = 9; *(uint8_t*)0x200000008025 = 4; *(uint8_t*)0x200000008026 = 2; *(uint8_t*)0x200000008027 = 1; *(uint8_t*)0x200000008028 = 1; *(uint8_t*)0x200000008029 = 1; *(uint8_t*)0x20000000802a = 2; *(uint8_t*)0x20000000802b = 0; *(uint8_t*)0x20000000802c = 0; *(uint8_t*)0x20000000802d = 7; *(uint8_t*)0x20000000802e = 0x24; *(uint8_t*)0x20000000802f = 1; *(uint8_t*)0x200000008030 = 3; *(uint8_t*)0x200000008031 = 0x1e; *(uint16_t*)0x200000008032 = 4; *(uint8_t*)0x200000008034 = 7; *(uint8_t*)0x200000008035 = 0x24; *(uint8_t*)0x200000008036 = 1; *(uint8_t*)0x200000008037 = 0x6f; *(uint8_t*)0x200000008038 = 7; *(uint16_t*)0x200000008039 = 0; *(uint8_t*)0x20000000803b = 0xa; *(uint8_t*)0x20000000803c = 0x24; *(uint8_t*)0x20000000803d = 2; *(uint8_t*)0x20000000803e = 2; *(uint16_t*)0x20000000803f = 8; *(uint16_t*)0x200000008041 = 2; *(uint8_t*)0x200000008043 = 8; memset((void*)0x200000008044, 102, 1); *(uint8_t*)0x200000008045 = 0x10; *(uint8_t*)0x200000008046 = 0x24; *(uint8_t*)0x200000008047 = 2; *(uint8_t*)0x200000008048 = 2; *(uint16_t*)0x200000008049 = 9; *(uint16_t*)0x20000000804b = 0x401; *(uint8_t*)0x20000000804d = 5; memcpy((void*)0x20000000804e, "\x53\xb1\x1d\xbc\x8c\xd3\x10", 7); *(uint8_t*)0x200000008055 = 9; *(uint8_t*)0x200000008056 = 5; *(uint8_t*)0x200000008057 = 0x82; *(uint8_t*)0x200000008058 = 9; *(uint16_t*)0x200000008059 = 8; *(uint8_t*)0x20000000805b = 0; *(uint8_t*)0x20000000805c = 0x28; *(uint8_t*)0x20000000805d = 6; *(uint8_t*)0x20000000805e = 7; *(uint8_t*)0x20000000805f = 0x25; *(uint8_t*)0x200000008060 = 1; *(uint8_t*)0x200000008061 = 0x80; *(uint8_t*)0x200000008062 = 5; *(uint16_t*)0x200000008063 = 0xd; *(uint32_t*)0x2000000081c0 = 0xa; *(uint64_t*)0x2000000081c4 = 0x200000008080; *(uint8_t*)0x200000008080 = 0xa; *(uint8_t*)0x200000008081 = 6; 
*(uint16_t*)0x200000008082 = 0x110; *(uint8_t*)0x200000008084 = 0x59; *(uint8_t*)0x200000008085 = 0xa5; *(uint8_t*)0x200000008086 = 5; *(uint8_t*)0x200000008087 = 0x10; *(uint8_t*)0x200000008088 = 1; *(uint8_t*)0x200000008089 = 0; *(uint32_t*)0x2000000081cc = 0x39; *(uint64_t*)0x2000000081d0 = 0x2000000080c0; *(uint8_t*)0x2000000080c0 = 5; *(uint8_t*)0x2000000080c1 = 0xf; *(uint16_t*)0x2000000080c2 = 0x39; *(uint8_t*)0x2000000080c4 = 5; *(uint8_t*)0x2000000080c5 = 0xb; *(uint8_t*)0x2000000080c6 = 0x10; *(uint8_t*)0x2000000080c7 = 1; *(uint8_t*)0x2000000080c8 = 4; *(uint16_t*)0x2000000080c9 = 8; *(uint8_t*)0x2000000080cb = 3; *(uint8_t*)0x2000000080cc = 0xb8; *(uint16_t*)0x2000000080cd = 9; *(uint8_t*)0x2000000080cf = 4; *(uint8_t*)0x2000000080d0 = 0x14; *(uint8_t*)0x2000000080d1 = 0x10; *(uint8_t*)0x2000000080d2 = 4; *(uint8_t*)0x2000000080d3 = 2; memcpy((void*)0x2000000080d4, "\x9d\x9a\xb0\x97\x8e\x2a\xac\xe2\x6d\xe6\x63\x06\xe6\xe2\x96\x3d", 16); *(uint8_t*)0x2000000080e4 = 0xb; *(uint8_t*)0x2000000080e5 = 0x10; *(uint8_t*)0x2000000080e6 = 1; *(uint8_t*)0x2000000080e7 = 4; *(uint16_t*)0x2000000080e8 = 0; *(uint8_t*)0x2000000080ea = 6; *(uint8_t*)0x2000000080eb = 4; *(uint16_t*)0x2000000080ec = 1; *(uint8_t*)0x2000000080ee = 5; *(uint8_t*)0x2000000080ef = 3; *(uint8_t*)0x2000000080f0 = 0x10; *(uint8_t*)0x2000000080f1 = 0xb; *(uint8_t*)0x2000000080f2 = 7; *(uint8_t*)0x2000000080f3 = 0x10; *(uint8_t*)0x2000000080f4 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000080f5, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f7, 0xfff2, 0, 16); *(uint32_t*)0x2000000081d8 = 1; *(uint32_t*)0x2000000081dc = 0x84; *(uint64_t*)0x2000000081e0 = 0x200000008100; *(uint8_t*)0x200000008100 = 0x84; *(uint8_t*)0x200000008101 = 3; memcpy((void*)0x200000008102, 
"\x00\x0a\x6c\x9f\x4a\x15\xea\xbc\x97\xa9\x2a\xb6\x65\x23\x1b\x2c\xf9\x05\x73\x21\xeb\x43\x0c\x65\x21\xf4\x97\xa8\xc3\xce\x81\x62\x68\xcb\x33\x7f\xa4\x8d\xee\xcf\xeb\x28\xb2\x30\x5f\xcf\x2d\x2e\x98\x8c\xc8\xb8\xb9\x80\xa1\x33\x2d\xc4\x06\xbc\x34\x69\x5f\xa2\x4d\xc3\x60\x9f\x61\x9d\x7a\xc2\x84\xcc\x3a\xe7\xf0\xaf\xe4\x44\xd5\x78\xc9\x51\xd9\xae\xdc\x4c\x68\x2e\x10\x0c\xfe\xb6\x61\x9b\x98\xa9\x6b\x19\x78\xd8\xed\xe7\x57\x4e\x96\x9f\x8a\xe8\xe3\xdf\xb8\x35\xbd\xe5\xcc\xd9\x22\x13\x3e\x53\x03\x6f\xf4\x4e\xda\x52\xa0\xa9", 130); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0xe5, /*dev=*/0x200000007f80, /*conn_descs=*/0x2000000081c0); if (res != -1) r[35] = res; break; case 54: *(uint32_t*)0x200000008380 = 0x2c; *(uint64_t*)0x200000008384 = 0x200000008200; *(uint8_t*)0x200000008200 = 0x40; *(uint8_t*)0x200000008201 = 0x22; *(uint32_t*)0x200000008202 = 0x31; *(uint8_t*)0x200000008206 = 0x31; *(uint8_t*)0x200000008207 = 5; memcpy((void*)0x200000008208, "\x74\xe8\x3d\xcf\x53\xdd\x2d\x0e\xca\xc0\xaa\x34\x67\xb1\x8d\xfa\x71\xb2\x6c\xdd\x40\x3d\x95\x5c\x0f\xfe\x22\x81\x7b\x01\xfe\x57\x95\xd5\x1c\xf2\x4a\x6a\xe3\xb8\xe3\x2f\x1b\x7a\xc5\xf8\xca", 47); *(uint64_t*)0x20000000838c = 0x200000008240; *(uint8_t*)0x200000008240 = 0; *(uint8_t*)0x200000008241 = 3; *(uint32_t*)0x200000008242 = 0x1e; *(uint8_t*)0x200000008246 = 0x1e; *(uint8_t*)0x200000008247 = 3; memcpy((void*)0x200000008248, "\x89\x57\xa5\x01\xd8\x3c\x69\xe5\x4f\x70\xf6\x2f\x93\x2a\x50\xb6\x55\x06\xc3\x88\xc1\x28\x23\x9d\x36\x22\x9e\xe2", 28); *(uint64_t*)0x200000008394 = 0x200000008280; *(uint8_t*)0x200000008280 = 0; *(uint8_t*)0x200000008281 = 0xf; *(uint32_t*)0x200000008282 = 0x4f; *(uint8_t*)0x200000008286 = 5; *(uint8_t*)0x200000008287 = 0xf; *(uint16_t*)0x200000008288 = 0x4f; *(uint8_t*)0x20000000828a = 6; *(uint8_t*)0x20000000828b = 0x1c; *(uint8_t*)0x20000000828c = 0x10; *(uint8_t*)0x20000000828d = 0xa; *(uint8_t*)0x20000000828e = 0; STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 4, 0, 
5); STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 5, 5, 27); *(uint16_t*)0x200000008293 = 0xf000; *(uint16_t*)0x200000008295 = 0x409; *(uint32_t*)0x200000008297 = 0xc000; *(uint32_t*)0x20000000829b = 0x17f; *(uint32_t*)0x20000000829f = 0xff3f30; *(uint32_t*)0x2000000082a3 = 0xffffaf; *(uint8_t*)0x2000000082a7 = 0x10; *(uint8_t*)0x2000000082a8 = 0x10; *(uint8_t*)0x2000000082a9 = 0xa; *(uint8_t*)0x2000000082aa = 9; STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 4, 5, 27); *(uint16_t*)0x2000000082af = 0xff0f; *(uint16_t*)0x2000000082b1 = 0xf87; *(uint32_t*)0x2000000082b3 = 0xc030; *(uint8_t*)0x2000000082b7 = 7; *(uint8_t*)0x2000000082b8 = 0x10; *(uint8_t*)0x2000000082b9 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000082ba, 4, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bc, 5, 0, 16); *(uint8_t*)0x2000000082be = 0xa; *(uint8_t*)0x2000000082bf = 0x10; *(uint8_t*)0x2000000082c0 = 3; *(uint8_t*)0x2000000082c1 = 0; *(uint16_t*)0x2000000082c2 = 4; *(uint8_t*)0x2000000082c4 = 0xd2; *(uint8_t*)0x2000000082c5 = 3; *(uint16_t*)0x2000000082c6 = 5; *(uint8_t*)0x2000000082c8 = 0xa; *(uint8_t*)0x2000000082c9 = 0x10; *(uint8_t*)0x2000000082ca = 3; *(uint8_t*)0x2000000082cb = 0; *(uint16_t*)0x2000000082cc = 0; *(uint8_t*)0x2000000082ce = 1; *(uint8_t*)0x2000000082cf = 7; *(uint16_t*)0x2000000082d0 = 2; *(uint8_t*)0x2000000082d2 = 3; *(uint8_t*)0x2000000082d3 = 0x10; *(uint8_t*)0x2000000082d4 = 0xb; *(uint64_t*)0x20000000839c = 0x200000008300; *(uint8_t*)0x200000008300 = 0x20; *(uint8_t*)0x200000008301 = 0x29; *(uint32_t*)0x200000008302 = 0xf; *(uint8_t*)0x200000008306 = 0xf; *(uint8_t*)0x200000008307 = 0x29; *(uint8_t*)0x200000008308 = 8; *(uint16_t*)0x200000008309 = 1; *(uint8_t*)0x20000000830b = 7; *(uint8_t*)0x20000000830c = 4; memcpy((void*)0x20000000830d, "\b\r$}", 4); memcpy((void*)0x200000008311, "\x67\x01\x6d\xee", 
4); *(uint64_t*)0x2000000083a4 = 0x200000008340; *(uint8_t*)0x200000008340 = 0x20; *(uint8_t*)0x200000008341 = 0x2a; *(uint32_t*)0x200000008342 = 0xc; *(uint8_t*)0x200000008346 = 0xc; *(uint8_t*)0x200000008347 = 0x2a; *(uint8_t*)0x200000008348 = 0x16; *(uint16_t*)0x200000008349 = 0x80; *(uint8_t*)0x20000000834b = 9; *(uint8_t*)0x20000000834c = 3; *(uint8_t*)0x20000000834d = 3; *(uint16_t*)0x20000000834e = 2; *(uint16_t*)0x200000008350 = 0xf000; *(uint32_t*)0x2000000087c0 = 0x84; *(uint64_t*)0x2000000087c4 = 0x2000000083c0; *(uint8_t*)0x2000000083c0 = 0; *(uint8_t*)0x2000000083c1 = 0x11; *(uint32_t*)0x2000000083c2 = 0x1f; memcpy((void*)0x2000000083c6, "\x16\xd6\x0d\x77\x43\x50\x14\x52\xff\xd5\x73\x04\x24\xbc\x4a\x97\x0c\xc6\x49\x0b\xb9\xcc\x85\x93\x86\x99\xed\xf2\x7a\x0c\x7d", 31); *(uint64_t*)0x2000000087cc = 0x200000008400; *(uint8_t*)0x200000008400 = 0; *(uint8_t*)0x200000008401 = 0xa; *(uint32_t*)0x200000008402 = 1; *(uint8_t*)0x200000008406 = 9; *(uint64_t*)0x2000000087d4 = 0x200000008440; *(uint8_t*)0x200000008440 = 0; *(uint8_t*)0x200000008441 = 8; *(uint32_t*)0x200000008442 = 1; *(uint8_t*)0x200000008446 = 4; *(uint64_t*)0x2000000087dc = 0x200000008480; *(uint8_t*)0x200000008480 = 0x20; *(uint8_t*)0x200000008481 = 0; *(uint32_t*)0x200000008482 = 4; *(uint16_t*)0x200000008486 = 0xe554; *(uint16_t*)0x200000008488 = 1; *(uint64_t*)0x2000000087e4 = 0x2000000084c0; *(uint8_t*)0x2000000084c0 = 0x20; *(uint8_t*)0x2000000084c1 = 0; *(uint32_t*)0x2000000084c2 = 4; *(uint16_t*)0x2000000084c6 = 0x200; *(uint16_t*)0x2000000084c8 = 0x2b; *(uint64_t*)0x2000000087ec = 0x200000008500; *(uint8_t*)0x200000008500 = 0x40; *(uint8_t*)0x200000008501 = 7; *(uint32_t*)0x200000008502 = 2; *(uint16_t*)0x200000008506 = 0xfd37; *(uint64_t*)0x2000000087f4 = 0x200000008540; *(uint8_t*)0x200000008540 = 0x40; *(uint8_t*)0x200000008541 = 9; *(uint32_t*)0x200000008542 = 1; *(uint8_t*)0x200000008546 = 0; *(uint64_t*)0x2000000087fc = 0x200000008580; *(uint8_t*)0x200000008580 = 0x40; 
*(uint8_t*)0x200000008581 = 0xb; *(uint32_t*)0x200000008582 = 2; memcpy((void*)0x200000008586, "E\"", 2); *(uint64_t*)0x200000008804 = 0x2000000085c0; *(uint8_t*)0x2000000085c0 = 0x40; *(uint8_t*)0x2000000085c1 = 0xf; *(uint32_t*)0x2000000085c2 = 2; *(uint16_t*)0x2000000085c6 = 2; *(uint64_t*)0x20000000880c = 0x200000008600; *(uint8_t*)0x200000008600 = 0x40; *(uint8_t*)0x200000008601 = 0x13; *(uint32_t*)0x200000008602 = 6; memcpy((void*)0x200000008606, "\x2f\xa6\xdd\xe0\x3a\x0f", 6); *(uint64_t*)0x200000008814 = 0x200000008640; *(uint8_t*)0x200000008640 = 0x40; *(uint8_t*)0x200000008641 = 0x17; *(uint32_t*)0x200000008642 = 6; memcpy((void*)0x200000008646, "\xde\x1c\x10\x2b\x02\x7e", 6); *(uint64_t*)0x20000000881c = 0x200000008680; *(uint8_t*)0x200000008680 = 0x40; *(uint8_t*)0x200000008681 = 0x19; *(uint32_t*)0x200000008682 = 2; memcpy((void*)0x200000008686, "\x0d\x97", 2); *(uint64_t*)0x200000008824 = 0x2000000086c0; *(uint8_t*)0x2000000086c0 = 0x40; *(uint8_t*)0x2000000086c1 = 0x1a; *(uint32_t*)0x2000000086c2 = 2; *(uint16_t*)0x2000000086c6 = 2; *(uint64_t*)0x20000000882c = 0x200000008700; *(uint8_t*)0x200000008700 = 0x40; *(uint8_t*)0x200000008701 = 0x1c; *(uint32_t*)0x200000008702 = 1; *(uint8_t*)0x200000008706 = 0xfd; *(uint64_t*)0x200000008834 = 0x200000008740; *(uint8_t*)0x200000008740 = 0x40; *(uint8_t*)0x200000008741 = 0x1e; *(uint32_t*)0x200000008742 = 1; *(uint8_t*)0x200000008746 = 0xfd; *(uint64_t*)0x20000000883c = 0x200000008780; *(uint8_t*)0x200000008780 = 0x40; *(uint8_t*)0x200000008781 = 0x21; *(uint32_t*)0x200000008782 = 1; *(uint8_t*)0x200000008786 = 0xc9; syz_usb_control_io(/*fd=*/r[35], /*descs=*/0x200000008380, /*resps=*/0x2000000087c0); break; case 55: syz_usb_disconnect(/*fd=*/r[33]); break; case 56: syz_usb_ep_read(/*fd=*/r[34], /*ep=*/7, /*len=*/0xfc, /*data=*/0x200000008880); break; case 57: *(uint8_t*)0x200000008980 = 0x12; *(uint8_t*)0x200000008981 = 1; *(uint16_t*)0x200000008982 = 0x200; *(uint8_t*)0x200000008984 = 7; 
*(uint8_t*)0x200000008985 = 1; *(uint8_t*)0x200000008986 = 1; *(uint8_t*)0x200000008987 = 0x20; *(uint16_t*)0x200000008988 = 0x525; *(uint16_t*)0x20000000898a = 0xa4a8; *(uint16_t*)0x20000000898c = 0x40; *(uint8_t*)0x20000000898e = 1; *(uint8_t*)0x20000000898f = 2; *(uint8_t*)0x200000008990 = 3; *(uint8_t*)0x200000008991 = 1; *(uint8_t*)0x200000008992 = 9; *(uint8_t*)0x200000008993 = 2; *(uint16_t*)0x200000008994 = 0x24; *(uint8_t*)0x200000008996 = 1; *(uint8_t*)0x200000008997 = 1; *(uint8_t*)0x200000008998 = 0xf4; *(uint8_t*)0x200000008999 = 0x60; *(uint8_t*)0x20000000899a = 4; *(uint8_t*)0x20000000899b = 9; *(uint8_t*)0x20000000899c = 4; *(uint8_t*)0x20000000899d = 0; *(uint8_t*)0x20000000899e = 3; *(uint8_t*)0x20000000899f = 2; *(uint8_t*)0x2000000089a0 = 0; *(uint8_t*)0x2000000089a1 = 0; *(uint8_t*)0x2000000089a2 = 0; *(uint8_t*)0x2000000089a3 = 0x81; *(uint8_t*)0x2000000089a4 = 9; *(uint8_t*)0x2000000089a5 = 5; *(uint8_t*)0x2000000089a6 = 1; *(uint8_t*)0x2000000089a7 = 2; *(uint16_t*)0x2000000089a8 = 0x400; *(uint8_t*)0x2000000089aa = 0; *(uint8_t*)0x2000000089ab = 8; *(uint8_t*)0x2000000089ac = 2; *(uint8_t*)0x2000000089ad = 9; *(uint8_t*)0x2000000089ae = 5; *(uint8_t*)0x2000000089af = 0x82; *(uint8_t*)0x2000000089b0 = 2; *(uint16_t*)0x2000000089b1 = 0x3ff; *(uint8_t*)0x2000000089b3 = 4; *(uint8_t*)0x2000000089b4 = 0x48; *(uint8_t*)0x2000000089b5 = 8; *(uint32_t*)0x200000008f00 = 0xa; *(uint64_t*)0x200000008f04 = 0x2000000089c0; *(uint8_t*)0x2000000089c0 = 0xa; *(uint8_t*)0x2000000089c1 = 6; *(uint16_t*)0x2000000089c2 = 0x250; *(uint8_t*)0x2000000089c4 = 0x7d; *(uint8_t*)0x2000000089c5 = 0xdd; *(uint8_t*)0x2000000089c6 = 3; *(uint8_t*)0x2000000089c7 = 0x20; *(uint8_t*)0x2000000089c8 = 0xfa; *(uint8_t*)0x2000000089c9 = 0; *(uint32_t*)0x200000008f0c = 0x154; *(uint64_t*)0x200000008f10 = 0x200000008a00; *(uint8_t*)0x200000008a00 = 5; *(uint8_t*)0x200000008a01 = 0xf; *(uint16_t*)0x200000008a02 = 0x154; *(uint8_t*)0x200000008a04 = 6; *(uint8_t*)0x200000008a05 = 
0xe8; *(uint8_t*)0x200000008a06 = 0x10; *(uint8_t*)0x200000008a07 = 1; memcpy((void*)0x200000008a08, "\xd0\x31\xa9\x16\x5b\x9e\x27\x3f\xf6\xff\xe5\x55\x84\x9a\xf6\xdc\xa6\x6e\x17\xa6\x8e\xe5\xac\x78\x4d\xca\x23\xe4\xa5\x6d\x46\x16\x9a\xd0\x6e\xad\x2b\x8b\xcd\x99\x7e\xac\x2e\xcb\x8b\x2a\x25\x26\xaa\x20\x0d\xb5\x57\x58\xd0\x86\x59\x46\x92\x83\xd6\xec\xfb\xa9\x82\xc3\x00\xae\x82\xcc\xf4\xa8\xbf\x07\x3d\xbd\xe4\x53\x76\xb4\xf6\xfc\x55\x9b\xe5\x19\xf8\x2e\x8e\x5b\x2c\xf5\x9c\x3a\x3a\xf4\xf2\x90\x70\x7e\x76\x7a\x4e\x27\x68\x51\x09\x0d\x90\xbe\x0a\xb6\x6f\x78\x8e\x77\x60\xcd\x71\xab\x86\x5e\xa8\xb6\xbc\xc5\xf3\x5f\x60\x53\x81\x54\xa0\x99\xc3\x54\xa3\x59\x34\x17\x68\x2f\xc3\x9d\x2a\x6a\x25\x5e\xf4\xbb\x65\xf8\xd9\x7a\xf2\x9b\xeb\x0f\x87\x34\xa6\x8e\xd8\x4e\xf0\x8d\xf6\x9e\x9b\x35\xfa\x2e\x3f\xe6\x5e\x99\x38\xff\x44\x1d\xc3\xe7\x98\x2a\x81\xcc\xca\xf9\x62\x1d\x5d\xbc\x66\x3b\x80\xab\x44\x8c\x97\x5c\xbc\x19\xbb\x6c\x39\x01\xa0\x2c\x16\xb3\x2d\xfa\xf9\xf5\xc2\x20\xfa\x21\x43\x49\x37\xb4\x62\x03\x81\x05\xe6\xd0\x86", 229); *(uint8_t*)0x200000008aed = 0x4b; *(uint8_t*)0x200000008aee = 0x10; *(uint8_t*)0x200000008aef = 3; memcpy((void*)0x200000008af0, "\x10\xbe\xd1\x91\x2f\x7d\xc9\x4a\xc6\xd8\x7c\xbc\x68\x96\x2c\x89\xe7\x77\xcc\x51\xa2\x57\xd0\xca\xd3\x3c\xdc\xf3\x36\xa3\x1a\xc3\x9b\x86\x71\x44\xc2\xc9\x6b\xe4\x0f\xcc\xac\x19\x63\x3a\x54\x77\x87\xbc\x6e\x4f\xe9\x1e\x91\xfa\x47\x59\xdb\x2a\x86\x7d\x85\x9c\xd5\xa6\x0c\x84\xc1\xa3\x8e\x09", 72); *(uint8_t*)0x200000008b38 = 0xb; *(uint8_t*)0x200000008b39 = 0x10; *(uint8_t*)0x200000008b3a = 1; *(uint8_t*)0x200000008b3b = 2; *(uint16_t*)0x200000008b3c = 9; *(uint8_t*)0x200000008b3e = 0x77; *(uint8_t*)0x200000008b3f = 9; *(uint16_t*)0x200000008b40 = 0x2cf; *(uint8_t*)0x200000008b42 = 0; *(uint8_t*)0x200000008b43 = 0xb; *(uint8_t*)0x200000008b44 = 0x10; *(uint8_t*)0x200000008b45 = 1; *(uint8_t*)0x200000008b46 = 0xc; *(uint16_t*)0x200000008b47 = 5; *(uint8_t*)0x200000008b49 = 8; *(uint8_t*)0x200000008b4a = 5; *(uint16_t*)0x200000008b4b = 
9; *(uint8_t*)0x200000008b4d = 0x16; *(uint8_t*)0x200000008b4e = 3; *(uint8_t*)0x200000008b4f = 0x10; *(uint8_t*)0x200000008b50 = 0xb; *(uint8_t*)0x200000008b51 = 3; *(uint8_t*)0x200000008b52 = 0x10; *(uint8_t*)0x200000008b53 = 0xb; *(uint32_t*)0x200000008f18 = 0xa; *(uint32_t*)0x200000008f1c = 4; *(uint64_t*)0x200000008f20 = 0x200000008b80; *(uint8_t*)0x200000008b80 = 4; *(uint8_t*)0x200000008b81 = 3; *(uint16_t*)0x200000008b82 = 0x40e; *(uint32_t*)0x200000008f28 = 4; *(uint64_t*)0x200000008f2c = 0x200000008bc0; *(uint8_t*)0x200000008bc0 = 4; *(uint8_t*)0x200000008bc1 = 3; *(uint16_t*)0x200000008bc2 = 0x427; *(uint32_t*)0x200000008f34 = 4; *(uint64_t*)0x200000008f38 = 0x200000008c00; *(uint8_t*)0x200000008c00 = 4; *(uint8_t*)0x200000008c01 = 3; *(uint16_t*)0x200000008c02 = 0x415; *(uint32_t*)0x200000008f40 = 4; *(uint64_t*)0x200000008f44 = 0x200000008c40; *(uint8_t*)0x200000008c40 = 4; *(uint8_t*)0x200000008c41 = 3; *(uint16_t*)0x200000008c42 = 0x1c0a; *(uint32_t*)0x200000008f4c = 4; *(uint64_t*)0x200000008f50 = 0x200000008c80; *(uint8_t*)0x200000008c80 = 4; *(uint8_t*)0x200000008c81 = 3; *(uint16_t*)0x200000008c82 = 0x83e; *(uint32_t*)0x200000008f58 = 4; *(uint64_t*)0x200000008f5c = 0x200000008cc0; *(uint8_t*)0x200000008cc0 = 4; *(uint8_t*)0x200000008cc1 = 3; *(uint16_t*)0x200000008cc2 = 0x300a; *(uint32_t*)0x200000008f64 = 4; *(uint64_t*)0x200000008f68 = 0x200000008d00; *(uint8_t*)0x200000008d00 = 4; *(uint8_t*)0x200000008d01 = 3; *(uint16_t*)0x200000008d02 = 0x300a; *(uint32_t*)0x200000008f70 = 4; *(uint64_t*)0x200000008f74 = 0x200000008d40; *(uint8_t*)0x200000008d40 = 4; *(uint8_t*)0x200000008d41 = 3; *(uint16_t*)0x200000008d42 = 0x423; *(uint32_t*)0x200000008f7c = 0x9f; *(uint64_t*)0x200000008f80 = 0x200000008d80; *(uint8_t*)0x200000008d80 = 0x9f; *(uint8_t*)0x200000008d81 = 3; memcpy((void*)0x200000008d82, 
"\xd4\x8e\x87\x24\x64\x9a\x28\x41\x92\x3d\x48\xb8\xb2\x35\xfd\xc4\x31\x5e\x0d\xfb\xe1\xb8\xa8\xa0\x83\x53\xaf\x5b\x63\x0b\xeb\x6e\xca\x1d\x6b\xe0\x3d\x88\xd5\x58\x79\x33\xd6\xad\xe1\x22\xb2\xad\x4c\x55\x80\x40\xe7\xf2\x03\xd8\xc7\xaf\x79\x0a\xf8\x5d\xe3\x6e\x84\x1e\xb9\x48\x0a\xfa\x1a\xaf\x9a\x22\x6f\x4d\xe2\x8c\xd4\x44\x15\x57\x41\x1c\x77\x37\xf7\x4d\x7d\x60\x31\x3c\xd3\xd0\x51\x28\x4f\xce\xb5\xb3\x27\x83\x73\xf6\x3c\x72\xa8\x4e\x8d\xe4\xe2\x3b\xf6\x4e\x2a\x69\xc0\x57\x91\x06\xc9\x33\x18\x03\xe2\xef\x32\xfd\x09\x88\x9a\xdc\xe7\xbc\xd7\xeb\x61\x34\xc4\x65\xed\x17\x38\x6d\x3f\x97\xa4\xe8\xa4\xe9\xc4\x19\xf9\xc6\xeb\x2d\x32", 157); *(uint32_t*)0x200000008f88 = 0xa4; *(uint64_t*)0x200000008f8c = 0x200000008e40; *(uint8_t*)0x200000008e40 = 0xa4; *(uint8_t*)0x200000008e41 = 3; memcpy((void*)0x200000008e42, "\x81\x10\x3e\x0d\x22\x88\x43\x34\x4b\x9a\x28\x85\x67\x53\x24\xf5\x79\xdf\x27\x8e\x6d\x25\x06\x59\x98\xbd\xbb\x69\xb8\xee\xd0\xe1\xdb\x8d\xf1\x6b\x19\x64\x6d\x92\xc5\xd0\x35\x21\xf7\x73\xc1\x6c\x24\xde\xea\xe5\x56\xbe\x69\xb0\x4e\x1e\x96\x6f\xeb\xfb\xf3\x7f\x3b\xbc\x6d\xd6\x4c\x83\xf4\xc2\xa8\x7d\xaf\x95\xfb\x91\xe1\x0a\x36\xc0\x06\x9f\x4d\x51\x7b\xf3\x96\x21\x11\xd8\xf9\xc8\x45\x32\x3c\x0b\x91\xe6\x8d\xea\x34\xb2\x77\xb4\x10\x72\x0b\xdf\x4a\x58\x64\xfe\x06\x9b\xde\xe8\x4f\xa9\xe4\x46\x55\x49\x71\x3f\xb3\x33\xaa\xed\x85\x5b\xaf\x29\x53\x27\xe1\xfb\x65\x17\x29\xfe\x4a\xcf\x1d\x9e\xbf\x80\xd6\x4c\x29\xfc\xd3\x68\xee\x16\x11\xe5\x50\xd7\xb6\x7a", 162); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x36, /*dev=*/0x200000008980, /*conn_descs=*/0x200000008f00); if (res != -1) r[36] = res; break; case 58: memcpy((void*)0x200000008fc0, 
"\x18\x15\x12\xf6\x08\x38\x97\xf1\xb9\x4a\xd0\x1c\x9d\x8c\xc9\xeb\x6d\x7c\x14\x9c\x5e\xdf\x5e\xcf\x21\xcf\x4a\x2b\x2a\x9f\xf0\x2e\x0d\x8f\x8a\x4f\x60\xf7\xb3\x1a\xd0\xb2\x55\x2e\x14\x87\x8f\x84\x0f\x51\xa9\x7c\x25\x63\xb6\x19\xb1\x01\xea\x77\x61\x3b\x97\x52\x36\x7f\x0f\x6e\x6a\x62\x37\x81\xa3\x83\xe4\x99\xdc\x26\xfe\xd6\x0a\xfe\x6f\x15\x6d\x32\x6b\xc1\x41\xd6\x61\x5d\x18\xb6\x1a\x5c\x06\xcb\x49\xd9\xe0\x08\xe0\x5f\x65\x37\x6a\xef\xb5\xec\x21\xed\xc4\x68\xb8\x43\x4a\x0c\x9e\x39\xd1\x20\xbc\xd3\x11\x32\xf0\x75\x5c\x1f\xca\xf9\x1f\xec\xb2\x73\x3f\x98\x18\x42\x56\xd2\xf7\x9e\x80\x45\x2d\xc8\x6c\xf3\x19\x85\x08\x2e\x38\x60\x17\xeb\xe8\x21\x25\xc7\x8b\xee\x42\xf9\x49\xca\x67\x98\x67\x34\x33\xfb\x0a\x20\xd9\x16\x1b\x69\x8f\x04\x66\xb0\xea\x53\x58\x7a\x3f\x08\xcc\x34\x35\xbb\x7c\x19\x3f\x4a\xdc\xd2\xe5\xe1\x04\xf3\x3e\x3e\x1c\xdd\x33\xba\x95\x1f\xc9\xf7\x6b\x10\x8a\x40\x74\xc8\x07\x2b\x16\x46\x59\x62\xeb\x28\xe1\x38\xc9\x18\x8c\x3e\x54\xa0\x0a\xfb\x4f\xb1\x71\x0a\x27\x3a\x1f\x1c\x53\x0a\xda\x0d\x50", 251); syz_usb_ep_write(/*fd=*/r[36], /*ep=*/0xf9, /*len=*/0xfb, /*data=*/0x200000008fc0); break; case 59: syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :6063:17: error: 
'__NR_socketcall' undeclared (first use in this function) :6063:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor3154526724 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/3 (1.13s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:10 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$IMCTRLREQ(0xffffffffffffffff, 0x80044945, &(0x7f0000000000)={0x4006, 0xd, 0x2, 0x8}) (fail_nth: 1) ioctl$SNDRV_TIMER_IOCTL_GINFO(0xffffffffffffffff, 0xc0f85403, &(0x7f0000000040)={{0x0, 0x1, 0x4, 0x2, 0x5}, 0x81, 0x0, 'id1\x00', 'timer0\x00', 0x0, 0x6, 0x3, 0x70a, 0x9}) (async) r0 = syz_open_dev$ircomm(&(0x7f0000000140), 0x0, 0x0) (rerun: 4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTA3D_RGXCREATERENDERCONTEXT(0xffffffffffffffff, 0xc0206440, &(0x7f0000000340)={0x82, 0x8, &(0x7f0000000280)={0x1, 0x0, 0xc0, 
&(0x7f0000000180)="5b58ac0ed1d27b217d3fdc6299cdde4d85321f7bbaa064d361519cdde43b225cf00658ddbfbd914cf79eceb348f18692315c3c69ec148e2dd928ac7ee62f5111b9dccaca88524912341955f79b0f2206b80e6e5a7e681a629694a34f9b0e39877eefde60a068cdc44545d6fe45d0000c9961a1ff168747447e346b16460875c691de1183b2d7b032cfae85497d0d8848d4baa9adc6caaccd9af6019ea2ba6f3b4e6018df94cacabeddec7b600230ea7790019399d0beb61f427df8359cc34893", 0x0, 0x0, &(0x7f0000000240), 0x10000, 0x0, 0x0, 0x81, 0xe}, &(0x7f0000000300)={0x0}, 0x44, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXCMP_RGXGETLASTCOMPUTECONTEXTRESETREASON(r0, 0xc0206440, &(0x7f0000000400)={0x81, 0x4, &(0x7f0000000380)={r1}, &(0x7f00000003c0), 0x8, 0xc}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r0, 0xc08c5335, &(0x7f0000000440)={0x3, 0x6, 0x1, 'queue1\x00', 0xdae}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000540), r0) sendmsg$TIPC_NL_BEARER_GET(r0, &(0x7f0000000880)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000840)={&(0x7f0000000580)={0x2b4, r2, 0x400, 0x70bd2d, 0x25dfdbfb, {}, [@TIPC_NLA_PUBL={0x44, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3f}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x2}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x4c00000}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x67c}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x7}]}, @TIPC_NLA_LINK={0x3c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x220a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9c0}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x101}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x6}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}]}, @TIPC_NLA_BEARER={0xb8, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, 
@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @multicast2}}, {0x14, 0x2, @in={0x2, 0x4e20, @broadcast}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xb}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}, @TIPC_NLA_NET={0x20, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x8}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x80}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK={0x10c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x187}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc0fb}, @TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffff2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd0}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK_PROP={0x54, 0x7, 0x0, 0x1, 
[@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xe6a9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x81}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x79}]}]}, 0x2b4}, 0x1, 0x0, 0x0, 0x4040811}, 0x0) read$snddsp(r0, &(0x7f00000008c0)=""/29, 0x1d) ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(0xffffffffffffffff, 0x4010801d, &(0x7f0000000980)={0x6, &(0x7f0000000940)=[0x904e, 0x1, 0x9, 0x6, 0xe, 0x5]}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@mgmt_frame=@deauth={{{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x4}, @device_a, @broadcast, @from_mac=@device_b, {0x1, 0x7f}}, 0x1f, @val={0x8c, 0x18, {0x5d9, "8e85144c6433", @long="e023fbed513011c5707e452472e2055d"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@random="3a386465f389380e26b0cb13f98a36e2214f099ee0d0b29b754e31d6efc82c04", 0x20, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_path_truncate\x00') r3 = syz_clone(0x4004000, &(0x7f0000000140)="daa4ed40f7cf4da86377e864d8e6c6d4fc5486af4a6f23dea58b3243a291b0180dbaf5c92758af73f9", 0x29, &(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)="40f276856b8191c4f312759d795a22c3c7edc91678794f4eeac45746fcc9930722c8189ba59565f7327cbcd4506164eb9f6ff175f1f08d60247091772c185ac38304e9b5b3") r4 = getpgrp(r3) r5 = syz_clone3(&(0x7f0000000500)={0x800, &(0x7f0000000280)=0xffffffffffffffff, &(0x7f00000002c0)=0x0, &(0x7f0000000300)=0x0, {0x12}, &(0x7f0000000340)=""/102, 0x66, &(0x7f00000003c0)=""/198, &(0x7f00000004c0)=[r3, r3, r3, r4], 0x4}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x101a, &(0x7f00000005c0)={@remote, 
@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @val={@void, {0x8100, 0x7, 0x0, 0x3}}, {@llc_tr={0x11, {@snap={0xab, 0x1fe, "fe", "1622d0", 0x1b, ""}}}}}, 0x0) syz_emit_vhci(&(0x7f0000001600)=@HCI_VENDOR_PKT, 0x2) syz_extract_tcp_res(&(0x7f0000001640), 0x401, 0x8001) r9 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000001680)=0x4) shmctl$auto_SHM_UNLOCK(0x6, 0xc, &(0x7f0000004a80)={{0x80000000, 0xee01, 0xee01, 0x5, 0xfffffff8, 0x1, 0x6bc1}, 0x40, 0xffff, 0x2265, 0xfffffffffffffff8, @inferred=r3, @inferred=r8, 0xfffa, 0x0, &(0x7f0000003a40)="", &(0x7f0000004a40)="884f381309896a88173889994e74c60694f7baa45be088e59bc3e939728257e8d2db71"}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000004c40)={{{@in, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@remote}}, &(0x7f0000004d40)=0xe8) shmctl$auto(0x5, 0x2, &(0x7f0000004e00)={{0x7, 0xee00, 0xffffffffffffffff, 0x8, 0x80, 0x5, 0xfffc}, 0x1, 0x7, 0x5, 0xbed1, @inferred=r5, @inferred=r7, 0x1, 0x0, &(0x7f0000004d80), &(0x7f0000004dc0)="05c9215687a3ff1747cae5c18cb186ed5c62984337f90f0ab5948e21c63d1686f1da1459a89718a9f84930b892c2ad4de61f714ab8"}) msgctl$auto_IPC_RMID(0x4, 0x0, &(0x7f0000004f00)={{0x7, 0xffffffffffffffff, 0xffffffffffffffff, 0x1, 0x0, 0x98, 0x4}, &(0x7f0000004e80)=0x6, &(0x7f0000004ec0)=0x5, 0xc, 0x1ff800000, 0x8, 0x7f, 0x3, 0x101, 0x8, 0x1000, @inferred=r5, @inferred=r8}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000004f80)={{{@in6=@mcast1, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@multicast2}}, &(0x7f0000005080)=0xe8) shmctl$auto(0x2, 0x5, &(0x7f00000052c0)={{0x8, 0x0, 0x0, 0x7f, 0x5, 0x80000001, 0x43}, 0x7, 0x2, 0x0, 0xffffffffffffffff, @raw=0xf, @inferred=r7, 0x2, 0x0, 
&(0x7f00000050c0)="bcc4b5d86e91b02b73e16c4665dc3088f7cc9826da7807f9a8300d9d8980de67a1a2a153e95466e76d2c38c41558c08efe37ee81d9904674ced86dda9b2b6cc7c97b199758bef8d92dd20e0e69864d6fcd03a80ca012019cf41e5166475038fcd360338436e7827ef730469187e6a495f5bf018ee7caa71c804a386756c3242b30eca0b841166d7839e94a5639d08fbc06dac1f861494456d8d153de7fc30387d452304e7c3069bbfb424391d04fab12037c6d6ae6025df869fa3a45e03148c2dd052c", &(0x7f00000051c0)="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"}) stat$auto(&(0x7f0000005340)='./file0\x00', &(0x7f0000005380)={0x355, 0x100000001, 0x5, 0x7, 0xffffffffffffffff, 0xee01, 0x0, 0x7, 0x2, 0x2, 0x6, 0xfffffffffffffff7, 0x7, 0x4, 0xfff, 0x17b, 0xffffffffffff27a1}) shmctl$auto(0x8001, 0xfffffee8, &(0x7f0000006480)={{0x7, 0xee00, 0x0, 0x0, 0x7, 0x8, 0x3ff}, 0x10, 0x2, 0x8, 0x7fffffff, @inferred=r8, @raw=0xffff, 0xffff, 0x0, &(0x7f0000005440)="", &(0x7f0000006440)="1c3d61efc1467b6b61e9e5f06fa3d1dcc0e70035dcc9c6c3b00df58900"}) r21 = getgid() r22 = geteuid() ioctl$auto_XFS_IOC_SWAPEXT(0xffffffffffffffff, 0xc0c0586d, &(0x7f0000006a80)={0xfff, @raw=0xd, @inferred=r6, 0x7, 0x2, '\x00', {0xf, 0x0, 0x46, 0xffffffffffffffff, 0x0, 0xfffffffd, 0xf7, 0x7f, {0x8, 0x9}, {0x3, 0x200}, {0x4, 0x5}, 0x62, 0x5, 0xff, 0x6cbf, 0x48, 0x0, 0x8001, 0x7f, 0x6, 0x8, '\x00', 0x40, 0xffff, 0xa, 0xb04b}}) syz_fuse_handle_req(r9, &(0x7f00000016c0)="", 0x2000, &(0x7f0000006c80)={&(0x7f00000036c0)={0x50, 0x0, 0x8, {0x7, 0x2d, 0x7, 0x8000008, 0x7, 0xfc00, 0x3ff, 0x59, 0x0, 0x0, 0xe0, 0x10000}}, &(0x7f0000003740)={0x18, 0x0, 0x6, {0x80000001}}, &(0x7f0000003780)={0x18, 0x0, 0x4, {0x2}}, &(0x7f00000037c0)={0x18, 0xffffffffffffffda, 0x37}, &(0x7f0000003800)={0x18, 0x0, 0x1, {0xff}}, &(0x7f0000003840)={0x28, 0x26, 0x7fffffffffffffff, {{0x7a, 0x8}}}, &(0x7f0000003880)={0x60, 0xfffffffffffffff5, 0x1, {{0x81, 0x6, 0x3ff, 0x2, 0x4, 0x4, 0x8, 0x2}}}, &(0x7f0000003900)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000003940)={0x12, 0xf92c178daeab5fde, 0x9, {'^\x00'}}, &(0x7f0000003980)={0x20, 0x0, 
0x0, {0x0, 0x2}}, &(0x7f00000039c0)={0x78, 0x0, 0xfffffffffffffff7, {0x3, 0x67, 0x0, {0x3, 0x2, 0x5, 0x2, 0x0, 0x5b, 0x200, 0x6, 0xf0b7, 0x1000, 0x1, 0xffffffffffffffff, 0xffffffffffffffff, 0x4, 0x6}}}, &(0x7f0000004b00)={0x90, 0x0, 0x7, {0x1, 0x3, 0x10000, 0x200, 0x8, 0xa87, {0x4, 0x1, 0x7, 0x1, 0xfffffffffffffffd, 0x4, 0x9, 0xffff, 0x10000000, 0x0, 0xf40, 0x0, r10, 0x8001, 0x9}}}, &(0x7f0000004bc0)={0x48, 0x0, 0x5c, [{0x1, 0x4, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}, {0x1, 0x8, 0x0, 0xb}]}, &(0x7f0000006500)={0x478, 0x0, 0x2, [{{0x1, 0x1, 0xf, 0x9, 0x7fffffff, 0x3ff, {0x5, 0xb3fc, 0x3, 0xa2d9, 0x3, 0x80000000, 0x4, 0x5, 0x2, 0x6000, 0xfff, 0xffffffffffffffff, 0xee01, 0x5, 0x6}}, {0x5, 0x9, 0x6, 0x6, 'wlan1\x00'}}, {{0x3, 0x1, 0x4, 0xf, 0x1, 0x5, {0x4, 0xffc, 0x2, 0xffffffffffffdbca, 0x35, 0x5fa, 0x8, 0x5, 0x16d, 0x6000, 0x8000, r11, 0xee00, 0x8, 0x2}}, {0x2, 0x3e8, 0x16, 0x5, 'bpf_lsm_path_truncate\x00'}}, {{0x6, 0x3, 0xcff0, 0xfffffffffffffbff, 0x3, 0x3, {0x5, 0x4, 0x8, 0x9, 0x10, 0x5, 0x91, 0xfff, 0xfffffffd, 0xc000, 0x3, r12, 0xee00, 0x80, 0x40}}, {0x0, 0x8, 0x6, 0x80000001, 'wlan1\x00'}}, {{0x3, 0x2, 0x8, 0x9, 0x80000000, 0xd149, {0x3, 0x4, 0x5, 0xe, 0x7a, 0xd52, 0x0, 0x5, 0x6, 0xa000, 0x2, r14, 0x0, 0x7fffffff, 0x5}}, {0x4, 0x7ff, 0x2, 0x78d, '\xc0\''}}, {{0x2, 0x0, 0x6, 0x7fffffff, 0x5, 0x5, {0x2, 0xc, 0xbde5, 0x5, 0x8, 0x10, 0x9, 0x6, 0xe31, 0x2000, 0x5b8, r16, r18, 0x6, 0x8}}, {0x2, 0x80, 0x0, 0xb6}}, {{0x5, 0x2, 0x80000001, 0x2, 0x6, 0xff, {0x3, 0x5, 0x8, 0x3, 0x8001, 0x5, 0x1, 0x7, 0x2, 0x1000, 0x1, 0xee01, r19, 0x10001, 0x6}}, {0x0, 0x6, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x3, 0x1, 0x8000000000000000, 0x2e, 0x5, 0x7, {0x6, 0x5, 0x5, 0xb, 0x0, 0x2, 0xffff, 0x0, 0x8, 0x2000, 0x9, r20, r21, 0x2, 0x7}}, {0x6, 0xfffffffffffffffb, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000006980)={0xa0, 0x0, 0xd05, {{0x5, 0x3, 0x8000000000000001, 0x7, 0x5, 0x2, {0x3, 0x4, 0x5, 0x3, 0x8, 0x1, 0x8001, 0x0, 0xfff, 0x8000, 0x101, r22, 0xee00, 0x7, 0xac}}, {0x0, 0x10}}}, 
&(0x7f0000006a40)={0x20, 0x0, 0xffffffff, {0x4, 0x0, 0x9, 0xa}}, &(0x7f0000006b40)={0x130, 0x0, 0x1ff, {0x6276287e, 0x7, 0x0, '\x00', {0x800, 0x2, 0x3, 0x1e, 0xffffffffffffffff, r24, 0x4000, '\x00', 0x800, 0x9, 0x8, 0x32f3fcde, {0x6, 0x1}, {0x4, 0xe30}, {0x4d, 0x3}, {0x6, 0x8}, 0x6, 0x2, 0xfb, 0x2}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000006d40), r23) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x28c2, &(0x7f0000006d80)={0x0, 0xd0f0, 0x20, 0x0, 0x1e5}, &(0x7f0000006e00)=0x0, &(0x7f0000006e40)) syz_io_uring_complete(r25) r26 = syz_io_uring_setup(0x7c1f, &(0x7f0000006e80)={0x0, 0x979d, 0x4, 0x1, 0x206, 0x0, r9}, &(0x7f0000006f00)=0x0, &(0x7f0000006f40)=0x0) r29 = io_uring_register$IORING_REGISTER_PERSONALITY(r26, 0x9, 0x0, 0x0) syz_io_uring_submit(r27, r28, &(0x7f0000007000)=@IORING_OP_OPENAT2={0x1c, 0x14, 0x0, r23, &(0x7f0000006f80)={0x818480, 0x0, 0x35}, &(0x7f0000006fc0)='./file0\x00', 0x18, 0x0, 0x23456, {0x0, r29}}) r30 = syz_kvm_setup_syzos_vm$x86(r9, &(0x7f0000bfd000/0x400000)=nil) syz_kvm_add_vcpu$x86(r30, &(0x7f0000007400)={0x0, &(0x7f0000007040)=[@wrmsr={0x65, 0x20, {0x92e, 0x8}}, @nested_vmresume={0x130, 0x18, 0x1}, @wr_drn={0x68, 0x20, {0x1}}, @nested_amd_invlpga={0x17d, 0x20, {0xffffffff, 0xbd0d}}, @nested_amd_vmsave={0x183, 0x18, 0x1}, @code={0xa, 0x6a, {"36490fc7aad66197c026660f3880945e008000000f01ba008000008fc9b89b29470fc7ae20000000450f09c4e2d13967c4360f017f0566642e643ed8f1c744240025fd0000c744240254000000c7442406000000000f011424"}}, @nested_amd_inject_event={0x180, 0x38, {0x0, 0xb5, 0x7, 0x5}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x3, @control16=0x4, 0x5, 0x1ff, 0x8}}, @nested_vmresume={0x130, 0x18}, @out_dx={0x6a, 0x28, {0xc636, 0x5, 0x4}}, @enable_nested={0x12c, 0x18}, @nested_vmlaunch={0x12f, 0x18, 0x1}, @wrmsr={0x65, 0x20, {0x8a3, 0x9}}, @wr_drn={0x68, 0x20, {0x4, 0x6}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_create_vm={0x12d, 0x18, 0x2}, 
@nested_amd_invlpga={0x17d, 0x20, {0x8080000, 0x943e}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x3, @control_area=0x31, 0xc, 0x6, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x36, 0x1, 0x2, 0x3}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_vmresume={0x130, 0x18}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0x72, 0x2, 0x5, 0x2}}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_vmlaunch={0x12f, 0x18, 0x2}], 0x3a2}) r31 = ioctl$KVM_CREATE_VM(r9, 0xae01, 0x5) syz_kvm_setup_cpu$ppc64(r31, r23, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000007680)=[{0x0, &(0x7f0000007440)="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", 0x20c}], 0x1, 0x2, &(0x7f00000076c0)=[@featur2={0x1, 0x6}], 0x1) syz_kvm_setup_syzos_vm$x86(r23, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(0x0, 0x114, &(0x7f0000007700), 0x0, 0x4) syz_mount_image$fuse(&(0x7f0000007740), &(0x7f0000007780)='./file0\x00', 0x40000, &(0x7f00000077c0)={{'fd', 0x3d, r23}, 0x2c, {'rootmode', 0x3d, 0x6000}, 0x2c, {'user_id', 0x3d, r22}, 0x2c, {'group_id', 0x3d, r13}, 0x2c, {[{@max_read={'max_read', 0x3d, 0x3}}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@default_permissions}, {@allow_other}], [{@permit_directio}, {@uid_lt={'uid<', r17}}, {@appraise}, {@smackfshat={'smackfshat', 0x3d, '\xc0\''}}, {@appraise}]}}, 0x1, 0x0, &(0x7f0000007940)="a4b222df2ba10df24f5481e0dc5e93b81b1b82e9a214cabce344800ad54de610fa1eda44b9040526f2dc7c731c5473c8c6dc94192a03484e6d62bb49128612543a9d016ed9a3730e51080f5c860d03a77ed50164bcf99c42d3568a974a927a879de41edc2f5552365886121a31095b97aa08ee2977111f7cc56a77c0f2a16b32b19df50a249cd3058e60a6ae8c96349d5e5c0097594ce01c1fbee5ee94606fef673231e65700bc715f1f0119c84ed27b8af38ed153d394d6b22cca54db55a31bc25b45e81deca7bedb696691ae6b92f09eea3e2b5e8af2f996339dec592edec5897e94eb") syz_open_dev$I2C(&(0x7f0000007a40), 0x7, 0x0) syz_open_procfs(r4, &(0x7f0000007a80)='net/psched\x00') syz_open_pts(r9, 0x292c02) 
syz_pidfd_open(r15, 0x0) r32 = pkey_alloc(0x0, 0x0) syz_pkey_set(r32, 0x3) syz_socket_connect_nvme_tcp() r33 = syz_usb_connect(0x1, 0x295, &(0x7f0000007ac0)={{0x12, 0x1, 0x250, 0x58, 0x6, 0x54, 0x8, 0x13d3, 0x3348, 0x15b2, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x283, 0x2, 0x9, 0x2, 0x10, 0x8, [{{0x9, 0x4, 0x26, 0xb, 0x5, 0x83, 0x18, 0x74, 0xee, [], [{{0x9, 0x5, 0xb, 0x3, 0x8, 0x4, 0xfb, 0x6a, [@generic={0xbd, 0xc, "8b82bd3fc8137d3d259ce7bc140de0823de2222eed4c570edcb84553cd1efd649dd352dd375d81da8da8e6863fb482ecb3a16f122210bff25c59a3afc6542848c06e1b983fbc8dd0de627cfddf9f905f5cb6ed4a25ec5947599b15b538c7bb0b0d65d4a31b319f7383955ce766ef4c66d18bc75d69b2dd7d136c78eaec1e2203eb918dd61609de40f4f693917eeb17fc387bb427341f6416e0b8c46a2445a5c49bd9c86dfe21c598acf17ea98ffece202a21dc93a0b830d29af87c"}, @generic={0xc7, 0x6, "f5459e117800d22a25a486d1442f5cbd4d3d776cd061d2c185f9924eae6a4d7b14c58b599863d321e3ea80a25f6d8be51d5ca70c276ce0e6d9038f88776b9614287db7ee2113f0e7e1f01873b613d763da5f87f86cd1860bd623463fc6d93d9f948d0d4d70d72a8ac1dec1adceb8716729906428d5b6e24b01499bfa6a0aa0482eed8c7751a1c7ec944db19254a74b61142e725a7a290c4142875d347b3e483f4e2db8373ef8fead8118ce07d812332b211da9733d444f7d706a6439c29aeaedd03000a2a8"}]}}, {{0x9, 0x5, 0xa, 0xc, 0x400, 0xc, 0x0, 0xb5, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0xb, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x20, 0x7, 0x5, 0x5, [@generic={0x24, 0x7, "ad98314a82d7aebbfce85178752271b158c05dea1bf5a2459c431df180c1f3b2be3b"}]}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x7, 0xf3, 0x4}}, {{0x9, 0x5, 0x5, 0x0, 0x40, 0x2, 0x3, 0x2, [@generic={0x6a, 0xa, "f7dd67505d353d93b6e1f3ac2d8f9f766012d204e558a7076c6a1dd6648b2928acaf801710c8555067e0715e60772d9a84c714f63d527b9f1532a5ac6511627f9e8400e62ad6bd25ec51ec630afc10e1f0f2fe01c9588e2897ef26d5ea8bcf970e51fc28d84a628c"}]}}]}}, {{0x9, 0x4, 0x48, 0xe, 0x3, 0xca, 0x1e, 0x4a, 0xf5, [], [{{0x9, 0x5, 0xb, 0x4, 0x400, 0x5, 0xf7, 0xf6}}, {{0x9, 0x5, 0xe, 0x10, 0x3ff, 0x1, 0xd, 0x80}}, {{0x9, 0x5, 0x5, 0x10, 0x10, 0x95, 0x3, 0x0, [@uac_iso={0x7, 0x25, 
0x1, 0x82, 0xae, 0x12}]}}]}}]}}]}}, &(0x7f0000007ec0)={0xa, &(0x7f0000007d80)={0xa, 0x6, 0x110, 0x4, 0x1, 0x6, 0x8, 0xe}, 0x3b, &(0x7f0000007dc0)={0x5, 0xf, 0x3b, 0x4, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "fdf4043ae7f59e3e81fe303d4de3ea16"}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x8, 0x6, 0x6}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x7, 0xd, 0x95d7}, @ss_container_id={0x14, 0x10, 0x4, 0x3, "bc6a9266bf506e90620d9c900e180143"}]}, 0x1, [{0x98, &(0x7f0000007e00)=@string={0x98, 0x3, "d95f3fcaaa58f9d36d03e3a2d5566a5191f742f723fa49e364e03b0d288a7fcb4579b58c56d824be57f9ad0f8703d3011cac468433fa22c23bfaf15dad541efb0138c46bb8f8869215155c2685d69b75ffe68c0cbd6e71743abd4355e12d9dcb7dff16bb075da553c178139ede2c285a4a2845e8889c234504d968d870b6084a7b4ab0dcdb83d43bb2f4e7a0156b80a68919cbb7da84"}}]}) r34 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007f00)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r35 = syz_usb_connect$uac1(0x3, 0xe5, &(0x7f0000007f80)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd3, 0x3, 0x1, 0x1, 0x80, 0x80, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x0, 0x7c}, [@extension_unit={0xd, 0x24, 0x8, 0x2, 0x8, 0x9, "0cffda3f227b"}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x6, 0x9a, 0x20, "2da5ee78a28e1f1a41"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0xf8, 0x3, 0x69, 0x6d, 'e)', "bf0794"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x5, 0x4, 0x5b, 0x3, 'D', "2618"}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x7b4, 0x8, 0x4}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x0, 0x3, 0x8, 0x8, "aa", "e8e5b4"}]}, {{0x9, 0x5, 0x1, 0x9, 0x40, 0x6, 0x5, 0x0, {0x7, 0x25, 0x1, 0x80, 0x1, 0x4}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@as_header={0x7, 0x24, 0x1, 0x3, 0x1e, 0x4}, @as_header={0x7, 0x24, 0x1, 0x6f, 0x7}, @format_type_ii_discrete={0xa, 
0x24, 0x2, 0x2, 0x8, 0x2, 0x8, 'f'}, @format_type_ii_discrete={0x10, 0x24, 0x2, 0x2, 0x9, 0x401, 0x5, "53b11dbc8cd310"}]}, {{0x9, 0x5, 0x82, 0x9, 0x8, 0x0, 0x28, 0x6, {0x7, 0x25, 0x1, 0x80, 0x5, 0xd}}}}}}}]}}, &(0x7f00000081c0)={0xa, &(0x7f0000008080)={0xa, 0x6, 0x110, 0x59, 0xa5, 0x5, 0x10, 0x1}, 0x39, &(0x7f00000080c0)={0x5, 0xf, 0x39, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x3, 0xb8, 0x9, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0x2, "9d9ab0978e2aace26de66306e6e2963d"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x0, 0x6, 0x4, 0x1, 0x5}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x5, 0x6, 0xfff2}]}, 0x1, [{0x84, &(0x7f0000008100)=@string={0x84, 0x3, "000a6c9f4a15eabc97a92ab665231b2cf9057321eb430c6521f497a8c3ce816268cb337fa48deecfeb28b2305fcf2d2e988cc8b8b980a1332dc406bc34695fa24dc3609f619d7ac284cc3ae7f0afe444d578c951d9aedc4c682e100cfeb6619b98a96b1978d8ede7574e969f8ae8e3dfb835bde5ccd922133e53036ff44eda52a0a9"}}]}) syz_usb_control_io(r35, &(0x7f0000008380)={0x2c, &(0x7f0000008200)={0x40, 0x22, 0x31, {0x31, 0x5, "74e83dcf53dd2d0ecac0aa3467b18dfa71b26cdd403d955c0ffe22817b01fe5795d51cf24a6ae3b8e32f1b7ac5f8ca"}}, &(0x7f0000008240)={0x0, 0x3, 0x1e, @string={0x1e, 0x3, "8957a501d83c69e54f70f62f932a50b65506c388c128239d36229ee2"}}, &(0x7f0000008280)={0x0, 0xf, 0x4f, {0x5, 0xf, 0x4f, 0x6, [@ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x5, 0xf000, 0x409, [0xc000, 0x17f, 0xff3f30, 0xffffaf]}, @ssp_cap={0x10, 0x10, 0xa, 0x9, 0x1, 0x4, 0xff0f, 0xf87, [0xc030]}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x1, 0x4, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0xd2, 0x3, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x1, 0x7, 0x2}, @ptm_cap={0x3}]}}, &(0x7f0000008300)={0x20, 0x29, 0xf, {0xf, 0x29, 0x8, 0x1, 0x7, 0x4, '\b\r$}', "67016dee"}}, &(0x7f0000008340)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x16, 0x80, 0x9, 0x3, 0x3, 0x2, 0xf000}}}, &(0x7f00000087c0)={0x84, &(0x7f00000083c0)={0x0, 0x11, 0x1f, "16d60d7743501452ffd5730424bc4a970cc6490bb9cc85938699edf27a0c7d"}, &(0x7f0000008400)={0x0, 0xa, 0x1, 0x9}, 
&(0x7f0000008440)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000008480)={0x20, 0x0, 0x4, {0x2f1050d721a8e554, 0x1}}, &(0x7f00000084c0)={0x20, 0x0, 0x4, {0x200, 0x2b}}, &(0x7f0000008500)={0x40, 0x7, 0x2, 0xfd37}, &(0x7f0000008540)={0x40, 0x9, 0x1}, &(0x7f0000008580)={0x40, 0xb, 0x2, 'E\"'}, &(0x7f00000085c0)={0x40, 0xf, 0x2, 0x2}, &(0x7f0000008600)={0x40, 0x13, 0x6, @random="2fa6dde03a0f"}, &(0x7f0000008640)={0x40, 0x17, 0x6, @random="de1c102b027e"}, &(0x7f0000008680)={0x40, 0x19, 0x2, "0d97"}, &(0x7f00000086c0)={0x40, 0x1a, 0x2, 0x2}, &(0x7f0000008700)={0x40, 0x1c, 0x1, 0xfd}, &(0x7f0000008740)={0x40, 0x1e, 0x1, 0xfd}, &(0x7f0000008780)={0x40, 0x21, 0x1, 0xc9}}) syz_usb_disconnect(r33) syz_usb_ep_read(r34, 0x7, 0xfc, &(0x7f0000008880)=""/252) r36 = syz_usb_connect$printer(0x5, 0x36, &(0x7f0000008980)={{0x12, 0x1, 0x200, 0x7, 0x1, 0x1, 0x20, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xf4, 0x60, 0x4, [{{0x9, 0x4, 0x0, 0x3, 0x2, 0x0, 0x0, 0x0, 0x81, "", {{{0x9, 0x5, 0x1, 0x2, 0x400, 0x0, 0x8, 0x2}}, [{{0x9, 0x5, 0x82, 0x2, 0x3ff, 0x4, 0x48, 0x8}}]}}}]}}]}}, &(0x7f0000008f00)={0xa, &(0x7f00000089c0)={0xa, 0x6, 0x250, 0x7d, 0xdd, 0x3, 0x20, 0xfa}, 0x154, &(0x7f0000008a00)={0x5, 0xf, 0x154, 0x6, [@generic={0xe8, 0x10, 0x1, "d031a9165b9e273ff6ffe555849af6dca66e17a68ee5ac784dca23e4a56d46169ad06ead2b8bcd997eac2ecb8b2a2526aa200db55758d08659469283d6ecfba982c300ae82ccf4a8bf073dbde45376b4f6fc559be519f82e8e5b2cf59c3a3af4f290707e767a4e276851090d90be0ab66f788e7760cd71ab865ea8b6bcc5f35f60538154a099c354a3593417682fc39d2a6a255ef4bb65f8d97af29beb0f8734a68ed84ef08df69e9b35fa2e3fe65e9938ff441dc3e7982a81cccaf9621d5dbc663b80ab448c975cbc19bb6c3901a02c16b32dfaf9f5c220fa21434937b462038105e6d086"}, @generic={0x4b, 0x10, 0x3, "10bed1912f7dc94ac6d87cbc68962c89e777cc51a257d0cad33cdcf336a31ac39b867144c2c96be40fccac19633a547787bc6e4fe91e91fa4759db2a867d859cd5a60c84c1a38e09"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x9, 0x77, 0x9, 0x2cf}, @wireless={0xb, 0x10, 0x1, 0xc, 0x5, 0x8, 0x5, 0x9, 
0x16}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0xa, [{0x4, &(0x7f0000008b80)=@lang_id={0x4, 0x3, 0x40e}}, {0x4, &(0x7f0000008bc0)=@lang_id={0x4, 0x3, 0x427}}, {0x4, &(0x7f0000008c00)=@lang_id={0x4, 0x3, 0x415}}, {0x4, &(0x7f0000008c40)=@lang_id={0x4, 0x3, 0x1c0a}}, {0x4, &(0x7f0000008c80)=@lang_id={0x4, 0x3, 0x83e}}, {0x4, &(0x7f0000008cc0)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d00)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d40)=@lang_id={0x4, 0x3, 0x423}}, {0x9f, &(0x7f0000008d80)=@string={0x9f, 0x3, "d48e8724649a2841923d48b8b235fdc4315e0dfbe1b8a8a08353af5b630beb6eca1d6be03d88d5587933d6ade122b2ad4c558040e7f203d8c7af790af85de36e841eb9480afa1aaf9a226f4de28cd4441557411c7737f74d7d60313cd3d051284fceb5b3278373f63c72a84e8de4e23bf64e2a69c0579106c9331803e2ef32fd09889adce7bcd7eb6134c465ed17386d3f97a4e8a4e9c419f9c6eb2d32"}}, {0xa4, &(0x7f0000008e40)=@string={0xa4, 0x3, "81103e0d228843344b9a2885675324f579df278e6d25065998bdbb69b8eed0e1db8df16b19646d92c5d03521f773c16c24deeae556be69b04e1e966febfbf37f3bbc6dd64c83f4c2a87daf95fb91e10a36c0069f4d517bf3962111d8f9c845323c0b91e68dea34b277b410720bdf4a5864fe069bdee84fa9e4465549713fb333aaed855baf295327e1fb651729fe4acf1d9ebf80d64c29fcd368ee1611e550d7b67a"}}]}) syz_usb_ep_write(r36, 0xf9, 0xfb, &(0x7f0000008fc0)="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") syz_usbip_server_init(0x2) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register 
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434
#endif
#ifndef __NR_pkey_alloc
#define __NR_pkey_alloc 330
#endif

// Index of this executor process; read by syz_usbip_server_init to derive a
// per-process vhci port range. Nothing in this chunk assigns it.
static unsigned long long procid;

// Sleep for ms milliseconds. ms * 1000 is not range-checked before the
// implicit conversion to useconds_t; callers are expected to pass small values.
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Monotonic time in milliseconds. A failing clock_gettime() is treated as
// unrecoverable and exits the process.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Create a fresh scratch directory under the cwd and chdir into it.
// The directory is made world-writable (0777) -- presumably so that
// sandboxed / less privileged children can create files in it. Any failure exits.
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

// Start fn(arg) on a new thread with a 128 KiB stack, retrying up to 100
// times on EAGAIN. The pthread_t handle is discarded, so the thread is never
// joined or detached. Any other failure exits.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			// Transient resource shortage: back off briefly and retry.
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// Mask of bf_len bits starting at bit bf_off.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bitfield at addr. htobe is an endianness conversion
// applied on both the read and the write (passed empty for native order).
// NOTE: addr and htobe are expanded more than once -- side-effect-free args only.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// One-shot binary event: state 0 = not set, 1 = set. Waiters block on a
// futex at &state; release/acquire atomics pair the set with the wait.
typedef struct {
	int state;
} event_t;

static void event_init(event_t* ev)
{
	ev->state = 0;
}

static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Set the event and wake every waiter. Setting an already-set event is
// treated as a logic error and exits (the check is a plain, non-atomic read).
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the event is set. FUTEX_WAIT only sleeps while state is still
// 0 (the expected value passed), so a set racing with the load is not lost.
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking check of the event state.
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// event_timedwait's definition continues on the next line of the listing.
static
int event_timedwait(event_t* ev, uint64_t timeout)
{
	// Wait up to timeout ms for the event; returns 1 if it was set, 0 on timeout.
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		// remain cannot underflow: the loop returns below as soon as
		// now - start exceeds timeout.
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		// Sleeps only while state is still 0; spurious wakeups re-loop.
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

// Format what/... into a 1 KiB buffer and write it to an existing file with
// a single write(). Returns false (errno preserved) if the open fails or the
// write is short/fails. Output longer than the buffer is silently truncated.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// Netlink message under construction. pos is the write cursor into buf;
// nested[] / nesting track open nested attributes (not used in this chunk).
// Neither netlink_init nor netlink_attr bounds its writes against
// sizeof(buf); an overrun is only detected afterwards in netlink_send_ext.
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

// Reset nlmsg and write a header of type typ (NLM_F_REQUEST | NLM_F_ACK are
// always set, flags are OR'ed in) followed by size bytes of data.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Append a flat attribute (typ, size bytes of data) at the cursor.
// No check that the attribute fits in buf (see struct nlmsg above).
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Send the message on sock and consume one reply, which overwrites
// nlmsg->buf. Returns 0 on ACK / NLMSG_DONE, or when a reply of reply_type
// arrives (its byte length stored in *reply_len); -errno on a kernel error;
// -1 on a local failure. With dofail set every failure exits instead.
// The overrun check at the top runs only after the message has been built,
// so by then any buffer overrun has already happened.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
(struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		// A failed send returns before *reply_len is touched.
		if (dofail)
			exit(1);
		return -1;
	}
	// The reply reuses the request buffer; hdr now points at the reply header.
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	// nlmsgerr.error is a negative errno (0 for a plain ACK).
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

// Resolve a generic-netlink family name to its numeric id with
// CTRL_CMD_GETFAMILY. Returns the id (> 0) or -1 with errno set.
// The trailing recv() drains the message that follows the reply; its
// result is deliberately ignored (best effort).
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	// Sends at most GENL_NAMSIZ-1 characters plus one more byte; that byte is
	// the NUL only when family_name is shorter than GENL_NAMSIZ-1.
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		return -1;
	}
	uint16_t id = 0;
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	// Walk the reply's top-level attributes. Only each attribute's start is
	// checked against n; nla_len itself is trusted (the reply is kernel-built),
	// and an nla_len of 0 would not advance the cursor.
	for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			id = *(uint16_t*)(attr + 1);
			break;
		}
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

// Fixed fd number -- presumably where the executor keeps the initial network
// namespace open; nothing in this chunk references it.
const int kInitNetNsFd = 201;

// mac80211_hwsim / wifi setup constants. The HWSIM_* values mirror the
// kernel's hwsim netlink command and attribute numbers.
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00}
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50}
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10}
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

// Parameters for joining an IBSS (ad-hoc) network; mac may be NULL.
struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8_t* mac;
	uint8_t* ssid;
	int ssid_len;
};

// Bring an interface up (on != 0) or down via SIOCGIFFLAGS / SIOCSIFFLAGS.
// Returns 0 on success, -1 on failure. interface_name is copied into
// ifr_name with an unbounded strcpy: callers must pass a name that fits
// (shorter than IFNAMSIZ), as nothing here truncates it.
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	strcpy(ifr.ifr_name, interface_name);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// NL80211_CMD_SET_INTERFACE: change the type of interface ifindex to iftype.
// Returns netlink_send_ext's result. The empty `if (err < 0) { }` is
// presumably a stripped debug-output slot left by the generator.
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
	if (err < 0) {
	}
	return err;
}

// NL80211_CMD_JOIN_IBSS on ifindex with props: SSID, frequency, optional MAC
// (ETH_ALEN bytes) and the fixed-frequency flag. Returns netlink_send_ext's
// result. props->ssid_len is passed to netlink_attr unchecked.
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	// The call's argument list continues on the next line of the listing.
	int err = netlink_send_ext(nlmsg,
sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 
// One completion-queue entry as the shared ring stores it (16 bytes, which is
// what SIZEOF_IO_URING_CQE assumes).
struct io_uring_cqe {
	uint64_t user_data; // tag echoed from the SQE; syz_io_uring_complete keys on it
	uint32_t res; // operation result
	uint32_t flags;
};
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2)
{
	// Append one 64-byte SQE to the submission ring.
	//   a0: ring mapping, a1: SQE array mapping, a2: SQE bytes to copy
	// Always returns 0; the tail is advanced without checking the head, so
	// overfilling the ring is the caller's problem.
	char* ring = (char*)a0;
	char* sqes = (char*)a1;
	const char* src = (const char*)a2;

	uint32_t* tail_ptr = (uint32_t*)(ring + SQ_TAIL_OFFSET);
	uint32_t mask = *(uint32_t*)(ring + SQ_RING_MASK_OFFSET);
	uint32_t tail = *tail_ptr;

	memcpy(sqes + (tail & mask) * SIZEOF_IO_URING_SQE, src, SIZEOF_IO_URING_SQE);
	// Publish the new tail only after the SQE bytes are in place.
	__atomic_store_n(tail_ptr, tail + 1, __ATOMIC_RELEASE);
	return 0;
}
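static char* read_btf_vmlinux()
{
	// Load /sys/kernel/btf/vmlinux into a process-wide static buffer once and
	// return it; later calls return the cached copy. Returns NULL if the file
	// cannot be opened, a read fails, or the image does not fit in
	// VMLINUX_MAX_SUPPORT_SIZE. The descriptor is closed on every path (the
	// original leaked it on success and on every failure after open).
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;

	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;

	size_t total = 0;
	bool complete = false;
	for (;;) {
		ssize_t ret = read(fd, buf + total, VMLINUX_MAX_SUPPORT_SIZE - total);
		if (ret < 0)
			break;
		if (ret == 0) {
			complete = true; // EOF before the buffer filled up
			break;
		}
		total += (size_t)ret;
		// Buffer full without seeing EOF: the image may be larger than we
		// support, so refuse to hand out a possibly truncated copy.
		if (total == VMLINUX_MAX_SUPPORT_SIZE)
			break;
	}
	close(fd);
	if (!complete)
		return NULL;
	is_read = true;
	return buf;
}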
static long syz_create_resource(volatile long val)
{
	// Identity: the value passed in is returned as the resource handle.
	long handle = val;
	return handle;
}
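static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	// Build `index` from a raw blob holding a device descriptor immediately
	// followed by a configuration descriptor and its interface/endpoint
	// descriptors. Returns false only if the blob cannot hold those two
	// leading descriptors; otherwise true, with the walk over the trailing
	// list stopping silently at the first descriptor whose length does not
	// fit (the blob is fuzzer-supplied and need not be well-formed).
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;

	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;

	// Generic descriptor walk: byte 0 is bLength, byte 1 is bDescriptorType.
	size_t offset = 0;
	for (;;) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = (uint8_t)buffer[offset];
		uint8_t desc_type = (uint8_t)buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;

		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			// Only record an interface descriptor long enough to hold the
			// fields read below; with a shorter bLength those reads would
			// run past the descriptor (and, at the end, past the buffer).
			if (desc_length >= sizeof(struct usb_interface_descriptor)) {
				struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
				struct usb_iface_index* slot = &index->ifaces[index->ifaces_num];
				slot->iface = iface;
				slot->bInterfaceNumber = iface->bInterfaceNumber;
				slot->bAlternateSetting = iface->bAlternateSetting;
				slot->bInterfaceClass = iface->bInterfaceClass;
				index->ifaces_num++;
			}
		}
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				// Copy only the bytes the descriptor actually has; the struct
				// may be larger than a short endpoint descriptor, and the
				// remainder stays zero instead of being read from past it.
				struct usb_endpoint_descriptor* dst = &iface->eps[iface->eps_num].desc;
				size_t copy = desc_length < sizeof(*dst) ? desc_length : sizeof(*dst);
				memset(dst, 0, sizeof(*dst));
				memcpy(dst, buffer + offset, copy);
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}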
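static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	// Answer a device-to-host (IN) control request during enumeration.
	// `descs` may be NULL: then only the descriptors parsed from the device
	// blob plus the built-in string and qualifier defaults are available.
	// `qual` is caller-owned scratch used when no qualifier was supplied.
	// On success sets *response_data/*response_length and returns true;
	// returns false (the caller stalls ep0) for any request it cannot serve.
	// Only standard GET_DESCRIPTOR requests are handled.
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return false;
	if ((ctrl->bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD)
		return false;
	if (ctrl->bRequest != USB_REQ_GET_DESCRIPTOR)
		return false;

	switch (ctrl->wValue >> 8) {
	case USB_DT_DEVICE:
		*response_data = (char*)index->dev;
		*response_length = sizeof(*index->dev);
		return true;
	case USB_DT_CONFIG:
		*response_data = (char*)index->config;
		*response_length = index->config_length;
		return true;
	case USB_DT_STRING: {
		uint8_t str_idx = (uint8_t)ctrl->wValue;
		if (descs && str_idx < descs->strs_len) {
			*response_data = descs->strs[str_idx].str;
			*response_length = descs->strs[str_idx].len;
			return true;
		}
		if (str_idx == 0) {
			// Index 0 is answered with the built-in language id table.
			*response_data = (char*)&default_lang_id[0];
			*response_length = default_lang_id[0];
			return true;
		}
		*response_data = (char*)&default_string[0];
		*response_length = default_string[0];
		return true;
	}
	case USB_DT_BOS:
		// The STRING case tolerates a NULL `descs`; BOS and the qualifier
		// below dereferenced it unconditionally. Stall instead of crashing
		// when no connect descriptors were supplied.
		if (!descs)
			return false;
		*response_data = descs->bos;
		*response_length = descs->bos_len;
		return true;
	case USB_DT_DEVICE_QUALIFIER:
		if (!descs || !descs->qual) {
			// No qualifier supplied: synthesize one from the device descriptor.
			qual->bLength = sizeof(*qual);
			qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
			qual->bcdUSB = index->dev->bcdUSB;
			qual->bDeviceClass = index->dev->bDeviceClass;
			qual->bDeviceSubClass = index->dev->bDeviceSubClass;
			qual->bDeviceProtocol = index->dev->bDeviceProtocol;
			qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
			qual->bNumConfigurations = index->dev->bNumConfigurations;
			qual->bRESERVED = 0;
			*response_data = (char*)qual;
			*response_length = sizeof(*qual);
			return true;
		}
		*response_data = descs->qual;
		*response_length = descs->qual_len;
		return true;
	default:
		return false;
	}
}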
uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { 
static int usb_raw_open()
{
	// Open the raw-gadget control device read-write; returns the fd, or -1
	// from open(2).
	const char* path = "/dev/raw-gadget";
	return open(path, O_RDWR);
}
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	// Report the configured VBUS draw `power` (USB_RAW_IOCTL_VBUS_DRAW).
	// Returns the ioctl result.
	int rc = ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
	return rc;
}
static int configure_device(int fd)
{
	// Finish SET_CONFIGURATION on the gadget side: report bMaxPower as the
	// VBUS draw, configure the gadget, then activate interface 0.
	// Returns 0 on success, -1 for an unknown fd, otherwise the result of the
	// ioctl that failed.
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv >= 0)
		rv = usb_raw_configure(fd);
	if (rv < 0)
		return rv;
	set_interface(fd, 0);
	return 0;
}
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	// Connect a generic emulated USB device: a0 speed, a1 descriptor blob
	// length, a2 blob pointer, a3 optional vusb_connect_descriptors (may be
	// NULL). Returns syz_usb_connect_impl's result (the fd or a negative
	// value), using the generic OUT-request policy.
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl((uint64_t)a0, (uint64_t)a1, dev, descs, &lookup_connect_response_out_generic);
}
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	// Send data on a non-control endpoint.
	//   a0: raw-gadget fd, a1: bEndpointAddress, a2: byte count, a3: data
	// Payloads longer than the staging buffer are truncated to it. Returns 0,
	// -1 if the endpoint is not enabled on the active interface, or the
	// negative ioctl result.
	int fd = a0;
	uint8_t ep_addr = a1;
	uint32_t len = a2;
	const char* data = (const char*)a3;

	int handle = lookup_endpoint(fd, ep_addr);
	if (handle < 0)
		return -1;

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = handle;
	io_data.inner.flags = 0;
	io_data.inner.length = len > sizeof(io_data.data) ? sizeof(io_data.data) : len;
	memcpy(&io_data.data[0], data, io_data.inner.length);

	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;
	sleep_ms(200);
	return 0;
}
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long 
name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. 
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
// Minimal inflate (raw deflate) decoder used to unpack embedded images
// without a zlib dependency. Running out of input is reported by longjmp to
// puff_state.env; every other failure is a return code (see puff()).
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
struct puff_state {
  unsigned char* out;    // output buffer; only non-zero bytes are stored,
                         // so it must be zero-filled by the caller
  unsigned long outlen;  // capacity of out
  unsigned long outcnt;  // bytes produced so far
  const unsigned char* in;  // compressed input
  unsigned long inlen;      // length of in
  unsigned long incnt;      // bytes consumed so far
  int bitbuf;  // bit accumulator, LSB is the next bit
  int bitcnt;  // number of valid bits in bitbuf
  jmp_buf env; // longjmp target taken when the input runs out
};
// Return the next `need` bits of the stream, least-significant bit first.
// Callers in this file ask for at most 13 bits, so the long accumulator
// never overflows. Longjmps to s->env if the input is exhausted.
static int puff_bits(struct puff_state* s, int need)
{
  long val = s->bitbuf;
  while (s->bitcnt < need) {
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    val |= (long)(s->in[s->incnt++]) << s->bitcnt;
    s->bitcnt += 8;
  }
  // Keep the unconsumed high bits for the next call.
  s->bitbuf = (int)(val >> need);
  s->bitcnt -= need;
  return (int)(val & ((1L << need) - 1));
}
// Copy a stored (uncompressed) block. The block starts at the next byte
// boundary with a 16-bit LEN followed by its one's complement NLEN.
// Returns 0 on success, 2 if the header or the LEN bytes do not fit in the
// input, -2 if NLEN does not match LEN, 1 if the output buffer is full.
static int puff_stored(struct puff_state* s)
{
  // Discard the remaining bits of the current byte.
  s->bitbuf = 0;
  s->bitcnt = 0;
  if (s->incnt + 4 > s->inlen)
    return 2;
  unsigned len = s->in[s->incnt++];
  len |= s->in[s->incnt++] << 8;
  if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
    return -2;
  // Both bounds are checked before any byte is written.
  if (s->incnt + len > s->inlen)
    return 2;
  if (s->outcnt + len > s->outlen)
    return 1;
  for (; len--; s->outcnt++, s->incnt++) {
    // Zero bytes are skipped: the destination is assumed pre-zeroed.
    if (s->in[s->incnt])
      s->out[s->outcnt] = s->in[s->incnt];
  }
  return 0;
}
// Canonical Huffman code: count[len] is the number of codes of each bit
// length (index 0 unused for decoding), symbol[] lists the symbols ordered
// by code.
struct puff_huffman {
  short* count;
  short* symbol;
};
// Decode one symbol from the stream using h, one bit at a time.
// Returns the symbol, or -10 if the bits do not form a valid code within
// MAXBITS. Longjmps to s->env if the input is exhausted.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
  int first = 0;
  int index = 0;
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;
  int code = first = index = 0; // re-initialisation kept from upstream
  int len = 1;
  short* next = h->count + 1;
  while (1) {
    // Consume the bits already buffered; `first` is the first code of the
    // current length, `index` the offset of that length's symbols.
    while (left--) {
      code |= bitbuf & 1;
      bitbuf >>= 1;
      int count = *next++;
      if (code - count < first) {
        s->bitbuf = bitbuf;
        // bitcnt only tracks the position within the current byte.
        s->bitcnt = (s->bitcnt - len) & 7;
        return h->symbol[index + (code - first)];
      }
      index += count;
      first += count;
      first <<= 1;
      code <<= 1;
      len++;
    }
    left = (MAXBITS + 1) - len;
    if (left == 0)
      break;
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    bitbuf = s->in[s->incnt++];
    if (left > 8)
      left = 8;
  }
  return -10;
}
// Build the canonical code for n symbols whose bit lengths are in length[].
// Returns 0 for a complete code, a positive count of unused codes for an
// incomplete code, or a negative value if the lengths are over-subscribed.
// h->count and h->symbol must already point at storage for MAXBITS + 1 and
// n entries respectively.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
  int len;
  for (len = 0; len <= MAXBITS; len++)
    h->count[len] = 0;
  int symbol;
  for (symbol = 0; symbol < n; symbol++)
    (h->count[length[symbol]])++;
  // Every length is zero: no codes at all, treated as complete.
  if (h->count[0] == n)
    return 0;
  // Check the Kraft inequality one length at a time.
  int left = 1;
  for (len = 1; len <= MAXBITS; len++) {
    left <<= 1;
    left -= h->count[len];
    if (left < 0)
      return left;
  }
  // offs[len] = index in symbol[] of the first symbol of that length.
  short offs[MAXBITS + 1];
  offs[1] = 0;
  for (len = 1; len < MAXBITS; len++)
    offs[len + 1] = offs[len] + h->count[len];
  for (symbol = 0; symbol < n; symbol++)
    if (length[symbol] != 0)
      h->symbol[offs[length[symbol]]++] = symbol;
  return left;
}
// Decode literal/length and distance codes until the end-of-block symbol.
// Returns 0 at end of block, 1 if the output buffer is full, -10 for an
// invalid length symbol, -11 for a distance reaching before the start of
// the output, or the error from puff_decode().
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
  // Base values and extra-bit counts for length symbols 257..285 and
  // distance symbols 0..29.
  static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
  static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
    symbol = puff_decode(s, lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 256) {
      // Literal byte; zero bytes are skipped (destination pre-zeroed).
      if (s->outcnt == s->outlen)
        return 1;
      if (symbol)
        s->out[s->outcnt] = symbol;
      s->outcnt++;
    } else if (symbol > 256) {
      // Length/distance pair: a back-reference into the output produced so
      // far.
      symbol -= 257;
      if (symbol >= 29)
        return -10;
      int len = lens[symbol] + puff_bits(s, lext[symbol]);
      symbol = puff_decode(s, distcode);
      if (symbol < 0)
        return symbol;
      unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
      // Reject references before the start of the buffer and copies past
      // its end before touching memory.
      if (dist > s->outcnt)
        return -11;
      if (s->outcnt + len > s->outlen)
        return 1;
      // Byte-wise copy so an overlapping reference (dist < len) repeats
      // the pattern, as the format requires.
      while (len--) {
        if (dist <= s->outcnt && s->out[s->outcnt - dist])
          s->out[s->outcnt] = s->out[s->outcnt - dist];
        s->outcnt++;
      }
    }
  } while (symbol != 256);
  return 0;
}
// Decode a block compressed with the fixed Huffman codes (block type 1).
// The tables are built on first use and kept in static storage; this makes
// the function not safe to call from several threads concurrently.
static int puff_fixed(struct puff_state* s)
{
  static int virgin = 1;
  static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  static struct puff_huffman lencode, distcode;
  if (virgin) {
    lencode.count = lencnt;
    lencode.symbol = lensym;
    distcode.count = distcnt;
    distcode.symbol = distsym;
    // Literal/length lengths: 8 for 0..143, 9 for 144..255, 7 for
    // 256..279, 8 for 280..287; all distance codes are 5 bits.
    short lengths[FIXLCODES];
    int symbol;
    for (symbol = 0; symbol < 144; symbol++)
      lengths[symbol] = 8;
    for (; symbol < 256; symbol++)
      lengths[symbol] = 9;
    for (; symbol < 280; symbol++)
      lengths[symbol] = 7;
    for (; symbol < FIXLCODES; symbol++)
      lengths[symbol] = 8;
    // Return values ignored: these tables are fixed by the format, not
    // derived from the stream.
    puff_construct(&lencode, lengths, FIXLCODES);
    for (symbol = 0; symbol < MAXDCODES; symbol++)
      lengths[symbol] = 5;
    puff_construct(&distcode, lengths, MAXDCODES);
    virgin = 0;
  }
  return puff_codes(s, &lencode, &distcode);
}
// Decode a block with dynamic Huffman codes (block type 2): read the code
// length code, use it to read the literal/length and distance code lengths,
// then decode the block. Negative returns are format errors: -3 bad code
// counts, -4 bad code length code, -5 repeat with no previous length,
// -6 repeat overruns the lengths, -9 no end-of-block code, -7 bad
// literal/length code, -8 bad distance code.
static int puff_dynamic(struct puff_state* s)
{
  // Order in which code length code lengths appear in the stream.
  static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  int ncode = puff_bits(s, 4) + 4;
  if (nlen > MAXLCODES || ndist > MAXDCODES)
    return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
    lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
    lengths[order[index]] = 0;
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
    return -4;
  // Read the nlen + ndist code lengths; symbols 16..18 are run-length
  // repeats (previous length, zeros, many zeros).
  index = 0;
  while (index < nlen + ndist) {
    int symbol;
    int len;
    symbol = puff_decode(s, &lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 16)
      lengths[index++] = symbol;
    else {
      len = 0;
      if (symbol == 16) {
        if (index == 0)
          return -5;
        len = lengths[index - 1];
        symbol = 3 + puff_bits(s, 2);
      } else if (symbol == 17)
        symbol = 3 + puff_bits(s, 3);
      else
        symbol = 11 + puff_bits(s, 7);
      if (index + symbol > nlen + ndist)
        return -6;
      while (symbol--)
        lengths[index++] = len;
    }
  }
  if (lengths[256] == 0)
    return -9;
  // An incomplete literal/length code is tolerated only if it consists of
  // a single one-bit code (every other length is zero).
  err = puff_construct(&lencode, lengths, nlen);
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
    return -7;
  short
distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  // Same tolerance for the distance code: incomplete only if it is a
  // single one-bit code.
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
    return -8;
  return puff_codes(s, &lencode, &distcode);
}
// Inflate a raw deflate stream.
//   dest/destlen: output buffer and its capacity; *destlen is updated to the
//                 number of bytes produced, on error as well.
//   source/sourcelen: compressed input.
// Returns 0 on success, 1 if the output buffer filled up, 2 if the input
// ran out (delivered via longjmp from the bit readers), -1 for an invalid
// block type, or the negative format error from the block decoders.
// Bytes after the final block are ignored.
static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen)
{
  struct puff_state s = {
      .out = dest,
      .outlen = *destlen,
      .outcnt = 0,
      .in = source,
      .inlen = sourcelen,
      .incnt = 0,
      .bitbuf = 0,
      .bitcnt = 0,
  };
  int err;
  if (setjmp(s.env) != 0)
    err = 2;
  else {
    int last;
    do {
      // Block header: 1 bit BFINAL, then 2 bits BTYPE.
      last = puff_bits(&s, 1);
      int type = puff_bits(&s, 2);
      err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1));
      if (err != 0)
        break;
    } while (!last);
  }
  *destlen = s.outcnt;
  return err;
}
//% END CODE DERIVED FROM puff.{c,h}
#define ZLIB_HEADER_WIDTH 2
// Decompress a zlib-wrapped image into dest_fd.
// Only the 2-byte zlib header is skipped; the Adler-32 trailer is not
// verified, since puff() stops after the final block. Output is capped at
// 132 MiB. The anonymous mapping is zero-filled, which is what lets the
// decoder store only non-zero bytes.
// Returns 0 on success (including an input too short to hold a header) and
// -1 on failure. On a decode error errno is set to the negated puff() code,
// which is not a real errno value and is only meaningful as "failed".
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
  if (sourcelen < ZLIB_HEADER_WIDTH)
    return 0;
  source += ZLIB_HEADER_WIDTH;
  sourcelen -= ZLIB_HEADER_WIDTH;
  const unsigned long max_destlen = 132 << 20;
  void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
  if (ret == MAP_FAILED)
    return -1;
  unsigned char* dest = (unsigned char*)ret;
  unsigned long destlen = max_destlen;
  int err = puff(dest, &destlen, source, sourcelen);
  if (err) {
    munmap(dest, max_destlen);
    errno = -err;
    return -1;
  }
  // A short write is treated as a failure rather than retried.
  if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
    munmap(dest, max_destlen);
    return -1;
  }
  return munmap(dest, max_destlen);
}
// Decompress `data` (size bytes, zlib format) into a memfd and attach it to
// the loop device `loopname`. On success *loopfd_p receives the open loop
// device fd and 0 is returned; on failure -1 is returned with errno set to
// the first error encountered. Resources acquired so far are released on
// every error path via the labels at the end.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
  int err = 0, loopfd = -1;
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (puff_zlib_to_file(data, size, memfd)) {
    err = errno;
    goto error_close_memfd;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    // A previous image may still be attached: detach it and retry once
    // after a short pause.
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
    }
  }
  // Closing memfd here relies on the loop device holding its own reference
  // to the backing file once LOOP_SET_FD has succeeded.
  close(memfd);
  *loopfd_p = loopfd;
  return 0;
error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return -1;
}
// Best-effort detach of the backing file from the loop device `loopname`.
// Failures are ignored.
static void reset_loop_device(const char* loopname)
{
  int loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    return;
  }
  if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
  }
  close(loopfd);
}
// Mount a filesystem image.
//   fsarg:   pointer to the filesystem type string.
//   dir:     pointer to the mount point path (created with mkdir if absent).
//   flags:   mount flags.
//   optsarg: pointer to the mount options string.
//   change_dir: if non-zero, chdir() into the mount point afterwards.
//   size/image: length and address of the zlib-compressed image; size 0
//               means no image, so mount() is called with a NULL source.
// With an image, the image is decompressed onto /dev/loop<procid> and that
// device is used as the mount source. The loop device is detached again
// before returning (the mount keeps its own reference). Returns an fd of the
// mounted directory on success, or -1 with errno from the failing step.
// The volatile parameters follow the convention of the other syz_* helpers
// in this file — presumably to keep the compiler from folding the constant
// arguments; they are not needed for correctness.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image)
{
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    int loopfd;
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(data, size, loopname, &loopfd) == -1)
      return -1;
    // The fd is not needed once the image is attached; the device path is
    // passed to mount() instead.
    close(loopfd);
    source = loopname;
  }
  // Return value deliberately ignored: an existing directory is fine, any
  // other failure surfaces from mount() below.
  mkdir(target, 0777);
  char opts[256];
  memset(opts, 0, sizeof(opts));
  // No-op branch; presumably a debug hook that was stripped when this
  // reproducer was generated.
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  // Copy at most sizeof(opts) - 32 bytes so the longest suffix appended
  // below (16 bytes) still fits, and the memset above guarantees the
  // result stays NUL-terminated even when strncpy truncates.
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    // Accept errors=remount-ro only as a whole option (delimited by the
    // start of the string or a comma on both sides).
    bool has_remount_ro = false;
    char* remount_ro_start = strstr(opts, "errors=remount-ro");
    if (remount_ro_start != NULL) {
      char after = *(remount_ro_start + strlen("errors=remount-ro"));
      char before = remount_ro_start == opts ?
'\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define 
X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_PT_POOL 0x5000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x70000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x200000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define 
X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 8) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define 
X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define 
X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define 
VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 
0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define 
VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) 
// Remaining AMD SVM segment attribute bits (the G and DB bits are defined
// just above) and the composite attributes used for 64-bit code and data
// segments.
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)
// Immediate in AT&T assembler syntax (the leading $), so usable only inside
// inline asm.
#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d
// Guest memory layout parameters for the KVM-based guest.
#define KVM_MAX_VCPU 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
// 64-bit mask with bits l..h (inclusive) set; h must be <= 63 and l <= h.
#define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))
extern char* __start_guest;
// Translate the host address of a function in the "guest" section into the
// address it has inside the guest, where that section is loaded at
// SYZOS_ADDR_EXECUTOR_CODE. The volatile locals are presumably there to
// keep the compiler from folding the computation — confirm against the
// original source.
static inline uintptr_t executor_fn_guest_addr(void* fn)
{
  volatile uintptr_t start = (uintptr_t)&__start_guest;
  volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
  return (uintptr_t)fn - start + offset;
}
// Command identifiers understood by guest_main(). Values are grouped by
// hundreds (basic, MSR/CR/port access, IRQ, nested virtualization);
// SYZOS_API_STOP and anything above it ends command processing.
typedef enum {
  SYZOS_API_UEXIT = 0,
  SYZOS_API_CODE = 10,
  SYZOS_API_CPUID = 100,
  SYZOS_API_WRMSR = 101,
  SYZOS_API_RDMSR = 102,
  SYZOS_API_WR_CRN = 103,
  SYZOS_API_WR_DRN = 104,
  SYZOS_API_IN_DX = 105,
  SYZOS_API_OUT_DX = 106,
  SYZOS_API_SET_IRQ_HANDLER = 200,
  SYZOS_API_ENABLE_NESTED = 300,
  SYZOS_API_NESTED_CREATE_VM = 301,
  SYZOS_API_NESTED_LOAD_CODE = 302,
  SYZOS_API_NESTED_VMLAUNCH = 303,
  SYZOS_API_NESTED_VMRESUME = 304,
  SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
  SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
  SYZOS_API_NESTED_AMD_INVLPGA = 381,
  SYZOS_API_NESTED_AMD_STGI = 382,
  SYZOS_API_NESTED_AMD_CLGI = 383,
  SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
  SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385,
  SYZOS_API_NESTED_AMD_VMLOAD = 386,
  SYZOS_API_NESTED_AMD_VMSAVE = 387,
  SYZOS_API_STOP,
} syzos_api_id;
// Every command starts with this header. `size` is the total size of the
// command including the header (guest_main subtracts the header size to get
// the payload length).
struct api_call_header {
  uint64_t call;
  uint64_t size;
};
struct api_call_uexit {
  struct api_call_header header;
  uint64_t exit_code;
};
// Raw instruction bytes follow the header; the length is derived from
// header.size.
struct api_call_code {
  struct api_call_header header;
  uint8_t insns[];
};
struct api_call_nested_load_code {
  struct api_call_header header;
  uint64_t vm_id;
  uint8_t insns[];
};
struct api_call_cpuid {
  struct api_call_header header;
  uint32_t eax;
  uint32_t ecx;
};
// Generic fixed-arity argument blocks; the meaning of each argument depends
// on the command.
struct api_call_1 {
  struct api_call_header header;
  uint64_t arg;
};
struct api_call_2 {
  struct api_call_header header;
  uint64_t args[2];
};
struct api_call_3 {
  struct api_call_header header;
  uint64_t args[3];
};
struct api_call_5 {
  struct api_call_header header;
  uint64_t args[5];
};
// General-purpose register snapshot of the nested (L2) guest handed to the
// Intel VM-exit handler.
struct l2_guest_regs {
  uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp;
  uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
};
// Forward declarations of the guest-side command handlers. All of them live
// in the "guest" section (GUEST_CODE) and run inside the VM.
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_stgi();
GUEST_CODE static void guest_handle_nested_amd_clgi();
GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id);
// Exit codes passed to guest_uexit(); UEXIT_IRQ matches the $-2 loaded by
// uexit_irq_handler below.
typedef enum {
  UEXIT_END = (uint64_t)-1,
  UEXIT_IRQ = (uint64_t)-2,
  UEXIT_ASSERT = (uint64_t)-3,
} uexit_code;
typedef enum {
  CPU_VENDOR_INTEL,
  CPU_VENDOR_AMD,
} cpu_vendor_id;
// Interrupt handler stub that returns without doing anything. `naked`: no
// prologue/epilogue, so the body must be pure asm.
__attribute__((naked)) GUEST_CODE static void dummy_null_handler()
{
  asm("iretq");
}
// Interrupt handler that reports the interrupt to the host as UEXIT_IRQ
// and then returns from the interrupt.
// NOTE(review): the raw-string asm below appears to have lost its line
// breaks; each mnemonic needs its own line (or a ';' separator) for the
// assembler — confirm against the original source.
__attribute__((naked)) GUEST_CODE static void uexit_irq_handler()
{
  asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )");
}
__attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu)
{
  uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;
  while (size >= sizeof(struct api_call_header)) {
    struct api_call_header* cmd = (struct api_call_header*)addr;
    if (cmd->call >= SYZOS_API_STOP)
      return;
    if (cmd->size > size)
      return;
    volatile uint64_t call = cmd->call;
    if (call == SYZOS_API_UEXIT) {
      struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
      guest_uexit(ucmd->exit_code);
    } else if (call == SYZOS_API_CODE) {
      struct api_call_code* ccmd = (struct api_call_code*)cmd;
      guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
    } else if (call == SYZOS_API_CPUID) {
      struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
      guest_handle_cpuid(ccmd->eax, ccmd->ecx);
    } else if (call == SYZOS_API_WRMSR) {
      struct api_call_2* ccmd = (struct api_call_2*)cmd;
guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { 
guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit((uint64_t)-1); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; *ptr = exit_code; } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, 
%%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); 
idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) 
guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static 
// SYZOS_API_ENABLE_NESTED: turn on VMX or SVM depending on the CPU vendor.
// cmd carries no arguments that are used here.
noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_enable_vmx_intel(cpu_id);
    } else {
        nested_enable_svm_amd(cpu_id);
    }
}

// Build a 4-level identity page table for the L2 guest (used as EPT on Intel
// and NPT on AMD) in four consecutive pages starting at the VM's page-table
// area: PML4 -> PDPT -> PD -> one PT mapping the first 512 * 4 KiB.
// The VM's MSR bitmap page is zeroed here as well. The leaf flags differ per
// vendor (EPT memtype/accessed/dirty vs. legacy accessed/dirty bits).
GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    uint64_t l2_pdpt_addr = l2_pml4_addr + KVM_PAGE_SIZE;
    uint64_t l2_pd_addr = l2_pml4_addr + 2 * KVM_PAGE_SIZE;
    uint64_t l2_pt_addr = l2_pml4_addr + 3 * KVM_PAGE_SIZE;
    volatile uint64_t* pml4 = (volatile uint64_t*)l2_pml4_addr;
    volatile uint64_t* pdpt = (volatile uint64_t*)l2_pdpt_addr;
    volatile uint64_t* pd = (volatile uint64_t*)l2_pd_addr;
    volatile uint64_t* pt = (volatile uint64_t*)l2_pt_addr;
    guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_pdpt_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_pd_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_pt_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id), 0, KVM_PAGE_SIZE);
    uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    pml4[0] = l2_pdpt_addr | flags;
    pdpt[0] = l2_pd_addr | flags;
    pd[0] = l2_pt_addr | flags;
    uint64_t pt_flags = flags;
    if (vendor == CPU_VENDOR_INTEL) {
        pt_flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY;
    } else {
        pt_flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY;
    }
    // Identity map: guest-physical page i -> host page i.
    for (int i = 0; i < 512; i++)
        pt[i] = (i * KVM_PAGE_SIZE) | pt_flags;
}

// Program the VMCS execution/exit/entry controls for the L2 VM. Each control
// starts from the "allowed" settings reported by the corresponding VMX MSR and
// adds EPT, RDTSCP, secondary controls, HLT/RDTSC exiting, 64-bit host and
// IA-32e guest entry. The EPTP uses memtype 6 (WB) and page-walk length 4.
// Only #UD (vector 6) is intercepted via the exception bitmap.
GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS);
    vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
    vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2);
    vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP;
    vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS);
    vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
    vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING;
    vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS);
    vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS);
    vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE);
    uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3);
    vmwrite(VMCS_EPT_POINTER, eptp);
    vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0);
    vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0);
    vmwrite(VMCS_CR0_READ_SHADOW, read_cr0());
    vmwrite(VMCS_CR4_READ_SHADOW, read_cr4());
    vmwrite(VMCS_MSR_BITMAP, 0);
    vmwrite(VMCS_VMREAD_BITMAP, 0);
    vmwrite(VMCS_VMWRITE_BITMAP, 0);
    vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6));
    vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0);
    vmwrite(VMCS_POSTED_INTR_NV, 0);
    vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0);
    vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1);
    vmwrite(VMCS_CR3_TARGET_COUNT, 0);
    vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0);
    vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0);
    vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0);
    vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0);
    vmwrite(VMCS_TPR_THRESHOLD, 0);
}

// Vendor-neutral L2 exit reasons reported to the host by guest_uexit_l2().
typedef enum {
    SYZOS_NESTED_EXIT_REASON_HLT = 1,
    SYZOS_NESTED_EXIT_REASON_INVD = 2,
    SYZOS_NESTED_EXIT_REASON_CPUID = 3,
    SYZOS_NESTED_EXIT_REASON_RDTSC = 4,
    SYZOS_NESTED_EXIT_REASON_RDTSCP = 5,
    SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF,
} syz_nested_exit_reason;

// Report an L2 exit to the host. Known reasons go out as 0xe2e2xxxx; unknown
// ones carry the raw vendor code under 0xe211xxxx (Intel) or 0xe2aaxxxx (AMD).
GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor)
{
    if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) {
        guest_uexit(0xe2e20000 | mapped_reason);
    } else if (vendor == CPU_VENDOR_INTEL) {
        guest_uexit(0xe2110000 | exit_reason);
    } else {
        guest_uexit(0xe2aa0000 | exit_reason);
    }
}

// Intel basic VM-exit reason codes handled below.
#define EXIT_REASON_CPUID 0xa
#define EXIT_REASON_HLT 0xc
#define EXIT_REASON_INVD 0xd
#define EXIT_REASON_RDTSC 0x10
#define EXIT_REASON_RDTSCP 0x33

// Map an Intel basic exit reason onto the vendor-neutral enum.
GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason)
{
    volatile uint64_t reason = basic_reason;
    if (reason == EXIT_REASON_HLT)
        return SYZOS_NESTED_EXIT_REASON_HLT;
    if (reason == EXIT_REASON_INVD)
        return SYZOS_NESTED_EXIT_REASON_INVD;
    if (reason == EXIT_REASON_CPUID)
        return SYZOS_NESTED_EXIT_REASON_CPUID;
    if (reason == EXIT_REASON_RDTSC)
        return SYZOS_NESTED_EXIT_REASON_RDTSC;
    if (reason == EXIT_REASON_RDTSCP)
        return SYZOS_NESTED_EXIT_REASON_RDTSCP;
    return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Skip the instruction that caused the exit: INVD/CPUID/RDTSC are 2 bytes,
// RDTSCP is 3. HLT and unknown reasons leave RIP unchanged.
GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason)
{
    volatile uint64_t reason = basic_reason;
    uint64_t rip = vmread(VMCS_GUEST_RIP);
    if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) {
        rip += 2;
    } else if (reason == EXIT_REASON_RDTSCP) {
        rip += 3;
    }
    vmwrite(VMCS_GUEST_RIP, rip);
}

// C part of the Intel VM-exit path: report the exit and advance L2 RIP.
// regs (the pushed L2 GPRs) is currently unused.
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs)
{
    uint64_t basic_reason = exit_reason & 0xFFFF;
    syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason);
    guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
    advance_l2_rip_intel(basic_reason);
}

// Label emitted inside guest_handle_nested_vmentry_intel() right after the
// VMLAUNCH/VMRESUME; the exit stub jumps back here.
extern char after_vmentry_label;

// VMCS host RIP target: save the L2 GPRs in l2_guest_regs order, pass the
// exit reason and the register snapshot to the C handler, then resume the
// host-side code after the vmentry instruction. The host RSP restored by the
// CPU is the one captured in init_vmcs_host_state().
__attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void)
{
    asm volatile(R"( push %%rax push %%rbx push %%rcx push %%rdx push %%rsi push %%rdi push %%rbp push %%r8 push %%r9 push %%r10 push %%r11 push %%r12 push %%r13 push %%r14 push %%r15 mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[stack_cleanup_size], %%rsp jmp after_vmentry_label )"
                 :
                 : [stack_cleanup_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON)
                 : "memory", "cc", "rbx", "rdi", "rsi");
}

// AMD VMCB exit codes handled below.
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_RDTSCP 0x87

// Map an AMD exit code onto the vendor-neutral enum.
GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
    volatile uint64_t reason = basic_reason;
    if (reason == VMEXIT_HLT)
        return SYZOS_NESTED_EXIT_REASON_HLT;
    if (reason == VMEXIT_INVD)
        return SYZOS_NESTED_EXIT_REASON_INVD;
    if (reason == VMEXIT_CPUID)
        return SYZOS_NESTED_EXIT_REASON_CPUID;
    if (reason == VMEXIT_RDTSC)
        return SYZOS_NESTED_EXIT_REASON_RDTSC;
    if (reason == VMEXIT_RDTSCP)
        return SYZOS_NESTED_EXIT_REASON_RDTSCP;
    return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// AMD counterpart of advance_l2_rip_intel(), operating on the VMCB's saved RIP.
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
    volatile uint64_t reason = basic_reason;
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
    if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
        rip += 2;
    } else if (reason == VMEXIT_RDTSCP) {
        rip += 3;
    }
    vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

// Handle a #VMEXIT of the AMD L2 VM: report it and advance L2 RIP.
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, uint64_t cpu_id, uint64_t vm_id)
{
    volatile uint64_t basic_reason = exit_reason & 0xFFFF;
    syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
    guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
    advance_l2_rip_amd(basic_reason, cpu_id, vm_id);
}

// Fill the VMCS host-state area from the current (L1) state: selectors,
// descriptor-table bases, the current RSP as host RSP, the asm exit stub as
// host RIP, control registers and the MSRs VMX restores on exit.
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
    vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
    vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
    vmwrite(VMCS_HOST_TR_BASE, 0);
    vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
    vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
    vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
    vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
    // The RSP captured here is this function's own frame; the exit stub relies
    // on the C handler never needing anything above it.
    uint64_t tmpreg = 0;
    asm volatile("mov %%rsp, %0" : "=r"(tmpreg));
    vmwrite(VMCS_HOST_RSP, tmpreg);
    vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
    vmwrite(VMCS_HOST_CR0, read_cr0());
    vmwrite(VMCS_HOST_CR3, read_cr3());
    vmwrite(VMCS_HOST_CR4, read_cr4());
    vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
    vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
    vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
    vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
    vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
    vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

// Copy a host-state VMCS field into the matching guest-state field.
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))
// Write selector/base/limit/access-rights for guest segment SEG (expands to
// four statements; SEG is token-pasted into the VMCS_GUEST_* field names).
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

// Fill the VMCS guest-state area so L2 starts as a copy of L1's 64-bit
// environment: same selectors, CR0/CR3/CR4 and MSRs as the host state, RIP at
// the VM's code page and RSP at the top of its stack page.
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
    SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
    SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
    vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
    vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
    vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
    vmwrite(VMCS_GUEST_RIP, l2_code_addr);
    vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT);
    vmwrite(VMCS_GUEST_DR7, 0x400);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
    vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
    vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
    vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
    vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
    vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
    vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); // no shadow VMCS
    vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0);
    vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
    vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0);
    vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
    vmwrite(VMCS_GUEST_INTR_STATUS, 0);
    vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

// Create L2 VM cmd->arg on Intel: stamp the VMCS with the revision id, VMCLEAR
// it (failure -> 0xE2BAD1), make it current and initialise page tables,
// controls, host and guest state.
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint8_t error = 0;
    *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
    asm volatile("vmclear %1; setna %0"
                 : "=q"(error)
                 : "m"(vmcs_addr)
                 : "memory", "cc");
    if (error) {
        guest_uexit(0xE2BAD1);
        return;
    }
    nested_vmptrld(cpu_id, vm_id);
    setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id);
    init_vmcs_control_fields(cpu_id, vm_id);
    init_vmcs_host_state();
    init_vmcs_guest_state(cpu_id, vm_id);
}

// VMCB analogue of SETUP_L2_SEGMENT: selector, attributes, limit and base of
// guest segment SEG_NAME in the VMCB at VMBC_PTR (expands to four statements).
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

// Fill the VMCB of L2 VM vm_id: a 64-bit guest mirroring L1 (with CR0.WP
// forced on and EFER.SCE cleared), RIP at the VM's code page, RSP at the top
// of its stack page, the current GDT/IDT, all intercepts in vectors 3 and 4,
// nested paging enabled with N_CR3 at the VM's page-table area, ASID 1.
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, VMX_AR_TSS_AVAILABLE);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
    uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
    vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
    vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
    vmcb_write64(vmcb_addr, VMCB_GUEST_DEBUGCTL, 0);
    vmcb_write64(vmcb_addr, VMCB_GUEST_DR6, 0x0);
    vmcb_write64(vmcb_addr, VMCB_GUEST_DR7, 0x0);
    vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, efer & ~X86_EFER_SCE);
    vmcb_write64(vmcb_addr, VMCB_GUEST_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
    // Capture the live GDTR/IDTR via SGDT/SIDT (10-byte packed pseudo-descriptor).
    struct {
        uint16_t limit;
        uint64_t base;
    } __attribute__((packed)) gdtr, idtr;
    asm volatile("sgdt %0" : "=m"(gdtr));
    asm volatile("sidt %0" : "=m"(idtr));
    vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
    vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
    vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
    uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
    vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
    vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

// Create L2 VM cmd->arg on AMD: zero the VMCB and the per-CPU host-save area,
// then build nested page tables and the VMCB contents.
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
    setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id);
    init_vmcb_guest_state(cpu_id, vm_id);
}

// SYZOS_API_NESTED_CREATE_VM: vendor dispatch for VM creation.
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_create_vm_intel(cmd, cpu_id);
    } else {
        nested_create_vm_amd(cmd, cpu_id);
    }
}

// SYZOS_API_NESTED_LOAD_CODE: copy at most one page of cmd->insns into the
// VM's code page and reset its RIP/RSP so the next launch/resume starts there.
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->vm_id;
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    // NOTE(review): header.size below sizeof(header) + sizeof(vm_id) makes this
    // unsigned subtraction wrap; the clamp then copies a full KVM_PAGE_SIZE
    // from memory past the command rather than rejecting it — confirm the
    // host-side builder enforces the minimum size.
    uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t);
    if (l2_code_size > KVM_PAGE_SIZE)
        l2_code_size = KVM_PAGE_SIZE;
    guest_memcpy((void*)l2_code_addr, (void*)cmd->insns, l2_code_size);
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_vmptrld(cpu_id, vm_id);
        vmwrite(VMCS_GUEST_RIP, l2_code_addr);
        vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    } else {
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, l2_code_addr);
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    }
}

// Enter L2 VM vm_id on Intel with VMLAUNCH (is_launch) or VMRESUME. fail_flag
// captures CF|ZF, i.e. VMfailInvalid or VMfailValid. On a successful entry the
// CPU returns here only through the exit stub, which jumps to
// after_vmentry_label; that is why this function is __optnone (the label must
// stay in place and the locals must survive the detour). A failed entry reports
// 0xE2E1xxxx with the VM-instruction error in the low bits.
GUEST_CODE static noinline __optnone void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch)
{
    uint64_t vmx_error_code = 0;
    uint8_t fail_flag = 0;
    nested_vmptrld(cpu_id, vm_id);
    if (is_launch) {
        asm volatile(R"( vmlaunch setc %%al setz %%bl or %%bl, %%al)"
                     : "=a"(fail_flag)
                     :
                     : "rbx", "cc", "memory");
    } else {
        asm volatile(R"( vmresume setc %%al setz %%bl or %%bl, %%al)"
                     : "=a"(fail_flag)
                     :
                     : "rbx", "cc", "memory");
    }
    asm volatile(".globl after_vmentry_label\nafter_vmentry_label:");
    if (fail_flag) {
        vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
        guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
        return;
    }
}

// Run L2 VM vm_id on AMD with VMRUN. VMRUN returns here on #VMEXIT, so the
// exit code is read from the VMCB afterwards and handed to the AMD exit
// handler. A VMRUN that faults with CF set reports 0xE2E1FFFF.
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    volatile uint8_t* vmcb_ptr = (volatile uint8_t*)vmcb_addr;
    uint8_t fail_flag = 0;
    asm volatile(
        "mov %1, %%rax\n\t"
        "vmrun\n\t"
        "setc %0\n\t"
        : "=q"(fail_flag)
        : "m"(vmcb_addr)
        : "rax", "cc", "memory");
    if (fail_flag) {
        guest_uexit(0xE2E10000 | 0xFFFF);
        return;
    }
    uint64_t exit_reason = vmcb_read64(vmcb_ptr, VMCB_EXIT_CODE);
    nested_vm_exit_handler_amd(exit_reason, cpu_id, vm_id);
}

// SYZOS_API_NESTED_VMLAUNCH: first entry of VM cmd->arg (AMD has no
// launch/resume distinction; both map to VMRUN).
GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, true);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

// SYZOS_API_NESTED_VMRESUME: subsequent entry of VM cmd->arg.
GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, false);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

// SYZOS_API_NESTED_INTEL_VMWRITE_MASK (Intel only): read-modify-write VMCS
// field args[1] of VM args[0]: clear args[3], set args[2], then flip args[4].
// The field id is host-supplied and unvalidated; vmwrite() reports a bad field.
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_INTEL)
        return;
    uint64_t vm_id = cmd->args[0];
    nested_vmptrld(cpu_id, vm_id);
    uint64_t field = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmread(field);
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
    vmwrite(field, new_value);
}

// SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK (AMD only): same read-modify-write on
// the 64-bit VMCB word at byte offset args[1]. The offset is truncated to
// uint16_t by the accessors and not range-checked against the VMCB page.
GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t offset = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset);
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
    vmcb_write64(vmcb_addr, offset, new_value);
}

// SYZOS_API_NESTED_AMD_INVLPGA (AMD only): invalidate the TLB entry for linear
// address args[0] in ASID args[1].
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t linear_addr = cmd->args[0];
    uint32_t asid = (uint32_t)cmd->args[1];
    asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

// SYZOS_API_NESTED_AMD_STGI / CLGI (AMD only): set / clear the global
// interrupt flag.
GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    asm volatile("stgi" ::: "memory");
}

GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    asm volatile("clgi" ::: "memory");
}

// SYZOS_API_NESTED_AMD_INJECT_EVENT (AMD only): assemble an event-injection
// word for VM args[0] — vector args[1] (8 bits), type args[2] (3 bits at bit 8),
// error-code-valid (bit 11) if args[4] & 2, valid (bit 31) if args[4] & 1,
// error code args[3] in the high 32 bits — and store it at VMCB offset 0x60.
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t vector = cmd->args[1] & 0xFF;
    uint64_t type = cmd->args[2] & 0x7;
    uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
    uint64_t flags = cmd->args[4];
    uint64_t event_inj = vector;
    event_inj |= (type << 8);
    if (flags & 2)
        event_inj |= (1ULL << 11);
    if (flags & 1)
        event_inj |= (1ULL << 31);
    event_inj |= (error_code << 32);
    // NOTE(review): 0x60 is the only hard-coded VMCB offset in this file; the
    // other fields use VMCB_* constants. Confirm it is the intended control
    // field for this layout and give it a name alongside the others.
    vmcb_write64(vmcb_addr, 0x60, event_inj);
}

// SYZOS_API_NESTED_AMD_SET_INTERCEPT (AMD only): set (args[3] == 1) or clear
// the bits of args[2] in the 32-bit VMCB word at offset args[1].
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t offset = cmd->args[1];
    uint64_t bit_mask = cmd->args[2];
    uint64_t action = cmd->args[3];
    uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset);
    if (action == 1)
        current |= (uint32_t)bit_mask;
    else
        current &= ~((uint32_t)bit_mask);
    vmcb_write32(vmcb_addr, (uint16_t)offset, current);
}

// SYZOS_API_NESTED_AMD_VMLOAD / VMSAVE (AMD only): load / save the extra
// guest state (FS/GS/TR/LDTR, KernelGsBase, STAR family, SYSENTER MSRs) from /
// to the VMCB of VM cmd->arg.
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->arg;
    uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory");
}

GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->arg;
    uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory");
}

// Pre-assembled guest code blobs used by the (host-side) legacy KVM setup
// paths; the bytes are opaque here and referenced elsewhere in the file.
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb";
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm32_paged_vm86[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\
xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\
xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\
x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t 
sp1;
	uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

// 64-bit TSS image (104 bytes): RSP0-2, IST1-7 and the I/O-bitmap offset.
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint16_t reserved3;
	uint16_t io_bitmap;
} __attribute__((packed));

// Encode seg as a legacy 8-byte descriptor and store it at index selector>>3
// in both tables (dt = GDT, lt = LDT). The index is not checked against the
// table size, so callers must pass selectors that fit their tables. When
// seg->g is set the limit is taken in 4K pages (limit >> 12).
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	// Standard descriptor layout: limit[15:0], base[23:0] at 16, type at 40,
	// S at 44, DPL at 45, P at 47, limit[19:16] at 48, AVL/L/D/G at 52..55,
	// base[31:24] at 56.
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 |
		      (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 |
		      (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 |
		      (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 |
		      (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 |
		      (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
	dt[index] = sd;
	lt[index] = sd;
}

// 16-byte (64-bit system) descriptor: the low half as above, the high half
// (base[63:32] and reserved bits) zeroed.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

// Program the SYSENTER/SYSCALL MSRs so ring-3 guest code entering the kernel
// lands on the stubs at X86_ADDR_VAR_SYSEXIT / X86_ADDR_VAR_SYSRET with the
// stack at X86_ADDR_STACK0. STAR carries the kernel CS in bits 47:32 and the
// user CS in bits 63:48. The KVM_SET_MSRS result is not checked.
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = X86_MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
	entries[1].data = X86_ADDR_STACK0;
	entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
	entries[2].data = X86_ADDR_VAR_SYSEXIT;
	entries[3].index = X86_MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = X86_MSR_IA32_LSTAR;
	entries[4].data = X86_ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

// Fill the first 32 IDT vectors with a rotating mix of 16/32-bit interrupt,
// trap and task gates (i % 6 picks the kind), all aimed at
// X86_ADDR_VAR_USER_CODE2. Because fill_segment_descriptor lays a kvm_segment
// out as a plain descriptor, "base" carries the gate's selector and "limit" its
// offset. host_mem + sregs->idt.base assumes guest_mem == 0 (the caller in
// this file passes 0). Only the fields read by fill_segment_descriptor are set.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = X86_SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = X86_SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = X86_SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = X86_SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = X86_SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = X86_SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}

// 64-bit IDT: 32 16-byte gates (selector i*2 spaces them two 8-byte slots
// apart), alternating interrupt (14, odd i) and trap (15, even i) gates into
// CS64, all aimed at X86_ADDR_VAR_USER_CODE2; the high 8 bytes are zeroed by
// fill_segment_descriptor_dword. 32 * 16 bytes matches limit 0x1ff.
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ? 14 : 15;
		gate.base = X86_SEL_CS64;
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

// How a SyzOS guest-physical region is backed (bit 4 is intentionally unused).
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)

struct mem_region {
	uint64_t gpa;
	int pages; // region size in KVM_PAGE_SIZE pages
	uint32_t flags;
};

// Guest-physical layout of the SyzOS guest. setup_pg_table identity-maps every
// entry into the guest page tables; the flags describe how each region is
// backed and exposed.
static const struct mem_region syzos_mem_regions[] = {
    {X86_SYZOS_ADDR_ZERO, 48, MEM_REGION_FLAG_GPA0},
    {X86_SYZOS_ADDR_SMRAM, 10, 0},
    {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM},
    {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG},
    {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE},
    {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE},
    {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0},
    {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0},
    {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0},
    {X86_SYZOS_ADDR_IOAPIC, 1, 0},
};

// Per-VM bookkeeping shared by the SyzOS setup helpers.
struct kvm_syz_vm {
	int vmfd;
	int next_cpu_id;
	void* host_mem; // host mapping used to write the GDT/IDT/TSS
	size_t total_pages; // page budget consumed by setup_pg_table
	void* user_text; // host base of the per-vCPU user-code pages
	void* gpa0_mem; // host mapping of guest-physical 0; page tables live here
};

#define X86_NUM_IDT_ENTRIES 256

// Point all 256 IDT vectors at dummy_null_handler as present, DPL-0 64-bit
// interrupt gates (type_attr 0x8E) on IST 0 with code selector
// X86_SYZOS_SEL_CODE.
static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs)
{
	sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT;
	sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1;
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)((uint64_t)vm->host_mem + sregs->idt.base);
	uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler);
	for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) {
		idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF);
		idt[i].selector = X86_SYZOS_SEL_CODE;
		idt[i].ist = 0;
		idt[i].type_attr = 0x8E;
		idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF);
		idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF);
		idt[i].reserved = 0;
	}
}

// Fuzzer-supplied code blob; typ selects the mode in syz_kvm_setup_cpu
// (8, 16, 32, anything else = 64-bit).
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

// One of the up-to-two tweaks applied at the end of syz_kvm_setup_cpu.
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

#define PAGE_MASK GENMASK_ULL(51, 12)

// Bump allocator over the page-table pool [next_page, last_page).
typedef struct {
	uint64_t next_page;
	uint64_t last_page;
} page_alloc_t;

// Hand out the next 4K page of the pool; exhausting it is fatal.
static uint64_t pg_alloc(page_alloc_t* alloc)
{
	if (alloc->next_page >= alloc->last_page)
		exit(1);
	uint64_t page = alloc->next_page;
	alloc->next_page += KVM_PAGE_SIZE;
	return page;
}

// Install an identity (gpa -> gpa) 4K mapping, allocating PDPT/PD/PT pages
// from the pool on demand. Table addresses are formed as host_mem + gpa, so
// host_mem must be the host mapping of guest-physical 0 (callers pass
// vm->gpa0_mem). Entries are PRESENT|RW only; the USER bit is not set.
static void map_4k_page(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa)
{
	uint64_t* pml4 = (uint64_t*)(host_mem + X86_SYZOS_ADDR_PML4);
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (pml4[pml4_idx] == 0)
		pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pdpt = (uint64_t*)(host_mem + (pml4[pml4_idx] & PAGE_MASK));
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (pdpt[pdpt_idx] == 0)
		pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pd = (uint64_t*)(host_mem + (pdpt[pdpt_idx] & PAGE_MASK));
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (pd[pd_idx] == 0)
		pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pt = (uint64_t*)(host_mem + (pd[pd_idx] & PAGE_MASK));
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW;
}

// Identity-map num_pages consecutive pages from gpa_start; returns num_pages
// so the caller can track its page budget. A non-positive count maps nothing.
static int map_4k_region(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa_start, int num_pages)
{
	for (int i = 0; i < num_pages; i++)
		map_4k_page(host_mem, alloc, gpa_start + (i * KVM_PAGE_SIZE));
	return num_pages;
}

// Build the guest page tables: zero the 32-page table pool, identity-map every
// syzos_mem_regions entry, then map whatever page budget remains at
// X86_SYZOS_ADDR_UNUSED. Only the pool is cleared here; the PML4 page at
// X86_SYZOS_ADDR_PML4 is assumed to start zeroed — TODO confirm, since
// map_4k_page treats any non-zero entry as valid.
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	int total = vm->total_pages;
	uint64_t host_mem = (uint64_t)vm->gpa0_mem;
	page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + 32 * KVM_PAGE_SIZE};
	for (uint64_t i = 0; i < (alloc.last_page - alloc.next_page); i += KVM_PAGE_SIZE)
		memset((void*)(host_mem + alloc.next_page + i), 0, KVM_PAGE_SIZE);
	for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++)
		total -= map_4k_region(host_mem, &alloc, syzos_mem_regions[i].gpa, syzos_mem_regions[i].pages);
	map_4k_region(host_mem, &alloc, X86_SYZOS_ADDR_UNUSED, total);
}

// Legacy 8-byte GDT entry, field by field.
struct gdt_entry {
	uint16_t limit_low;
	uint16_t base_low;
	uint8_t base_mid;
	uint8_t access;
	uint8_t limit_high_and_flags;
	uint8_t base_high;
} __attribute__((packed));

// Minimal 64-bit GDT: null; 64-bit code (access 0x9A = present/DPL0/exec+read,
// flags 0xAF = G=1,L=1); data (0x92 = present/DPL0/read+write, 0xCF = G=1,
// D/B=1); 64-bit TSS (0x89 = available TSS, limit 0x67).
// NOTE(review): the data descriptor carries X86_SYZOS_ADDR_VAR_TSS as its base
// while the TSS descriptor's base is 0 — this looks swapped relative to
// setup_gdt_ldt_pg, which gives sregs.tr that same base. In long mode the data
// base is ignored and KVM takes TR from sregs, so it only matters if the guest
// reloads TR from the GDT; confirm intent. The high 8 bytes of the 16-byte
// TSS descriptor (gdt[4]) are not written here.
static void setup_gdt_64(struct gdt_entry* gdt)
{
	gdt[0] = (struct gdt_entry){0};
	gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0};
	gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF,
	    .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF),
	    .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF),
	    .access = 0x92,
	    .limit_high_and_flags = 0xCF,
	    .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)};
	gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){
	    .limit_low = 0x67, .base_low = 0, .base_mid = 0, .access = 0x89, .limit_high_and_flags = 0x00, .base_high = 0};
}

// Put the vCPU into 64-bit long mode with paging: flat CS/DS from
// setup_gdt_64, a TSS at X86_SYZOS_ADDR_VAR_TSS, the null-handler IDT and the
// identity page tables from setup_pg_table. Neither KVM_GET_SREGS nor
// KVM_SET_SREGS is checked. (The body continues on the following line.)
static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd)
{
	struct kvm_sregs sregs;
	ioctl(cpufd, KVM_GET_SREGS, &sregs);
	sregs.gdt.base = X86_SYZOS_ADDR_GDT;
	sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1;
	struct gdt_entry* gdt = (struct gdt_entry*)((uint64_t)vm->host_mem + sregs.gdt.base);
	struct kvm_segment seg_cs64;
	memset(&seg_cs64, 0, sizeof(seg_cs64));
	seg_cs64.selector = X86_SYZOS_SEL_CODE;
	seg_cs64.type = 11;
	seg_cs64.base = 0;
	seg_cs64.limit = 0xFFFFFFFFu;
	seg_cs64.present = 1;
	seg_cs64.s = 1;
	seg_cs64.g = 1;
	seg_cs64.l = 1;
	sregs.cs = seg_cs64;
	struct kvm_segment seg_ds64;
	memset(&seg_ds64, 0, sizeof(struct kvm_segment));
	seg_ds64.selector = X86_SYZOS_SEL_DATA;
	seg_ds64.type = 3;
	seg_ds64.limit = 0xFFFFFFFFu;
	seg_ds64.present = 1;
	seg_ds64.s = 1;
	seg_ds64.g = 1;
	seg_ds64.db = 1;
	sregs.ds = seg_ds64;
	sregs.es = seg_ds64;
	sregs.fs = seg_ds64;
	sregs.gs = seg_ds64;
	sregs.ss = seg_ds64;
	struct
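kvm_segment seg_tr;
	memset(&seg_tr, 0, sizeof(seg_tr));
	seg_tr.selector = X86_SYZOS_SEL_TSS64;
	seg_tr.type = 11;
	seg_tr.base = X86_SYZOS_ADDR_VAR_TSS;
	seg_tr.limit = 0x67;
	seg_tr.present = 1;
	seg_tr.s = 0;
	sregs.tr = seg_tr;
	// Zero the 104-byte TSS image and set RSP0 (offset 4) to the kernel stack.
	volatile uint8_t* l1_tss = (volatile uint8_t*)((uint64_t)vm->host_mem + X86_SYZOS_ADDR_VAR_TSS);
	memset((void*)l1_tss, 0, 104);
	*(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0;
	setup_gdt_64(gdt);
	syzos_setup_idt(vm, &sregs);
	setup_pg_table(vm);
	sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG;
	sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR;
	sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE);
	// NOTE(review): the page tables were built at X86_SYZOS_ADDR_PML4 but CR3
	// is loaded with X86_ADDR_PML4; confirm the two constants coincide.
	sregs.cr3 = X86_ADDR_PML4;
	ioctl(cpufd, KVM_SET_SREGS, &sregs);
}

// Copy the host-supported CPUID leaves (up to 128) into the vCPU. A private
// /dev/kvm handle is opened because KVM_GET_SUPPORTED_CPUID is a system-level
// ioctl. Best-effort: open/ioctl failures are not checked, matching the rest
// of this reproducer.
static void setup_cpuid(int cpufd)
{
	int kvmfd = open("/dev/kvm", O_RDWR);
	char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	memset(buf, 0, sizeof(buf));
	struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
	cpuid->nent = 128;
	ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
	ioctl(cpufd, KVM_SET_CPUID2, cpuid);
	close(kvmfd);
}

// Mode/feature selectors for syz_kvm_setup_cpu (a5).
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

// Legacy (non-SyzOS) vCPU bring-up: map 24 pages of guest memory plus an SMRAM
// slot, pick the execution mode from text_array_ptr[0].typ (8 / 16 / 32 /
// anything else = 64) and the KVM_SETUP_* flags, lay out GDT/LDT/IDT/TSSes,
// copy a mode-specific machine-code prologue followed by the fuzzer text to
// X86_ADDR_TEXT, apply up to two kvm_opt tweaks and push sregs/regs into KVM.
//   a0 vmfd, a1 cpufd, a2 host_mem, a3 kvm_text array, a4 its count (unused:
//   only [0] is consulted), a5 flags, a6 kvm_opt array, a7 its count.
// Returns 0, or -1 if KVM_GET_SREGS / KVM_SET_SREGS / KVM_SET_REGS fails. The
// memory-region and MSR ioctls are not checked.
// Fixes applied here: the four `&regs` arguments that had been mangled into
// `®s` (an HTML-entity decoding artefact) are restored, the inline CPUID block
// is replaced by the identical setup_cpuid(), and a duplicated tss32.cr3 store
// is dropped.
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	const int vmfd = a0;
	const int cpufd = a1;
	char* const host_mem = (char*)a2;
	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
	const uintptr_t text_count = a4;
	const uintptr_t flags = a5;
	const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
	uintptr_t opt_count = a7;
	const uintptr_t page_size = 4 << 10;
	const uintptr_t ioapic_page = 10;
	const uintptr_t guest_mem_size = 24 * page_size;
	const uintptr_t guest_mem = 0;
	(void)text_count;
	int text_type = text_array_ptr[0].typ;
	const void* text = text_array_ptr[0].text;
	uintptr_t text_size = text_array_ptr[0].size;
	// One memslot per page; slot ioapic_page is placed at the IOAPIC MMIO
	// address instead of being identity-mapped.
	for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
		struct kvm_userspace_memory_region memreg;
		memreg.slot = i;
		memreg.flags = 0;
		memreg.guest_phys_addr = guest_mem + i * page_size;
		if (i == ioapic_page)
			memreg.guest_phys_addr = 0xfec00000;
		memreg.memory_size = page_size;
		memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
		ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	}
	// Slot in KVM address space 1 (bit 16 of the slot id): 64K of SMRAM at
	// 0x30000 aliasing the start of host_mem, used by the KVM_SETUP_SMM paths.
	struct kvm_userspace_memory_region memreg;
	memreg.slot = 1 + (1 << 16);
	memreg.flags = 0;
	memreg.guest_phys_addr = 0x30000;
	memreg.memory_size = 64 << 10;
	memreg.userspace_addr = (uintptr_t)host_mem;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	struct kvm_sregs sregs;
	if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
		return -1;
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	regs.rip = guest_mem + X86_ADDR_TEXT;
	regs.rsp = X86_ADDR_STACK0;
	sregs.gdt.base = guest_mem + X86_ADDR_GDT;
	sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
	uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);
	struct kvm_segment seg_ldt;
	memset(&seg_ldt, 0, sizeof(seg_ldt));
	seg_ldt.selector = X86_SEL_LDT;
	seg_ldt.type = 2;
	seg_ldt.base = guest_mem + X86_ADDR_LDT;
	seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
	seg_ldt.present = 1;
	seg_ldt.dpl = 0;
	seg_ldt.s = 0;
	seg_ldt.g = 0;
	seg_ldt.db = 1;
	seg_ldt.l = 0;
	sregs.ldt = seg_ldt;
	uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);
	// Code/data segments for every mode and privilege level. Each one is
	// derived from an earlier template; only the differing fields are set.
	struct kvm_segment seg_cs16;
	memset(&seg_cs16, 0, sizeof(seg_cs16));
	seg_cs16.selector = X86_SEL_CS16;
	seg_cs16.type = 11;
	seg_cs16.base = 0;
	seg_cs16.limit = 0xfffff;
	seg_cs16.present = 1;
	seg_cs16.dpl = 0;
	seg_cs16.s = 1;
	seg_cs16.g = 0;
	seg_cs16.db = 0;
	seg_cs16.l = 0;
	struct kvm_segment seg_ds16 = seg_cs16;
	seg_ds16.selector = X86_SEL_DS16;
	seg_ds16.type = 3;
	struct kvm_segment seg_cs16_cpl3 = seg_cs16;
	seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3;
	seg_cs16_cpl3.dpl = 3;
	struct kvm_segment seg_ds16_cpl3 = seg_ds16;
	seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3;
	seg_ds16_cpl3.dpl = 3;
	struct kvm_segment seg_cs32 = seg_cs16;
	seg_cs32.selector = X86_SEL_CS32;
	seg_cs32.db = 1;
	struct kvm_segment seg_ds32 = seg_ds16;
	seg_ds32.selector = X86_SEL_DS32;
	seg_ds32.db = 1;
	struct kvm_segment seg_cs32_cpl3 = seg_cs32;
	seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3;
	seg_cs32_cpl3.dpl = 3;
	struct kvm_segment seg_ds32_cpl3 = seg_ds32;
	seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3;
	seg_ds32_cpl3.dpl = 3;
	struct kvm_segment seg_cs64 = seg_cs16;
	seg_cs64.selector = X86_SEL_CS64;
	seg_cs64.l = 1;
	struct kvm_segment seg_ds64 = seg_ds32;
	seg_ds64.selector = X86_SEL_DS64;
	struct kvm_segment seg_cs64_cpl3 = seg_cs64;
	seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3;
	seg_cs64_cpl3.dpl = 3;
	struct kvm_segment seg_ds64_cpl3 = seg_ds64;
	seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3;
	seg_ds64_cpl3.dpl = 3;
	// TSS descriptors: several 32-bit TSSes (plain, task-switch target, CPL3,
	// vm86) plus 16- and 64-bit variants, each backed by an image written below.
	struct kvm_segment seg_tss32;
	memset(&seg_tss32, 0, sizeof(seg_tss32));
	seg_tss32.selector = X86_SEL_TSS32;
	seg_tss32.type = 9;
	seg_tss32.base = X86_ADDR_VAR_TSS32;
	seg_tss32.limit = 0x1ff;
	seg_tss32.present = 1;
	seg_tss32.dpl = 0;
	seg_tss32.s = 0;
	seg_tss32.g = 0;
	seg_tss32.db = 0;
	seg_tss32.l = 0;
	struct kvm_segment seg_tss32_2 = seg_tss32;
	seg_tss32_2.selector = X86_SEL_TSS32_2;
	seg_tss32_2.base = X86_ADDR_VAR_TSS32_2;
	struct kvm_segment seg_tss32_cpl3 = seg_tss32;
	seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3;
	seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3;
	struct kvm_segment seg_tss32_vm86 = seg_tss32;
	seg_tss32_vm86.selector = X86_SEL_TSS32_VM86;
	seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86;
	struct kvm_segment seg_tss16 = seg_tss32;
	seg_tss16.selector = X86_SEL_TSS16;
	seg_tss16.base = X86_ADDR_VAR_TSS16;
	seg_tss16.limit = 0xff;
	seg_tss16.type = 1;
	struct kvm_segment seg_tss16_2 = seg_tss16;
	seg_tss16_2.selector = X86_SEL_TSS16_2;
	seg_tss16_2.base = X86_ADDR_VAR_TSS16_2;
	seg_tss16_2.dpl = 0;
	struct kvm_segment seg_tss16_cpl3 = seg_tss16;
	seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3;
	seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3;
	seg_tss16_cpl3.dpl = 3;
	struct kvm_segment seg_tss64 = seg_tss32;
	seg_tss64.selector = X86_SEL_TSS64;
	seg_tss64.base = X86_ADDR_VAR_TSS64;
	seg_tss64.limit = 0x1ff;
	struct kvm_segment seg_tss64_cpl3 = seg_tss64;
	seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3;
	seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3;
	seg_tss64_cpl3.dpl = 3;
	// Call and task gates. fill_segment_descriptor lays a kvm_segment out as a
	// plain descriptor, so "base" carries the gate's target selector (and, for
	// call gates, the parameter count in bits 23:16) and "limit" its offset.
	struct kvm_segment seg_cgate16;
	memset(&seg_cgate16, 0, sizeof(seg_cgate16));
	seg_cgate16.selector = X86_SEL_CGATE16;
	seg_cgate16.type = 4;
	seg_cgate16.base = X86_SEL_CS16 | (2 << 16);
	seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2;
	seg_cgate16.present = 1;
	seg_cgate16.dpl = 0;
	seg_cgate16.s = 0;
	seg_cgate16.g = 0;
	seg_cgate16.db = 0;
	seg_cgate16.l = 0;
	seg_cgate16.avl = 0;
	struct kvm_segment seg_tgate16 = seg_cgate16;
	seg_tgate16.selector = X86_SEL_TGATE16;
	seg_tgate16.type = 3;
	// NOTE(review): this writes seg_cgate16.base, not seg_tgate16.base, so the
	// 16-bit task gate keeps the call gate's CS16 selector and the 16-bit call
	// gate ends up pointing at TSS16_2 (compare seg_tgate32 below, which sets
	// its own base). Left unchanged because the descriptor layout is part of
	// what this reproducer reproduces; the 32-bit pattern is the likely intent.
	seg_cgate16.base = X86_SEL_TSS16_2;
	seg_tgate16.limit = 0;
	struct kvm_segment seg_cgate32 = seg_cgate16;
	seg_cgate32.selector = X86_SEL_CGATE32;
	seg_cgate32.type = 12;
	seg_cgate32.base = X86_SEL_CS32 | (2 << 16);
	struct kvm_segment seg_tgate32 = seg_cgate32;
	seg_tgate32.selector = X86_SEL_TGATE32;
	seg_tgate32.type = 11;
	seg_tgate32.base = X86_SEL_TSS32_2;
	seg_tgate32.limit = 0;
	struct kvm_segment seg_cgate64 = seg_cgate16;
	seg_cgate64.selector = X86_SEL_CGATE64;
	seg_cgate64.type = 12;
	seg_cgate64.base = X86_SEL_CS64;
	// Same CPUID programming as the SyzOS path (the inline copy that used to
	// live here was identical).
	setup_cpuid(cpufd);
	const char* text_prefix = 0;
	int text_prefix_size = 0;
	char* host_text = host_mem + X86_ADDR_TEXT;
	if (text_type == 8) {
		if (flags & KVM_SETUP_SMM) {
			if (flags & KVM_SETUP_PROTECTED) {
				sregs.cs = seg_cs16;
				sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
				sregs.cr0 |= X86_CR0_PE;
			} else {
				sregs.cs.selector = 0;
				sregs.cs.base = 0;
			}
			// HLT at the normal entry; the real text goes to host_mem + 0x8000,
			// which the SMRAM slot above exposes as SMBASE (0x30000) + 0x8000,
			// the SMI entry point, and the injected SMI starts it.
			*(host_mem + X86_ADDR_TEXT) = 0xf4;
			host_text = host_mem + 0x8000;
			ioctl(cpufd, KVM_SMI, 0);
		} else if (flags & KVM_SETUP_VIRT86) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			sregs.cr0 |= X86_CR0_PE;
			sregs.efer |= X86_EFER_SCE;
			setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3);
			setup_32bit_idt(&sregs, host_mem, guest_mem);
			if (flags & KVM_SETUP_PAGING) {
				// One 4M user page at 0 (PSE), identity-mapped.
				uint64_t pd_addr = guest_mem + X86_ADDR_PD;
				uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
				pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
				sregs.cr3 = pd_addr;
				sregs.cr4 |= X86_CR4_PSE;
				text_prefix = kvm_asm32_paged_vm86;
				text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1;
			} else {
				text_prefix = kvm_asm32_vm86;
				text_prefix_size = sizeof(kvm_asm32_vm86) - 1;
			}
		} else {
			sregs.cs.selector = 0;
			sregs.cs.base = 0;
		}
	} else if (text_type == 16) {
		if (flags & KVM_SETUP_CPL3) {
			sregs.cs = seg_cs16;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
			text_prefix = kvm_asm16_cpl3;
			text_prefix_size = sizeof(kvm_asm16_cpl3) - 1;
		} else {
			sregs.cr0 |= X86_CR0_PE;
			sregs.cs = seg_cs16;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
		}
	} else if (text_type == 32) {
		sregs.cr0 |= X86_CR0_PE;
		sregs.efer |= X86_EFER_SCE;
		setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3);
		setup_32bit_idt(&sregs, host_mem, guest_mem);
		if (flags & KVM_SETUP_SMM) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			*(host_mem + X86_ADDR_TEXT) = 0xf4;
			host_text = host_mem + 0x8000;
			ioctl(cpufd, KVM_SMI, 0);
		} else if (flags & KVM_SETUP_PAGING) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			uint64_t pd_addr = guest_mem + X86_ADDR_PD;
			uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
			pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
			sregs.cr3 = pd_addr;
			sregs.cr4 |= X86_CR4_PSE;
			text_prefix = kvm_asm32_paged;
			text_prefix_size = sizeof(kvm_asm32_paged) - 1;
		} else if (flags & KVM_SETUP_CPL3) {
			sregs.cs = seg_cs32_cpl3;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3;
		} else {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
		}
	} else {
		// 64-bit: the vCPU starts in 32-bit protected mode with EFER.LME set;
		// the kvm_asm64_* prologue sets CR0.PG and far-jumps into long mode.
		// Page tables: a single 2M user page at 0.
		sregs.efer |= X86_EFER_LME | X86_EFER_SCE;
		sregs.cr0 |= X86_CR0_PE;
		setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3);
		setup_64bit_idt(&sregs, host_mem, guest_mem);
		sregs.cs = seg_cs32;
		sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
		uint64_t pml4_addr = guest_mem + X86_ADDR_PML4;
		uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4);
		uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP;
		uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP);
		uint64_t pd_addr = guest_mem + X86_ADDR_PD;
		uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
		pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr;
		pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr;
		pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS;
		sregs.cr3 = pml4_addr;
		sregs.cr4 |= X86_CR4_PAE;
		if (flags & KVM_SETUP_VM) {
			// VMX-host variant: publish the VMXON/VMCS region addresses and the
			// VM-exit stub through fixed guest variables that kvm_asm64_init_vm
			// reads while it does VMXON / VMCLEAR / VMPTRLD / VMWRITEs / VMLAUNCH.
			sregs.cr0 |= X86_CR0_NE;
			*((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON;
			*((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS;
			memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1);
			*((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE;
			text_prefix = kvm_asm64_init_vm;
			text_prefix_size = sizeof(kvm_asm64_init_vm) - 1;
		} else if (flags & KVM_SETUP_CPL3) {
			text_prefix = kvm_asm64_cpl3;
			text_prefix_size = sizeof(kvm_asm64_cpl3) - 1;
		} else {
			text_prefix = kvm_asm64_enable_long;
			text_prefix_size = sizeof(kvm_asm64_enable_long) - 1;
		}
	}
	// TSS images in guest memory. Ring 0-2 stacks sit at X86_ADDR_STACK0, the
	// entry point is one of the user-code variables, and EFLAGS bit 1 (the
	// architecturally fixed-to-1 bit) is set; the vm86 TSS also sets VM (bit 17).
	struct tss16 tss16;
	memset(&tss16, 0, sizeof(tss16));
	tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
	tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
	tss16.ip = X86_ADDR_VAR_USER_CODE2;
	tss16.flags = (1 << 1);
	tss16.cs = X86_SEL_CS16;
	tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16;
	tss16.ldt = X86_SEL_LDT;
	struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base);
	memcpy(tss16_addr, &tss16, sizeof(tss16));
	memset(&tss16, 0, sizeof(tss16));
	tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
	tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
	tss16.ip = X86_ADDR_VAR_USER_CODE2;
	tss16.flags = (1 << 1);
	tss16.cs = X86_SEL_CS16_CPL3;
	tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3;
	tss16.ldt = X86_SEL_LDT;
	struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base);
	memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16));
	struct tss32 tss32;
	memset(&tss32, 0, sizeof(tss32));
	tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
	tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
	tss32.ip = X86_ADDR_VAR_USER_CODE;
	tss32.flags = (1 << 1) | (1 << 17);
	tss32.ldt = X86_SEL_LDT;
	tss32.cr3 = sregs.cr3;
	tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
	struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base);
	memcpy(tss32_addr, &tss32, sizeof(tss32));
	memset(&tss32, 0, sizeof(tss32));
	tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
	tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
	tss32.ip = X86_ADDR_VAR_USER_CODE;
	tss32.flags = (1 << 1);
	tss32.cr3 = sregs.cr3;
	tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32;
	tss32.cs = X86_SEL_CS32;
	tss32.ldt = X86_SEL_LDT;
	tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
	// Note: despite the name this image is stored at seg_tss32_2.base.
	struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base);
	memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32));
	struct tss64 tss64;
	memset(&tss64, 0, sizeof(tss64));
	tss64.rsp[0] = X86_ADDR_STACK0;
	tss64.rsp[1] = X86_ADDR_STACK0;
	tss64.rsp[2] = X86_ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base);
	memcpy(tss64_addr, &tss64, sizeof(tss64));
	memset(&tss64, 0, sizeof(tss64));
	tss64.rsp[0] = X86_ADDR_STACK0;
	tss64.rsp[1] = X86_ADDR_STACK0;
	tss64.rsp[2] = X86_ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base);
	memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64));
	// Cap the fuzzer text, then place the prologue (if any) and patch its two
	// placeholders: the 0x0badc0de far-jump target becomes the guest address of
	// the instruction after the jmp (+6 skips the 4-byte offset and 2-byte
	// selector), and the X86_PREFIX_SIZE word becomes the guest address where
	// the text starts. Each copied region is terminated with HLT (0xf4).
	if (text_size > 1000)
		text_size = 1000;
	if (text_prefix) {
		memcpy(host_text, text_prefix, text_prefix_size);
		void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4);
		if (patch)
			*((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6;
		uint16_t magic = X86_PREFIX_SIZE;
		patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic));
		if (patch)
			*((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size;
	}
	memcpy((void*)(host_text + text_prefix_size), text, text_size);
	*(host_text + text_prefix_size + text_size) = 0xf4;
	memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size);
	*(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4;
	*(host_mem + X86_ADDR_VAR_HLT) = 0xf4;
	memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); // sysret; hlt
	memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); // sysexit; hlt
	*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0;
	*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0;
	// At most two fuzzer options; typ % 9 picks the knob and val the bits:
	// 0-2 toggle masked CR0/CR4/EFER bits, 3 toggles selected RFLAGS bits in
	// regs and in every TSS image already written, 4-7 override code/data
	// descriptor types, 8 seeds the VMWRITE field/value variables. The default
	// arm cannot be reached.
	if (opt_count > 2)
		opt_count = 2;
	for (uintptr_t i = 0; i < opt_count; i++) {
		uint64_t typ = opt_array_ptr[i].typ;
		uint64_t val = opt_array_ptr[i].val;
		switch (typ % 9) {
		case 0:
			sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD);
			break;
		case 1:
			sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE);
			break;
		case 2:
			sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE);
			break;
		case 3:
			val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21));
			regs.rflags ^= val;
			tss16_addr->flags ^= val;
			tss16_cpl3_addr->flags ^= val;
			tss32_addr->flags ^= val;
			tss32_cpl3_addr->flags ^= val;
			break;
		case 4:
			seg_cs16.type = val & 0xf;
			seg_cs32.type = val & 0xf;
			seg_cs64.type = val & 0xf;
			break;
		case 5:
			seg_cs16_cpl3.type = val & 0xf;
			seg_cs32_cpl3.type = val & 0xf;
			seg_cs64_cpl3.type = val & 0xf;
			break;
		case 6:
			seg_ds16.type = val & 0xf;
			seg_ds32.type = val & 0xf;
			seg_ds64.type = val & 0xf;
			break;
		case 7:
			seg_ds16_cpl3.type = val & 0xf;
			seg_ds32_cpl3.type = val & 0xf;
			seg_ds64_cpl3.type = val & 0xf;
			break;
		case 8:
			*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff);
			*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16);
			break;
		default:
			exit(1);
		}
	}
	regs.rflags |= 2; // EFLAGS bit 1 is architecturally fixed to 1
	// Descriptor tables are written last so the type overrides above take
	// effect; every descriptor lands in both the GDT and the LDT.
	fill_segment_descriptor(gdt, ldt, &seg_ldt);
	fill_segment_descriptor(gdt, ldt, &seg_cs16);
	fill_segment_descriptor(gdt, ldt, &seg_ds16);
	fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cs32);
	fill_segment_descriptor(gdt, ldt, &seg_ds32);
	fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cs64);
	fill_segment_descriptor(gdt, ldt, &seg_ds64);
	fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
	fill_segment_descriptor(gdt, ldt, &seg_tss16);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cgate16);
	fill_segment_descriptor(gdt, ldt, &seg_tgate16);
	fill_segment_descriptor(gdt, ldt, &seg_cgate32);
	fill_segment_descriptor(gdt, ldt, &seg_tgate32);
	fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
	if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
		return -1;
	if (ioctl(cpufd, KVM_SET_REGS, &regs))
		return -1;
	return 0;
}

#define RFLAGS_1_BIT (1ULL << 1)
#define RFLAGS_IF_BIT (1ULL << 9)

// SyzOS entry state: RIP at guest_main, RSP at X86_SYZOS_ADDR_STACK0,
// interrupts enabled. RDI/RSI presumably carry guest_main's two arguments
// (text_size, cpu_id) — confirm against guest_main's signature. The
// KVM_SET_REGS result is not checked.
static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size)
{
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
	regs.rip = executor_fn_guest_addr(guest_main);
	regs.rsp = X86_SYZOS_ADDR_STACK0;
	regs.rdi = text_size;
	regs.rsi = cpu_id;
	ioctl(cpufd, KVM_SET_REGS, &regs);
}

// Copy the fuzzer text (capped to one page) into cpu_id's page of the user
// code region and bring the vCPU up in 64-bit mode. Out-of-range cpu_ids are
// silently ignored.
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size)
{
	if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU))
		return;
	if (text_size > KVM_PAGE_SIZE)
		text_size = KVM_PAGE_SIZE;
	void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
	memcpy(target, text, text_size);
	setup_gdt_ldt_pg(vm, cpufd);
	setup_cpuid(cpufd);
	reset_cpu_regs(cpufd, cpu_id, text_size);
}

// A contiguous host chunk handed out by alloc_guest_mem.
struct addr_size {
	void* addr;
	size_t size;
};

// Carve `size` bytes off the front of `free`. Returns {NULL, 0} and leaves
// `free` untouched when the request does not fit.
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size)
{
	struct addr_size ret = {.addr = NULL, .size = 0};
	if (free->size < size)
		return ret;
	ret.addr = free->addr;
	ret.size = size;
	free->addr = (void*)((char*)free->addr + size);
	free->size -= size;
	return ret;
}

// Thin KVM_SET_USER_MEMORY_REGION wrapper; the ioctl result is not checked.
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr)
{
	struct kvm_userspace_memory_region memreg;
	memreg.slot = slot;
	memreg.flags = flags;
	memreg.guest_phys_addr = guest_phys_addr;
	memreg.memory_size = memory_size;
	memreg.userspace_addr = userspace_addr;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}

// Copy the executor's guest section (__start_guest..__stop_guest) into guest
// memory; a section larger than the region is fatal. (Continues on the next
// line.)
static void install_syzos_code(void* host_mem, size_t mem_size)
{
	size_t size = (char*)&__stop_guest - (char*)&__start_guest;
	if (size > mem_size)
		exit(1);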
memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; struct addr_size next = alloc_guest_mem(&allocator, r->pages * KVM_PAGE_SIZE); uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); } struct addr_size next = alloc_guest_mem(&allocator, allocator.size); vm_set_user_memory_region(vmfd, slot++, 0, X86_SYZOS_ADDR_UNUSED, next.size, (uintptr_t)next.addr); } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, 
text_size);
	return cpufd;
}

static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();

/*
 * Build the sandbox's private root filesystem and switch into it.
 *
 * A fresh tmpfs is mounted at ./syz-tmp and populated with a "newroot"
 * that receives: a recursive bind of the host's /dev, a brand-new proc
 * instance, the host's selinux fs (legacy or sysfs location), a bind of
 * /sys (plus debugfs, smackfs and binfmt_misc when present) and a
 * read-only bind of /syz-inputs. The process then pivot_root()s onto the
 * tmpfs and chroot()s into "newroot". Any unexpected failure is fatal
 * (exit(1)); only the optional mounts tolerate ENOENT.
 *
 * NOTE(review): if pivot_root() fails the code falls back to a plain
 * chdir()+chroot(). chroot alone is not a security boundary (the old
 * root stays attached in this mount namespace), so that path isolates
 * less than the pivot_root path — presumably accepted as best effort
 * for hosts where pivot_root is unavailable; confirm that is intended.
 */
static void sandbox_common_mount_tmpfs(void)
{
	/* Raise the per-namespace mount limit; best effort, result ignored. */
	write_file("/proc/sys/fs/mount-max", "100000");
	if (mkdir("./syz-tmp", 0777))
		exit(1);
	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot", 0777))
		exit(1);
	if (mkdir("./syz-tmp/newroot/dev", 0700))
		exit(1);
	/* Recursive bind made MS_PRIVATE, so mounts performed by the fuzzed
	 * program under these trees do not propagate back to the host. */
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/proc", 0700))
		exit(1);
	/* A new proc instance rather than a bind, so it reflects the pid
	 * namespace created in do_sandbox_none() rather than the host's. */
	if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/selinux", 0700))
		exit(1);
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	/* Legacy /selinux first, then /sys/fs/selinux; absence of either is
	 * fine, any other error is fatal. */
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			exit(1);
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			exit(1);
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		exit(1);
	/* The fstype argument is ignored for MS_BIND, so 0 here is
	 * equivalent to the NULL used on the other bind mounts. */
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		exit(1);
	/* Optional kernel filesystems: skipped when not present on the host. */
	if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
		exit(1);
	/* Whatever lives in /syz-inputs is exposed read-only (MS_RDONLY), so
	 * the fuzzed program cannot modify it. */
	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/pivot", 0777))
		exit(1);
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		/* pivot_root failed: chroot-only fallback (see NOTE above). */
		if (chdir("./syz-tmp"))
			exit(1);
	} else {
		if (chdir("/"))
			exit(1);
		/* Lazily detach the old root so nothing under it stays reachable
		 * by path from inside the new root. */
		if (umount2("./pivot", MNT_DETACH))
			exit(1);
	}
	if (chroot("./newroot"))
		exit(1);
	if (chdir("/"))
		exit(1);
	setup_gadgetfs();
	setup_binderfs();
	setup_fusectl();
}

/* Best-effort device filesystems for the fuzzed program. Every failure
 * (already mounted, unsupported kernel, missing directory) is ignored on
 * purpose; the empty braces are the original's explicit "don't care". */
static void setup_gadgetfs()
{
	if (mkdir("/dev/gadgetfs", 0777)) {
	}
	if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
	}
}

static void setup_fusectl()
{
	/* fusectl provides /sys/fs/fuse/connections/<id>/abort, which
	 * kill_and_wait() writes to — presumably to break FUSE requests a
	 * killed child left pending so the reaper does not hang. */
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void setup_binderfs()
{
	if (mkdir("/dev/binderfs", 0777)) {
	}
	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
	}
}

static void loop();

/*
 * Per-sandbox process setup: tie our lifetime to the parent, keep a
 * handle on the initial net namespace, clamp resource limits and move
 * into private mount/IPC/cgroup/UTS/SysV-sem namespaces. Namespace and
 * rlimit failures are ignored (best effort); only the PDEATHSIG race and
 * the netns fd handling are fatal.
 */
static void sandbox_common()
{
	/* Die with the parent. The getppid() check is meant to close the
	 * window in which the parent already exited before PDEATHSIG was
	 * armed (the orphan would have been reparented to init). */
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	if (getppid() == 1)
		exit(1);
	/* Pin the original net namespace at a fixed fd number
	 * (kInitNetNsFd is defined elsewhere in this file). */
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	/* Resource caps for the fuzzed program. setrlimit results are not
	 * checked, so a host that refuses a value silently runs unclamped. */
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	/* Private mount namespace with "/" made recursively private, so
	 * mounts made by the program never propagate to the host. */
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is the raw value of CLONE_NEWCGROUP, presumably spelled
	 * out so the file also builds against headers lacking the macro. */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	/* SysV IPC limits for the fresh IPC namespace; best effort, the
	 * write_file() results are ignored. */
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Reap the sandbox child and return its exit code. __WALL also collects
 * clone()d children that are not plain fork children; other children
 * reaped along the way are discarded. WEXITSTATUS() is only meaningful
 * when the child exited normally — a signal-killed child yields an
 * unspecified value here.
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/*
 * Drop CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets using raw capget/capset with a v3 header (two 32-bit
 * words of capabilities). Only word 0 is masked; both capabilities are
 * below bit 32, as the `1 << CAP_*` shift requires. The bounding and
 * ambient sets are left untouched. Any failure is fatal.
 */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * "none" sandbox: no uid change, only namespaces and dropped caps.
 * unshare(CLONE_NEWPID) runs before fork() so the child becomes pid 1 of
 * a new pid namespace; the parent only waits for it. In the child:
 * common setup, capability drop, a private net namespace, ping sockets
 * enabled for every group, the tmpfs root, then the main loop. Returns
 * the child's exit code to the parent; loop() is not expected to return.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	/* Lets the program open ICMP "ping" sockets without CAP_NET_RAW. */
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	sandbox_common_mount_tmpfs();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete a per-iteration work directory, coping with the
 * mess a fuzzed program leaves behind: mounts stacked on any path are
 * unmounted first; EPERM on unlink is retried after clearing the inode
 * attribute flags (immutable/append-only) with FS_IOC_SETFLAGS; EBUSY is
 * retried after another umount; EROFS is given up on; anything else is
 * fatal. The function continues past the end of this chunk.
 *
 * NOTE(review): `filename` is FILENAME_MAX bytes and the snprintf()
 * result is unchecked, so an over-long path is silently truncated and a
 * different entry would be acted on. NOTE(review): the EPERM branch
 * `continue`s without consulting `i`, so if unlink keeps returning EPERM
 * while open() succeeds the loop never terminates; the `i > 100` bound
 * only covers the EBUSY path. A failed open() also overwrites the errno
 * that the EROFS/EBUSY tests below then inspect.
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
	/* UMOUNT_NOFOLLOW: never follow a symlink the program planted. */
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		/* Both branches exit; EMFILE is only singled out for readability. */
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, umount_flags) == 0) {
		}
		struct stat st;
		/* lstat: do not follow symlinks, so a link to "/" is unlinked,
		 * not recursed into. */
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, 
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; 
struct fuse_out_header* read;
struct fuse_out_header* open;
struct fuse_out_header* attr;
struct fuse_out_header* entry;
struct fuse_out_header* dirent;
struct fuse_out_header* direntplus;
struct fuse_out_header* create_open;
struct fuse_out_header* ioctl;
struct fuse_out_header* statx;
};

/*
 * Send one reply on the /dev/fuse fd. The reply's `unique` is stamped
 * from the request header so the kernel can match it; `len` and the
 * payload are whatever the program supplied behind out_hdr.
 * Returns 0 on success, -1 if out_hdr is NULL or write() fails.
 *
 * NOTE(review): out_hdr->len is trusted as the size of the memory behind
 * out_hdr and is not checked against anything here, so this is only as
 * safe as the caller's own buffer layout. A short write is also not
 * treated as an error; presumably the fuse device accepts or rejects a
 * reply whole, but that is a kernel property, not enforced here.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/*
 * Read one FUSE request from fd (a0) into buf (a1, a2 bytes) and answer
 * it with the pre-built reply selected by opcode from req_out (a3).
 * Returns 0 on success (and for FORGET requests, which take no reply)
 * and -1 for a bad argument, a read error, a truncated or inconsistent
 * header, or an opcode with no reply wired up.
 *
 * The header is only trusted after three checks: buf_len is at least
 * FUSE_MIN_READ_BUFFER (presumably mirroring the smallest read the fuse
 * device accepts), the read covered a whole fuse_in_header, and
 * in_hdr->len does not claim more bytes than were actually read.
 *
 * NOTE(review): for the header-only opcodes (RMDIR ... DESTROY) the
 * code borrows req_out->init and overwrites its len in place; after any
 * such request a later FUSE_INIT reply would go out as a bare header
 * too. Harmless while INIT is always the first request, but it is a
 * side effect on the caller's data. The switch continues past the end
 * of this chunk.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	/* Reject a header that claims more payload than was read. */
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/* Header-only reply: reuse the init header, shrunk to a bare header. */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case
FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, 
volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long 
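handle_clone_ret(long ret)
{
	/* Shared tail of syz_clone()/syz_clone3(). In the parent, or on
	 * error, the raw clone result is passed through. In the child
	 * (ret == 0) we linger for USLEEP_FORKED_CHILD and then leave via
	 * the raw exit syscall rather than exit(3) — presumably to skip libc
	 * atexit/stdio teardown in a process that shares fds with the
	 * executor; confirm. The trailing loop only guards against the
	 * syscall somehow returning. */
	if (ret != 0) {
		return ret;
	}
	usleep(USLEEP_FORKED_CHILD);
	syscall(__NR_exit, 0);
	while (1) {
	}
}

/*
 * clone() wrapper for the fuzzed program. The child's stack pointer is
 * the top of the supplied [stack, stack + stack_len) region rounded
 * down to 16 bytes, and CLONE_VM is always stripped so the child can
 * never share — and corrupt — the executor's address space. Returns the
 * clone result in the parent; the child never returns here.
 */
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls)
{
	long sp = (stack + stack_len) & ~15;
	long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}

#define MAX_CLONE_ARGS_BYTES 256

/*
 * clone3() wrapper. a0 points at a struct clone_args of a1 bytes. The
 * struct is copied into a bounded local buffer (sizes outside
 * 8..MAX_CLONE_ARGS_BYTES are refused with -1) and its first u64 — the
 * flags word — has CLONE_VM cleared, for the same reason as syz_clone().
 * Copying also means the kernel reads our private copy, not the
 * program's buffer, so the flags cannot change underneath us.
 */
static long syz_clone3(volatile long a0, volatile long a1)
{
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	char clone_args[MAX_CLONE_ARGS_BYTES];
	memcpy(&clone_args, (void*)a0, copy_size);
	uint64_t* flags = (uint64_t*)&clone_args;
	*flags &= ~CLONE_VM;
	return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size));
}

#define RESERVED_PKEY 15

/*
 * Set the PKRU access bits (val & 3) for protection key `pkey` via
 * rdpkru/wrpkru. Key RESERVED_PKEY is refused with EINVAL (errno set,
 * -1 returned); every other key returns 0.
 *
 * The key index is reduced to its low 4 bits *before* the reserved-key
 * check. The original compared the raw pkey and then used `pkey % 16`
 * in the shift, so an alias such as 31 (31 % 16 == 15) slipped past the
 * guard and clobbered the reserved key, and a negative pkey produced a
 * negative shift count (undefined behaviour). For 0..14 the behaviour
 * is unchanged; 15 and its aliases are now all rejected.
 *
 * __asm__ is used instead of `asm` so the block also builds in strict
 * -std=c11 mode, where `asm` is not a keyword. The instructions fault
 * (#UD) on CPUs/kernels without PKU enabled, exactly as before.
 */
static long syz_pkey_set(volatile long pkey, volatile long val)
{
	unsigned long key = (unsigned long)pkey & 0xf;
	if (key == RESERVED_PKEY) {
		errno = EINVAL;
		return -1;
	}
	uint32_t eax = 0;
	uint32_t ecx = 0;
	__asm__ volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx");
	/* Two bits per key: AD (bit 0) and WD (bit 1). */
	eax &= ~(3u << (key * 2));
	eax |= (uint32_t)(val & 3) << (key * 2);
	uint32_t edx = 0;
	__asm__ volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
	return 0;
}

/*
 * pidfd_open() wrapper. pid 1 is remapped to 0, which the syscall
 * rejects, so the program never obtains a pidfd for pid 1 of its
 * namespace — presumably to keep it from targeting the sandbox's init
 * (the process forked in do_sandbox_none); confirm.
 */
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	if (pid == 1) {
		pid = 0;
	}
	return syscall(__NR_pidfd_open, pid, flags);
}

/* One worker slot per thread: execute_one() signals `ready` to run
 * `call`; the worker signals `done` when that call has returned. */
struct thread_t {
	int created, call;
	event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing: incremented by execute_one()
 * before dispatch, decremented by the worker (relaxed atomics), and
 * polled by execute_one() at the end of the program. */
static int running;

/* Worker loop: wait for a call number, run it, report completion. Never
 * returns; the `return 0` only satisfies the thread-start signature. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/* Dispatch the 60 generated calls onto worker threads; the function
 * continues past the end of this chunk. The write() result is ignored
 * on purpose (the marker line is informational). */
static void execute_one(void)
{
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0; call < 60; call++) {
		for (thread = 0; thread <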
(int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 3000 : 0) + (call == 53 ? 3000 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0) + (call == 56 ? 300 : 0) + (call == 57 ? 3000 : 0) + (call == 58 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (; iter < 10; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[37] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x200000000000 = 0x4006; *(uint32_t*)0x200000000004 = 0xd; *(uint32_t*)0x200000000008 = 2; *(uint32_t*)0x20000000000c = 8; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, 
/*cmd=*/0x80044945, /*arg=*/0x200000000000ul); break; case 1: *(uint32_t*)0x200000000040 = 0; *(uint32_t*)0x200000000044 = 1; *(uint32_t*)0x200000000048 = 4; *(uint32_t*)0x20000000004c = 2; *(uint32_t*)0x200000000050 = 5; *(uint32_t*)0x200000000054 = 0x81; *(uint32_t*)0x200000000058 = 0; memcpy((void*)0x20000000005c, "id1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); memcpy((void*)0x20000000009c, "timer0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 80); *(uint64_t*)0x2000000000f0 = 0; *(uint64_t*)0x2000000000f8 = 6; *(uint64_t*)0x200000000100 = 3; *(uint64_t*)0x200000000108 = 0x70a; *(uint32_t*)0x200000000110 = 9; memset((void*)0x200000000114, 0, 32); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0f85403, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000140, "/dev/ircomm#\000", 13); res = -1; res = syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); for (int i = 0; i < 4; i++) { syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); } if (res != -1) r[0] = res; break; case 3: *(uint32_t*)0x200000000340 = 0x82; *(uint32_t*)0x200000000344 = 8; *(uint64_t*)0x200000000348 = 0x200000000280; *(uint32_t*)0x200000000280 = 1; *(uint64_t*)0x200000000284 = 0; *(uint32_t*)0x20000000028c = 0xc0; *(uint64_t*)0x200000000290 = 0x200000000180; memcpy((void*)0x200000000180, 
"\x5b\x58\xac\x0e\xd1\xd2\x7b\x21\x7d\x3f\xdc\x62\x99\xcd\xde\x4d\x85\x32\x1f\x7b\xba\xa0\x64\xd3\x61\x51\x9c\xdd\xe4\x3b\x22\x5c\xf0\x06\x58\xdd\xbf\xbd\x91\x4c\xf7\x9e\xce\xb3\x48\xf1\x86\x92\x31\x5c\x3c\x69\xec\x14\x8e\x2d\xd9\x28\xac\x7e\xe6\x2f\x51\x11\xb9\xdc\xca\xca\x88\x52\x49\x12\x34\x19\x55\xf7\x9b\x0f\x22\x06\xb8\x0e\x6e\x5a\x7e\x68\x1a\x62\x96\x94\xa3\x4f\x9b\x0e\x39\x87\x7e\xef\xde\x60\xa0\x68\xcd\xc4\x45\x45\xd6\xfe\x45\xd0\x00\x0c\x99\x61\xa1\xff\x16\x87\x47\x44\x7e\x34\x6b\x16\x46\x08\x75\xc6\x91\xde\x11\x83\xb2\xd7\xb0\x32\xcf\xae\x85\x49\x7d\x0d\x88\x48\xd4\xba\xa9\xad\xc6\xca\xac\xcd\x9a\xf6\x01\x9e\xa2\xba\x6f\x3b\x4e\x60\x18\xdf\x94\xca\xca\xbe\xdd\xec\x7b\x60\x02\x30\xea\x77\x90\x01\x93\x99\xd0\xbe\xb6\x1f\x42\x7d\xf8\x35\x9c\xc3\x48\x93", 192); *(uint64_t*)0x200000000298 = 0; *(uint32_t*)0x2000000002a0 = 0; *(uint64_t*)0x2000000002a4 = 0x200000000240; *(uint32_t*)0x2000000002ac = 0x10000; *(uint32_t*)0x2000000002b0 = 0; *(uint64_t*)0x2000000002b4 = 0; *(uint32_t*)0x2000000002bc = 0x81; *(uint32_t*)0x2000000002c0 = 0xe; *(uint64_t*)0x200000000350 = 0x200000000300; *(uint32_t*)0x200000000358 = 0x44; *(uint32_t*)0x20000000035c = 0xc; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0206440, /*arg=*/0x200000000340ul); if (res != -1) r[1] = *(uint64_t*)0x200000000300; break; case 4: *(uint32_t*)0x200000000400 = 0x81; *(uint32_t*)0x200000000404 = 4; *(uint64_t*)0x200000000408 = 0x200000000380; *(uint64_t*)0x200000000380 = r[1]; *(uint64_t*)0x200000000410 = 0x2000000003c0; *(uint32_t*)0x200000000418 = 8; *(uint32_t*)0x20000000041c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000400ul); break; case 5: *(uint32_t*)0x200000000440 = 3; *(uint32_t*)0x200000000444 = 6; STORE_BY_BITMASK(uint32_t, , 0x200000000448, 1, 0, 1); memcpy((void*)0x200000000449, 
"queue1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); *(uint32_t*)0x20000000048c = 0xdae; memset((void*)0x200000000490, 0, 60); syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc08c5335, /*arg=*/0x200000000440ul); break; case 6: memcpy((void*)0x200000000540, "TIPCv2\000", 7); res = -1; res = syz_genetlink_get_family_id(/*name=*/0x200000000540, /*fd=*/r[0]); if (res != -1) r[2] = res; break; case 7: *(uint64_t*)0x200000000880 = 0x200000000500; *(uint16_t*)0x200000000500 = 0x10; *(uint16_t*)0x200000000502 = 0; *(uint32_t*)0x200000000504 = 0; *(uint32_t*)0x200000000508 = 0x1000000; *(uint32_t*)0x200000000888 = 0xc; *(uint64_t*)0x200000000890 = 0x200000000840; *(uint64_t*)0x200000000840 = 0x200000000580; *(uint32_t*)0x200000000580 = 0x2b4; *(uint16_t*)0x200000000584 = r[2]; *(uint16_t*)0x200000000586 = 0x400; *(uint32_t*)0x200000000588 = 0x70bd2d; *(uint32_t*)0x20000000058c = 0x25dfdbfb; *(uint8_t*)0x200000000590 = 4; *(uint8_t*)0x200000000591 = 0; *(uint16_t*)0x200000000592 = 0; *(uint16_t*)0x200000000594 = 0x44; STORE_BY_BITMASK(uint16_t, , 0x200000000596, 3, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 1, 7, 1); *(uint16_t*)0x200000000598 = 8; *(uint16_t*)0x20000000059a = 1; *(uint32_t*)0x20000000059c = 6; *(uint16_t*)0x2000000005a0 = 8; *(uint16_t*)0x2000000005a2 = 1; *(uint32_t*)0x2000000005a4 = 0x3f; *(uint16_t*)0x2000000005a8 = 8; *(uint16_t*)0x2000000005aa = 1; *(uint32_t*)0x2000000005ac = 2; *(uint16_t*)0x2000000005b0 = 8; *(uint16_t*)0x2000000005b2 = 1; *(uint32_t*)0x2000000005b4 = 0x4c00000; *(uint16_t*)0x2000000005b8 = 8; *(uint16_t*)0x2000000005ba = 1; *(uint32_t*)0x2000000005bc = 3; *(uint16_t*)0x2000000005c0 = 8; *(uint16_t*)0x2000000005c2 = 1; *(uint32_t*)0x2000000005c4 = 6; *(uint16_t*)0x2000000005c8 = 8; 
*(uint16_t*)0x2000000005ca = 3; *(uint32_t*)0x2000000005cc = 0x67c; *(uint16_t*)0x2000000005d0 = 8; *(uint16_t*)0x2000000005d2 = 1; *(uint32_t*)0x2000000005d4 = 7; *(uint16_t*)0x2000000005d8 = 0x3c; STORE_BY_BITMASK(uint16_t, , 0x2000000005da, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 1, 7, 1); *(uint16_t*)0x2000000005dc = 9; *(uint16_t*)0x2000000005de = 1; memcpy((void*)0x2000000005e0, "syz1\000", 5); *(uint16_t*)0x2000000005e8 = 0x2c; STORE_BY_BITMASK(uint16_t, , 0x2000000005ea, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 1, 7, 1); *(uint16_t*)0x2000000005ec = 8; *(uint16_t*)0x2000000005ee = 3; *(uint32_t*)0x2000000005f0 = 0x220a; *(uint16_t*)0x2000000005f4 = 8; *(uint16_t*)0x2000000005f6 = 4; *(uint32_t*)0x2000000005f8 = 0x9c0; *(uint16_t*)0x2000000005fc = 8; *(uint16_t*)0x2000000005fe = 2; *(uint32_t*)0x200000000600 = 0x101; *(uint16_t*)0x200000000604 = 8; *(uint16_t*)0x200000000606 = 4; *(uint32_t*)0x200000000608 = 3; *(uint16_t*)0x20000000060c = 8; *(uint16_t*)0x20000000060e = 1; *(uint32_t*)0x200000000610 = 8; *(uint16_t*)0x200000000614 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000616, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 1, 7, 1); *(uint16_t*)0x200000000618 = 8; *(uint16_t*)0x20000000061a = 2; *(uint32_t*)0x20000000061c = 6; *(uint16_t*)0x200000000620 = 8; *(uint16_t*)0x200000000622 = 1; *(uint32_t*)0x200000000624 = 1; *(uint16_t*)0x200000000628 = 0xb8; STORE_BY_BITMASK(uint16_t, , 0x20000000062a, 1, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 1, 7, 1); *(uint16_t*)0x20000000062c = 0x24; STORE_BY_BITMASK(uint16_t, , 0x20000000062e, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 1, 7, 1); *(uint16_t*)0x200000000630 = 8; 
*(uint16_t*)0x200000000632 = 2; *(uint32_t*)0x200000000634 = 9; *(uint16_t*)0x200000000638 = 8; *(uint16_t*)0x20000000063a = 4; *(uint32_t*)0x20000000063c = 7; *(uint16_t*)0x200000000640 = 8; *(uint16_t*)0x200000000642 = 2; *(uint32_t*)0x200000000644 = 5; *(uint16_t*)0x200000000648 = 8; *(uint16_t*)0x20000000064a = 2; *(uint32_t*)0x20000000064c = 2; *(uint16_t*)0x200000000650 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000652, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 1, 7, 1); *(uint16_t*)0x200000000654 = 8; *(uint16_t*)0x200000000656 = 3; *(uint32_t*)0x200000000658 = 6; *(uint16_t*)0x20000000065c = 8; *(uint16_t*)0x20000000065e = 4; *(uint32_t*)0x200000000660 = 0; *(uint16_t*)0x200000000664 = 0xd; *(uint16_t*)0x200000000666 = 1; memcpy((void*)0x200000000668, "udp:syz2\000", 9); *(uint16_t*)0x200000000674 = 0xc; STORE_BY_BITMASK(uint16_t, , 0x200000000676, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 1, 7, 1); *(uint16_t*)0x200000000678 = 8; *(uint16_t*)0x20000000067a = 4; *(uint32_t*)0x20000000067c = 7; *(uint16_t*)0x200000000680 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000682, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 1, 7, 1); *(uint16_t*)0x200000000684 = 8; *(uint16_t*)0x200000000686 = 1; *(uint32_t*)0x200000000688 = 0x17; *(uint16_t*)0x20000000068c = 8; *(uint16_t*)0x20000000068e = 1; *(uint32_t*)0x200000000690 = 0x17; *(uint16_t*)0x200000000694 = 8; *(uint16_t*)0x200000000696 = 1; *(uint32_t*)0x200000000698 = 0x12; *(uint16_t*)0x20000000069c = 0x2c; *(uint16_t*)0x20000000069e = 4; *(uint16_t*)0x2000000006a0 = 0x14; *(uint16_t*)0x2000000006a2 = 1; *(uint16_t*)0x2000000006a4 = 2; *(uint16_t*)0x2000000006a6 = htobe16(0x4e21); *(uint32_t*)0x2000000006a8 = htobe32(0xe0000002); *(uint16_t*)0x2000000006b4 = 0x14; *(uint16_t*)0x2000000006b6 = 2; 
*(uint16_t*)0x2000000006b8 = 2; *(uint16_t*)0x2000000006ba = htobe16(0x4e20); *(uint32_t*)0x2000000006bc = htobe32(-1); *(uint16_t*)0x2000000006c8 = 8; *(uint16_t*)0x2000000006ca = 3; *(uint32_t*)0x2000000006cc = 0xb; *(uint16_t*)0x2000000006d0 = 0xd; *(uint16_t*)0x2000000006d2 = 1; memcpy((void*)0x2000000006d4, "udp:syz1\000", 9); *(uint16_t*)0x2000000006e0 = 0x20; STORE_BY_BITMASK(uint16_t, , 0x2000000006e2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 1, 7, 1); *(uint16_t*)0x2000000006e4 = 8; *(uint16_t*)0x2000000006e6 = 1; *(uint32_t*)0x2000000006e8 = 8; *(uint16_t*)0x2000000006ec = 0xc; *(uint16_t*)0x2000000006ee = 3; *(uint64_t*)0x2000000006f0 = 6; *(uint16_t*)0x2000000006f8 = 8; *(uint16_t*)0x2000000006fa = 1; *(uint32_t*)0x2000000006fc = 0x80; *(uint16_t*)0x200000000700 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000702, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 1, 7, 1); *(uint16_t*)0x200000000704 = 8; *(uint16_t*)0x200000000706 = 1; *(uint32_t*)0x200000000708 = 2; *(uint16_t*)0x20000000070c = 8; *(uint16_t*)0x20000000070e = 1; *(uint32_t*)0x200000000710 = 9; *(uint16_t*)0x200000000714 = 0x10c; STORE_BY_BITMASK(uint16_t, , 0x200000000716, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 1, 7, 1); *(uint16_t*)0x200000000718 = 9; *(uint16_t*)0x20000000071a = 1; memcpy((void*)0x20000000071c, "syz1\000", 5); *(uint16_t*)0x200000000724 = 0x13; *(uint16_t*)0x200000000726 = 1; memcpy((void*)0x200000000728, "broadcast-link\000", 15); *(uint16_t*)0x200000000738 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000073a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 1, 7, 1); *(uint16_t*)0x20000000073c = 8; *(uint16_t*)0x20000000073e = 2; *(uint32_t*)0x200000000740 = 0x187; *(uint16_t*)0x200000000744 = 8; 
*(uint16_t*)0x200000000746 = 4; *(uint32_t*)0x200000000748 = 0x40; *(uint16_t*)0x20000000074c = 8; *(uint16_t*)0x20000000074e = 1; *(uint32_t*)0x200000000750 = 0x10; *(uint16_t*)0x200000000754 = 0x24; STORE_BY_BITMASK(uint16_t, , 0x200000000756, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 1, 7, 1); *(uint16_t*)0x200000000758 = 8; *(uint16_t*)0x20000000075a = 2; *(uint32_t*)0x20000000075c = 0xc0fb; *(uint16_t*)0x200000000760 = 8; *(uint16_t*)0x200000000762 = 2; *(uint32_t*)0x200000000764 = 0; *(uint16_t*)0x200000000768 = 8; *(uint16_t*)0x20000000076a = 2; *(uint32_t*)0x20000000076c = 3; *(uint16_t*)0x200000000770 = 8; *(uint16_t*)0x200000000772 = 4; *(uint32_t*)0x200000000774 = 6; *(uint16_t*)0x200000000778 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000077a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 1, 7, 1); *(uint16_t*)0x20000000077c = 8; *(uint16_t*)0x20000000077e = 1; *(uint32_t*)0x200000000780 = 0x18; *(uint16_t*)0x200000000784 = 8; *(uint16_t*)0x200000000786 = 2; *(uint32_t*)0x200000000788 = 0x80000000; *(uint16_t*)0x20000000078c = 8; *(uint16_t*)0x20000000078e = 2; *(uint32_t*)0x200000000790 = 2; *(uint16_t*)0x200000000794 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000796, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 1, 7, 1); *(uint16_t*)0x200000000798 = 8; *(uint16_t*)0x20000000079a = 4; *(uint32_t*)0x20000000079c = 0xfffffff2; *(uint16_t*)0x2000000007a0 = 8; *(uint16_t*)0x2000000007a2 = 3; *(uint32_t*)0x2000000007a4 = 7; *(uint16_t*)0x2000000007a8 = 8; *(uint16_t*)0x2000000007aa = 3; *(uint32_t*)0x2000000007ac = 0xd0; *(uint16_t*)0x2000000007b0 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x2000000007b2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 1, 7, 1); *(uint16_t*)0x2000000007b4 = 8; 
*(uint16_t*)0x2000000007b6 = 1; *(uint32_t*)0x2000000007b8 = 0xf; *(uint16_t*)0x2000000007bc = 8; *(uint16_t*)0x2000000007be = 4; *(uint32_t*)0x2000000007c0 = 0x401; *(uint16_t*)0x2000000007c4 = 8; *(uint16_t*)0x2000000007c6 = 1; *(uint32_t*)0x2000000007c8 = 9; *(uint16_t*)0x2000000007cc = 0x54; STORE_BY_BITMASK(uint16_t, , 0x2000000007ce, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 1, 7, 1); *(uint16_t*)0x2000000007d0 = 8; *(uint16_t*)0x2000000007d2 = 3; *(uint32_t*)0x2000000007d4 = 0xe6a9; *(uint16_t*)0x2000000007d8 = 8; *(uint16_t*)0x2000000007da = 4; *(uint32_t*)0x2000000007dc = 7; *(uint16_t*)0x2000000007e0 = 8; *(uint16_t*)0x2000000007e2 = 3; *(uint32_t*)0x2000000007e4 = 0x10000; *(uint16_t*)0x2000000007e8 = 8; *(uint16_t*)0x2000000007ea = 3; *(uint32_t*)0x2000000007ec = 0x2000; *(uint16_t*)0x2000000007f0 = 8; *(uint16_t*)0x2000000007f2 = 2; *(uint32_t*)0x2000000007f4 = 9; *(uint16_t*)0x2000000007f8 = 8; *(uint16_t*)0x2000000007fa = 3; *(uint32_t*)0x2000000007fc = 6; *(uint16_t*)0x200000000800 = 8; *(uint16_t*)0x200000000802 = 4; *(uint32_t*)0x200000000804 = 0x81; *(uint16_t*)0x200000000808 = 8; *(uint16_t*)0x20000000080a = 3; *(uint32_t*)0x20000000080c = 0x3ff; *(uint16_t*)0x200000000810 = 8; *(uint16_t*)0x200000000812 = 1; *(uint32_t*)0x200000000814 = 0x19; *(uint16_t*)0x200000000818 = 8; *(uint16_t*)0x20000000081a = 1; *(uint32_t*)0x20000000081c = 0x1a; *(uint16_t*)0x200000000820 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000822, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 1, 7, 1); *(uint16_t*)0x200000000824 = 8; *(uint16_t*)0x200000000826 = 1; *(uint32_t*)0x200000000828 = 1; *(uint16_t*)0x20000000082c = 8; *(uint16_t*)0x20000000082e = 2; *(uint32_t*)0x200000000830 = 0x79; *(uint64_t*)0x200000000848 = 0x2b4; *(uint64_t*)0x200000000898 = 1; *(uint64_t*)0x2000000008a0 = 0; *(uint64_t*)0x2000000008a8 = 0; 
*(uint32_t*)0x2000000008b0 = 0x4040811; syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000880ul, /*f=*/0ul); break; case 8: syscall(__NR_read, /*fd=*/r[0], /*data=*/0x2000000008c0ul, /*len=*/0x1dul); break; case 9: *(uint64_t*)0x200000000980 = 6; *(uint64_t*)0x200000000988 = 0x200000000940; *(uint64_t*)0x200000000940 = 0x904e; *(uint64_t*)0x200000000948 = 1; *(uint64_t*)0x200000000950 = 9; *(uint64_t*)0x200000000958 = 6; *(uint64_t*)0x200000000960 = 0xe; *(uint64_t*)0x200000000968 = 5; syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x4010801d, /*arg=*/0x200000000980ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 4, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; memset((void*)0x20000000004a, 255, 6); *(uint8_t*)0x200000000050 = 8; *(uint8_t*)0x200000000051 = 2; *(uint8_t*)0x200000000052 = 0x11; *(uint8_t*)0x200000000053 = 0; *(uint8_t*)0x200000000054 = 0; *(uint8_t*)0x200000000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x200000000056, 1, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0x7f, 4, 12); *(uint16_t*)0x200000000058 = 0x1f; *(uint8_t*)0x20000000005a = 0x8c; *(uint8_t*)0x20000000005b = 0x18; 
*(uint16_t*)0x20000000005c = 0x5d9; memcpy((void*)0x20000000005e, "\x8e\x85\x14\x4c\x64\x33", 6); memcpy((void*)0x200000000064, "\xe0\x23\xfb\xed\x51\x30\x11\xc5\x70\x7e\x45\x24\x72\xe2\x05\x5d", 16); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x34); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memcpy((void*)0x2000000000c0, "\x3a\x38\x64\x65\xf3\x89\x38\x0e\x26\xb0\xcb\x13\xf9\x8a\x36\xe2\x21\x4f\x09\x9e\xe0\xd0\xb2\x9b\x75\x4e\x31\xd6\xef\xc8\x2c\x04", 32); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/0x20, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_path_truncate\000", 22); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xda\xa4\xed\x40\xf7\xcf\x4d\xa8\x63\x77\xe8\x64\xd8\xe6\xc6\xd4\xfc\x54\x86\xaf\x4a\x6f\x23\xde\xa5\x8b\x32\x43\xa2\x91\xb0\x18\x0d\xba\xf5\xc9\x27\x58\xaf\x73\xf9", 41); memcpy((void*)0x200000000200, "\x40\xf2\x76\x85\x6b\x81\x91\xc4\xf3\x12\x75\x9d\x79\x5a\x22\xc3\xc7\xed\xc9\x16\x78\x79\x4f\x4e\xea\xc4\x57\x46\xfc\xc9\x93\x07\x22\xc8\x18\x9b\xa5\x95\x65\xf7\x32\x7c\xbc\xd4\x50\x61\x64\xeb\x9f\x6f\xf1\x75\xf1\xf0\x8d\x60\x24\x70\x91\x77\x2c\x18\x5a\xc3\x83\x04\xe9\xb5\xb3", 69); res = -1; res = syz_clone(/*flags=CLONE_NEWUTS|CLONE_VFORK*/0x4004000, /*stack=*/0x200000000140, /*stack_len=*/0x29, /*parentid=*/0x200000000180, /*childtid=*/0x2000000001c0, /*tls=*/0x200000000200); if (res != -1) r[3] = res; break; case 14: res = syscall(__NR_getpgrp, /*pid=*/r[3]); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x800; *(uint64_t*)0x200000000508 = 0x200000000280; *(uint64_t*)0x200000000510 = 0x2000000002c0; *(uint64_t*)0x200000000518 = 0x200000000300; *(uint32_t*)0x200000000520 = 0x12; *(uint64_t*)0x200000000528 = 0x200000000340; *(uint64_t*)0x200000000530 = 0x66; *(uint64_t*)0x200000000538 = 0x2000000003c0; *(uint64_t*)0x200000000540 = 
0x2000000004c0; *(uint32_t*)0x2000000004c0 = r[3]; *(uint32_t*)0x2000000004c4 = r[3]; *(uint32_t*)0x2000000004c8 = r[3]; *(uint32_t*)0x2000000004cc = r[4]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = -1; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000280; r[7] = *(uint32_t*)0x2000000002c0; r[8] = *(uint32_t*)0x200000000300; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000001680 = 4; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000001680ul); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000004a80 = 0x80000000; *(uint32_t*)0x200000004a84 = 0xee01; *(uint32_t*)0x200000004a88 = 0xee01; *(uint32_t*)0x200000004a8c = 5; *(uint32_t*)0x200000004a90 = 0xfffffff8; *(uint32_t*)0x200000004a94 = 1; *(uint16_t*)0x200000004a98 = 0x6bc1; *(uint32_t*)0x200000004a9c = 0x40; *(uint64_t*)0x200000004aa0 = 0xffff; *(uint64_t*)0x200000004aa8 = 0x2265; *(uint64_t*)0x200000004ab0 = 0xfffffffffffffff8; *(uint32_t*)0x200000004ab8 = r[3]; *(uint32_t*)0x200000004abc = r[8]; *(uint16_t*)0x200000004ac0 = 0xfffa; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000003a40; memcpy((void*)0x200000003a40, 
"\x89\x17\xf9\x6e\xff\x00\x1e\x00\x64\x91\xda\x94\x8f\x25\xc3\xac\x36\x65\x39\x2d\x07\x7a\x28\x78\xa0\xc4\x71\x86\xfb\xb5\x96\x00\xe8\x72\x5c\x57\x48\x93\xc0\xd6\x45\x65\x1c\xd4\x96\xd4\xd6\xc4\x3d\xd8\xd9\xe3\xce\xca\x2e\x2a\x35\xfd\x60\x78\x5c\xd7\x7e\xc5\xc5\xee\xd5\xea\x44\xa8\x53\x76\x9a\x52\xcb\x3e\x89\xd0\x6c\x09\x95\xf7\x7e\x9b\x7e\xcc\x68\xfa\x52\x1a\xc4\xb1\x93\xee\x67\xdc\xce\xc0\xa7\xd1\x3f\x3c\x06\x8e\xe0\x46\xa9\xa1\x42\x01\x1c\xd4\xba\x8e\x67\xf3\x81\xe1\x67\x45\xd8\x1a\x2b\x5b\xf1\x1f\x4e\xf0\x01\x43\x30\xc9\x5f\x0f\x5b\xc8\x9d\x00\xf1\x61\x29\xa9\x63\x77\x82\xe5\xa6\xf4\xd9\x22\xe0\xf0\x74\x57\xee\x51\x5e\x1b\xbf\x56\x54\x90\x6d\x88\x7b\xa0\x2b\xee\x66\x4d\xa7\x2a\x51\xb5\xdc\xdf\x4b\xec\xca\x2d\x80\x67\xe3\x57\x53\xc0\x31\x23\x59\xef\xb6\xda\x86\x14\x9a\xfc\x10\x10\xd0\xc6\xc8\x6c\xc9\xc8\x83\x1c\xa1\x27\x6c\xa9\x68\x81\x1c\x87\xba\xab\x12\x1c\x9d\x81\x72\x73\x19\x6e\x97\xae\x66\xf3\x97\x66\x7e\x02\x3f\xc2\x33\x19\xc2\x4f\xa8\x23\x57\x22\x26\xfb\x74\x8a\xc5\x4f\xf5\x28\x23\x6b\x07\x81\xa2\x0e\xd5\x2e\x11\x69\x27\xa2\x2b\x11\xe0\xb8\xac\xeb\x36\xd2\xcf\x4a\x78\xeb\x34\x65\xfc\xb9\xc9\x49\x3e\xad\xd4\x46\x86\x76\x6f\xb2\x6d\x4d\x0a\x54\xd0\x28\x27\x3a\x5c\x60\x53\x88\x53\x4e\x49\x37\xf1\x8c\xa9\x05\x32\x44\x5f\x94\x66\x51\xf3\x63\x4e\x9b\x36\x5b\xb8\xed\x72\x42\xb9\x12\x31\xba\x06\x34\x7e\xab\x1f\x32\x00\x96\x37\x4f\xbd\x8a\x7a\x94\xc2\xfa\x71\x54\x41\x5c\x92\x3f\xd6\x6c\xd6\x26\x48\x9e\x7c\x79\xca\xd3\x9b\x66\xb0\x67\x4b\x94\x39\xb5\x7b\x79\xec\x79\x03\xd3\x5e\xc3\x14\xdb\x9d\x7e\x41\x5d\xf3\xc4\xf7\x55\x14\xb1\xc8\x3e\x9b\x6b\x27\x1d\xab\xeb\xd3\xb7\x93\xa7\x8a\xd5\xba\xef\x25\x39\x39\x34\xbc\x1b\x49\x69\xeb\x61\x28\xd3\x52\x14\x90\x47\x0f\x25\xe7\xa4\x7b\x13\xee\x0c\x47\x72\xd0\x47\x3d\xa5\x18\x44\x1b\x7b\xd3\x62\xbc\x99\xb0\x9c\xf6\x96\xbe\xb9\xe5\xf9\xd3\xd5\xe8\x8e\x9e\x96\x0e\x25\x9e\x4f\xe6\x7c\xfa\x3b\x2a\xbd\xe1\x00\x10\xf3\xc6\xa6\x0d\x26\x9a\xd1\x3e\x59\x05\x2e\x8a\xb9\x51\x40\x1d\xde\x34\x5c\x4f\xed\x4f\xea\x6d\x91\xb8\x4d\xae\xee\xbf\x4
5\xfa\x79\x98\xee\x41\xda\x06\x87\x5e\x7b\xc4\x8d\x9d\xe5\x4d\xe3\x6d\x9e\x27\x49\x5f\xe7\xe8\x8e\x02\x4e\x7d\xd3\x58\x7d\xcb\xc7\x1c\xd4\x33\xb7\x1a\x4d\x97\x2b\x02\x65\x59\xef\xbf\x17\xc2\xb0\x2b\x23\x57\xb9\xd9\x13\xa7\x64\xc9\x5c\x5a\xa7\xb3\x2f\xd2\xc0\xb6\x2b\x47\xf2\x7e\x47\x85\xe7\x6d\x85\x62\xb4\xe4\x3e\xdc\x6d\x61\x0d\x2b\x97\xdd\x1a\x1e\xe6\x5b\xd1\xef\x89\xe0\x11\x0b\x14\xc2\x02\x5b\x04\xb8\xcf\x16\xf0\xc2\xc1\xab\x89\xad\x30\xbd\xbd\x8b\x98\x94\x27\x8b\x4b\xe8\xd0\x81\x55\xec\x0c\xd2\x0f\x54\x4f\x18\xa4\xf2\x6a\x98\x0d\xec\xac\x1c\xe2\x94\x21\x27\xd8\xd0\x35\x0d\xc4\xa9\xa3\x29\x30\xaf\x33\x53\x18\x22\x31\x9d\xd1\x39\xe2\x7c\xf7\x69\xd0\x68\x87\x96\x08\xc2\x51\x7d\x59\x96\x5f\xbf\xfe\x98\x79\xaf\xd4\x87\x87\x5a\xd2\x39\x58\x6b\xbe\xca\xd1\xb0\x0e\x13\x77\x20\x3a\xbe\x3f\xc5\x82\xfa\xaf\x4f\x9e\x08\xe5\x76\x58\x81\x22\x09\xb3\xa8\x65\x3b\xf3\x9e\x12\x6b\x79\x47\x4c\xed\x54\xb7\x4f\xd4\x77\xb0\x3a\x80\x90\x6e\x34\x6d\xfc\x7f\x5a\x86\x41\x0f\x6b\xbc\x64\xa7\xff\x88\xc3\x7a\xa1\xd1\x87\x13\x31\xad\x2a\x63\xfe\xce\xa9\xb4\x3d\x3f\xad\x06\x2d\xe7\x0d\xdd\x1c\x77\x3a\xe6\x25\x68\xff\x3b\xe8\x04\x58\x3d\x3a\x5a\x10\x79\x68\x13\xcd\x4b\x51\xf6\x7b\x09\x91\x0b\x42\x7e\xb9\x28\x04\xe7\xf2\x7a\xdc\xd8\xec\x9a\xfb\x24\xe3\x15\x1b\x48\xa3\x8c\xc5\x99\x27\x99\xdf\x37\xe5\xcf\x6a\xd5\x77\x94\x1a\xd7\xe2\xca\xf1\x56\x19\x23\x69\x27\x34\x2e\x87\xb5\xb2\x60\x47\x37\x16\xa9\xba\xd7\x0b\x39\x51\xf7\x26\x5c\x20\xc0\x00\x85\x26\x67\xfd\xe0\xc4\xb7\xf2\x7a\x32\xb7\xee\x13\x3c\xbc\x65\xba\x4d\xc3\x91\x0c\x23\x75\xe1\x95\xba\x76\x54\xe2\xd2\xd4\x5f\x91\x6e\x47\xf1\x07\x59\x5a\xdc\x63\x24\x78\x40\xdf\x4e\xca\xeb\x96\x40\xfb\x66\x19\x86\xad\xd0\xdd\x02\x79\x6d\x58\x10\xf5\x1c\x93\xfd\xcf\x89\x74\xda\x1f\x10\x14\xf2\xf4\xad\xb1\x6f\x04\xe7\x33\xb5\x3a\xc2\xe8\xb4\xa8\x53\xe9\x3a\x93\x5a\x73\x20\x28\xc8\xe3\xec\x12\x0f\xc5\x41\xe5\x12\x6f\x2d\x88\xdd\x4b\xbc\xa0\x6f\xa6\x10\x16\x34\x64\xcb\x17\xf4\x5e\x7a\x2b\xe0\xe5\x1d\x8e\x45\xe3\x7c\x50\x91\xd7\x62\xce\x5b\xfd\xb6\x93\x53\xba\xf
b\x95\x5c\x25\x54\x47\x02\xdc\xf7\xd1\x39\x4a\xac\x7a\x49\xa0\x78\x7f\xf1\x68\x74\x25\xa3\x75\x24\x9c\xa3\x78\xbc\x4f\x4a\xa2\x4a\xbc\xa2\x4a\x87\x1f\xd6\x74\x25\xb2\xf6\x60\x93\xb5\xb9\x87\x24\x99\xec\x85\xfa\xef\xfb\xf4\x3f\x0a\x4d\x3e\xfb\x5c\xea\xe7\x05\xa1\xa8\xe1\xf2\xbf\x79\xf5\x53\xc1\xc9\xf3\x8b\xd0\x9f\x93\xa8\x22\xbe\xb4\x54\x74\x4d\xd1\x17\x7e\xea\x67\xb7\xbd\x6c\x42\x1e\x58\x24\x62\x02\xab\x90\x2f\x79\xe0\x15\x5f\x1d\xe2\xbf\x22\x6f\x61\xbb\x39\xbf\xc2\xfb\xa3\x47\x9f\x25\xee\xa7\xf0\x1f\x70\xbc\x08\xa9\x8e\x88\x74\xe5\xd1\x38\x42\x83\xb9\x96\x07\xea\xa5\x2e\x89\x54\x90\xbd\xb2\x1c\x81\xcb\x3b\x37\x91\xc1\xde\xce\x0e\xbc\xe6\x7c\xc4\x5b\xcb\xa2\x99\xbb\x89\x2c\x9d\x19\x50\xbf\x33\x5e\x95\x4f\xd3\x03\xc6\x5e\x1a\xfe\xc4\x8a\x3d\x3e\x10\xa4\x04\x35\x2a\x13\x02\xef\xce\xbe\x12\x54\xeb\x2b\x25\xd6\xf4\x50\xb2\x6a\x3f\x1b\xd7\xf5\x77\xe5\x4c\x95\xe5\x66\x11\x74\xd3\x27\x82\xfe\x6b\x11\x99\x65\x42\xfe\x1b\x97\x51\x39\x62\x88\xd2\x7a\x47\xe3\xc9\x8d\x1c\xc3\xf3\xab\x55\x8b\xa3\xe8\x2a\x6c\x3e\xd4\x84\x0f\x4e\x3d\x79\x36\x95\x73\xc3\x75\x34\x07\x3e\x79\xad\xfd\x23\x23\x83\x2b\x65\xe7\xa6\xc4\x5b\x72\x57\x91\x38\xe2\x26\x29\x1d\x27\x00\xda\xc3\xa1\xcc\x91\x61\x40\xf5\x4c\xb2\x8b\x34\x70\x85\x61\x89\x81\x25\x44\x36\x6f\x75\x7c\x0a\x29\x4e\xe2\xb5\xbf\x6c\x30\x8a\xd4\xdf\x23\x0d\x5a\x74\x3b\x8c\xf7\xa1\xf6\x4a\x30\x61\x98\x3f\x22\x38\x50\x26\x2c\x75\x74\xae\x48\x0a\x02\xf6\x8c\x04\x3b\xa7\xaa\x82\x2f\xf6\x45\xd4\xe4\x48\x2c\x14\xcb\xb5\x8c\x15\xf6\x5c\x98\xd1\x69\x2f\x93\x9d\x0d\x95\x58\x50\x45\x42\x4a\xbe\x5e\x58\x65\x14\x77\xf9\x1d\x0c\x1d\xaf\xb3\xf3\x3a\xf9\xe6\x9b\x79\x4e\x13\xeb\x0c\x42\x9d\xe9\xb9\x2b\xbc\x5f\x92\x82\xa2\xe6\xc9\x11\x9f\x6f\xd8\x60\x3f\xe1\x1a\xf2\xd5\x16\xc9\xa7\xad\x38\xe3\x33\x7b\x96\x9c\x3d\x95\x93\xf0\xd4\xac\x95\xc4\x4e\x7f\x47\xe8\x10\xf6\x97\x0a\x1a\x6f\x18\xf2\x09\xfe\xdc\x35\x65\x6d\xc5\xc5\x36\xb0\x39\x6a\xed\xaf\x83\xca\x46\x65\x5e\xdc\xc4\x08\x8c\x6f\xcf\xfa\x68\x9a\x87\x83\x09\xc1\x76\x7b\x21\x87\xc9\xb5\xfa\x57\x5e\xfd\x80\xe
0\x57\x4a\x57\x76\x73\xb4\x5e\xda\xc8\xb1\xc9\x12\xce\x60\xcd\x18\x29\x0d\x31\x02\x5c\x80\xeb\xa3\xd9\x97\xe4\x79\x2b\xe2\x3a\x49\xc0\x09\x4e\xe2\x85\x48\xfa\x33\x27\x5e\x6c\x28\x0b\xb6\xe0\xa0\xaa\x8e\x79\x04\xc6\x41\xcb\xcb\x3d\x99\x49\x46\xf0\xe4\xc6\xd6\xb1\x91\xd3\x46\x53\x64\x79\x3a\x69\x7f\x2c\x25\xd1\x30\x92\x3c\x79\x9a\x3a\x8d\x71\x69\xa3\x7a\xc2\x9b\xdd\xfb\x76\x6d\x51\x30\xb5\xe4\xbd\x43\x97\x8a\xad\x35\x49\x05\x2c\xf6\xf5\x64\x76\x80\x52\x03\x23\x46\xae\xf8\xf5\x84\x4b\x97\x04\x84\x2c\x0f\x1f\xa7\xd2\x6c\x69\x71\x88\xc0\xe8\x64\x16\x58\xd6\xd2\x99\xa6\x1f\xf1\x40\xa4\xb9\x4f\x04\xf6\xec\x06\xff\xca\x6e\x57\x4b\xdd\x60\x03\x72\xed\x5d\x16\x6a\xee\xae\x4f\x24\xe1\xec\x3c\x21\x2f\x05\xaa\x85\x37\xf0\xab\x83\x1e\x47\x2f\x32\x16\x4a\x08\x87\xc6\xf4\xe4\x25\x32\x56\x5f\x05\x5a\x8c\xd4\x35\xe9\xcc\x91\x08\x96\x7e\x42\x2c\x6d\x0e\x74\x06\x33\xc9\x77\x84\x71\xef\xa8\xa4\x4a\xb5\x5a\x06\xbd\xb6\xb8\x17\xf8\xa6\xcc\x55\xd5\x2a\xce\x6e\xc4\x38\xad\x4f\xbe\xe7\xc6\x4e\x00\xfc\x65\xc7\x6a\x36\x16\xc3\x5f\xb7\x1b\xb6\x08\x4f\x44\xf8\x08\x3d\xff\x56\xd7\x71\xe1\xd3\x23\x58\x4b\x82\xf1\x05\xe0\xa2\x11\xce\xae\x9a\xfc\x0f\x5e\x61\xa2\x64\x94\x76\x44\x0c\xf6\x8d\x9a\xbf\xfb\x48\xde\xcd\x0e\x8d\x2e\xd1\x09\x07\xd3\x5e\x39\x0d\xaa\x1e\xef\x83\xda\xc8\xab\x44\xe2\xac\x58\x86\xf6\x23\x5f\x6b\xd7\xb6\x9f\xf3\xc0\x98\xb5\x58\x89\x49\x08\xd4\xcd\x28\x24\x7f\xb6\xec\x4b\xb5\xb1\x63\xf6\xb2\xee\xf3\x86\xe7\xce\x26\xde\x75\x9b\xd6\xe2\x4e\x46\xaa\x2b\x38\xf0\xa4\xe6\xa4\x78\x5a\xf1\x4b\xd6\x03\x5a\x32\x6c\x29\xaf\x21\x5a\x4c\x1c\x45\xae\x76\x7b\xd7\xe6\xdb\x1b\xae\x69\xbe\x04\x5e\xf0\xb1\xeb\x39\x34\xac\x5e\xbe\x3a\x4c\x1d\xd5\x9b\xb9\x60\x53\xbe\xeb\x55\x61\xb5\x21\xc4\x78\x52\xd9\xa2\xc6\x6c\xfa\xf8\x2c\x2a\x01\x6e\x5d\xe7\x29\xea\x0e\x0c\xe4\xf9\x80\x85\x79\x2b\x5e\x5a\x80\x2c\xd7\xfb\xac\x9e\xf3\x8e\x20\x3e\xbb\x36\x51\xf1\xb3\x0a\xf6\xea\x29\xfa\x17\x9f\x8b\x19\x26\x41\x60\x4b\xe0\x29\x29\xda\xff\xad\xd6\xc9\x7b\xa4\xcd\x56\x79\x0c\xc2\x43\xd0\x47\x0e\xb8\xc1\xae\x78\x12\xda\x6
6\x6b\x0b\x32\x9f\xb3\xf0\x4f\x78\xe2\x5a\xd1\x7b\x4b\x39\x78\x13\x82\xad\x93\x7e\x08\xad\x34\x48\xb6\x32\x38\x18\x5b\x98\x22\x42\x19\x0f\xd1\xe4\xad\x8f\xbb\xa5\x5d\x6a\xbf\x96\xe0\x16\xe1\xd9\x8d\x37\xd5\x1c\x2e\xe1\xe4\x1f\x54\xf8\xac\x7e\x03\x8e\x36\x16\xf5\x69\xd0\x24\x69\x0e\xa3\x03\xbe\xc6\x98\xbe\xb9\x8b\x9e\xa4\x9f\x6b\x87\xe3\xf7\x10\x49\x97\xa6\xad\x7d\x33\xdb\x8f\xb7\x9a\xda\x8c\x5f\x7f\x54\xee\x17\xf7\xb3\xd8\x6a\xa1\x53\x2b\x43\x9c\xd8\xde\x90\xb5\xfd\x7f\xc3\x32\x56\x80\x06\x1d\x93\x19\xd1\x83\x5e\x60\x3f\xaf\x79\x33\xbf\xd6\x0d\x73\x39\x65\xf0\xf2\x5a\xdf\x39\x45\x09\x2b\xb9\x9e\x95\x34\x66\x02\xfa\xf6\xaa\xbe\xb3\x3c\xbc\xa3\xb2\x19\xb4\xf8\xaf\xaf\xe8\x25\xc6\x62\x7c\x0c\x7b\x00\xc3\x38\x75\xb6\x9d\x01\xc0\x8b\x90\xe6\xfa\x64\xf0\x9b\x42\x93\x2e\x1c\xcc\x9b\x3d\xa3\x67\x71\x66\x7d\x5b\xb7\x53\x1a\x2a\xc1\x74\xbc\x41\x2d\xff\xad\x7c\x6f\x8f\xd4\xda\xd3\x30\xfb\x41\x5a\x97\xe8\x13\x6c\xd5\xc0\xbb\x7d\x00\xd2\xb2\xc9\x56\x93\x6c\x9f\x5f\x74\x7e\x3c\x9a\x36\x1d\x79\xd0\x48\xcb\x3f\x52\x8f\x18\x7f\x9b\xba\x5d\x78\xd7\x30\x9b\x1b\x25\x6f\xbb\x34\x9c\xd5\x29\x45\x54\x1a\x5a\x57\x80\x9f\x2d\x71\xa8\xe8\x05\x57\xb2\x3b\xe4\xfb\x31\xca\xdd\xc5\x95\x53\xb6\xbc\x0f\xaa\x16\x5e\x4a\xb1\xf8\x27\x9c\xa6\xe3\x07\xce\x79\x20\xc4\x3b\xdb\xad\xec\x04\xef\x8b\xe7\x0d\x57\xaf\x59\x8d\x1d\x8a\x89\x6a\x09\x52\xb2\x3c\xba\x46\x4e\x0e\x9b\x36\x25\xf9\x93\xdc\x12\xc8\xf7\x74\xe8\x7d\xa0\x51\xec\xa4\x9b\xd1\x4e\x4e\x2e\x27\x0c\xf7\x5d\xc8\x34\x3b\x2a\xd4\xb0\xa2\x17\x8c\xb5\x57\xc6\xd0\xeb\x1a\x0b\x23\xed\x92\x58\x0c\xe5\xad\xa7\x8c\x2b\xb1\x0d\xdd\x25\xd4\xbb\x14\x7d\x61\xa0\x0f\x5e\x1d\x1d\x5c\x88\x8d\x47\x42\x4c\x04\xde\x7d\x41\x38\x4e\x2c\x68\x8a\x57\x35\x8d\x05\x81\x4a\xd9\x17\x13\x5a\x80\xec\xcd\x1d\x1f\x14\x72\x42\xa5\xda\x4d\xad\x08\x38\x32\x2e\x9a\x2f\xa5\x31\xfb\xb6\xb0\x83\x2b\x67\x00\xf8\x72\x79\x84\x6c\xe2\x33\x16\x79\xb8\x2f\x04\xfe\x1b\xe1\xe8\xce\x9f\x61\x0b\x63\xff\x30\xad\x0b\x76\x97\x78\x17\x73\x9a\x29\x5c\x9e\xc9\xdc\xf1\x1f\x81\xa6\x76\x19\x40\x73\x04\xc
1\xd5\x94\xc5\x19\x6d\xb1\xbd\xeb\xfe\x03\xf2\x2a\xda\xac\x92\x53\xd7\x53\x96\x71\x38\xbc\x9d\x2c\xf4\x73\x54\x91\xd2\x74\x5c\x23\xe5\xd2\x29\xc7\x46\x27\xdd\x19\x1b\xc6\xc0\x38\x51\x39\x14\xdb\xdc\xfa\xcb\x8b\xcb\x28\x14\xdc\x52\x5e\xda\xd8\x89\x52\x09\x99\xfc\xe6\x44\x69\xc6\x06\x94\x40\x59\x61\x51\x84\x41\xc3\xe8\x44\x53\xaf\xa3\x49\x9e\x3a\x89\x83\xb5\x7f\x94\x59\x3e\x86\x64\x71\x9d\x5e\x65\x98\x42\x2b\xb8\xcb\xc5\x16\x20\xb2\x59\x41\x3b\xea\x16\x49\x0b\xbe\x6c\x9a\x72\xbf\x21\xf6\xb4\xd4\x99\x37\x1a\xd9\xfc\x82\x77\xdd\x3f\x2f\x75\x23\xcc\x5e\x6c\xee\xbf\x74\xfc\x39\x44\x13\x6b\x2d\x56\xda\xa2\x04\x03\x74\x31\x9a\x1c\x83\xc3\xbb\x0c\x96\x2d\x32\x1d\x80\x39\x17\x0b\x98\xb6\x04\xc8\xed\x42\xc5\x96\x31\x4a\x01\x13\x9c\x9d\x36\xcc\xd6\xf2\xcb\xd3\x11\x3b\x2c\x9d\x4e\x19\xf0\x86\x94\x46\x36\x10\xa3\x68\xf8\xac\x74\xf2\x97\x94\xf1\x45\x60\xe0\xa3\xd4\x81\xc6\x73\x41\x0a\xd9\x46\x65\x81\xaa\x2a\x33\x4f\xf3\x80\xa1\x00\xfb\x04\x9a\xd8\x19\x6e\xb4\x78\x4e\xa1\xbe\xdc\x13\x9a\x70\x54\xf1\x8a\x8d\x44\xbc\xa0\xa3\xd0\x12\x2f\x5d\xc3\xa1\xc4\xd2\x9b\xde\x35\xe3\x32\xbd\xf2\x8c\xb9\xb9\x85\x43\xad\x3e\x33\x14\x3a\xf8\x79\x03\xb5\x62\x4f\x62\x30\x55\x98\xde\x27\x58\x33\x20\x8e\xc8\x37\x06\x82\xad\x9f\x0f\x9a\xc6\x4c\x43\x90\x44\xa2\xde\x30\x33\x46\x87\x34\xf4\x92\x66\x13\x88\x59\x69\x5b\x60\xa6\xfb\x45\xd7\x94\xb8\x71\xc1\x9c\xbe\xdf\x59\xb7\x64\x45\x3b\x78\xcf\xea\xd4\xc5\x01\xb1\xf8\xc0\xff\x82\x7b\x70\x29\x73\x92\x69\x7a\xdb\x13\xce\xff\x2f\x13\x9b\xff\x3b\xa2\x38\x79\x8a\x07\xfe\x5f\x55\xa0\xef\x5b\x75\xcc\xb4\x98\xbb\x89\x43\xba\xb4\xa6\x71\xf1\x25\xfb\x06\xf2\xe5\x9f\x77\xfd\xb0\x2c\xb2\x3e\x86\x87\x56\x8d\xc0\xd5\xc4\x86\x09\x94\xa3\x7c\xca\xb3\x65\xd7\xa7\x08\x03\xc6\xa6\xf4\x8f\x5b\x3f\xf1\xcb\xdd\x51\xd8\x96\x1f\x97\x3c\x70\x33\x75\xd2\x52\xe6\xc5\xa0\xff\x13\x3b\x59\x72\x43\x13\xf9\x88\x84\x1b\xd6\x1e\xc2\x97\x67\xa4\x60\x8a\x5b\xc4\x5b\x10\x4e\x4f\xc9\x82\x61\xe4\x54\x0a\x10\x38\x2a\x49\x5d\x64\xdd\x5f\x6c\x03\x90\x66\xd9\xd3\x58\xef\xb1\x66\x71\x17\x8e\x88\x4f\x0
7\x0a\x07\xfd\x02\xa0\x0b\x63\xb7\xf5\x75\xf6\x42\xbf\x91\xee\xc3\xbb\x90\xdb\xa9\xa2\x1d\xf3\x17\x9c\xf1\x2e\xa9\x52\x5d\x09\x74\xd6\xfc\x44\xbf\x69\xfc\x54\xf8\xa5\xff\x98\x67\x06\x67\x8d\x7c\xe0\x6c\xce\x44\xdf\x29\x74\xb9\x66\xe6\x7a\xca\x31\x4e\x0b\x58\xac\xc4\x15\x54\xa4\x42\xef\x35\x87\xab\xba\xf1\x82\x95\xec\xa5\x9c\xa8\xa1\x0e\xdd\x3f\xbd\x1f\xac\x0b\x06\x01\x3d\xe5\xf7\x33\x37\x51\xc5\x7d\xeb\x4d\xae\xf9\xe4\xc5\x5e\x93\x74\x1e\xd1\xd2\xf7\xf9\x63\xcd\xed\xc6\xef\xdb\x5d\x8b\x14\xd7\xd6\x12\xe2\x61\x2f\x30\x96\x6f\x4e\x67\x60\xd1\xa4\x6f\xbe\xe5\x0d\xcc\xff\xc0\xb2\xe5\x17\x7b\x1c\x60\x27\xad\xae\xe0\x90\x75\xb6\x55\xcf\x85\xdd\xbb\x4e\x44\x83\xd5\xde\x7b\x38\xa9\x10\xf9\x96\x71\x1c\x05\x8c\x1b\x97\xe6\x21\x27\x48\xc8\xcc\x7d\xe8\xcf\x7a\x56\xaf\x75\xe2\x91\x86\x7c\x26\x88\xe9\x99\xc6\x55\x3d\x7a\xaf\x3d\x2f\x62\xc2\xf5\x3b\xf8\x8c\xf2\x04\x40\x07\xdb\xe9\x29\x85\x65\x31\xb0\xad\x6b\x48\xa6\x11\x8b\xf3\x5c\xce\x82\x7e\x5d\x0c\xd2\xa1\x9b\x3f\xc3\x73\x95\xe1\xce\xd2\x13\x7f\x0c\x72\x6f\x5c\xc9\x91\x33\x3a\x0f\x07\x94\xda\x0b\x6d\x75\x73\x74\x21\x7e\xae\xbc\xbb\x6d\x87\x43\x1f\x08\x9a\x57\x10\x2c\xa5\x37\x3b\x8d\x73\x0a\x92\x02\x60\x59\xc6\xa8\x80\x94\xe9\xc6\x29\xd8\x1e\xcc\xf8\x6b\x4e\x8f\x09\x1d\x32\x55\x63\xd1\xf4\x01\x6c\x97\x97\x2c\x58\x4b\xc7\x6d\x1f\xb4\xed\x94\xb7\x21\x34\x4d\x00\xcc\x67\x24\xf5\x64\x9d\xfe\xd8\x4d\xc5\x11\x58\x3e\x1a\x08\xa4\x3c\x24\x09\x93\x41\x72\xff\x3f\x0d\xfc\x93\x99\x6b\x84\x79\xc0\x50\xdc\x19\x30\x9a\xa9\x98\xf7\x09\xed\xa3\xb3\xcf\x80\x6b\xec\x71\x7e\x17\x18\xb8\xcc\x10\x06\x0b\x33\x5c\x46\xf1\x7c\x52\x2a\xc0\xbb\x69\x6f\xb4\x39\x3a\x94\x50\xbe\x5f\xa7\x55\xea\x0d\x71\xb3\x0a\x84\x31\x51\x5c\x44\x63\x90\x15\x4b\xc2\xa4\x95\x1b\x3f\x15\xf4\x19\xce\x20\xb0\x30\x2b\xd9\x00\x25\xd8\x3c\x47\xa0\x18\xf6\x88\x6a\xb1\xfb\xb7\x57\x7d\x5c\x06\x6b\xab\x23\xd8\x41\x89\xcc\xff\x63\x40\xa3\xca\x41\xdf\x5c\x6d\x99\x4b\x26\xb8\xfc\x34\xc6\x90\xdf\xb2\x29\xc8\x37\x60\x22\x4b\xdc\xe8\xe8\x67\xd1\xf5\xa0\x97\x73\x6d\x3f\x19\xd8\x22\x9f\x91\x4
3\xac\x03\x70\x93\xd4\xcc\x32\xab\x10\x4b\x58\x28\xf1\xcc\x84\x49\x5a\x68\xd7\x67\xb7\xfb\xd7\x25\xd4\x34\x71\x9a\x36\x01\xb5\xfb\x23\x36\x4a\x5e\x41\x51\xc6\xf9\x15\xce\x53\xf7\xde\xbb\xb9\xf1\x5b\x81\x1c\xb0\x2b\xb8\x73\x94\xff\xb6\x1e\x8b\x8a\xe5\x74\x9d\xc7\x43\x2b\x51\x6b\x8a\x62\x79\x90\x53\x7b\x9c\xdf\xd2\xa0\x94\x39\xb7\xdc\x04\x39\x97\xe0\xf5\x90\x36\xab\x34\x70\xaf\x1b\xc7\x67\x10\x11\xe5\xb4\x72\xe3\xf6\xad\x45\x6b\xa7\x06\xd5\x50\x66\x1c\xbc\xf6\x10\x7e\x9b\x7e\xe4\x9a\x82\x05\x2d\x90\x1b\xb7\x9f\xb1\x8d\x82\x21\x6a\xee\xfa\x2e\x76\x39\x0f\x80\x94\x3c\xc8\x56\xa0\x08\xc7\x25\x6b\x84\xd8\x85\x7f\xa6\x34\xad\x7d\xd4\x50\x13\x86\xbb\xab\xe2\x38\xa5\x8a\xec\xb7\x7a\x0d\xe5\xff\xaa\xa5\x63\xa1\x96\x8b\x72\xb9\x2b\xa5\x8d\x1a\x1e\xf6\xf9\xed\x04\x9f\xf3\x8b\x7f\xc3\x42\x27\x46\x16\x31\xfe\xc6\x53\xe7\x81\xf1\x57\xec\x73\x86\x36\x2b\x66\x77\x8a\xfc\x89\x82\xcd\xae\x50\xe1\x29\xf4\x32\x9b\xfe\x35\xcd\x9d\xa3\xd5\x75\x22\x04\xfa\x72\x75\xcc\xbc\x01\xab\xf8\x5c\x6c\xf3\xab\x9e\xab\xb2\xea\x7a\x1c\x77\x9e\x67\x3d\x0f\x95\x16\xb1\x85\x15\x4d\xc8\x3c\xc5\xf6\x93\x70\xe3\x14\x19\x8b\x7f\xa8\x3c\xe5\xc5\xc9\x1c\x2c\x50\xe5\x44\x89\xb3\xa6\x70\xa3\x30\xa4\xe4\x9f\xca\x51\x7c\x83\xa9\x53\x2c\xbc\x7e\xdc\x84\x0c\xd0\x10\xb3\x7e\xcc\x75\x37\x45\x30\x16\xed\x1a\xb4\x45\xe4\x5f\xc1\x23\x8b\x14\xe2\xf8\xf9\x31\x66\xcb\xf7\xd3\x8b\x85\x28\xba\xa0\xfa\xd3\xe9\xe7\x6f\x4b\x32\xee\xbb\x60\x52\x68\x81\x62\x0b\xca\x5b\x11\xac\x06\x3d\xbe\x21\x69\xe5\x43\x78\x43\xf6\xd2\xd4\x86\x85\x5a\xd5\xf1\x92\xb2\x68\xb2\xf3\xeb\x25\xde\xea\xbd\x2d\xe8\x9c\x48\xba\x28\xf1\xee\x2c\x84\x65\x86\x56\xc3\x37\x33\x9b\x53\xac\xf9\x88\xba\xf2\x9a\xc5\xc9\x19\x9e\xc7\x91\x2b\x28\x94\x09\x34\xbc\x02\xb1\x31\xd1\x46\x13\x54\x62\x6b\x69\x08\x35\xba\x09\xab\xaf\xa0\xca\x7f\x51\x55\x79\xe5\x33\xc4\xbb\xfd\xa2\xbc\x9f\x2f\xae\xdd\x35\x38\xce\x8c\x1e\x36\x06\xea\x98\x39\x5e\x0f\xf8\x84\x92\x04\x5f\x47\xcc\xa8\x5f\x4a\xf1\x6f\x95\x0a\xbb\xf3\xf2\x22\x9d\xe5\x8e\xa2\xb4\x56\x92\xd4\xba\x84\x3e\x70\xe5\xae\xed\x2
9\xf6\x88\x07\x13\x8a\xaf\x5c\x99\x4b\x30\xd4\x73\x11\xeb\xb9\x69\x10\x76\x77\xdc\xf0\x07\xf6\x4d\x0b\x32\xc3\x60\x0c\xd3\x2b\xd4\x2c\xa6\x9e\xe4\x6d\x78\x6c\xf0\xcf\x94\x96\xbc\x51\x60\x2c\x98\x9f\xc5\x4f\x76\xc4\xd3\x83\xce\x41\x4a\xf4\x5f\xc9\x48\xe5\xb9\x71\xe3\x02\x0a\xf4\x47\xc5\x89\xb0\x99\x56\xc9\x03\x3d\x09\x04\xd6\x44\x5d\x7e\x9f\xff\x7c\x90\x39\x39\xf7\x9c\x2d\x4c\x30\xb6", 4096); *(uint64_t*)0x200000004ad0 = 0x200000004a40; memcpy((void*)0x200000004a40, "\x88\x4f\x38\x13\x09\x89\x6a\x88\x17\x38\x89\x99\x4e\x74\xc6\x06\x94\xf7\xba\xa4\x5b\xe0\x88\xe5\x9b\xc3\xe9\x39\x72\x82\x57\xe8\xd2\xdb\x71", 35); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[10] = *(uint32_t*)0x200000004a88; break; case 19: *(uint32_t*)0x200000004d40 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000004c40ul, /*optlen=*/0x200000004d40ul); if (res != -1) r[11] = *(uint32_t*)0x200000004c74; break; case 20: *(uint32_t*)0x200000004e00 = 7; *(uint32_t*)0x200000004e04 = 0xee00; *(uint32_t*)0x200000004e08 = -1; *(uint32_t*)0x200000004e0c = 8; *(uint32_t*)0x200000004e10 = 0x80; *(uint32_t*)0x200000004e14 = 5; *(uint16_t*)0x200000004e18 = 0xfffc; *(uint32_t*)0x200000004e1c = 1; *(uint64_t*)0x200000004e20 = 7; *(uint64_t*)0x200000004e28 = 5; *(uint64_t*)0x200000004e30 = 0xbed1; *(uint32_t*)0x200000004e38 = r[5]; *(uint32_t*)0x200000004e3c = r[7]; *(uint16_t*)0x200000004e40 = 1; *(uint16_t*)0x200000004e42 = 0; *(uint64_t*)0x200000004e48 = 0x200000004d80; *(uint64_t*)0x200000004e50 = 0x200000004dc0; memcpy((void*)0x200000004dc0, "\x05\xc9\x21\x56\x87\xa3\xff\x17\x47\xca\xe5\xc1\x8c\xb1\x86\xed\x5c\x62\x98\x43\x37\xf9\x0f\x0a\xb5\x94\x8e\x21\xc6\x3d\x16\x86\xf1\xda\x14\x59\xa8\x97\x18\xa9\xf8\x49\x30\xb8\x92\xc2\xad\x4d\xe6\x1f\x71\x4a\xb8", 53); res = syscall(__NR_shmctl, /*shmid=*/5, /*cmd=*/2, /*buf=*/0x200000004e00ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004e04; r[13] = 
*(uint32_t*)0x200000004e08; } break; case 21: *(uint32_t*)0x200000004f00 = 7; *(uint32_t*)0x200000004f04 = -1; *(uint32_t*)0x200000004f08 = -1; *(uint32_t*)0x200000004f0c = 1; *(uint32_t*)0x200000004f10 = 0; *(uint32_t*)0x200000004f14 = 0x98; *(uint16_t*)0x200000004f18 = 4; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 6; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 5; *(uint64_t*)0x200000004f30 = 0xc; *(uint64_t*)0x200000004f38 = 0x1ff800000; *(uint64_t*)0x200000004f40 = 8; *(uint64_t*)0x200000004f48 = 0x7f; *(uint64_t*)0x200000004f50 = 3; *(uint16_t*)0x200000004f58 = 0x101; *(uint16_t*)0x200000004f5a = 8; *(uint16_t*)0x200000004f5c = 0x1000; *(uint32_t*)0x200000004f60 = r[5]; *(uint32_t*)0x200000004f64 = r[8]; res = syscall(__NR_msgctl, /*msqid=*/4, /*cmd=*/0ul, /*buf=*/0x200000004f00ul); if (res != -1) { r[14] = *(uint32_t*)0x200000004f04; r[15] = *(uint32_t*)0x200000004f60; } break; case 22: *(uint32_t*)0x200000005080 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000004f80ul, /*optlen=*/0x200000005080ul); if (res != -1) r[16] = *(uint32_t*)0x200000004fb4; break; case 23: *(uint32_t*)0x2000000052c0 = 8; *(uint32_t*)0x2000000052c4 = 0; *(uint32_t*)0x2000000052c8 = 0; *(uint32_t*)0x2000000052cc = 0x7f; *(uint32_t*)0x2000000052d0 = 5; *(uint32_t*)0x2000000052d4 = 0x80000001; *(uint16_t*)0x2000000052d8 = 0x43; *(uint32_t*)0x2000000052dc = 7; *(uint64_t*)0x2000000052e0 = 2; *(uint64_t*)0x2000000052e8 = 0; *(uint64_t*)0x2000000052f0 = -1; *(uint32_t*)0x2000000052f8 = 0xf; *(uint32_t*)0x2000000052fc = r[7]; *(uint16_t*)0x200000005300 = 2; *(uint16_t*)0x200000005302 = 0; *(uint64_t*)0x200000005308 = 0x2000000050c0; memcpy((void*)0x2000000050c0, 
"\xbc\xc4\xb5\xd8\x6e\x91\xb0\x2b\x73\xe1\x6c\x46\x65\xdc\x30\x88\xf7\xcc\x98\x26\xda\x78\x07\xf9\xa8\x30\x0d\x9d\x89\x80\xde\x67\xa1\xa2\xa1\x53\xe9\x54\x66\xe7\x6d\x2c\x38\xc4\x15\x58\xc0\x8e\xfe\x37\xee\x81\xd9\x90\x46\x74\xce\xd8\x6d\xda\x9b\x2b\x6c\xc7\xc9\x7b\x19\x97\x58\xbe\xf8\xd9\x2d\xd2\x0e\x0e\x69\x86\x4d\x6f\xcd\x03\xa8\x0c\xa0\x12\x01\x9c\xf4\x1e\x51\x66\x47\x50\x38\xfc\xd3\x60\x33\x84\x36\xe7\x82\x7e\xf7\x30\x46\x91\x87\xe6\xa4\x95\xf5\xbf\x01\x8e\xe7\xca\xa7\x1c\x80\x4a\x38\x67\x56\xc3\x24\x2b\x30\xec\xa0\xb8\x41\x16\x6d\x78\x39\xe9\x4a\x56\x39\xd0\x8f\xbc\x06\xda\xc1\xf8\x61\x49\x44\x56\xd8\xd1\x53\xde\x7f\xc3\x03\x87\xd4\x52\x30\x4e\x7c\x30\x69\xbb\xfb\x42\x43\x91\xd0\x4f\xab\x12\x03\x7c\x6d\x6a\xe6\x02\x5d\xf8\x69\xfa\x3a\x45\xe0\x31\x48\xc2\xdd\x05\x2c", 195); *(uint64_t*)0x200000005310 = 0x2000000051c0; memcpy((void*)0x2000000051c0, "\x0b\x7d\x67\x85\x2a\x6f\x3d\x89\x68\xf4\x76\xad\xad\x16\x72\xe6\xdc\xfc\xeb\xe8\xe6\x24\x9d\x8c\xc7\x2d\x1a\x05\xc2\x8a\xcd\x3d\xed\xa6\x43\x14\x81\xc8\x8e\xe1\xc2\xc0\x99\x44\xee\x73\x33\xd9\xd1\x6b\x3f\x9b\xd1\x86\xbe\x36\x21\x0e\x7e\x52\xfd\xac\x24\x09\x97\x73\xc0\x7a\xf6\xf1\xa9\x40\xe4\xba\xec\x3a\xda\x47\x66\xe3\x80\x14\xad\x52\x7a\x5d\xf7\x7c\x90\x61\xc5\xa4\xca\xcc\xc4\x8b\xcf\x15\x62\x20\x7f\x8d\xb0\x4d\x60\x8a\x82\x3c\x71\x97\x9b\xda\xf7\x02\xb9\xa6\xec\x8f\x62\xf2\x3d\x31\x6b\x69\xa8\xe4\x0f\x1c\xd7\x92\x58\x5f\x34\xd8\xff\x6c\x70\x56\x41\xdb\xc0\x9a\x02\x45\xef\xad\x32\x6c\xa8\x4d\x8c\xa3\x9d\x29\xcc\x33\xa4\xa3\xfb\xe7\x6c\x24\x0d\x05\x5e\x26\x1e\x16\xd6\xbb\x5d\x9c\x23\x1f\xe3\xc9\xe8\x4f\xe5\x95\x65\xbe\xfc\x53\xfe\x9d\x11\x9e\xb5\x0c\xe0\x4e\x6e\x3c\x1d\xf2\x16\xae\x69\xc3\x13\xd8\x0b\xb6\xa7\x7e\x21\x9b\x94\x51\x65\x72\xee\xaa\x39\x8b\xfe\xa6\x49\x33\x5a\xe8\x11\x4c\xb0\x57\x42\x36\xf4\x61\x31\x67\xd9\x75\x8b\x53\xb6\x6c\xb6\xba\x75\xd7\x5a\xf9\x2f\x3c\x6e\x63\x8b\x82", 250); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/5, /*buf=*/0x2000000052c0ul); if (res != -1) { r[17] = 
*(uint32_t*)0x2000000052c4; r[18] = *(uint32_t*)0x2000000052c8; } break; case 24: memcpy((void*)0x200000005340, "./file0\000", 8); *(uint64_t*)0x200000005380 = 0x355; *(uint64_t*)0x200000005388 = 0x100000001; *(uint64_t*)0x200000005390 = 5; *(uint32_t*)0x200000005398 = 7; *(uint32_t*)0x20000000539c = -1; *(uint32_t*)0x2000000053a0 = 0xee01; *(uint32_t*)0x2000000053a4 = 0; *(uint64_t*)0x2000000053a8 = 7; *(uint64_t*)0x2000000053b0 = 2; *(uint64_t*)0x2000000053b8 = 2; *(uint64_t*)0x2000000053c0 = 6; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000053d0 = 7; *(uint64_t*)0x2000000053d8 = 4; *(uint64_t*)0x2000000053e0 = 0xfff; *(uint64_t*)0x2000000053e8 = 0x17b; *(uint64_t*)0x2000000053f0 = 0xffffffffffff27a1; memset((void*)0x2000000053f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000005340ul, /*statbuf=*/0x200000005380ul); if (res != -1) r[19] = *(uint32_t*)0x2000000053a0; break; case 25: *(uint32_t*)0x200000006480 = 7; *(uint32_t*)0x200000006484 = 0xee00; *(uint32_t*)0x200000006488 = 0; *(uint32_t*)0x20000000648c = 0; *(uint32_t*)0x200000006490 = 7; *(uint32_t*)0x200000006494 = 8; *(uint16_t*)0x200000006498 = 0x3ff; *(uint32_t*)0x20000000649c = 0x10; *(uint64_t*)0x2000000064a0 = 2; *(uint64_t*)0x2000000064a8 = 8; *(uint64_t*)0x2000000064b0 = 0x7fffffff; *(uint32_t*)0x2000000064b8 = r[8]; *(uint32_t*)0x2000000064bc = 0xffff; *(uint16_t*)0x2000000064c0 = -1; *(uint16_t*)0x2000000064c2 = 0; *(uint64_t*)0x2000000064c8 = 0x200000005440; memcpy((void*)0x200000005440, 
"\x4c\xf7\x7c\x89\xa8\xa3\x6d\x9b\x71\xd1\x6c\x43\xca\x99\xca\xec\x65\x90\x56\x4d\x89\x51\x86\x4c\xcc\xc3\x48\x10\x2a\x77\x79\xcd\x97\xd9\x51\x00\x3a\xe8\x76\xa9\xa0\x30\x1c\x11\x86\x7f\xf6\x43\x2c\x9c\x54\xbd\x04\xee\x43\x3f\xce\x5f\x5d\xb9\xeb\x71\xb7\x62\x21\xd2\x84\xc7\x8d\xc7\xdb\x27\x84\x0c\xa0\xb1\xe9\xa5\xa1\x19\xf0\xd7\x4f\xf6\x48\x5b\x52\xa9\x86\xa6\x71\x7f\x3c\xfd\x72\x6d\x0a\x6a\x03\x8b\xed\x21\x89\x34\x4a\x3d\x14\xc2\xf1\x19\xbf\x2e\x54\x3f\xe4\xe7\x16\xbc\x4c\x5b\xec\x83\x76\x7d\xa2\xf9\x7d\x1c\xce\x4b\x26\x96\xbc\x5f\x99\x89\xfd\x42\xdc\x97\xa0\xc1\x6c\xdc\x2f\xa9\x67\xad\xaa\xa2\xba\xc7\x30\xe2\xcb\xda\x74\x4d\xc3\x12\x1e\x3f\x01\x5b\x66\xea\xe8\x91\x56\xb2\x62\x63\x9f\x95\xbb\x01\x4a\xba\x78\xbf\x2a\x48\x01\x49\x9b\xf3\x82\x68\xd7\x7d\x99\x49\x4a\xef\x48\x6b\x9b\x38\x8a\x1e\xba\xcb\x4b\x77\x1a\x52\xbf\xa2\x99\x90\xe9\x36\x18\xaf\x03\x76\x2f\x95\x3e\x34\x80\xfe\x01\xdd\xe9\x2c\xa7\x83\x5c\xcd\x5e\x88\x64\xdb\xc9\x10\x0d\x25\xc4\xfa\x63\x2c\x9f\xeb\xdd\xfd\xb1\xe7\x7f\x1b\xcd\x76\x79\xea\x46\x89\xd2\xc8\x50\x4e\x50\xaf\x69\x52\xc8\x89\xd3\x28\xc1\x2c\x66\xc9\x0d\x8e\xad\x36\x92\x70\xd9\x4e\x5a\xa3\x42\xfb\x23\x87\xdc\x7c\xfe\x6e\xde\x70\x54\x64\x98\x5f\x30\x1f\xeb\x34\xb0\x02\xcc\xef\xb8\x0f\xde\x10\xd9\xfc\x1c\xb3\x9b\x5f\x87\x75\x24\x98\x6d\xd1\x24\x47\xa7\xc9\x6f\x63\x50\x7c\xb4\xd8\x80\x68\xed\xfd\x77\x48\xfb\x2b\x66\x7a\xe1\xae\xdb\xb4\x16\x37\x75\x74\xd7\x0a\x3f\x6d\xe4\x6e\x4a\x3e\x5c\x14\x9a\x64\xa4\x36\x46\x66\xbd\x99\xfd\xb0\xe4\x13\xa1\x33\x5b\xa9\x32\x57\x5d\x1e\x92\x28\x50\x8d\x61\x4b\x66\x3a\xb1\x7a\xcb\x21\xb2\xac\x4d\x36\x18\xa6\x59\x43\x80\x4d\x5b\xa5\x2c\xbb\x04\x3a\x96\x19\x86\x12\x02\xb5\x05\x14\x0e\x48\x44\xb8\xce\xb6\xfa\xf5\x02\x42\x23\xd9\x63\x6c\xb0\xbe\x38\x4a\x4c\xc1\xdd\x3d\x4f\x35\x76\x29\x52\x1a\x07\x69\x84\x18\xdd\x1a\x97\xc3\x94\x17\x19\x6f\x86\x1a\xfb\x05\xbd\x70\x2f\x4c\xcd\xc3\xd4\x4b\x5a\x41\x93\x37\x8b\x93\x6f\x53\xc5\xc4\xb0\x9c\x98\x58\xbe\x95\xe3\x49\xba\xeb\x7e\xb4\xda\x30\x94\x00\xa4\xdb\xb0\x8a\x24\xd0\xbb\x3
7\x72\xbe\xe7\xa3\x87\x3c\xf8\xd7\x6e\x06\xdf\x6f\x7c\xe5\x91\xf4\x0b\xdc\x84\x9e\xa0\x4c\xad\xe8\x86\xf0\x75\xe1\x45\x8f\x02\x1f\x1b\x73\x0b\x0c\xb5\xc3\x28\xb9\x11\x41\x2a\xee\x96\x16\xab\x5f\xdc\x83\x1e\x34\xce\xa6\x9d\xe1\xa4\x08\x06\xaa\xfd\x4e\x64\xd3\xcd\x70\xc1\xa6\xc6\xf6\x36\xd3\xbb\x94\xc9\x95\x97\x7c\x59\x4f\x0f\x4e\x90\xd7\xae\xc4\x3f\xec\x4c\x8a\xa7\x07\xd0\x0d\xfa\x26\xff\x9d\xb8\xa4\x5e\x6a\xc6\x5b\x5e\x5c\xea\xc4\x3f\x78\xb5\x0f\x1e\x4f\x49\x4c\x85\x82\x7b\x3f\x0e\xa1\xf7\xa4\xfe\x3b\xbb\xd3\x90\xe3\x61\x66\x28\xed\x47\x70\xdd\x36\x66\x94\x89\x35\x13\xdc\x1c\xd2\x52\xd3\x88\x7a\x2f\x19\xa8\x46\xd1\x8e\xe7\xba\xf8\xb5\x68\x0e\x61\x80\x0b\xaa\xf0\x04\x18\x10\xa5\xa2\x1f\xe0\x6c\xba\x83\xe0\x62\x1b\x26\x26\xc3\xec\x5b\xa6\x2d\xfe\x1f\x94\xae\x16\x11\x4c\x9f\x89\xe8\x94\x58\xa0\x69\x22\x2b\x43\xb4\x50\x4d\xca\x5f\xd9\x69\xc0\x66\x66\xdc\xf9\x82\x43\x46\x31\x59\x7b\xab\xaa\xd4\x65\xcb\x73\x9e\x72\x83\x5f\x69\xad\x69\x9b\x0e\xfb\xe2\x16\xa1\x2c\xc1\x88\xd5\x4b\xeb\x66\x86\x1c\x78\xc8\x02\x25\x43\x8d\xeb\x75\xb3\xaf\x96\xa6\x0a\x08\x4e\x68\xed\xce\xca\x25\x2c\x22\x22\x5b\x4f\x3e\x56\xe9\x9f\x97\x6c\x2a\x08\x2a\x29\xf4\xa5\xbc\x3d\x0c\x25\x1f\x91\x22\xb5\x84\x66\x1f\x39\xbf\xd1\x8d\xfb\x9d\x57\xa5\x91\xc6\xd7\x01\x3b\x42\x0b\xd1\xe4\xc4\x7e\x80\x4c\xc4\x0e\xdf\xfa\x4d\xc9\x0c\xda\x1d\xe0\xa6\xe5\xf0\xd7\xa4\xd1\xc0\xa0\x2b\xf9\x25\x82\x90\x06\x43\xf9\x7f\x8f\x2c\xc1\x37\x68\x37\x4c\xc1\x36\x10\xf2\x7c\x3a\xb9\xd6\x93\x14\x79\xd0\x21\x5c\x4a\xd6\x69\xef\x80\x2e\x32\x92\x87\x88\xc5\x25\xf7\x52\xed\xae\x47\x7f\xf8\x9e\xa3\xf0\xc8\x7d\x9e\xc7\xeb\x1e\xf5\x12\xdc\xab\x10\x37\x28\x42\x91\x86\x13\x22\xf8\x72\xaa\x26\x1f\xa4\x67\x46\xed\xd8\x39\x85\xee\x32\x0f\xef\x53\xb1\x15\x18\xf5\xd5\x8f\x84\x68\x19\xb8\x8b\x16\x58\x8c\x13\xdd\x01\x90\x58\xa1\xce\x86\x5b\x4e\x68\x5e\x94\x78\x53\x9b\x9b\x9a\xf6\x9a\x13\x12\x6d\x6a\xd3\x0b\x2b\xac\xb1\x44\xc0\x2f\xfb\x15\x39\x66\xd2\x0f\x56\x56\x84\xa8\x74\x91\x31\xc7\xde\xf8\x8f\x2c\x87\xe4\x8e\xac\x6c\x0a\xf5\x76\xcc\x86\x11\x1
8\xa9\xb7\x18\xdc\xa2\xea\xfb\xc5\x41\x3b\xb6\xe7\x51\x37\x46\x47\x9b\xd8\x01\xf0\x7b\x94\x65\xbd\x80\xd0\xdc\x3d\x83\xee\xb7\xd6\x88\xf9\x13\xbb\xc7\x87\xb2\x3a\x90\xa8\x63\x7c\x57\x98\x84\xa1\x58\x5d\x53\x23\xb0\x4a\x44\x9f\xee\xbd\x0c\xbe\x2b\xc3\x27\x21\x24\x4e\x92\xe5\xd0\x33\xe2\x0d\x0b\x2c\xcf\x8e\xd5\xe2\x39\x00\x19\x9d\xc5\xec\xde\xa4\x29\xa2\x59\x61\xc9\x07\xaf\x8d\x93\xd5\x7d\x5d\x0d\x7f\xf9\x90\x31\x0a\xc0\x92\xdc\x44\x7e\x88\xcf\x81\x61\x7b\x67\x75\x4a\xd8\xee\x0b\x12\x53\x2c\x73\x13\xd1\x5f\xd6\x5c\x9f\x65\xc0\xa9\x4b\x75\x5a\x09\xd2\x40\x78\xbd\xe2\x75\xa4\x44\x57\xec\xa4\xc8\xb2\xb3\xbc\x0d\xfd\x4c\x8a\xcb\x9d\x2c\x6c\x4a\x8d\xaa\x22\xa6\xcd\x96\x1b\x44\x76\xb0\x78\x80\xf8\xcf\x09\x88\xbc\xe7\xdd\x8d\x3c\x3f\xbd\x9c\xfd\xb6\x56\x3b\x68\x10\x34\xb2\x72\xfb\x3c\xde\x59\x1d\xe8\x03\xd0\xb6\x84\x05\xd2\x5d\xea\x80\x1e\xe8\x71\x3a\xeb\x54\x98\x19\x83\x95\x79\x9d\xb2\xab\x19\xfb\xce\xdb\xaa\x3c\xed\x3e\x12\x4d\x29\x3d\x63\xee\x8c\x12\xd9\x31\x07\x9f\xd9\x4c\xa0\xfb\x5c\x45\x69\x32\xa0\x7a\xc6\x65\xb9\x41\x0d\x12\x37\x73\x58\x72\x76\x67\x64\xc0\x5e\x85\x2e\x06\x1d\xc3\x99\xbb\x31\xed\x48\x8d\x1b\xa5\xae\xf5\x3a\xc7\xb4\x53\x6c\x6e\x5f\xc4\x5c\x96\xa9\x93\x85\x51\x2f\xe6\xee\x8a\x22\x78\xa0\x6b\xe1\x9a\x7c\xdd\xf3\xca\x67\x8b\xdd\x73\xc2\x55\xc1\x59\xea\x07\x35\x57\xd6\x66\xf6\x7b\x9d\x1b\x99\x68\xe0\x23\xf6\x36\xc6\x93\xa8\xad\xfc\x92\x3a\xcf\xf1\x08\xed\x43\x70\xbb\x96\x6b\x0f\x4c\x05\x03\x4b\x08\x57\x6c\x2b\xc8\x9c\xee\xb5\x7c\x63\x3d\x2a\x7c\x87\x66\x5b\xe7\xe7\x5f\xfb\x30\xed\xb5\xfe\x9f\xcd\xc7\x25\x6a\x01\x12\xd4\x9f\x52\x03\x18\x00\xb7\x0f\x69\x80\x38\xf0\xf1\xf8\x12\x23\xcb\xe0\xe3\x0b\x47\xe8\x05\x70\x97\x1d\x4f\xa8\x4d\xa5\x80\x99\xf8\x75\xac\x76\x32\x3c\x5a\xc2\x5b\x69\xc5\xea\xf6\x78\x25\xab\x8a\xc9\x8c\xbd\x6d\xc0\x16\x37\x51\xa4\x7a\x1e\x52\x99\x8e\x00\xe0\x5c\x1c\x69\x01\xf5\x04\x34\x03\x18\x72\x79\x02\xb1\xed\x2b\xd2\xcf\xf2\xd2\xed\x09\x60\x1a\x8c\xed\xf4\x52\x8c\x1c\x13\xa6\x70\x37\x5f\xe3\xa6\x85\xc7\xcb\x14\x72\x3b\x55\x9c\xe2\x78\x6c\xa
2\x95\x5a\xe3\x51\xef\xf8\x39\x75\x8c\x31\x1e\x99\xed\x53\xff\x12\x83\x72\xbf\x9f\xc3\x8c\x57\x0b\xd9\x00\xb4\x97\xc9\x31\x61\xc3\x4d\x8b\x4e\x48\x06\xeb\xcc\xda\x16\x11\x44\x5e\xa9\xd6\x76\xbd\xc1\x46\xea\x5b\xa1\x00\xfc\x5d\x99\x5b\x2c\xa6\x07\x09\xfa\xbb\xf6\xaa\xbb\x01\xef\x24\x3a\x12\x9a\x3c\x67\x38\xcf\x66\xf6\xd3\xe3\xb0\x03\x20\xbe\x0f\x85\xe7\x54\x87\x89\x37\xe3\x97\x62\xde\xbb\xf5\xa3\xe7\xa8\x11\x10\x35\x66\x34\x0f\xdf\x7d\xac\x84\x50\xe6\x8e\xff\x10\x2c\xbf\xd4\x95\xa8\x01\xde\x06\xe7\x4d\xf5\x7f\xe0\x6e\x15\xed\xfb\xa4\xda\x71\xa4\x33\x39\xc5\x24\x8f\x42\x2e\xe2\x9a\x22\xef\xa4\x93\x69\x0d\x97\x24\x6e\x20\x83\xbe\x24\xc2\x1e\xe4\xf2\xf1\xd6\x0d\x75\x3b\x2d\xa7\x5a\x15\x40\x8a\xf7\xf4\xff\xc3\xf1\x16\x73\xb8\x93\x45\x79\x57\x50\xc2\xea\x6b\x6c\x78\x9c\x9e\x4e\xd0\x93\x05\x61\x71\xe9\xfd\x9a\x67\x54\x86\xa4\xa5\x1a\xfa\x96\x7e\x00\x9c\x5a\xb5\xda\x74\xfb\x7f\xcd\x00\x04\x4a\xb9\x4b\x28\x7b\x54\x21\x78\x48\xd4\x78\x48\xd6\xa1\x16\xae\xd4\x1d\x45\x4c\xdc\xbf\x4a\xd8\xd8\x6e\x62\x99\x97\xe3\x08\xb8\x6e\x23\xea\x1b\xf1\xa4\xd2\x52\x96\xb1\x9f\xa7\x9f\x2a\x8c\x9b\x13\x70\x2b\x76\x28\xc8\x9f\x71\xba\x6d\x5c\x3a\xa6\x56\xd4\x31\x8c\x4e\xc3\x30\x5b\x9d\x7a\xe2\x93\x74\xe9\x35\x67\x09\xc4\x6d\x40\x1c\x6b\x74\x51\x18\xbc\x70\xd1\xac\x74\xfb\xc5\x7d\x92\x48\xb1\xa9\x15\xde\x03\xdf\x36\x7a\x9a\x10\x44\x75\x27\x75\xe3\xb3\x36\xa9\x35\xbc\x08\x2a\x2c\x88\x29\x9f\xad\x16\x99\x3f\x6e\x3f\x43\x73\xde\x0c\x48\x8a\xf1\xaf\x00\xad\xb9\x40\xcb\x45\xf5\xcf\xd5\x37\x2d\x6c\x0a\x4c\x69\x6f\x96\x63\x6d\x52\xd2\x79\x39\xde\x72\x99\x74\xa9\xa5\xbe\x21\xf9\x9b\x49\xfc\x6d\x4c\x65\xac\xa9\x8c\x28\x74\xf3\x67\x1d\xe2\x92\x64\x94\x1c\xd4\xa4\xa6\xbe\x0b\x20\x21\xac\x02\xad\xcd\x17\x56\xbf\xcf\xf1\x0e\x76\x55\xdb\x95\x8b\xb9\x99\x81\x0d\x8b\x3f\xee\x98\x32\x64\x6d\xed\xbe\xee\x86\x89\x2e\xce\xb4\xfa\x04\xb7\x28\x4f\xdc\xe5\x66\x9d\xc7\xee\xb7\x75\xd0\x09\xca\x17\x6d\x82\xbb\xdd\xd4\x26\x27\x16\xef\xbb\xe1\x8c\x8c\x79\xf6\xc7\x6c\xb5\x9b\xfa\x82\xa1\x9a\x66\x81\xe0\xd5\xa4\x9d\xbd\x64\x2
9\x33\x64\x8a\xf8\x81\xc5\x69\x40\xe8\xc5\xe1\x8f\xb8\x28\x8c\x35\xe1\x30\xe1\xf6\x28\x17\xaf\x3f\x18\x7d\x00\x2d\x1b\x9a\x1d\x58\x4b\x66\x2e\xbc\x5c\x9c\x95\x20\xc4\xd5\x16\x64\x9f\x2d\x99\x36\x3e\xff\xf1\x16\x34\x8c\xae\xd4\x35\x56\xb5\x8e\xa9\xb7\xc4\x25\x5f\xd2\x7e\xfb\x05\xed\xec\xe7\x55\x35\x96\x3d\x32\xef\x59\x7e\xb1\x33\x49\x5d\xc6\xff\x01\x17\xd9\x23\x02\x7f\x10\x8d\xbc\x64\xcb\xaa\x4b\xed\xd5\x65\xe0\x57\xa0\xe2\x86\x49\x90\x8d\x87\xab\x01\x64\xa1\x15\x5a\xbe\x46\x03\xec\x3f\x81\xc3\xb5\x32\x7e\xd0\xd5\xe1\xfc\x89\x01\x62\x51\x0a\xfc\xa7\xb9\x1d\x61\x85\x75\x73\xf6\x18\x43\x86\xa7\xa7\xcb\xfb\xa8\xef\xf7\x9f\xb8\x83\xd0\x4a\xa6\xbb\x7f\x93\xf7\x76\xa3\x75\x56\x5f\x67\xa0\x37\xe4\x75\xe2\x8b\x57\xf4\x2c\xa0\xfc\x54\xa3\x0b\x9d\x91\xee\xd1\x24\xcd\xc1\xbc\x53\xfe\xaa\x47\x58\x28\xf2\x0d\xb8\xba\x50\x81\x5c\x81\x2a\x1e\x9c\x74\x54\xcd\x41\x44\xeb\x9a\x42\x3e\x6d\x17\x2e\xde\xe0\xba\xd9\x4c\xd1\x50\xbb\xeb\x4d\xea\xbc\x6e\x98\xe3\xe5\xf7\xc6\xbb\x47\xf3\x5f\x11\x0e\xec\x4b\xa6\x32\xe9\xc4\x26\xaf\x69\x9a\x5b\xd6\xc2\x33\x1e\xf0\xc1\x1d\x24\xa5\xa3\xf3\x88\x8f\xae\x3a\x36\xa8\x9f\xb8\xa0\xdb\xdb\xa9\xca\xdf\xb9\xe0\x52\xa9\x3f\x00\xed\x75\x75\x5b\x4d\x78\xd9\x9a\xaa\x84\xf6\x9d\xcc\x6a\x6a\xb0\x5e\xad\xd8\x17\xb9\xf7\x04\xe9\xa7\x69\x7a\x31\x5f\x36\xac\x99\xd2\x99\xb5\xcb\x8a\x2f\x0c\x7c\xd5\x3a\xa1\x6f\xda\xd2\x33\x19\x47\xd8\x1a\x52\x73\x4d\xc3\x8e\xfd\x03\x09\xb4\x83\x7f\xcc\x18\xc8\x8a\x0c\xb8\xbf\x5f\x96\xe4\x20\x91\x92\x26\x6a\x2c\x7f\x60\x37\x1d\x41\xfc\x8c\x7d\x05\x0a\xe4\x3b\xf5\xf6\x74\x07\xb5\x4f\x4b\x73\x1e\x0f\x71\x95\x65\x9c\xd7\x1e\xcc\xcf\x87\xe6\x8e\x1b\x4b\xb8\x74\x70\x73\x36\xca\x5b\xce\x6a\xe7\xd5\x88\xd6\xd6\x8e\x2f\x66\xea\xf0\xfa\xa2\x6d\x48\x8e\xf0\xa1\xa0\xb5\x96\x86\xaf\x81\x20\x55\x8f\xd7\x6c\x9d\x19\x59\x0a\x96\x11\xd5\xf3\xec\xa0\x0e\x14\x81\x94\xd9\xb6\x95\x94\x12\x4b\xe0\x05\xcd\xde\x6d\x57\xb2\x6c\x53\xac\x64\x88\x23\x6d\xe7\xdc\x8e\xf1\x7e\xee\x67\xcd\x94\x8e\x32\xd8\xc1\x1f\x14\xbd\x24\x78\xb5\xd7\xe2\xc1\xd3\x9d\x02\xb4\x75\x9
5\xce\xbe\x08\x51\xf9\x94\x48\x96\x0d\xd6\x4c\x14\xa8\x4d\xac\x88\x7c\xe5\xb3\x93\x09\xb1\x53\x0b\x71\x29\x5c\x36\xb1\xb1\x95\x92\x24\x2d\x66\x17\xf9\xba\x31\x5c\x8d\x0a\x9d\x39\x79\x25\x41\xd1\x1c\x0e\xc9\x99\x97\x51\x69\xe8\xaf\x06\xa4\x44\xb7\x16\xc4\x52\x40\xb3\x15\xa0\x89\x61\xfa\xc6\xa6\x96\x81\xd8\x32\x19\x8a\xad\x3d\xe1\x0e\xf3\xa4\x88\xf5\x07\xab\x56\xfd\x19\x4f\x6d\x94\x37\x6d\x24\x96\x8d\x5c\xaa\xdf\x3f\x2c\x3e\xfb\x66\x7d\xd1\xd1\x9b\x18\xdc\x8d\xab\x53\xdf\x92\xc2\xdc\x0f\xb4\xad\x49\xaa\x80\x34\xcf\x6f\x9e\xae\x62\x20\xbe\xae\xc0\x87\x84\xca\xc7\x65\xda\x9e\x98\x21\x9e\xca\xe0\xfb\xa0\x94\x24\x0d\x3d\xf3\x4f\x3c\x89\x53\x9b\x20\x6a\x9a\xf3\x8d\xac\x75\x87\x4b\x0b\xee\xed\xc9\xb3\x79\x5d\x5f\x1d\x1f\x90\x65\xa8\x1a\xc5\xe1\x55\x88\xc1\x79\xc4\xb0\xef\xfc\xba\x46\x6b\x91\x70\xb1\x2e\x72\xfb\x52\x5a\xcc\x0e\x2b\xf5\xb8\xc4\x3e\xfb\xdf\x53\x27\x9e\x5c\x9f\xee\x04\xb0\x29\xdb\x52\x20\xba\x82\xd4\x93\x0e\x96\x37\x4b\xaf\x43\x38\xae\xf5\x55\x0f\xb5\x92\x20\x15\xa1\xf9\xf0\x76\xf3\x61\x5e\xe6\xd8\x14\xda\x80\x8d\x1b\xbc\xad\x1b\x17\x6d\x5b\xb2\x0b\x79\x58\x82\x47\x6c\x0c\x72\x34\x5e\xb1\x61\x34\x80\x7a\x82\xb9\xd8\x6c\x9d\x7a\x4d\x84\xd1\x89\xbe\x30\x9b\xa0\x25\x30\x3e\xea\x18\x89\xb0\x5c\xdc\xea\x4c\x20\x73\xcf\xb3\x0b\xb3\xb9\x0f\x35\xbc\xd6\xee\x79\x0f\x13\x60\xf9\x63\xdc\xd6\xbe\x81\x16\x8d\xe7\x5e\x1d\x04\xe8\x15\x0d\x2c\x00\x00\x5d\xf7\xfa\xde\xac\x9e\x5c\x3d\x20\x26\x79\x9c\xbb\x2a\x2d\xb4\x26\x8e\x4d\x1c\xb6\x14\xf1\x58\xef\x12\xa0\xb2\x28\x2e\x42\xba\x33\xff\x9d\x67\xce\xda\x79\x32\x0f\x1d\x89\x72\x77\xf4\x86\x58\x8a\x0d\xc0\xe4\x6c\x1c\x0f\xa2\x23\xbe\x06\xcd\xac\xa9\x09\x48\x33\x58\xbe\x8b\x18\x2b\x37\xe3\x78\x9f\x7c\x93\x95\x9c\x0b\x45\x33\x5b\x2c\x00\xca\xd1\xa7\x0f\x8d\x04\x08\x13\x83\xa7\x9c\x3f\xd5\x95\xfc\x86\x47\xbb\x65\x52\xc6\x08\x1c\x26\xc7\x20\xed\x1b\x22\x9a\x19\x2b\x9a\x91\xfa\x1e\x12\xcd\x31\x84\x0f\x86\xe0\xda\xd7\xfe\xb7\xda\xde\xad\xd2\x32\x70\x9b\xc9\x9a\xa8\xfb\xc3\xa8\x7a\xf0\xd5\xc8\x2e\x53\xac\xeb\x61\x22\xbf\x9b\x71\xb7\xbc\x9
2\xa0\xa0\x63\x95\x7c\xc6\x66\xfa\xfb\xad\x1f\x68\x8b\xd9\x11\x60\x8b\xfc\x76\x81\xc6\x4d\x81\x91\xc5\xd0\xc8\x0f\x7d\xed\xd5\xa9\xad\x4e\xbc\xcd\x04\xe2\x61\x8d\x9a\xad\x12\x1f\xd9\xaa\x8b\x8d\x68\x48\x72\x0a\x73\x67\x22\xc7\xec\xed\x31\x54\x04\x19\x65\x9c\x09\x11\xa0\x6e\x03\x9e\x95\x9c\x84\xdd\x5c\xc1\x64\x0e\xba\x08\x50\x5e\xa4\x89\xa1\x21\xdd\xca\x4a\x09\xc6\x3b\x2e\x27\x1d\x1e\xdb\x91\xae\xa0\x42\xe9\x2b\xea\x12\x93\x9a\xb6\xd4\x15\x7e\xfa\x94\xa6\x8d\x07\xb5\xf9\xb2\x05\x8b\xcc\xae\xf5\x82\x6e\xbd\x37\x65\x7a\x99\xbe\x45\x13\x4a\xa3\x0a\x84\xa4\xc4\xe0\x8e\x46\x3b\x75\x64\x5c\x2b\x72\x6c\x14\xf3\x57\x50\xef\xa6\x80\x40\x8d\x1e\xa9\xf3\xf5\x6f\xeb\x10\x60\xc7\xb8\xe8\x11\x46\x81\xc2\x49\x92\xaa\x2e\x1e\x65\x21\x9a\x03\x6a\xfc\x03\x4d\xba\x75\xa3\x90\xaf\xce\x29\x63\xd7\x56\xc7\xea\xf6\x7d\x21\x3c\x75\x37\x19\x35\xf9\xea\xb4\xd4\x28\xc5\x43\x22\xe3\x24\x98\xa4\x34\x02\x54\xcc\x41\xfb\xb5\x5c\xf6\x3b\x4f\x3f\x43\xc8\x93\x01\x01\xf3\xae\x35\x42\xfb\x96\xac\x77\x62\x63\x78\x9a\x98\x4a\x3a\x62\xbb\x46\xc5\xa4\xa4\x1b\x85\xf9\xd6\x6b\x47\xfb\x28\xea\x76\x5b\xbc\xdb\x52\xb0\x1f\x4c\x15\xeb\xe1\x88\xb4\x54\xc3\xae\x27\x7d\xc8\xa9\xf8\xa1\xc6\x34\x16\x3c\x63\x1b\xd5\x43\x0a\x8a\x80\xb8\x0b\x37\x33\x41\x3a\x1e\x00\xeb\x3f\xff\x34\xbc\x5a\xa8\xd9\x07\xd7\x9d\xe8\x86\x6c\xbc\x6f\x10\x66\x13\x56\x27\x77\x16\xc8\x84\x74\xbe\x9b\x39\x30\x18\xa7\xd8\xb9\xb3\xe1\xce\x4b\x7a\x32\x6b\x77\xf6\x2f\xcf\xa9\x49\x4e\x1b\x7c\x02\x80\xc3\xa2\x5e\xe3\x46\xc9\x4a\xe4\xcb\x3a\xf3\xfe\x09\x53\x4e\x63\x83\x6d\x5a\x00\xa6\x28\x08\x74\x2f\x5c\xc9\x26\x08\x8a\x6e\xd1\x1e\xa2\x05\x1a\x33\xc6\x0b\x2d\xed\xd2\x06\x9f\xc9\xfc\x2f\x2c\xd4\x53\x66\x61\x8e\x11\x00\x02\x16\xef\x80\x17\x16\x3a\xa8\x28\xea\xe1\xd1\x5f\x02\x06\x7a\xa4\x6a\xf4\x67\x75\x0c\xfd\xd3\x6f\x7e\xcb\xa0\xfd\x1f\x73\x82\xc2\xa7\x8a\xa4\x0c\xcb\x03\x7e\xd7\x24\x90\x75\x9f\x08\xe4\xa2\x57\xb7\x3e\x1b\x45\x19\xec\x47\x20\xd9\x08\x1d\xd4\x64\xa4\x7a\xd4\x68\xf8\x88\x1c\xa3\x02\x3e\x75\x31\x00\xae\x0a\x1b\x29\x89\xac\x57\x4e\xbb\x9a\xc
9\x13\x4b\xf1\x62\x02\xce\x61\xae\xaa\xfd\xf7\x68\x9b\xb9\x21\xc4\xa3\x9a\x46\xf0\x3a\x14\xde\xcf\xfe\xc7\x8c\xf9\xff\xd0\x1b\x4f\xca\x7d\x7b\xd4\x00\x30\xfe\xfa\x02\x59\x1a\x28\x45\x1b\xd3\x5d\xa7\x46\xdb\x7b\x5c\xdf\xd5\xee\x9e\xb6\xc5\x1b\x3b\xe0\x5f\xb0\xcd\x5d\x39\xe8\x10\x3b\x0e\x90\x3e\xec\x11\x0b\x3f\xf1\xf9\xdf\x98\x12\x32\xa5\x58\x23\x42\x81\x03\x9b\x46\x63\x76\x41\x84\x9d\x64\x12\xfe\xb7\x4a\x37\xb1\x39\x3c\x31\x51\x3c\xd9\x94\xad\x23\x9e\x20\xad\xdc\x7b\x6b\xe2\xbe\x44\x88\x57\xba\xcb\x20\xcb\x14\x69\xfe\x94\x46\x94\x6b\x6d\x60\x34\x9f\xf3\x92\x19\xf7\xc0\x02\xec\xb4\xdb\xfd\x31\x7f\x79\xd9\x50\xb3\x95\xdd\x77\xcf\xd4\x9a\x6f\xad\x36\xbe\x0b\xd4\x59\x1e\x4d\x2c\xa8\x37\xfe\x73\x74\xa3\x67\x92\xcc\xb0\xb2\xb0\x27\xc6\x9d\xcb\x08\x52\x74\x93\x09\xb9\x37\x17\x72\x72\xf4\xa8\x0d\x8e\x2a\x24\x99\x7f\xfc\xa2\x08\xb7\xf5\x28\xbe\x82\x11\x65\x56\xd2\x35\xf1\x7d\x57\x4d\x17\xac\xc1\xc4\xb5\x83\x63\xf0\x3f\x6b\x21\x77\xa2\xd9\xbd\x31\xd7\xda\x8b\x2d\x37\xea\x2a\x5e\xac\xe2\xb4\xf3\xea\xb5\x49\xcc\x55\xb3\x8e\x0f\x17\x31\xcc\x82\xef\x54\x8a\x5c\xb6\xa7\x56\x4b\x44\x2a\x86\xda\x73\x12\xa9\x4a\x13\x15\xe2\x70\xf3\x90\xa1\x97\xb9\x1e\x43\x5f\xa7\x04\x43\xf3\x87\xcf\x53\x73\x8f\x77\x5a\x23\x62\xa8\x72\x17\xb5\x74\xf8\xf6\x3c\xa6\x36\x13\x37\x52\x05\xdc\x19\x44\x98\xa0\xc9\x29\xff\x13\x00\x14\xd7\x42\x6a\xf7\xc0\xd0\x98\xd6\x9a\xff\x0d\xa1\x02\x7b\x12\x3c\x02\x3e\x73\x2e\x0c\xa1\xeb\x69\x5b\x42\x10\xad\xca\xef\x92\x85\xfe\xc8\xc8\x3f\xea\x7e\xfb\x3b\x5a\x09\xab\x0e\x26\xa2\xc0\x92\x6e\x15\x8e\xe1\x70\x89\xef\x7f\x8e\xab\x53\x75\x71\x8b\xa2\xe8\xab\x68\x3d\x2a\x1e\xef\xe2\x5c\x2e\x30\x3f\x41\x9e\xd0\x14\x23\x79\x98\x67\xe0\x2e\xb0\x1a\xe2\x00\x02\x20\x71\x36\xa6\x0a\x87\x50\x77\x39\x3a\x01\x9a\xe7\xdf\x3a\xad\xc5\xd4\xae\xd4\xd4\x59\xce\xdd\xe9\x66\xd8\x4f\xa6\x4c\x2e\x56\x48\x60\x17\x2b\xe4\x1b\x9f\xbd\xcc\x9b\xb2\x9c\xc2\xaf\x86\xbc\xb8\xda\x14\xd1\xd7\xef\xd6\xd9\x0f\xef\xd4\x73\xfb\xac\x5b\x05\x59\xac\x2b\xdc\x11\x0c\x7f\xda\xa9\x21\xd9\x20\x73\x1f\x36\x2f\x95\xd4\x2
6\x68\x0b\x73\x31\x2d\xa5\x8f\xac\xc4\xd0\xa1\xd7\xba\x59\x0b\x3e\x91\xc0\x3b\xf3\xb5\xf5\x00\xa5\xca\xe4\x6b\xed\x37\x37\x02\x12\x9e\xe2\xf2\x5b\x05\x00\x21\x9b\xbe\xc0\x50\x28\x59\x49\xf2\xde\x49\x48\x32\x89\x64\x32\x9b\x1a\x46\xa3\x84\x21\xc1\x37\xcb\x95\xb9\x92\x90\xb4\xf6\xcb\x46\xb5\x76\x69\x7c\x95\xb9\x37\x8e\x7c\x15\xca\xa0\x4a\xb0\xe8\xa0\x4b\x8d\xf8\xbc\x46\xd6\x15\xfa\x29", 4096); *(uint64_t*)0x2000000064d0 = 0x200000006440; memcpy((void*)0x200000006440, "\x1c\x3d\x61\xef\xc1\x46\x7b\x6b\x61\xe9\xe5\xf0\x6f\xa3\xd1\xdc\xc0\xe7\x00\x35\xdc\xc9\xc6\xc3\xb0\x0d\xf5\x89\x00", 29); res = syscall(__NR_shmctl, /*shmid=*/0x8001, /*cmd=*/0xfffffee8, /*buf=*/0x200000006480ul); if (res != -1) r[20] = *(uint32_t*)0x200000006484; break; case 26: res = syscall(__NR_getgid); if (res != -1) r[21] = res; break; case 27: res = syscall(__NR_geteuid); if (res != -1) r[22] = res; break; case 28: *(uint64_t*)0x200000006a80 = 0xfff; *(uint64_t*)0x200000006a88 = 0xd; *(uint32_t*)0x200000006a90 = r[6]; *(uint64_t*)0x200000006a98 = 7; *(uint64_t*)0x200000006aa0 = 2; memset((void*)0x200000006aa8, 0, 16); *(uint64_t*)0x200000006ab8 = 0xf; *(uint16_t*)0x200000006ac0 = 0; *(uint16_t*)0x200000006ac2 = 0x46; *(uint32_t*)0x200000006ac4 = -1; *(uint32_t*)0x200000006ac8 = 0; *(uint32_t*)0x200000006acc = 0xfffffffd; *(uint32_t*)0x200000006ad0 = 0xf7; *(uint64_t*)0x200000006ad8 = 0x7f; *(uint64_t*)0x200000006ae0 = 8; *(uint32_t*)0x200000006ae8 = 9; *(uint64_t*)0x200000006af0 = 3; *(uint32_t*)0x200000006af8 = 0x200; *(uint64_t*)0x200000006b00 = 4; *(uint32_t*)0x200000006b08 = 5; *(uint64_t*)0x200000006b10 = 0x62; *(uint32_t*)0x200000006b18 = 5; *(uint32_t*)0x200000006b1c = 0xff; *(uint32_t*)0x200000006b20 = 0x6cbf; *(uint32_t*)0x200000006b24 = 0x48; *(uint16_t*)0x200000006b28 = 0; *(uint16_t*)0x200000006b2a = 0x8001; *(uint16_t*)0x200000006b2c = 0x7f; *(uint16_t*)0x200000006b2e = 6; *(uint16_t*)0x200000006b30 = 8; memset((void*)0x200000006b32, 0, 2); *(uint32_t*)0x200000006b34 = 0x40; 
*(uint32_t*)0x200000006b38 = 0xffff; *(uint16_t*)0x200000006b3c = 0xa; *(uint16_t*)0x200000006b3e = 0xb04b; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0c0586d, /*arg=*/0x200000006a80ul); if (res != -1) { r[23] = *(uint32_t*)0x200000006a90; r[24] = *(uint32_t*)0x200000006ac8; } break; case 29: memcpy((void*)0x2000000016c0, "\x27\xfe\x2f\xfe\x47\x40\x4c\x4a\xc0\xa1\xec\xab\x30\xbb\xcb\x86\x4e\xad\x78\xfe\xd0\xc0\xe1\x75\xac\x99\x94\xf2\x2c\x05\xa4\x71\x88\x98\x8b\x3f\xf7\xcd\xde\xc1\xf6\xf3\x9e\x60\x61\x60\xf4\xf1\x99\xd3\x74\x5e\x26\xe2\x74\x8d\x68\xe3\x5a\x99\xf1\xbc\x4a\xc3\x20\x84\x63\x4f\x2c\x0b\xa5\xd1\xe0\x00\x0e\x2d\x5b\xee\x77\x7a\x2a\xb5\x09\xe7\xc9\x4c\x43\xf2\x97\xb8\x25\x93\x43\x78\xff\xa3\xbb\x79\x42\x25\x6f\xc5\x2a\x69\xe2\x38\x20\xcd\x52\x0e\x75\x59\xed\x9a\x31\xa9\x54\xdf\x95\x5d\xe5\xbc\x7c\x18\x55\xd9\x74\xb9\x5f\xf0\x0a\x84\xdc\x2d\x9a\xd6\x79\x64\x33\x44\x34\xd5\x28\xbc\xe5\x93\x48\x08\xb4\x8f\x8e\x25\x1a\x17\x9e\xb4\x7d\xee\x2a\x10\x8b\x50\x09\x2f\x55\x98\x16\x13\x6c\xff\xe9\xbd\x6e\x0a\x34\x00\x4e\x62\xd5\x0f\x73\xc1\x4b\x23\xce\x17\x51\x8f\x95\x4c\x4b\xc6\x1e\x61\x75\x75\x6c\x12\x04\xe2\xf2\x7c\x18\x2b\x9e\x3a\x7e\x3b\x82\x3d\xc2\xd2\x10\xe5\x23\x2c\x7a\xd0\xe8\xd8\xe0\x49\xf0\xe9\x20\x60\xb6\x20\x49\x9b\x0b\x8f\x4b\x4b\x97\x1d\x29\xa9\x7a\xe9\x4c\xe3\xce\xa6\xfb\x4e\x42\x96\xf7\x2e\x3d\xea\xbf\xf5\x62\xe7\x92\x43\x93\x3c\xfc\x53\x00\xe3\xc4\x1c\x6a\xb9\xc0\x55\x9a\xe2\x4b\x21\xce\x45\xbc\x69\xb7\xa1\xeb\x56\xc0\x8b\x82\x2b\xa1\x0f\xbc\xb0\xbd\x23\x8f\x6f\xcd\x60\xed\x24\x09\x2b\x3f\x47\xf1\x90\x0e\x3d\x33\x73\x37\x96\x49\xda\xa3\x95\x9b\xcb\x31\x9d\x7a\x74\xab\x3e\x62\xbb\x5f\xbd\xfa\x42\xf9\xd3\xb3\xe7\x34\x0e\xfd\x12\xd9\xdb\x73\x8b\x9a\x7a\x58\x1d\x91\x4f\x4d\xeb\x34\x00\x5a\xac\xae\xe8\x65\xdd\x59\x5a\xd5\xf0\x07\xc4\x8b\x51\x68\xe6\x99\xe5\x2d\xec\xc6\x66\x50\x9f\x0b\xac\x51\x6d\x5d\x8b\x1e\xcc\x1c\x99\xe6\x01\xb8\xf8\x5a\xf1\xc6\x76\x23\xfd\x2c\xff\x7b\x88\x38\x41\xae\xcd\xdf\x3a\x85\x23\x99\x80\xd3\xea\x2a\xe6\x37\x8d\x59
\xcc\x24\x2b\x2a\xbc\xda\x91\xe9\x18\x48\x7c\xfe\xa0\x37\x83\x90\x17\xee\xfb\xed\x85\xe0\xde\x24\x14\x8b\x3c\x67\xec\xad\xc8\xbb\xe5\x1f\xfd\xd0\x69\x6a\x55\xd8\xff\x21\x52\x31\x78\xa6\x82\x9e\xc4\xd3\xf2\x59\x77\x43\x3b\x85\xe9\x23\x8f\xe5\xd8\xb1\x43\x7c\x54\xa9\x33\x82\xfa\x15\x25\x49\xcf\xca\x4e\x47\x00\x70\x5f\x3c\xe5\xa2\x60\xa4\xb9\x43\xdd\x3e\x53\x2c\xc1\x96\xc8\x12\x95\x18\x22\x55\x66\xe9\x3e\x29\xa8\xc6\xf0\x2f\x05\x4a\x94\xee\x5f\xe2\x1e\x5a\xd5\xbf\x55\xdd\x7f\xde\x9a\xc6\x41\xf3\x47\xa9\x92\xe8\x19\x7f\xe5\xfc\x4b\x9c\x65\xef\x4d\x68\x79\x21\xdf\xf0\xf6\xcb\x82\xa3\xa9\x6f\x6d\xf1\xcf\xae\xdf\xfc\xed\x7c\xb0\x6b\x21\xde\x9b\x83\xcd\xe5\xf9\x6b\xda\xd6\xee\x4c\x61\x7b\x9d\xa7\x66\xcc\x44\x37\x12\xf8\x4e\xf7\xc3\x87\x08\x07\x0b\xd1\x9d\xb9\x0a\xbe\x25\x10\x09\xd9\xbb\xcc\xe7\xc4\x19\xbf\x7e\xfa\x7e\xa7\x00\x86\xa9\x5a\x27\xe7\x35\x9d\x3b\xcf\x81\x89\x9b\xb6\xb7\x56\x0c\x58\x22\x7d\xb9\x2b\xbe\x34\x2e\x60\x01\x9f\xf0\xcd\xbe\xec\x13\xbd\xb5\x6c\x5b\x5f\xdf\xdb\xce\x7e\x2f\x5a\x7d\x97\x1d\xbb\xc6\x4c\x59\xc5\x11\x1d\x0b\x45\x2a\xf5\x79\x80\xe2\x17\x85\xd5\xaf\x08\x84\x82\x2d\x12\xf4\x08\x1e\x83\x81\xd1\x6e\x0f\x41\x19\x36\x27\x4b\x90\x30\x21\x5c\x4b\x0b\x47\x07\x4d\xab\x09\xb9\xfa\x23\x22\xa8\x80\x50\xa6\x24\x48\xff\xb2\xbd\xbb\x9d\x6b\x87\x52\x1b\x3b\xfe\xb5\xde\x77\x36\xa4\xde\x11\xff\x4e\x56\xd4\x1a\xae\xd9\x00\x61\xe8\xf1\x3c\x37\x89\xa4\x4a\x63\xe7\x69\x02\xc4\xee\x9b\x6f\xc7\x35\xab\x8f\xf9\x52\x5a\xf0\xab\x52\x16\x7e\x04\xd3\x47\x96\x67\x85\x2b\x75\x5d\x00\x74\xcc\x95\x07\x80\x94\xdf\xe0\x39\x26\x00\x7f\xcf\x4b\x2b\x68\xe2\x62\xd1\x17\xdf\x6c\x91\x81\x27\xcd\x6a\x56\x42\xb8\x0c\x30\xbf\x91\x6a\x1e\x51\x52\x02\x29\xe1\xe0\xec\xe3\x5a\xc9\xb9\x09\xfd\x5f\xf9\x2b\x93\x0a\xa5\x5a\xe6\x0a\x2a\x7f\x52\x74\xe0\x47\xae\x70\xcd\x1d\x89\x4c\x3a\x93\x09\x4d\x5e\x88\xca\x4f\xf4\xa1\xf7\xa7\x4c\x25\x72\xc5\x91\xf2\x54\xec\x09\x46\xde\x4f\x96\x24\x83\x88\xb0\x6f\x7f\x0a\x7d\xaa\x49\x0f\x43\x59\x18\x4a\x76\xa5\x6a\x9b\xbc\xa5\x93\xc6\xf6\xfe\x47\x9c\x67\x5f\xb0\x2c
\x63\x54\x7d\x08\x04\x96\x3b\xbb\xfe\x5c\x66\x87\x69\xf3\xcf\x16\xbe\x9c\xd5\x11\x78\x03\x0d\x64\xcc\x2b\xb9\xd8\x26\x34\x39\x9d\xb8\x85\x9e\x48\x87\xc8\xce\xce\x4c\x85\x2f\x5c\xb7\x6c\xe7\x0a\x6c\x4e\xdd\x0e\x8a\x46\x5c\xbf\x78\x27\xb2\x1b\x55\x38\x57\x97\x71\xfb\x56\xb7\x99\x74\xaa\x36\x28\x85\x16\xbd\x08\xa9\x39\x49\x00\x16\x0f\x75\xd6\xbb\xe8\x9d\xe7\x0f\x8b\x5c\xea\xcc\x94\x19\xfc\x5a\x3d\x5e\xe5\xea\x78\x3d\x0c\xa8\x08\xa6\x24\x8c\x13\xad\x17\xc8\x73\xbc\x93\xe0\xe5\x0a\x39\x48\x7f\xb2\x5e\xc3\x23\x30\x70\xd7\x77\x6e\x7c\xe8\xba\x02\x2c\xcd\x8e\x2d\xb5\x64\x55\x94\xe0\xb2\xd8\x74\xed\xe7\x39\xf9\x3b\x61\x7f\xfe\xfa\xf3\xd8\x46\x8e\x66\xee\xcc\x85\x61\xfd\xb8\x1d\xd4\xfe\x7c\x77\x9d\xd9\x3c\xce\x31\x7a\x8f\x5c\xb8\x65\x51\xc2\x61\x66\xc7\x82\x4c\x87\x14\x0d\x96\x47\x50\x8c\xbb\xc1\x5c\x1d\x3b\x72\x08\x60\x91\x68\x90\x9e\x89\x0e\x9e\x9f\xd2\x67\x1d\x3a\x9a\x75\x27\xa7\x34\x47\x1f\x2c\x74\x80\x92\x6d\x8d\x18\xba\x6e\x24\xda\x6d\x6c\xee\x42\x2a\xeb\xfb\x14\xd1\xf1\x2a\x91\x5f\xfb\x73\x75\xcc\xb3\xec\xc9\x86\x3c\x45\x53\x4a\x97\xa9\x22\x43\x32\x17\xdd\xe2\x20\x35\x45\xaa\x98\x3e\x2a\x6c\x54\x65\x11\xd8\x62\x64\x28\xaa\xbe\x7c\xec\x1d\x0e\x81\x24\xde\x19\x83\xd5\xab\x1e\xd6\xe9\xde\xe8\x2f\x0d\xf4\x69\x9f\x4a\xb7\x07\x06\xc3\x4c\x75\x4d\x0c\xd8\xb6\xde\x54\x1c\xa8\xa7\x1d\x5f\x98\x25\xfc\x13\x15\x84\x80\xd5\x98\x0e\x64\x15\xcc\xa0\x5c\x57\x57\x89\x41\x69\x22\x3b\x43\xcc\x29\x63\x09\x18\x24\xcf\x95\x3f\xcf\x54\x53\x05\x58\xad\x5c\xe4\x22\xfc\xe9\x9f\x5f\x26\x50\xb7\xde\xc7\x02\xfe\x12\xbb\xb0\x8c\x28\x51\x9f\x08\xb6\x35\x4c\xf5\x8d\x01\xf0\x27\x23\x70\x70\xcb\x43\x8f\xe4\x80\x7b\x7b\x1f\x7e\xbc\x27\xf2\x74\xfd\x50\xef\x37\xad\x06\x0a\x7a\xdc\xdf\x65\x96\x2f\x8a\x52\xc0\x4b\x56\x9d\x7d\xb3\xd8\x6a\x0f\xeb\x6c\x78\xed\x1a\xdb\x36\x18\x66\xf7\xd5\x60\x65\x69\xd9\x10\xc6\x72\x7c\xdd\x76\xc6\xbb\x2a\x40\x5e\xd1\x2d\xfc\x2e\xdc\x81\x66\x67\x87\xf3\xa3\xa2\x39\xc6\x2f\x65\xd2\xd9\x8d\x8b\x07\xc5\x91\x13\x55\xa3\xa6\x20\x66\x46\xfe\x74\xc0\x75\xa6\x77\x80\x72\x87\x0f\xd6\x52
\xaa\x4d\xf9\xaa\x3b\x96\xf1\x45\xc3\xaf\xa7\x4f\x5a\xaa\x8d\x7f\xf0\x42\x7c\x93\x89\xdd\x54\x62\xaf\x0e\xb6\x82\x8f\x3a\xa5\x4c\x75\x2b\xb4\xc8\x9d\x18\x21\x07\x61\x72\xa9\x25\xf1\x46\xae\xf7\x89\xde\xb1\x4c\x6b\x6c\xb2\x87\x33\x88\xcb\xe0\xbe\x06\x28\x71\x04\x8c\x49\x67\x9d\x72\xc3\xf3\x25\xc7\x7e\xa3\x19\xed\x28\xfa\x27\x86\x10\x40\xf6\xbe\x5d\x4f\x32\xcf\x29\xca\xc1\x12\x43\xda\x04\x2b\xec\xf2\x12\x5d\x21\xe7\x35\x49\x3a\xc7\x69\x4a\xa9\x61\xee\x92\x44\x3f\xc5\x88\xc2\xad\xc0\xf9\x7a\xc7\xb5\xfa\xe1\x0d\x43\xdd\xb8\x1f\x31\x12\x85\x82\x18\x5b\x9a\xa1\x24\xfe\x6e\xd7\x80\xac\x95\x4f\x84\x42\x17\x67\xf9\x0f\x5c\x0b\x56\x94\x43\xd6\x3b\xea\xc0\x68\x4e\xd6\x8b\xc5\x03\x9a\x27\x56\x7b\xd2\x33\xb8\xf2\x67\x5e\x1a\xfa\x14\x0d\xf8\xe1\xe6\x4f\x0a\x90\xec\x55\x3b\x52\x17\x27\x39\xd0\xd6\xb3\x88\x49\x47\xf2\x66\x69\x29\xcb\x5d\xd7\x93\x19\x42\xc0\x6e\x9d\xf9\xec\x79\x17\xf1\xd9\x3a\x2f\x0f\xbe\x5c\xd0\xf5\x73\xc0\x10\x2f\xf0\x20\x5e\x4d\x59\xdd\xd6\x03\xdb\x5d\xa5\x66\x94\xbd\x92\x87\x3e\xe2\x1f\xe7\x78\x6a\x87\x42\x8b\xdf\x19\xa1\xa8\x7d\x72\xba\x69\x7f\xbe\x0e\xd9\x75\xdb\x5b\xb3\xa7\x05\x17\x7f\x3a\x13\x69\xe2\x9d\xec\x75\x81\xd4\x3a\xea\x38\x55\x94\x3f\xf4\xef\xa4\xd7\xaf\x36\x22\xc3\x19\xd7\x8b\x31\x08\x37\x88\xd2\x03\x10\x20\x82\x99\xca\x03\x47\xaf\xff\xe5\x4e\xca\xf1\xfb\xec\xe6\xe0\x93\x5a\xbc\x7a\xa8\xf8\x55\x3f\x99\x96\xff\x1d\x46\xb8\x8b\x78\xdf\x2f\xe2\x67\xf1\x69\x9f\x2e\xbf\x19\x25\xb8\xe5\x0c\xb4\x6c\x8a\x10\x3c\xfb\x55\x65\x10\x15\x5d\xdb\x84\x27\x6e\x1e\x0a\xef\x3f\x41\x1c\x7a\xf3\xd2\x05\x93\xb6\xfe\xc7\x00\x6a\xa7\xa4\xee\x33\x80\x2a\xad\x16\x89\x49\xda\xd9\xfa\x91\x18\x88\xd7\xf6\x1b\xf1\x6d\xb2\x26\x50\x03\x41\x6f\xb5\x76\xde\x44\xf8\x0b\x9c\x90\x1a\xce\x45\x4d\x2b\x04\xb3\x74\xf3\xdc\xfc\x38\xfd\xd6\xed\xcf\xab\x24\xd3\x67\xaf\xf3\xf6\xd8\x29\x8a\x41\x33\xd0\x81\x56\x3d\xe1\x36\x5b\xea\xff\x74\xda\x25\x2b\x24\x8f\xa6\x1d\x80\xe7\x2c\xbb\xd5\x85\x33\xe7\x51\x8d\xba\xe1\xa9\x25\xd9\x91\x2b\xfe\x70\xfb\xc6\x4b\x8c\x81\xce\x26\x25\x30\xbd\x11\xae\x83\xf3
\x66\xe3\x8c\x53\xbf\xd5\xa0\xda\xc9\x78\x5b\x92\x2b\xcd\xd1\xa3\xb6\x83\xf4\x3f\x8d\x48\x5d\xfc\xc6\xdd\x00\xb6\xcd\xde\xa0\x64\xf8\x46\xfb\x26\x93\xd4\x8f\xa9\x7b\x52\x63\xf5\x37\xea\xbf\x6c\x0e\x54\x9a\x78\xd2\xbc\xad\xb2\xe8\xfd\xb2\xb1\xb0\xf4\x7f\xd4\x9d\xc6\x1c\xa1\x05\x8b\xb8\x88\x2a\xa1\xca\x2e\xd3\x41\xfe\xb7\x37\xd5\xea\xae\x0e\xa0\x8f\x94\x5a\x04\xa3\x8b\x6e\x31\x37\xf9\x61\xa7\x56\x3a\xd1\x3c\xec\x30\x07\x2b\x91\x43\xe4\xf9\xc7\x82\x4e\x7c\xbd\xa2\xdf\x89\xb7\x4c\x14\x2d\xad\xaf\x5c\xa2\x4b\x6f\xe9\x09\xce\x3a\x1f\xf3\x7e\xe5\xa0\xb6\x61\xd3\x07\x39\xef\x0c\x37\x2c\xf7\xa1\xb4\xc6\xa0\xe5\x19\xb4\x8b\x40\xdc\x79\x4c\xd6\x13\x56\x75\x66\x09\xf6\x8d\xd5\x8f\x72\x4b\xdd\x86\xdb\x7f\x26\x49\xb9\x0e\x16\x35\x30\xca\x69\xf0\x69\x6a\xdd\xfc\xef\x84\xef\xc9\xf9\xe0\x4d\x9d\x6e\x18\xed\x17\xf7\x4f\xf8\x07\xe9\x2b\x0f\x33\x0f\xb6\xe0\x6e\x0e\x2f\x19\x3e\xa0\x3a\x18\x1c\x86\x73\x95\x0a\x19\xeb\xa2\x2f\xd6\xb1\xb5\x6e\xbb\x33\x6e\x02\x48\xc6\x4f\x93\x6c\xaf\xd3\x31\x1f\xd5\x0c\x50\xfc\x91\x61\x56\xbb\x28\x15\x6d\x15\xd7\xf4\xd5\xa7\x98\xd8\x62\x6a\xfc\x6b\xa7\xd2\x17\xd2\xc9\xf1\xa9\x8f\xed\xe6\x2b\x1b\xac\xfc\x31\x4d\xfa\x89\xe8\xcb\xb8\xc3\x7b\xd5\x26\xdd\x53\xed\xe8\x1b\x19\x53\xce\xf5\x17\x70\x3b\xab\xce\x44\x6e\x86\x3b\xf9\xd2\x46\xb0\x3b\x88\x50\x2c\x7f\xdb\xac\x4d\x87\xf1\xea\xad\x86\xed\x17\x0d\x71\x0d\x81\xea\xf3\x95\xae\xf6\x0d\xc1\x64\xd9\x11\x66\x01\xa5\xa5\x8c\x79\xa8\x92\x75\xc9\x5d\x28\x91\x2e\x87\x08\xfe\xe2\x47\x2e\x6b\x87\xd2\xe0\x77\xd3\x62\xc0\xba\x8f\x4b\xc6\xa5\xe3\x87\x45\xea\xe9\x10\x46\xbc\x61\xe6\xa0\x40\xcb\xfe\x38\x20\x4f\x17\xe6\x04\xf0\xe1\x40\x5e\x8e\xe0\x7d\x71\x41\xb6\x98\xbc\x2b\xe7\x69\x0a\x8f\x0b\xf3\x1d\x58\xae\x90\x6c\xb7\x0e\x4f\xe5\xfe\x03\x56\x31\xd7\x65\x33\xb7\xa7\xb0\x32\xe1\xb1\xee\xe2\x14\x28\x08\x4a\xfb\xcc\x93\x0a\x9f\x28\xe9\xf1\x7e\x26\x9a\x69\x97\xaf\x83\x8f\x95\xe2\xfb\x39\x5b\x54\x0a\x1d\x49\xf3\xd4\x29\x02\x74\xd2\xd3\x1f\x76\x08\x35\xff\x73\x51\xd2\x5b\x62\xe1\x35\xad\xf5\x9e\x01\x18\x87\x2d\x17\x84\x3d\x99\x15
\x4f\x46\x60\xfa\x8f\x48\xb6\xc4\x86\x8b\x1f\xbc\x6b\x84\xda\x61\xf9\x81\x23\x16\x7b\x06\x73\x70\xa5\x4f\xc6\xc5\xa6\x88\xe3\x1d\x42\x01\xac\x4c\x4d\x56\x46\xf9\xa4\xa4\xa8\x04\xa1\x75\x16\x7c\xf7\x9d\xda\x22\xf4\xd6\x86\x72\x81\xcb\x0b\x3e\x09\x99\xfa\xd7\xbf\x26\x51\x2d\x13\x14\x40\xa8\xf9\xec\x75\xfe\x9d\xf6\x80\x54\x78\x55\xd8\xc9\xb3\xb3\xf0\xd5\x14\x19\x7c\x2a\xf0\xd6\x72\x99\x13\x73\xb8\xd4\xac\x1d\xd5\x1e\x1f\x90\x74\x50\xd6\x21\x01\xb5\xe2\x61\x3e\xa2\x89\xc1\x94\xd0\x73\x5e\x1c\x5e\x16\x69\x09\xeb\x71\xee\x2a\x4e\xe5\xff\x99\x14\x0c\x0b\xec\xca\x26\x72\xfa\xf6\x94\x49\x38\xc6\x18\x09\xd8\xbf\x2f\xaa\x56\x1f\x9b\x56\xda\xb8\x5d\xed\x7e\xe7\x35\xd3\x00\xc8\xda\x84\xc5\x7f\x06\x7b\x2f\xe5\x09\x29\xca\xe1\x39\x87\x5a\xbb\xab\x08\x47\x42\xc9\x07\x06\xbc\x31\xfc\x4c\x68\x53\x88\x89\x71\x87\x69\xd1\xc6\xda\x0e\xe1\x82\x6e\xcd\xe1\xf6\x0e\xa6\x6c\xed\x44\xc2\x4f\xe2\x87\x5d\xcb\xc8\x7a\x35\x72\xaf\x96\x45\x5e\xdf\x31\xe0\x51\xe5\x42\x2a\x8e\x29\x10\xc7\xd9\x75\xdf\x64\x48\xda\x0c\x0f\x83\x3f\x61\xf7\x15\x05\x98\xfb\x47\xfa\xe9\x38\x35\x7a\x7b\x64\x5e\x40\x6d\xf9\xa4\xa3\x0c\xdd\x1c\xef\x6d\xdb\x26\x3c\x9f\x06\xb2\x68\x76\x7a\x9a\x0f\x92\xc4\xea\x13\x80\xe5\xe3\x6f\x5f\x2a\x3e\x90\xbf\x87\xd6\x81\x8c\x5a\xef\xc3\x43\x9c\x4f\x4d\xe2\xcf\xb4\xdb\x14\x57\x56\x84\x8b\x27\xb6\x18\xc2\x2f\xee\xa3\xf9\xf4\x60\x15\x57\xf5\x3c\x2a\xae\x71\xdb\xc0\xe9\x46\x82\x43\xf1\xbf\x3b\x08\x6b\x4d\xca\xb2\x73\x4d\x61\x28\xc5\x44\x15\x46\x90\x3d\x2f\xea\x40\xc7\xca\x48\x40\xac\x4b\x1b\x3e\xa8\x89\x7c\xf0\x37\x62\x3e\x42\x7f\xb1\xef\x9c\x0e\x7d\xeb\x9e\xba\x0f\x8e\x5a\x5b\x29\xd4\x22\x92\x3f\x2f\xc8\xc5\xdc\x13\x69\xfe\x52\x67\x09\x24\x7c\x27\x76\xf5\xb7\x68\x7c\xcf\x42\x0b\x0d\xc8\x44\x61\x10\x5c\x2a\x31\xcc\xe9\xde\xcc\xa3\x0b\x74\x6b\xfe\x43\x44\x0d\x49\xc4\x77\x5a\x2d\xfc\x88\xf0\x49\xe2\x3a\x30\xe2\xde\x2c\xe6\x34\x54\x9b\xbc\x0c\x26\x30\x97\xeb\xb8\x04\x4b\x4b\x9b\xb6\xf5\xf9\x5a\x4a\x49\x9a\x3d\xce\x9c\x11\xb9\x94\x87\xd9\x96\xeb\x57\xd6\x54\x09\x0b\x43\x6d\xfe\x0b\x94\x79\x6e\x93
\xfe\xae\x2b\x63\xd0\x13\x20\xaf\x73\x23\xa8\x00\x6b\xc7\x5f\x95\xa0\xc6\xce\x53\x69\x18\x02\xa0\x97\x10\x88\x81\xbd\xa6\x4a\x2c\xf8\xed\x8f\x67\x52\xe1\x98\x15\xe7\x1e\x2b\x85\x54\xfa\xc0\x30\x18\x75\x26\x21\x09\x33\x11\x51\x91\x5f\x6b\x19\x36\x2c\x2d\x82\xc3\x04\x74\x78\x52\x5a\x64\x9a\xe4\xc9\xa4\x1f\x75\x60\x83\xf1\x38\x15\x6f\x6e\xc4\xea\x04\xb4\x4f\x65\x2a\xb1\xe6\x6c\x5c\x63\x0e\x61\x30\x06\x2a\x26\x0b\xe5\x53\xf1\x0b\x8b\x70\x0e\x6c\x6b\x08\x9f\x0b\x09\xce\x11\x7c\xa7\x8d\x45\xae\xc4\x33\x97\x64\xdc\x2e\x39\xb5\xbb\x95\x56\x02\xd5\x73\x23\xe4\x0d\x49\xec\xf8\x98\x71\x84\xa1\x2d\x21\x99\x3c\x03\xb4\x58\xfc\xa9\x8c\x77\x30\x71\xc2\x24\x2d\x90\x59\x65\x99\x33\x6e\x1c\x69\xff\x55\x1a\xf3\xef\x27\xaa\xa7\x4c\x54\x7f\x23\x1a\x1e\xf6\x4a\x2f\xbe\x54\x98\xf5\xbf\xfd\x9e\x59\x7b\x8d\x87\x1a\x07\x3e\x82\xf1\x3f\x5b\xdf\x21\x89\xd3\x61\x64\x9d\xbe\x14\x4e\x7c\x2f\xb2\x6a\x51\x88\x84\xc4\xf2\x76\xaf\xa0\x44\x50\xb3\xb1\x26\x15\x11\xa1\x86\x15\x07\xe9\x4b\xe4\xb0\xc3\x01\xe6\x24\x71\xbb\x95\x33\x63\xe5\x4a\x80\xac\x90\xb2\x55\x1b\x01\x2d\x74\xa5\x62\x1e\x26\x5b\xf9\x12\x60\xa4\x67\xfe\x76\x06\xe7\x95\x92\x27\x2a\xa2\x08\xb1\x29\x35\xa8\x99\x1d\xfb\x81\x7a\x5c\xb0\x5a\xcb\xa7\x9d\xcc\xb9\x7d\x0a\x0f\x9e\xb5\x82\x5e\x16\xd1\x24\xa7\x72\x24\xc9\xa0\x9a\x53\x35\xf1\xce\xd7\x85\x63\x6a\xe3\x58\x15\x98\xaf\x5c\x28\xe5\x4e\xa8\xdc\xc4\xc7\x22\xe4\xa6\x58\xa3\x3f\xa7\xc4\x73\xf3\xb5\xe7\x4e\xd5\x62\x56\x80\xf0\x7c\x7d\x47\x29\x66\xab\x64\x6a\xc3\xac\x2d\x67\x46\x9c\x43\xdb\xab\x6b\x88\x67\x79\xde\xf7\x94\x17\x69\x8c\xfe\xd9\x47\x2f\xdc\xab\x0f\x80\x79\xf2\x21\x28\x54\x41\x88\x1e\xaa\xe4\xc2\x11\xa8\x14\xe6\xd4\xe6\xc2\x5d\x49\xa5\x70\x67\x38\xb0\x3b\x35\xc0\xd2\x84\xfc\xd6\x75\x50\x5b\x0a\xdc\x88\xd0\x43\x90\xf3\xa1\xb0\xc8\x27\x85\xba\x7b\xf0\x29\xaa\x46\x18\x71\x31\xdb\xdc\x36\xaa\xed\x98\x0b\x90\x88\x8e\x67\xe8\xa8\xbe\x7c\x1f\x7c\x5e\x3a\xd4\x44\x2e\x97\xaa\x77\xc7\xe1\xd2\x86\xc2\x9d\x8b\x76\x1e\xc9\x12\x50\x52\x9b\xff\xfc\x56\xce\x2d\x1f\x4e\x79\xcf\x74\x23\x7f\x02\x05\x0a
\xfb\x6e\x25\xd5\x43\x65\x45\xda\x66\x62\x29\x70\xe8\x9e\x4c\xb9\xe7\x7e\x0e\x9a\x66\x72\xfe\xb0\x33\x28\x56\x8d\x75\xd5\x14\x65\x77\x2b\x5e\x40\x8e\x40\xeb\xc9\x67\x6e\x7e\x5e\xe7\xab\x0c\xbf\xca\x5f\xf0\xc0\x23\xb3\x93\x52\x94\x64\x66\x8b\x77\x4a\xe1\xb5\xce\xf7\x6d\x67\xf1\xd7\x35\xb8\x72\x81\x55\x5b\x39\x6c\x78\x58\x70\x1c\x6d\x42\xb0\xf3\x65\xb2\x53\xe7\xbc\xcb\x64\xc2\xdc\x39\xbf\xed\x64\x59\x06\xae\x68\xbc\x5e\xbc\x3c\xda\x73\xf3\x86\xb4\xb9\x79\x53\xb3\xca\x6c\x73\x5f\x7c\x47\xe4\x76\x29\x25\xd3\x59\x94\x80\xe7\xc1\x76\x33\xe5\x27\x6a\xf7\x5a\x60\x33\x2b\xab\x2d\x8c\x03\x9e\x4f\x98\x0a\x7d\xe8\x12\x29\xbd\x17\x4f\x6e\x50\xe5\xde\x20\xd2\x0b\x51\x8c\x41\x8b\x6e\xb6\xa0\x6e\xe9\x37\x89\xfb\x6f\x4a\x6e\xcb\x8b\x01\x69\x1a\xd1\xeb\x2a\xe9\x51\xa4\x2f\x97\x6e\x01\x8a\xc4\xb5\x85\xbb\xc3\xf4\x2d\xa7\x9e\x55\xd1\xb7\xf2\x4e\x90\x9f\xce\xe2\x34\x36\xb7\x27\xdd\x9c\xe4\x7b\x41\xb3\xbc\xaa\x88\x37\x15\xd3\x16\xac\xdc\x55\xe0\xfc\xab\x97\xef\x90\xda\x85\x9a\x80\xeb\xeb\xc6\xdf\xd0\xaf\x95\x24\xe8\xa3\x6b\x3f\x71\xeb\xd7\x03\xb0\xaf\xcb\xd7\xac\xc6\xaa\x41\x36\x48\xad\x93\x5e\x70\x94\xa2\x93\xf1\xad\x65\x9b\xf5\x59\x51\x51\x1b\x8f\xea\xa0\x39\x0b\x98\x2c\x91\xb1\xa1\xbc\x04\xcb\x1e\x15\x8b\x13\x2e\x8f\xf2\xfe\x46\x66\x7f\x10\x31\x2a\x25\x46\x8f\x07\x32\x48\x10\xa9\x7d\xdf\xad\x6d\xf0\xd6\x1e\xe5\xdb\x19\x29\x58\x02\x27\xea\x26\x06\x82\xa8\x93\x7d\x03\x79\xbb\xcd\x79\x6a\xa1\x3f\xe9\x2f\x79\x3e\x95\x8d\x28\xd8\xe4\x56\x4b\xfd\xd4\x94\x4d\x7e\xba\xdd\xdd\x67\x33\x92\xc6\x77\x2d\x09\x61\xce\xbe\x60\xa3\xd9\xe9\xf9\x6e\x4a\x4c\xa0\x7e\x55\xd3\x1e\x9d\x94\x25\xe0\x01\x71\xab\xa0\x2f\x0a\xef\x4b\x8f\x5e\x43\xec\x62\x32\x7a\x95\x0f\xe2\x92\x42\x7d\x51\x34\x76\xc3\x18\x39\xa5\xd1\x1e\x03\xf7\x94\x9c\xb2\xd8\x34\x3e\xf4\xb9\x82\x68\x79\x71\x90\x34\x4a\x7a\x68\x91\xcd\xdd\xe2\x9f\xae\xf1\x33\x3f\x7f\xb7\x50\x69\xa7\x4e\x80\x6a\x41\x21\xad\xdf\x98\x68\x35\x28\x1f\x48\x68\xf1\x5c\x73\x43\xe1\x30\x7d\x23\x7b\xb5\x0a\x7e\xc6\x76\x4b\x9f\x43\x25\xb6\xe4\x13\x57\xed\xc3\x3d\x24\x7a\x58
\x3e\x28\x57\x35\xfa\xff\xc5\xbe\xbc\x40\x04\x76\xaf\x6c\x5c\xdd\x34\x91\x37\x47\x08\x60\xd1\x59\xa9\x76\xef\x3c\x47\x61\x28\x5e\xbb\x8c\x53\xa7\xef\x56\x9e\xe2\xe7\x10\xd4\x18\x19\xeb\x85\xcb\x3e\x38\xc6\xd6\xcc\xd0\x35\x87\xfb\x08\x28\xf6\x31\xc1\x99\x00\x15\x3a\x6f\x1e\xdb\x81\x2a\x58\xea\xd0\x41\xc6\x3a\x6a\xc6\x28\x38\x06\xd3\xcf\xb6\x9b\x65\x59\x1a\x82\x9b\xab\xa9\x7a\x36\x7c\x9b\x0f\x24\x97\xb4\x4f\x3c\xa8\x5a\x07\x31\xe5\x94\x2b\x57\xec\xf9\xc2\xde\xe0\x1e\xf7\xea\x53\x3f\x8b\xa3\x17\xf7\x4c\x30\xf4\x9b\xd6\x94\x89\x73\x53\x61\x09\x22\x92\x20\x55\x09\xc5\x74\x20\x06\x63\xf7\x71\xcf\x4d\x1d\x48\x4f\xe5\xa9\xc4\xcd\x3b\x0c\xc4\x32\xe9\x25\xb3\x02\xfa\xb0\x57\x4b\x53\x60\x6f\x27\x77\x56\x3d\x67\x94\xfb\x5f\xe4\x87\xd5\xce\x7b\x5b\xea\xb3\x99\xbf\x77\x27\xb6\x7e\xeb\xf9\xb9\xda\xcf\x5c\x56\x78\xec\x98\x21\xa3\x4d\xc0\x30\xd0\x36\xd0\x4d\x70\x25\xed\x5b\x17\x82\x96\x5c\xf2\x62\xbb\xa0\xb3\xde\x34\x97\x4d\x1e\x77\xa6\x3e\x9b\xb5\x2d\xc6\x59\xde\x69\x0e\x47\xb3\x5f\x4b\xbc\xa6\x6f\x8d\x5e\x0a\x27\x1a\x04\xa2\x89\x43\x5f\x5d\xc9\x01\x3c\x06\x52\x63\x3d\xcc\xe4\x10\x2f\xcb\xe4\x7f\xb4\xc5\xeb\x9a\x6e\xaf\xf5\x46\x3c\x73\xc1\x1e\x37\xe8\xdf\x9d\xab\x09\x32\x33\x49\x22\xfe\xd8\x0d\x5e\x3e\xd1\x25\xdd\xe3\x76\x4f\x48\xd4\x96\xf4\xf3\xb4\x9f\x03\x22\xa9\xb9\xb9\x68\xff\x75\xef\xed\xb3\x69\xb4\xb1\xc9\xaf\xc5\xd2\x7e\x68\xd7\x6d\x17\xc2\x16\xc4\xfe\xd8\x2d\xc2\x48\x7a\xab\xc6\x60\xbb\x55\xb2\xee\x17\xd6\x83\x65\xda\x84\x08\xc4\x5a\xf3\x87\x83\xac\x2b\xe5\x47\x72\xbb\xea\x41\xf5\x86\x84\x56\xee\x66\xa2\x7a\x36\xbe\x49\x9a\x5e\x5d\xd3\x39\x6f\x48\x05\xe2\x2a\x2c\xdc\x22\x90\x79\xc2\xa5\x3c\x92\x99\x55\x92\x69\xed\x1c\x51\x22\x13\x54\x4f\x2b\xf3\x31\x38\x8e\x1c\xb8\x5e\x55\x50\x91\x5f\x8f\x27\xa4\x7b\xa9\xfc\x9a\x50\xce\x01\xcd\x2b\x53\xb3\x7f\x35\x79\x66\xf1\xd0\x0b\xd3\x40\xe0\x50\xc9\xd8\x4f\x29\x14\xb8\xab\xd4\x29\x48\x26\xe7\x50\x0b\x0d\xca\xe9\xcd\x4d\x28\x4d\x17\x34\x56\x53\xcc\xb4\x69\xc5\xee\x3a\x31\x05\x8e\xae\x14\xfe\xd7\x55\x85\xcd\xe2\xfd\x71\xb8\x8e\xbf\x51\x73
\x59\x77\x4e\x90\x23\x46\x6e\xa5\xa4\x79\x56\xb8\x22\x56\x71\x79\x2d\xf4\x5b\x9f\x38\xb1\x0a\xb0\x3f\x9e\xde\x1d\xdb\x2e\x15\x7d\x61\xc0\x95\xd9\xb8\x2b\x97\x7c\xc0\x9d\x92\x97\x45\x56\x0f\xe8\x10\x65\x03\xff\x7d\xd2\x28\xdb\x22\xb2\x51\x77\x68\x97\xee\x15\xb1\x80\xb4\xb4\x63\x1f\x85\xec\xf6\xa6\x07\x4e\xfd\x2c\xdf\x40\xa4\x48\xda\xd6\x23\x31\xc2\x7e\xd8\xb3\x37\x7f\xde\x4b\x15\x33\x12\x6a\x4d\xc7\x08\xb7\x72\x02\xf6\xf8\xc0\x15\x96\x6e\xf7\x11\xc4\xc4\x96\xe9\x03\x4c\xf1\x5a\x33\xbc\x99\x8a\x43\x26\x5e\xdf\xe4\x36\x34\x2d\x7e\xb4\x97\x3b\xe8\xab\x0a\xe6\x71\x9a\x1a\xaa\x41\xe0\xd7\x6d\x95\x2b\x06\x80\x8d\xff\x02\xfd\x81\x60\x34\x29\xa3\x6f\xf7\x44\x0e\x0b\x21\x5d\x9e\xbc\x90\x8e\xfc\x14\x5b\x6e\x1b\x7f\xeb\x53\xbd\x5e\x17\x5c\x7d\x1a\x77\x64\xf9\x04\x07\x44\xb8\x1d\xb8\x6f\xd2\x2c\x0a\x38\xa2\xda\xf7\x44\x0b\xbf\xe8\x83\x50\x09\xd4\xae\xbb\xb1\x1a\x0e\x91\x48\xbc\x04\x95\x1f\xc0\x6e\xc1\xc2\xa2\x68\xa0\x5c\xc2\xcc\x76\x79\x1b\x82\x26\x9f\x96\x3d\x3d\x2f\x56\x4a\xe0\x37\x89\x60\x19\x40\xd5\x6f\x28\xe5\xab\x01\x52\xac\xf6\x63\xe4\x81\x19\x52\x09\xef\xc1\xa3\xa1\xb4\x72\x53\x6e\x0a\xcf\x9a\xe3\x83\xb5\x95\x1d\xfb\xb6\xbd\x4d\x1e\xb5\x55\x01\x02\xc3\xd7\xfa\x23\x65\xa3\x6f\xb7\xc5\x94\x9c\xc7\x27\xce\x57\x31\x1d\xec\x52\xa4\xc3\xb9\x1f\x0d\x5e\xc3\x67\x7c\x26\x5d\x58\x35\x53\x5f\x16\x00\x69\x85\xce\x84\x6e\xf1\x2a\x46\xcb\x86\x62\xcf\xf8\x5a\xf2\xff\xd4\xb3\xb3\x50\x85\x70\x5d\x45\xdf\x3e\x8c\x60\xee\x49\x63\x82\x3c\xea\x99\xdd\x55\xc0\xc3\x3d\xa9\xde\x35\x4f\x70\x9f\x2a\x45\x83\x56\x13\x25\xc4\xa5\x95\x4a\x34\xe2\xab\x32\x73\x8c\x2f\x3f\xbf\xb2\x78\x6a\xa5\x78\x28\xef\x30\x91\x12\x2e\x59\x32\x05\x8c\x12\xd5\x0d\x0e\x89\xee\x5d\xc1\xe3\xee\x41\x35\xd3\x8c\x0c\x98\x4d\xaf\x39\x47\x67\x02\x72\x71\x4d\xe8\x93\x57\x20\xc1\xf3\xd3\xdd\x9f\xc5\x75\x29\xa7\x50\x13\xd8\x59\x46\x48\x42\x33\xce\x69\x25\x77\x18\xd3\xcd\x66\x7c\xd0\x88\x6d\x1f\x3c\x25\x7c\xca\xc6\xb4\x8e\xe5\xcd\xc0\x3e\xb6\xc6\xaa\x2a\x78\xd6\x8e\x2a\x9c\x22\x53\x95\x44\x50\x91\x57\x62\xf3\xf2\xfa\xde\x0a\xc7\x85
\x93\xcc\x38\xe5\x5c\xef\x3b\xc0\xbf\xb9\x38\xeb\xd0\xa6\x1c\x73\x9c\x02\x4a\xdd\xaf\x44\x34\x06\xa7\xb6\x02\x63\x60\xa7\xfc\x87\xc2\x74\xa9\xbd\xcd\xb2\xeb\x5c\xf4\x70\xb5\x3f\x7f\xc1\xbd\x4e\xd0\x5c\xea\xa6\x65\x28\xce\xf7\x9e\x9d\xe7\x8d\xa4\x2b\x16\x7c\x82\xcf\x4d\xad\xca\x57\x07\xd0\xa1\x66\xb0\xf4\x1b\x7f\x7e\x34\x21\xa8\xf8\x8f\x6d\x88\xd2\x4c\xfd\x99\x81\xb5\x0b\x6c\x34\x2b\xb4\x9c\xce\x4b\x82\x3f\x3c\xfd\xb1\x7b\xba\x24\xfd\xb1\x60\x1b\xa0\x60\xa4\x79\x2c\x09\x09\xa7\xc7\xce\xbf\x0c\x33\xe8\xff\x27\xfb\x6e\x32\x7c\x88\x77\xfb\x31\xef\xd8\xbb\x0b\x9f\xca\x28\x29\xca\xc2\xc1\x43\xf4\xa5\xbd\x0a\xfb\xa4\x32\x45\x48\xaf\x32\xf0\x5f\x58\x1a\xe2\x64\xc9\xe2\x0d\x0f\x16\x04\xe1\x12\xc6\xe2\xbc\x51\x8b\x78\x09\x7c\x14\x5d\x87\x1a\x3c\x02\x87\x37\x1b\x0c\xf6\xbd\xcf\x17\x26\x63\x71\xc7\x46\x4d\x87\xa5\x5f\x52\xe0\x1e\x29\x78\x66\xd6\xd4\x98\x86\x8a\xc0\x16\x48\x24\x9c\x1e\xdd\x31\x45\x80\xbf\xc3\x58\x34\xb1\x5d\x10\x8d\xdb\xaf\x6c\xa3\x53\x6a\xa4\x31\x61\x01\x9c\x3a\xf0\xb3\x31\xd9\xd0\x71\xeb\x0a\x50\x44\x23\x55\xa2\xa2\xe1\x95\x47\x4e\x13\xb7\x97\x1d\x95\x6a\xd5\x4e\xd5\x90\xb4\x29\xd6\xa1\xec\x7e\x38\xd4\x1a\x27\x53\x6b\xbb\xfa\xda\xd1\xb3\x5f\xc8\xf8\x27\xa9\x2e\x0b\xaf\xfa\xbb\x81\x18\x16\xcf\xb4\xcd\xac\x4b\x98\xc5\xf6\xf7\x1c\xdc\xf3\x06\x49\x53\x6f\x78\x00\xeb\x6b\x7c\xee\x22\x2d\x64\x16\x5e\x0c\xa9\x50\x46\x93\xb6\xd8\x45\x9b\xc3\x27\xe5\xda\x2e\x6f\x38\xa4\xee\x24\x72\xca\x5e\x6c\xaa\x08\x11\xd0\x42\xf8\xfb\x32\xa9\x9b\xd3\x61\x01\xcf\x19\xac\xce\xee\xd7\x3b\x44\xe3\xde\xb2\x23\xcf\x28\x2e\xcd\x4c\x43\x9f\x55\xf5\xc2\x74\xe2\xc7\x56\xc6\x7c\x23\xc0\x0e\xf7\xbf\xfa\x4b\x60\x12\xa1\x33\x4d\x0c\x97\xf8\x16\xa6\x12\x3c\xbc\xb7\x7a\xce\x8e\x7b\xe0\x51\x52\x69\x24\x86\x22\x02\x8b\x7a\x9c\x0e\x49\xf1\xc8\xdd\xe8\x66\xd3\xbb\x0c\x53\xdb\x9c\x67\xb1\x0b\x20\xd4\xbb\x26\x3f\x2c\x5a\x01\x85\xba\xcc\xfa\x7b\x8f\xe8\x25\x65\x70\x78\xfa\xba\xb0\x03\xb9\x31\x8a\x84\xf7\x65\xda\xaf\xc3\x7f\x49\x6e\xfb\xbc\xe9\xfa\x5d\x2c\x1f\x0a\x4b\x2a\xd0\xcf\x92\x69\x61\x84\x40\x71\x3b
\xc3\xd9\x29\x85\xff\xbd\x6c\xc1\x9a\xfc\x86\x70\x30\x44\x37\x0e\xab\xc4\xde\x11\xf3\xbc\xbf\xb2\x21\xdd\xdc\x51\xbb\xa3\x52\xdc\x28\xfd\x49\xc0\x84\x04\x7f\xb0\xed\x8b\x97\x42\xa9\x6e\x53\xef\x4c\xcb\x94\xce\x4c\xad\x74\x6e\x9c\xae\xee\xc8\x43\xf7\x2b\x77\x9c\xc5\x8d\x25\xfe\x93\x1c\x1a\xf8\xa7\x95\xe1\x95\x68\x5c\x92\x18\x58\x03\xad\xbe\xc6\x06\x6c\xdd\xd8\x7e\x0b\x9a\x53\x80\xaf\xcd\x80\x79\x8f\x58\x08\x59\xea\xb3\x17\xcb\x27\x83\x11\x2a\xf7\xb3\x62\xa5\x9a\xe7\xa8\x24\x74\x94\x40\xe6\x66\x61\xb7\x88\xb8\x56\x05\x49\xa0\xb1\x35\x0d\xfb\x7a\x5e\x88\x92\x8d\x55\x8c\xbc\x8a\x26\xa0\xd7\x4e\x67\x63\x4e\xe9\xec\x1c\x1c\xa0\x8a\xfc\x5b\xeb\x43\xda\x65\xf4\xae\x0a\xc7\xeb\x25\x74\x42\xc9\x99\x0e\xdc\xf9\x3b\x1d\xad\xfe\xa9\x0b\xc2\x92\xbb\xf1\xd8\x23\xc6\x1e\xe9\x69\x24\x9f\x67\xbe\x07\xd7\x0d\xf8\xaf\xc7\xc3\xe5\xbf\x14\x5f\x28\xa2\xd0\x6c\x88\x0e\xff\x9a\x18\x11\x27\xc1\x34\x60\xa0\x6b\x36\x64\xa9\x4c\x88\x8b\x07\xaf\x77\xe8\x4d\x60\xde\xab\x76\x42\x28\xff\xea\x21\x63\x3f\x02\x04\xa5\xd7\xec\x4a\x0b\x30\x3f\xb0\x8f\xb7\x67\x28\xc4\x3d\x90\x73\x80\x01\x83\xc8\xb9\x9e\x22\xd6\x05\xa5\xe6\x39\x9c\x04\x9f\x7f\x88\x7c\xb9\xd7\xfb\xa9\x4d\xb3\x23\x08\x4b\xf9\x4d\xf5\x44\xf6\xce\x2d\xd4\x9a\x21\xd2\xca\xb5\x4d\xf0\x43\x97\x48\x2a\x64\xd2\x90\x0b\xb4\x0f\xa8\x7f\x42\xec\x75\xd6\x8b\xab\x17\x71\x4a\x93\x4b\xcd\xf3\x6f\x87\x07\x4f\x60\x28\xf9\xd6\x1a\x00\xad\xff\xc0\x6d\x62\x4b\xc6\x42\x97\x05\x96\x82\xcc\x8a\xdc\x7e\x2f\xb2\x10\xbd\x22\xfb\xd4\xad\x3d\x35\x15\xf7\x1b\x93\x31\x26\x75\x9e\xc4\xc0\x01\xed\x5c\xdb\xac\xe7\xcc\xe4\x31\x9b\x7a\xb5\x0f\xfc\x8f\x2f\x8f\x1b\xb8\x1a\xc0\x7f\x81\xdf\xff\x33\x54\x50\xac\xf0\x8e\x13\x91\x2d\x3c\x5f\x3a\xa1\x25\x81\x81\x1e\xbd\xb4\x41\x6e\xad\xa2\x59\x65\x1c\x07\x0b\x06\xea\x7e\x18\xa8\xf0\xc4\x00\x57\x5a\x0e\x7f\xdc\x4c\x88\x64\x5d\x35\xc2\xd3\x6a\x8c\xe6\xa2\x97\x2f\x35\x5d\x1a\x5d\x83\x2c\xd7\xef\x2c\x61\x1f\xd1\x10\x59\xda\x39\x0e\xc8\xc8\x74\x91\xd4\x96\x4f\xa4\x0b\x80\x83\x90\x57\x36\x2e\x67\x64\x55\xc7\x17\x2a\x23\x15\x4e\xfe\xba\x6f
\xc9\xab\x4c\x15\xa7\x37\xe2\x99\xc1\xf1\x4d\xaa\x8f\x34\x97\xe3\x37\x0a\x52\x3e\xc1\x5c\x52\xba\xd9\x87\x10\x90\x03\xf8\xdc\xee\x4a\xc6\xc9\x0b\x0f\x8e\x4b\x74\x91\x97\x87\x88\xa9\xc1\xb2\x3a\x14\x39\x6b\x50\x8a\xa9\x51\x75\xfe\x3b\xd6\xa8\xb4\xa9\xc2\x17\xf4\xc9\x84\x2c\x1c\x33\x9d\x4d\x95\xdb\x83\xce\x6e\x7e\x7a\xc8\x8e\xae\x04\x13\x96\x10\x55\x22\x0b\x65\x69\x3d\x49\xa2\xf6\x96\xf6\x41\x42\x19\x25\xb4\x2f\x77\xb0\xf9\x43\x12\x39\x52\x7f\xd6\xd8\x6d\x6f\x9a\xbd\xf3\xd2\x7c\x0a\x79\xa6\xb0\x5a\x61\xdd\x7d\x99\x3d\xe2\xd4\xee\x99\x73\xb7\x78\xff\x19\x5d\x12\x40\xdb\x18\x36\xa5\x25\x8b\x4f\x57\x44\x97\xca\x2f\x9b\x34\x97\x78\x00\xe7\x28\x29\x7d\x98\x3e\x1e\x58\x5f\xaf\x45\x38\x1b\x47\x6d\x25\x31\xe8\x6c\xc6\xe8\x35\xa9\x72\xc3\xa5\xbb\xcc\xba\x7d\x85\x2e\xdc\x83\xbb\xad\x4c\x85\x20\x64\x00\x70\x87\xbb\xd3\x6b\xf8\xa8\x00\xf9\x1e\xea\x0a\x72\xd9\xa7\x5f\x5d\xb3\x5b\x10\x98\x68\x6d\x51\x34\x0a\x17\x2c\x70\x1b\xc4\x7b\x14\x0c\xe5\x2e\xf4\x75\x02\xd0\x07\x1e\x54\x55\x97\x97\x5a\x55\xca\x1e\x91\x21\x76\x45\xe3\xcf\xeb\xf4\xa6\x20\x1a\x84\x81\xf6\x51\x13\x86\x0f\x59\x28\x63\xaf\x1d\xd4\x73\x38\x3b\x1b\x79\xab\x32\xcf\xcd\x46\xe6\xac\xe2\x95\x8d\x42\xcc\xe5\xf9\xb2\x34\x76\x81\xf7\x70\x7a\xb4\xa3\x5f\x9a\xf5\x21\xd4\xc1\xba\xd7\x51\x30\x33\xa5\xf7\xaf\x2b\x7a\x2d\x3a\x49\x14\xd3\x84\x62\xb1\x6b\x85\xd6\x9f\xa6\x0c\x0c\x5e\xf5\x4b\xa2\xfb\x78\xfb\x15\x6a\x94\x7c\xf8\x0b\x1d\xac\xcd\x58\x9f\xdd\x07\x91\xb3\xa9\xeb\x83\x5b\x61\x53\x4a\x16\xf8\xf4\xb1\xca\xbb\xd3\x86\xb4\xc2\x1b\xa9\x7d\xe9\x16\xd2\xcf\x48\xb7\x20\x8c\x1b\xda\x77\xec\xf8\x16\x77\xcb\xce\x25\x58\x2c\xca\xb9\xa6\x5a\x2b\x73\xdd\x34\xb0\x02\xc2\x34\x94\x8a\x42\xb5\x66\x4d\x56\xd8\x24\x42\x9a\x78\xb6\x97\x03\x67\xec\x17\x0d\x1b\x11\x0b\x22\x23\x17\x58\x72\xbd\xc8\x66\x31\x8d\xe0\x66\xfe\xa5\x60\x15\x1d\x88\x25\xde\xe8\x2d\x34\x4b\x81\x6f\xb5\x5a\xaa\x52\x4e\x86\x08\x62\xac\x0c\x36\xcb\x6b\x6e\x81\xf4\x12\x3d\xa5\x9c\xb3\xef\xfe\x29\xce\x76\x98\xe2\xaa\x0c\x60\x36\x82\x0c\x45\x7f\x40\x42\x33\xe3\x22\x61\x31\x9a\x46
\xbc\x8b\xd3\xde\x3c\x94\x8d\xc5\x2e\x27\xca\x52\x7d\xf7\xad\x68\xe6\xc4\xd4\xba\x8f\x6b\x43\x13\xa2\x94\x02\x98\x10\x59\xa1\x48\x79\x7f\xa0\x88\x02\x57\xfe\x04\x27\x01\x19\x28\xaf\x75\x2f\x81\xb8\x18\x68\x02\x10\x8f\x05\x90\x19\x50\x39\xc8\x38\x25\x72\x02\x42\x14\x10\xb8\xa3\x59\xe6\x9d\xdc\xd4\x74\x70\xf4\xd0\x5a\xe2\x89\x83\x4b\xe3\x04\xca\xf4\x9b\xbb\xac\xfd\xbe\x92\x7f\x42\x3b\xe9\xb8\x78\x82\xb0\xfa\xb4\xf5\x0b\xc7\xcd\xbf\xf6\xef\x10\x1f\x33\xf7\x03\x55\x6d\x45\xb6\xac\xe1\x64\x3c\xd7\xe7\x5a\xcf\x74\x06\x3e\x3e\x34\xe9\x63\xdb\x19\xf0\xd1\x9f\x14\x82\x9c\x91\xc4\x50\x66\x1d\x0e\x80\x9d\x5b\x79\x09\x69\x5b\xa1\x54\x46\xc8\x76\xa1\x67\xec\xca\x09\xfc\x00\xe1\x73\x7c\xbd\x4e\xf4\xf7\x0a\x50\xe3\xa0\x0f\xc9\x6f\x0e\x10\x23\xe5\xc8\x1e\x67\xd2\x47\xae\x0e\xc7\xec\x26\x72\x52\x80\x4a\x65\xb3\x01\xb9\x1a\x59\x9b\x8c\xe3\x7d\x95\xa9\x3d\xd9\xa9\x11\xdf\xb3\x95\xf3\x61\x92\x4e\x82\xea\x28\x1e\xfd\x7a\x2e\x01\x5a\xad\xaf\x64\x85\xfc\xea\xee\x0a\xb9\x05\xe1\x39\x6c\x12\x56\x03\xaf\xf4\xca\x16\x5f\x74\x9c\x23\x31\x02\x50\xf8\x00\xb2\xa8\x79\x17\xb9\x42\x1b\x0b\x4c\xde\xc9\xd8\x64\x14\xeb\x82\x23\x74\xb0\xd4\x32\x53\x58\xb2\xbf\x43\xe0\xe3\x12\x58\x88\x79\x76\x5c\x25\xc0\x98\xd1\x71\x86\x53\xbe\xa5\x27\x68\xdd\x7f\x10\x0f\xbd\x2b\x6a\xfc\xcf\x02\x13\x46\x9a\x7f\xa2\x5b\x5f\x77\xc6\xb5\x6c\xa0\x9d\xf8\x86\xa1\x6e\xd2\x4f\x51\xe2\x1d\x07\x8f\x25\xc4\x88\x87\xda\x12\xde\xa5\x7c\x8f\x48\x25\xf2\x7a\xe3\xd9\x16\x01\x96\xeb\x6b\xe0\x9f\x7b\xe8\xb2\x39\xa0\x5d\xbf\x6a\xae\xca\x96\x37\x09\x0d\x1e\x6f\x76\xeb\x93\x69\x27\x4c\x3a\xad\xa3\x36\x24\x3b\x8b\x9c\x59\xc3\xf9\xc9\x1a\xb4\x3f\xc9\x27\x3b\xb5\xbf\x2b\x59\xde\x8f\xbc\x50\x6c\x94\x36\x56\x5e\x4c\x9b\xa2\x96\x50\xb3\x78\x4d\x87\xf3\x37\xa4\xa4\xb5\x28\xca\x2a\x28\x0c\xed\xc3\x69\xb0\x09\x0c\x3f\x69\xc7\x60\x4a\x6d\xf3\x1f\xba\x78\x1c\x07\xd5\x8d\xba\xdd\x7c\x85\xa6\x26\xf8\x85\xf0\x9a\x91\x22\x4e\x79\xbd\x68\x79\x3f\x16\x7e\xbd\x8d\xa1\x0e\x5d\xa7\x8c\xfa\x7e\xbf\x10\xa8\xf2\xc9\x00\x3f\xb1\xcd\xd8\x7e\x46\x98\x61\xf3\xed\x23
\xd2\x5b\xcb\x14\x53\x0a\x8f\xf8\xd9\x1e\x9e\x0c\x7c\x39\x76\xc3\xaf\xc7\xbd\x50\x05\xcc\xef\x59\xfa\xec\x52\xba\x35\x69\x3d\x0f\x0d\xce\xba\x84\x3a\xdd\x5a\x74\x7e\x0a\xa7\x2f\x09\xf2\xf4\x52\x81\xc9\xd4\xc6\xf1\xbb\x78\x37\x9a\xec\x78\x2c\x64\x81\x0d\xe3\x23\xc8\xab\xac\xc9\xfb\x7e\x7d\xbc\x1e\x29\x13\xa8\x5d\xf0\xbd\xb6\xac\x70\x1a\x68\x26\x9e\x79\xab\x28\x45\x8c\x02\x91\xe1\x84\x0b\x34\xac\xe2\xd0\xdc\xa9\x02\x9f\x6d\x95\x0e\x6e\xf1\xe5\xcb\xb9\x52\x4d\xb5\x01\xdc\x30\x22\x73\x3c\xb1\x0b\xb7\x4e\x9e\x69\x82\x45\xa9\x8d\xff\xe2\x37\x8c\x42\x54\x81\x19\xdd\x60\xf2\xb0\x21\x95\x3b\x30\x0f\x38\x97\x26\x61\xc3\xeb\xdf\x64\xa3\xaf\xb3\xc6\x29\xcc\xa5\xec\x93\x8c\x31\xee\x8c\xb6\x82\xdd\x38\xf3\x58\x18\x12\xf7\xba\x64\x31\xc1\x60\x65\x90\x39\xe7\xcf\xe7\x85\x9b\x1a\xa8\x13\x08\x33\xf1\xf6\x37\x24\xf8\x63\xb3\xe2\xa1\x8f\x9e\xbd\x1e\xa6\x14\xd3\x0d\x28\xbd\x4f\x5b\x8c\x26\x17\xbe\xcd\x8a\x4d\x8b\x3a\x9b\x42\xb8\x5d\x8e\x80\xc8\xfa\xf7\xd9\xcf\x56\x37\xdd\x98\x82\x6a\x10\xb6\x92\x40\x29\x33\xd2\xae\x0e\xa9\x08\xff\x5d\x6c\x22\xfc\x33\x5b\xe0\x06\x14\xa0\xf5\xe7\x00\x4e\xbe\xf7\x1f\xd2\x3d\x3f\x90\x11\x59\x84\xf0\xe4\x6e\x82\xac\x8b\x03\xe5\xd2\xbf\xea\xa2\x19\x23\x33\xc1\xa0\xa9\xfb\x19\xa7\x5b\xdc\x8f\x90\x58\x33\x6e\x86\xf3\xf7\xb3\x0f\x0b\xed\x24\xc4\xb2\x30\xcd\xfc\x92\xa9\x88\x5b\xe5\x1c\x0b\x85\x1c\xd7\xa0\x4a\x62\xfb\x3c\xe4\x7e\x76\x5a\x11\x4e\xf7\x68\x6b\xc7\xd8\x2e\xf5\xe1\xca\x02\x14\xb9\x5b\x64\xe5\x7f\x85\x12\x15\xce\x5a\x47\xdd\xfb\x91\x93\x2c\x85\x4c\x65\x25\xeb\xe7\xf6\xe1\x68\x45\xfa\x22\x5a\x74\x09\x3f\x6a\x26\x80\x08\x5a\x8f\xef\x66\x54\x1f\xc3\x64\x3f\xc8\x14\xc5\xa8\x06\x41\x5f\x70\x68\x8a\x4b\xe7\x7b\xea\xf7\x5d\x71\x02\x6e\x4d\xff\x38\x00\x12\x4b\xde\xc0\xe0\x65\x46\x3e\xdc\x69\x64\x1f\x67\xc7\xc4\x2b\x8e\x02\x5f\x81\x40\x6f\xd4\x89\x6d\x5d\xb8\xe1\x9f\xec\x09\x98\x09\xad\x50\xa9\x8a\x83\xb3\xca\xa8\xfd\x87\x31\x05\x14\xf4\xa7\xaf\xd9\xa9\x70\xc4\x56\x23\x1d\x91\x6b\x26\xd5\xc6\x2b\xc4\x83\x4a\xf9\xbc\x27\x77\xa7\xc7\xd3\xbb\xf5\xf2\xc6\xd8\x28\x93
\x5f\x3b\x82\x77\x43\xc0\x92\x22\x32\x8e\x8e\x82\x91\xbb\x28\x3e\xba\x7d\x4b\xc8\x97\x87\x7f\x6e\x50\xa5\xfa\xbc\x77\xab\xf3\x15\x34\xd7\x00\x96\x2e\xde\xcb\x1d\xf4\xee\x12\x28\xa7\x29\xdf\x7d\xa8\x57\x71\xa3\xf1\xe3\x04\x29\xfa\xc9\x93\xd9\x73\x8d\x9d\x67\x28\xbf\x49\x2b\x47\x91\x43\x8c\x3c\xf6\xd5\x9a\xf8\x09\x97\x4a\xec\x44\x80\x98\xc2\x6c\xb3\x79\x1e\x43\x72\x40\x76\xef\x5c\xa9\xc7\x0c\xb3\xf5\x8a\xcc\xb5\x39\x94\x37\x86\xce\x98\xb0\x92\xc9\x65\xa1\x47\xd1\x87\x0a\xd4\x54\x68\x6b\xa5\x79\xc9\xd1\x0a\x61\x31\xd4\xd9\x80\xff\x68\x89\x8f\xb1\x1a\x0a\x9f\x61\xe6\x0a\x86\x42\x7f\x60\x66\x00\x88\x98\x4e\xed\x16\xac\xf6\xd3\x14\x30\x18\x3b\x81\x91\x2a\xdc\xde\x80\x84\x45\x71\x22\xec\xdd\x70\x54\xcf\x3d\xdd\xee\x25\xa9\x75\xfb\x24\x48\xe7\x1a\x27\xae\xdf\x68\x68\x5e\x9e\x8b\xf6\x07\x05\x6d\x68\xd7\x20\x60\x75\x99\xcb\x49\x97\xa1\xd5\x91\xa1\xcc\x17\x4e\xdd\xc6\x6f\x39\x16\x0a\x2e\x55\xee\xe6\xc8\x2b\x21\x8c\x5b\x96\x3a\x02\x68\x11\x7f\xcc\xda\x93\x14\xd7\xde\x3b\x1b\xfd\xf1\xde\x33\x83\x10\x41\x8d\xbb\x11\xf7\x3b\xfc\x1a\x70\x5a\x7f\x12\x56\x0c\x6a\x83\x6e\xbc\x1c\x92\x7d\x14\x27\xeb\x6d\x71\x04\xf9\x42\x70\x5a\x25\xe7\xa7\x94\x88\x76\x8c\x70\x7c\xdd\xb0\x59\xd0\x6f\x4f\x55\xd6\x41\x14\x65\x8b\xb3\x27\x07\x2a\x0f\x24\x8f\x91\x91\xae\xbf\x83\x8c\xcf\x46\x4e\x3d\xb3\x8b\xd0\x15\xc1\xfe\x7e\x0a\x1c\xe8\xc8\x54\xe0\x64\xad\x28\xdf\x20\x85\x4e\xca\xf4\x42\x88\x1d\x5b\x92\x2d\xb3\x32\x7a\x73\xa8\x00\x7f\x84\xaa\xcb\x94\x1b\xc1\x23\x27\x42\xd0\xad\x98\xeb\x8f\x05\xa8\x12\xc7\x95\x7f\xb4\xb6\x88\x52\x2e\xa6\xa1\xd5\xef\x22\xda\xbf\x25\x37\xb5\xf6\x8d\x81\xe0\x6b\x51\x78\x39\xb4\x74\x23\x85\x64\x96\x79\x29\xfa\x82\x31\xeb\x8e\xaa\x9b\xf7\x95\x54\x91\x79\x39\x33\x6f\x71\xed\xad\x5c\x01\x1d\xe4\xa9\x88\x7c\x9d\x8b\xfe\x58\x8c\x17\x47\xb4\x7e\xca\xe6\x41\xae\x07\x6a\x53\xcb\x66\x1d\x34\x46\x59\xed\x82\xa4\xf1\x06\x12\xea\x2e\xe0\x0a\x44\x4d\xe7\xe4\xb1\xa0\xc5\x61\x4d\x4a\x63\x69\xb4\x8c\xfa\xe5\x31\x6e\x83\x89\xcb\x72\x0a\x11\x11\x71\x38\x3a\x78\x79\x80\x31\xaf\x5e\x49\x76\xb8\x91
\x75\xac\x1e\xfa\x79\xca\x7d\xd7\x28\xd2\x1c\xf2\x85\x3f\x69\x87\x03\x79\xdc\xd6\x91\xf4\x12\xb0\xda\xbb\x49\xf7\x4d\x48\xf9\x31\x3b\xe4\x58\x95\xe8\xd4\xe7\x8e\x23\xe3\x57\xa9\xa2\x29\x4b\xef\xb1\x73\xce\xcc\xdd\xb7\xde\xc8\x47\x81\x92\x0e\x95\x1e\xcc\x86\x3b\xdc\x84\x3a\xf7\x53\x5e\x72\x1a\x7a\x7f\x5b\xd6\xe0\xd3\x7f\xe9\xe5\xb5\xaf\x3f\x2a\xaa\x62\x96\x71\x12\xc0\xfe\x84\x8d\x3c\x38\xa6\x46\xde\xd7\xde\xba\x1a\xb9\x8d\x40\x88\x1b\xa2\xfc\x91\x8a\x86\x64\xbb\xab\xea\x14\xbe\x6f\x5b\xb9\x2e\x25\x4c\x47\x1b\x32\x4a\x02\x6c\x66\x1d\xe4\xb9\x7b\xa0\xae\x1f\x67\x06\x3f\x41\xa5\x61\x9d\xa8\xa4\x9a\x7a\xd6\xcf\x81\x53\x97\x7a\x4c\x63\x17\x1b\xba\x20\x88\x4b\x73\x44\xc4\x05\xd6\x1b\x9c\xe3\xce\x90\xdd\x0b\x6d\x86\xbe\x27\xc0\x28\xa2\xa4\x8f\xe0\x40\xd6\xf9\xd2\xf5\xdc\x24\x66\xcb\x9f\x74\x5e\x5a\x98\xe5\x26\x64\x98\xb1\x4d\x16\xe3\xfc\xee\x12\x02\x6c\x0f\x46\xb7\xfd\x1d\x30\x07\x65\x05\xcd\x64\xc1\xd6\x0c\x5c\xac\x8c\xb4\x00\xea\x6b\x75\x22\xc1\x65\xb0\x09\x4f\xf0\xff\x65\x6d\x08\x16\x73\x05\x6b\x73\xee\xe3\xef\xcb\xfb\xa2\x60\xff\x87\xe4\x30\x4c\x8e\xb1\x4a\xea\xdf\xda\xa0\x95\x70\xf6\x30\x64\x6c", 8192); *(uint64_t*)0x200000006c80 = 0x2000000036c0; *(uint32_t*)0x2000000036c0 = 0x50; *(uint32_t*)0x2000000036c4 = 0; *(uint64_t*)0x2000000036c8 = 8; *(uint32_t*)0x2000000036d0 = 7; *(uint32_t*)0x2000000036d4 = 0x2d; *(uint32_t*)0x2000000036d8 = 7; *(uint32_t*)0x2000000036dc = 0x8000008; *(uint16_t*)0x2000000036e0 = 7; *(uint16_t*)0x2000000036e2 = 0xfc00; *(uint32_t*)0x2000000036e4 = 0x3ff; *(uint32_t*)0x2000000036e8 = 0x59; *(uint16_t*)0x2000000036ec = 0; *(uint16_t*)0x2000000036ee = 0; *(uint32_t*)0x2000000036f0 = 0xe0; *(uint32_t*)0x2000000036f4 = 0x10000; memset((void*)0x2000000036f8, 0, 24); *(uint64_t*)0x200000006c88 = 0x200000003740; *(uint32_t*)0x200000003740 = 0x18; *(uint32_t*)0x200000003744 = 0; *(uint64_t*)0x200000003748 = 6; *(uint64_t*)0x200000003750 = 0x80000001; *(uint64_t*)0x200000006c90 = 0x200000003780; *(uint32_t*)0x200000003780 = 0x18; 
*(uint32_t*)0x200000003784 = 0; *(uint64_t*)0x200000003788 = 4; *(uint64_t*)0x200000003790 = 2; *(uint64_t*)0x200000006c98 = 0x2000000037c0; *(uint32_t*)0x2000000037c0 = 0x18; *(uint32_t*)0x2000000037c4 = 0xffffffda; *(uint64_t*)0x2000000037c8 = 0x37; *(uint32_t*)0x2000000037d0 = 0; *(uint32_t*)0x2000000037d4 = 0; *(uint64_t*)0x200000006ca0 = 0x200000003800; *(uint32_t*)0x200000003800 = 0x18; *(uint32_t*)0x200000003804 = 0; *(uint64_t*)0x200000003808 = 1; *(uint32_t*)0x200000003810 = 0xff; *(uint32_t*)0x200000003814 = 0; *(uint64_t*)0x200000006ca8 = 0x200000003840; *(uint32_t*)0x200000003840 = 0x28; *(uint32_t*)0x200000003844 = 0x26; *(uint64_t*)0x200000003848 = 0x7fffffffffffffff; *(uint64_t*)0x200000003850 = 0x7a; *(uint64_t*)0x200000003858 = 8; *(uint32_t*)0x200000003860 = 0; *(uint32_t*)0x200000003864 = 0; *(uint64_t*)0x200000006cb0 = 0x200000003880; *(uint32_t*)0x200000003880 = 0x60; *(uint32_t*)0x200000003884 = 0xfffffff5; *(uint64_t*)0x200000003888 = 1; *(uint64_t*)0x200000003890 = 0x81; *(uint64_t*)0x200000003898 = 6; *(uint64_t*)0x2000000038a0 = 0x3ff; *(uint64_t*)0x2000000038a8 = 2; *(uint64_t*)0x2000000038b0 = 4; *(uint32_t*)0x2000000038b8 = 4; *(uint32_t*)0x2000000038bc = 8; *(uint32_t*)0x2000000038c0 = 2; *(uint32_t*)0x2000000038c4 = 0; memset((void*)0x2000000038c8, 0, 24); *(uint64_t*)0x200000006cb8 = 0x200000003900; *(uint32_t*)0x200000003900 = 0x18; *(uint32_t*)0x200000003904 = 0; *(uint64_t*)0x200000003908 = 0; *(uint32_t*)0x200000003910 = 0xb; *(uint32_t*)0x200000003914 = 0; *(uint64_t*)0x200000006cc0 = 0x200000003940; *(uint32_t*)0x200000003940 = 0x12; *(uint32_t*)0x200000003944 = 0xaeab5fde; *(uint64_t*)0x200000003948 = 9; memcpy((void*)0x200000003950, "^\000", 2); *(uint64_t*)0x200000006cc8 = 0x200000003980; *(uint32_t*)0x200000003980 = 0x20; *(uint32_t*)0x200000003984 = 0; *(uint64_t*)0x200000003988 = 0; *(uint64_t*)0x200000003990 = 0; *(uint32_t*)0x200000003998 = 2; *(uint32_t*)0x20000000399c = 0; *(uint64_t*)0x200000006cd0 = 0x2000000039c0; 
*(uint32_t*)0x2000000039c0 = 0x78; *(uint32_t*)0x2000000039c4 = 0; *(uint64_t*)0x2000000039c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000039d0 = 3; *(uint32_t*)0x2000000039d8 = 0x67; *(uint32_t*)0x2000000039dc = 0; *(uint64_t*)0x2000000039e0 = 3; *(uint64_t*)0x2000000039e8 = 2; *(uint64_t*)0x2000000039f0 = 5; *(uint64_t*)0x2000000039f8 = 2; *(uint64_t*)0x200000003a00 = 0; *(uint64_t*)0x200000003a08 = 0x5b; *(uint32_t*)0x200000003a10 = 0x200; *(uint32_t*)0x200000003a14 = 6; *(uint32_t*)0x200000003a18 = 0xf0b7; *(uint32_t*)0x200000003a1c = 0x1000; *(uint32_t*)0x200000003a20 = 1; *(uint32_t*)0x200000003a24 = -1; *(uint32_t*)0x200000003a28 = -1; *(uint32_t*)0x200000003a2c = 4; *(uint32_t*)0x200000003a30 = 6; *(uint32_t*)0x200000003a34 = 0; *(uint64_t*)0x200000006cd8 = 0x200000004b00; *(uint32_t*)0x200000004b00 = 0x90; *(uint32_t*)0x200000004b04 = 0; *(uint64_t*)0x200000004b08 = 7; *(uint64_t*)0x200000004b10 = 1; *(uint64_t*)0x200000004b18 = 3; *(uint64_t*)0x200000004b20 = 0x10000; *(uint64_t*)0x200000004b28 = 0x200; *(uint32_t*)0x200000004b30 = 8; *(uint32_t*)0x200000004b34 = 0xa87; *(uint64_t*)0x200000004b38 = 4; *(uint64_t*)0x200000004b40 = 1; *(uint64_t*)0x200000004b48 = 7; *(uint64_t*)0x200000004b50 = 1; *(uint64_t*)0x200000004b58 = 0xfffffffffffffffd; *(uint64_t*)0x200000004b60 = 4; *(uint32_t*)0x200000004b68 = 9; *(uint32_t*)0x200000004b6c = 0xffff; *(uint32_t*)0x200000004b70 = 0x10000000; *(uint32_t*)0x200000004b74 = 0; *(uint32_t*)0x200000004b78 = 0xf40; *(uint32_t*)0x200000004b7c = 0; *(uint32_t*)0x200000004b80 = r[10]; *(uint32_t*)0x200000004b84 = 0x8001; *(uint32_t*)0x200000004b88 = 9; *(uint32_t*)0x200000004b8c = 0; *(uint64_t*)0x200000006ce0 = 0x200000004bc0; *(uint32_t*)0x200000004bc0 = 0x48; *(uint32_t*)0x200000004bc4 = 0; *(uint64_t*)0x200000004bc8 = 0x5c; *(uint64_t*)0x200000004bd0 = 1; *(uint64_t*)0x200000004bd8 = 4; *(uint32_t*)0x200000004be0 = 6; *(uint32_t*)0x200000004be4 = 8; memset((void*)0x200000004be8, 255, 6); *(uint64_t*)0x200000004bf0 = 1; 
*(uint64_t*)0x200000004bf8 = 8; *(uint32_t*)0x200000004c00 = 0; *(uint32_t*)0x200000004c04 = 0xb; *(uint64_t*)0x200000006ce8 = 0x200000006500; *(uint32_t*)0x200000006500 = 0x478; *(uint32_t*)0x200000006504 = 0; *(uint64_t*)0x200000006508 = 2; *(uint64_t*)0x200000006510 = 1; *(uint64_t*)0x200000006518 = 1; *(uint64_t*)0x200000006520 = 0xf; *(uint64_t*)0x200000006528 = 9; *(uint32_t*)0x200000006530 = 0x7fffffff; *(uint32_t*)0x200000006534 = 0x3ff; *(uint64_t*)0x200000006538 = 5; *(uint64_t*)0x200000006540 = 0xb3fc; *(uint64_t*)0x200000006548 = 3; *(uint64_t*)0x200000006550 = 0xa2d9; *(uint64_t*)0x200000006558 = 3; *(uint64_t*)0x200000006560 = 0x80000000; *(uint32_t*)0x200000006568 = 4; *(uint32_t*)0x20000000656c = 5; *(uint32_t*)0x200000006570 = 2; *(uint32_t*)0x200000006574 = 0x6000; *(uint32_t*)0x200000006578 = 0xfff; *(uint32_t*)0x20000000657c = -1; *(uint32_t*)0x200000006580 = 0xee01; *(uint32_t*)0x200000006584 = 5; *(uint32_t*)0x200000006588 = 6; *(uint32_t*)0x20000000658c = 0; *(uint64_t*)0x200000006590 = 5; *(uint64_t*)0x200000006598 = 9; *(uint32_t*)0x2000000065a0 = 6; *(uint32_t*)0x2000000065a4 = 6; memcpy((void*)0x2000000065a8, "wlan1\000", 6); *(uint64_t*)0x2000000065b0 = 3; *(uint64_t*)0x2000000065b8 = 1; *(uint64_t*)0x2000000065c0 = 4; *(uint64_t*)0x2000000065c8 = 0xf; *(uint32_t*)0x2000000065d0 = 1; *(uint32_t*)0x2000000065d4 = 5; *(uint64_t*)0x2000000065d8 = 4; *(uint64_t*)0x2000000065e0 = 0xffc; *(uint64_t*)0x2000000065e8 = 2; *(uint64_t*)0x2000000065f0 = 0xffffffffffffdbca; *(uint64_t*)0x2000000065f8 = 0x35; *(uint64_t*)0x200000006600 = 0x5fa; *(uint32_t*)0x200000006608 = 8; *(uint32_t*)0x20000000660c = 5; *(uint32_t*)0x200000006610 = 0x16d; *(uint32_t*)0x200000006614 = 0x6000; *(uint32_t*)0x200000006618 = 0x8000; *(uint32_t*)0x20000000661c = r[11]; *(uint32_t*)0x200000006620 = 0xee00; *(uint32_t*)0x200000006624 = 8; *(uint32_t*)0x200000006628 = 2; *(uint32_t*)0x20000000662c = 0; *(uint64_t*)0x200000006630 = 2; *(uint64_t*)0x200000006638 = 0x3e8; 
*(uint32_t*)0x200000006640 = 0x16; *(uint32_t*)0x200000006644 = 5; memcpy((void*)0x200000006648, "bpf_lsm_path_truncate\000", 22); *(uint64_t*)0x200000006660 = 6; *(uint64_t*)0x200000006668 = 3; *(uint64_t*)0x200000006670 = 0xcff0; *(uint64_t*)0x200000006678 = 0xfffffffffffffbff; *(uint32_t*)0x200000006680 = 3; *(uint32_t*)0x200000006684 = 3; *(uint64_t*)0x200000006688 = 5; *(uint64_t*)0x200000006690 = 4; *(uint64_t*)0x200000006698 = 8; *(uint64_t*)0x2000000066a0 = 9; *(uint64_t*)0x2000000066a8 = 0x10; *(uint64_t*)0x2000000066b0 = 5; *(uint32_t*)0x2000000066b8 = 0x91; *(uint32_t*)0x2000000066bc = 0xfff; *(uint32_t*)0x2000000066c0 = 0xfffffffd; *(uint32_t*)0x2000000066c4 = 0xc000; *(uint32_t*)0x2000000066c8 = 3; *(uint32_t*)0x2000000066cc = r[12]; *(uint32_t*)0x2000000066d0 = 0xee00; *(uint32_t*)0x2000000066d4 = 0x80; *(uint32_t*)0x2000000066d8 = 0x40; *(uint32_t*)0x2000000066dc = 0; *(uint64_t*)0x2000000066e0 = 0; *(uint64_t*)0x2000000066e8 = 8; *(uint32_t*)0x2000000066f0 = 6; *(uint32_t*)0x2000000066f4 = 0x80000001; memcpy((void*)0x2000000066f8, "wlan1\000", 6); *(uint64_t*)0x200000006700 = 3; *(uint64_t*)0x200000006708 = 2; *(uint64_t*)0x200000006710 = 8; *(uint64_t*)0x200000006718 = 9; *(uint32_t*)0x200000006720 = 0x80000000; *(uint32_t*)0x200000006724 = 0xd149; *(uint64_t*)0x200000006728 = 3; *(uint64_t*)0x200000006730 = 4; *(uint64_t*)0x200000006738 = 5; *(uint64_t*)0x200000006740 = 0xe; *(uint64_t*)0x200000006748 = 0x7a; *(uint64_t*)0x200000006750 = 0xd52; *(uint32_t*)0x200000006758 = 0; *(uint32_t*)0x20000000675c = 5; *(uint32_t*)0x200000006760 = 6; *(uint32_t*)0x200000006764 = 0xa000; *(uint32_t*)0x200000006768 = 2; *(uint32_t*)0x20000000676c = r[14]; *(uint32_t*)0x200000006770 = 0; *(uint32_t*)0x200000006774 = 0x7fffffff; *(uint32_t*)0x200000006778 = 5; *(uint32_t*)0x20000000677c = 0; *(uint64_t*)0x200000006780 = 4; *(uint64_t*)0x200000006788 = 0x7ff; *(uint32_t*)0x200000006790 = 2; *(uint32_t*)0x200000006794 = 0x78d; memcpy((void*)0x200000006798, 
"\300\'", 2); *(uint64_t*)0x2000000067a0 = 2; *(uint64_t*)0x2000000067a8 = 0; *(uint64_t*)0x2000000067b0 = 6; *(uint64_t*)0x2000000067b8 = 0x7fffffff; *(uint32_t*)0x2000000067c0 = 5; *(uint32_t*)0x2000000067c4 = 5; *(uint64_t*)0x2000000067c8 = 2; *(uint64_t*)0x2000000067d0 = 0xc; *(uint64_t*)0x2000000067d8 = 0xbde5; *(uint64_t*)0x2000000067e0 = 5; *(uint64_t*)0x2000000067e8 = 8; *(uint64_t*)0x2000000067f0 = 0x10; *(uint32_t*)0x2000000067f8 = 9; *(uint32_t*)0x2000000067fc = 6; *(uint32_t*)0x200000006800 = 0xe31; *(uint32_t*)0x200000006804 = 0x2000; *(uint32_t*)0x200000006808 = 0x5b8; *(uint32_t*)0x20000000680c = r[16]; *(uint32_t*)0x200000006810 = r[18]; *(uint32_t*)0x200000006814 = 6; *(uint32_t*)0x200000006818 = 8; *(uint32_t*)0x20000000681c = 0; *(uint64_t*)0x200000006820 = 2; *(uint64_t*)0x200000006828 = 0x80; *(uint32_t*)0x200000006830 = 0; *(uint32_t*)0x200000006834 = 0xb6; *(uint64_t*)0x200000006838 = 5; *(uint64_t*)0x200000006840 = 2; *(uint64_t*)0x200000006848 = 0x80000001; *(uint64_t*)0x200000006850 = 2; *(uint32_t*)0x200000006858 = 6; *(uint32_t*)0x20000000685c = 0xff; *(uint64_t*)0x200000006860 = 3; *(uint64_t*)0x200000006868 = 5; *(uint64_t*)0x200000006870 = 8; *(uint64_t*)0x200000006878 = 3; *(uint64_t*)0x200000006880 = 0x8001; *(uint64_t*)0x200000006888 = 5; *(uint32_t*)0x200000006890 = 1; *(uint32_t*)0x200000006894 = 7; *(uint32_t*)0x200000006898 = 2; *(uint32_t*)0x20000000689c = 0x1000; *(uint32_t*)0x2000000068a0 = 1; *(uint32_t*)0x2000000068a4 = 0xee01; *(uint32_t*)0x2000000068a8 = r[19]; *(uint32_t*)0x2000000068ac = 0x10001; *(uint32_t*)0x2000000068b0 = 6; *(uint32_t*)0x2000000068b4 = 0; *(uint64_t*)0x2000000068b8 = 0; *(uint64_t*)0x2000000068c0 = 6; *(uint32_t*)0x2000000068c8 = 5; *(uint32_t*)0x2000000068cc = 6; memset((void*)0x2000000068d0, 170, 5); *(uint64_t*)0x2000000068d8 = 3; *(uint64_t*)0x2000000068e0 = 1; *(uint64_t*)0x2000000068e8 = 0x8000000000000000; *(uint64_t*)0x2000000068f0 = 0x2e; *(uint32_t*)0x2000000068f8 = 5; 
*(uint32_t*)0x2000000068fc = 7; *(uint64_t*)0x200000006900 = 6; *(uint64_t*)0x200000006908 = 5; *(uint64_t*)0x200000006910 = 5; *(uint64_t*)0x200000006918 = 0xb; *(uint64_t*)0x200000006920 = 0; *(uint64_t*)0x200000006928 = 2; *(uint32_t*)0x200000006930 = 0xffff; *(uint32_t*)0x200000006934 = 0; *(uint32_t*)0x200000006938 = 8; *(uint32_t*)0x20000000693c = 0x2000; *(uint32_t*)0x200000006940 = 9; *(uint32_t*)0x200000006944 = r[20]; *(uint32_t*)0x200000006948 = r[21]; *(uint32_t*)0x20000000694c = 2; *(uint32_t*)0x200000006950 = 7; *(uint32_t*)0x200000006954 = 0; *(uint64_t*)0x200000006958 = 6; *(uint64_t*)0x200000006960 = 0xfffffffffffffffb; *(uint32_t*)0x200000006968 = 5; *(uint32_t*)0x20000000696c = 6; memset((void*)0x200000006970, 170, 5); *(uint64_t*)0x200000006cf0 = 0x200000006980; *(uint32_t*)0x200000006980 = 0xa0; *(uint32_t*)0x200000006984 = 0; *(uint64_t*)0x200000006988 = 0xd05; *(uint64_t*)0x200000006990 = 5; *(uint64_t*)0x200000006998 = 3; *(uint64_t*)0x2000000069a0 = 0x8000000000000001; *(uint64_t*)0x2000000069a8 = 7; *(uint32_t*)0x2000000069b0 = 5; *(uint32_t*)0x2000000069b4 = 2; *(uint64_t*)0x2000000069b8 = 3; *(uint64_t*)0x2000000069c0 = 4; *(uint64_t*)0x2000000069c8 = 5; *(uint64_t*)0x2000000069d0 = 3; *(uint64_t*)0x2000000069d8 = 8; *(uint64_t*)0x2000000069e0 = 1; *(uint32_t*)0x2000000069e8 = 0x8001; *(uint32_t*)0x2000000069ec = 0; *(uint32_t*)0x2000000069f0 = 0xfff; *(uint32_t*)0x2000000069f4 = 0x8000; *(uint32_t*)0x2000000069f8 = 0x101; *(uint32_t*)0x2000000069fc = r[22]; *(uint32_t*)0x200000006a00 = 0xee00; *(uint32_t*)0x200000006a04 = 7; *(uint32_t*)0x200000006a08 = 0xac; *(uint32_t*)0x200000006a0c = 0; *(uint64_t*)0x200000006a10 = 0; *(uint32_t*)0x200000006a18 = 0x10; *(uint32_t*)0x200000006a1c = 0; *(uint64_t*)0x200000006cf8 = 0x200000006a40; *(uint32_t*)0x200000006a40 = 0x20; *(uint32_t*)0x200000006a44 = 0; *(uint64_t*)0x200000006a48 = 0xffffffff; *(uint32_t*)0x200000006a50 = 4; *(uint32_t*)0x200000006a54 = 0; *(uint32_t*)0x200000006a58 = 9; 
*(uint32_t*)0x200000006a5c = 0xa; *(uint64_t*)0x200000006d00 = 0x200000006b40; *(uint32_t*)0x200000006b40 = 0x130; *(uint32_t*)0x200000006b44 = 0; *(uint64_t*)0x200000006b48 = 0x1ff; *(uint64_t*)0x200000006b50 = 0x6276287e; *(uint32_t*)0x200000006b58 = 7; *(uint32_t*)0x200000006b5c = 0; memset((void*)0x200000006b60, 0, 16); *(uint32_t*)0x200000006b70 = 0x800; *(uint32_t*)0x200000006b74 = 2; *(uint64_t*)0x200000006b78 = 3; *(uint32_t*)0x200000006b80 = 0x1e; *(uint32_t*)0x200000006b84 = -1; *(uint32_t*)0x200000006b88 = r[24]; *(uint16_t*)0x200000006b8c = 0x4000; memset((void*)0x200000006b8e, 0, 2); *(uint64_t*)0x200000006b90 = 0x800; *(uint64_t*)0x200000006b98 = 9; *(uint64_t*)0x200000006ba0 = 8; *(uint64_t*)0x200000006ba8 = 0x32f3fcde; *(uint64_t*)0x200000006bb0 = 6; *(uint32_t*)0x200000006bb8 = 1; *(uint32_t*)0x200000006bbc = 0; *(uint64_t*)0x200000006bc0 = 4; *(uint32_t*)0x200000006bc8 = 0xe30; *(uint32_t*)0x200000006bcc = 0; *(uint64_t*)0x200000006bd0 = 0x4d; *(uint32_t*)0x200000006bd8 = 3; *(uint32_t*)0x200000006bdc = 0; *(uint64_t*)0x200000006be0 = 6; *(uint32_t*)0x200000006be8 = 8; *(uint32_t*)0x200000006bec = 0; *(uint32_t*)0x200000006bf0 = 6; *(uint32_t*)0x200000006bf4 = 2; *(uint32_t*)0x200000006bf8 = 0xfb; *(uint32_t*)0x200000006bfc = 2; memset((void*)0x200000006c00, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x2000000016c0, /*len=*/0x2000, /*res=*/0x200000006c80); break; case 30: memcpy((void*)0x200000006d40, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000006d40, /*fd=*/r[23]); break; case 31: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 32: *(uint32_t*)0x200000006d84 = 0xd0f0; *(uint32_t*)0x200000006d88 = 0x20; *(uint32_t*)0x200000006d8c = 0; *(uint32_t*)0x200000006d90 = 0x1e5; *(uint32_t*)0x200000006d98 = -1; memset((void*)0x200000006d9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x28c2, /*params=*/0x200000006d80, /*ring_ptr=*/0x200000006e00, /*sqes_ptr=*/0x200000006e40); if (res != -1) 
r[25] = *(uint64_t*)0x200000006e00; break; case 33: syz_io_uring_complete(/*ring_ptr=*/r[25]); break; case 34: *(uint32_t*)0x200000006e84 = 0x979d; *(uint32_t*)0x200000006e88 = 4; *(uint32_t*)0x200000006e8c = 1; *(uint32_t*)0x200000006e90 = 0x206; *(uint32_t*)0x200000006e98 = r[9]; memset((void*)0x200000006e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x7c1f, /*params=*/0x200000006e80, /*ring_ptr=*/0x200000006f00, /*sqes_ptr=*/0x200000006f40); if (res != -1) { r[26] = res; r[27] = *(uint64_t*)0x200000006f00; r[28] = *(uint64_t*)0x200000006f40; } break; case 35: res = syscall(__NR_io_uring_register, /*fd=*/r[26], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[29] = res; break; case 36: *(uint8_t*)0x200000007000 = 0x1c; *(uint8_t*)0x200000007001 = 0x14; *(uint16_t*)0x200000007002 = 0; *(uint32_t*)0x200000007004 = r[23]; *(uint64_t*)0x200000007008 = 0x200000006f80; *(uint64_t*)0x200000006f80 = 0x818480; *(uint64_t*)0x200000006f88 = 0; *(uint64_t*)0x200000006f90 = 0x35; *(uint64_t*)0x200000007010 = 0x200000006fc0; memcpy((void*)0x200000006fc0, "./file0\000", 8); *(uint32_t*)0x200000007018 = 0x18; *(uint32_t*)0x20000000701c = 0; *(uint64_t*)0x200000007020 = 0x23456; *(uint16_t*)0x200000007028 = 0; *(uint16_t*)0x20000000702a = r[29]; memset((void*)0x20000000702c, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[27], /*sqes_ptr=*/r[28], /*sqe=*/0x200000007000); break; case 37: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[9], /*usermem=*/0x200000bfd000); if (res != -1) r[30] = res; break; case 38: *(uint64_t*)0x200000007400 = 0; *(uint64_t*)0x200000007408 = 0x200000007040; *(uint64_t*)0x200000007040 = 0x65; *(uint64_t*)0x200000007048 = 0x20; *(uint64_t*)0x200000007050 = 0x92e; *(uint64_t*)0x200000007058 = 8; *(uint64_t*)0x200000007060 = 0x130; *(uint64_t*)0x200000007068 = 0x18; *(uint64_t*)0x200000007070 = 1; *(uint64_t*)0x200000007078 = 0x68; *(uint64_t*)0x200000007080 = 0x20; *(uint64_t*)0x200000007088 = 1; *(uint64_t*)0x200000007090 = 0; 
*(uint64_t*)0x200000007098 = 0x17d; *(uint64_t*)0x2000000070a0 = 0x20; *(uint64_t*)0x2000000070a8 = 0xffffffff; *(uint64_t*)0x2000000070b0 = 0xbd0d; *(uint64_t*)0x2000000070b8 = 0x183; *(uint64_t*)0x2000000070c0 = 0x18; *(uint64_t*)0x2000000070c8 = 1; *(uint64_t*)0x2000000070d0 = 0xa; *(uint64_t*)0x2000000070d8 = 0x6a; memcpy((void*)0x2000000070e0, "\x36\x49\x0f\xc7\xaa\xd6\x61\x97\xc0\x26\x66\x0f\x38\x80\x94\x5e\x00\x80\x00\x00\x0f\x01\xba\x00\x80\x00\x00\x8f\xc9\xb8\x9b\x29\x47\x0f\xc7\xae\x20\x00\x00\x00\x45\x0f\x09\xc4\xe2\xd1\x39\x67\xc4\x36\x0f\x01\x7f\x05\x66\x64\x2e\x64\x3e\xd8\xf1\xc7\x44\x24\x00\x25\xfd\x00\x00\xc7\x44\x24\x02\x54\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24", 89); *(uint8_t*)0x200000007139 = 0xc3; *(uint64_t*)0x20000000713a = 0x180; *(uint64_t*)0x200000007142 = 0x38; *(uint64_t*)0x20000000714a = 0; *(uint64_t*)0x200000007152 = 0xb5; *(uint64_t*)0x20000000715a = 7; *(uint64_t*)0x200000007162 = 5; *(uint64_t*)0x20000000716a = 0; *(uint64_t*)0x200000007172 = 0x12f; *(uint64_t*)0x20000000717a = 0x18; *(uint64_t*)0x200000007182 = 3; *(uint64_t*)0x20000000718a = 0x12c; *(uint64_t*)0x200000007192 = 0x18; *(uint64_t*)0x20000000719a = 0; *(uint64_t*)0x2000000071a2 = 0x154; *(uint64_t*)0x2000000071aa = 0x38; *(uint64_t*)0x2000000071b2 = 3; *(uint64_t*)0x2000000071ba = 4; *(uint64_t*)0x2000000071c2 = 5; *(uint64_t*)0x2000000071ca = 0x1ff; *(uint64_t*)0x2000000071d2 = 8; *(uint64_t*)0x2000000071da = 0x130; *(uint64_t*)0x2000000071e2 = 0x18; *(uint64_t*)0x2000000071ea = 0; *(uint64_t*)0x2000000071f2 = 0x6a; *(uint64_t*)0x2000000071fa = 0x28; *(uint64_t*)0x200000007202 = 0xc636; *(uint64_t*)0x20000000720a = 5; *(uint64_t*)0x200000007212 = 4; *(uint64_t*)0x20000000721a = 0x12c; *(uint64_t*)0x200000007222 = 0x18; *(uint64_t*)0x20000000722a = 0; *(uint64_t*)0x200000007232 = 0x12f; *(uint64_t*)0x20000000723a = 0x18; *(uint64_t*)0x200000007242 = 1; *(uint64_t*)0x20000000724a = 0x65; *(uint64_t*)0x200000007252 = 0x20; 
*(uint64_t*)0x20000000725a = 0x8a3; *(uint64_t*)0x200000007262 = 9; *(uint64_t*)0x20000000726a = 0x68; *(uint64_t*)0x200000007272 = 0x20; *(uint64_t*)0x20000000727a = 4; *(uint64_t*)0x200000007282 = 6; *(uint64_t*)0x20000000728a = 0x12f; *(uint64_t*)0x200000007292 = 0x18; *(uint64_t*)0x20000000729a = 3; *(uint64_t*)0x2000000072a2 = 0x12d; *(uint64_t*)0x2000000072aa = 0x18; *(uint64_t*)0x2000000072b2 = 2; *(uint64_t*)0x2000000072ba = 0x17d; *(uint64_t*)0x2000000072c2 = 0x20; *(uint64_t*)0x2000000072ca = 0x8080000; *(uint64_t*)0x2000000072d2 = 0x943e; *(uint64_t*)0x2000000072da = 0x17c; *(uint64_t*)0x2000000072e2 = 0x38; *(uint64_t*)0x2000000072ea = 3; *(uint64_t*)0x2000000072f2 = 0x31; *(uint64_t*)0x2000000072fa = 0xc; *(uint64_t*)0x200000007302 = 6; *(uint64_t*)0x20000000730a = 8; *(uint64_t*)0x200000007312 = 0x180; *(uint64_t*)0x20000000731a = 0x38; *(uint64_t*)0x200000007322 = 2; *(uint64_t*)0x20000000732a = 0x36; *(uint64_t*)0x200000007332 = 1; *(uint64_t*)0x20000000733a = 2; *(uint64_t*)0x200000007342 = 3; *(uint64_t*)0x20000000734a = 0x130; *(uint64_t*)0x200000007352 = 0x18; *(uint64_t*)0x20000000735a = 1; *(uint64_t*)0x200000007362 = 0x130; *(uint64_t*)0x20000000736a = 0x18; *(uint64_t*)0x200000007372 = 0; *(uint64_t*)0x20000000737a = 0x180; *(uint64_t*)0x200000007382 = 0x38; *(uint64_t*)0x20000000738a = 3; *(uint64_t*)0x200000007392 = 0x72; *(uint64_t*)0x20000000739a = 2; *(uint64_t*)0x2000000073a2 = 5; *(uint64_t*)0x2000000073aa = 2; *(uint64_t*)0x2000000073b2 = 0x12f; *(uint64_t*)0x2000000073ba = 0x18; *(uint64_t*)0x2000000073c2 = 2; *(uint64_t*)0x2000000073ca = 0x12f; *(uint64_t*)0x2000000073d2 = 0x18; *(uint64_t*)0x2000000073da = 2; *(uint64_t*)0x200000007410 = 0x3a2; syz_kvm_add_vcpu(/*vm=*/r[30], /*text=*/0x200000007400); break; case 39: res = syscall(__NR_ioctl, /*fd=*/r[9], /*cmd=*/0xae01, /*type=*/5ul); if (res != -1) r[31] = res; break; case 40: *(uint64_t*)0x200000007680 = 0; *(uint64_t*)0x200000007688 = 0x200000007440; 
memcpy((void*)0x200000007440, "\xcd\xfa\xef\x13\x00\x00\x00\x3e\x00\x00\x10\x62\x04\x00\x10\x7a\x00\x00\x10\x66\xc1\x00\x10\x62\xa6\x03\x00\x7e\xb9\xf0\x00\x3e\xe9\x0e\x10\x62\x04\x00\x10\x7a\xa3\x30\x10\x66\x88\x26\x10\x62\xa6\x03\x00\x7e\x24\x00\x00\x4c\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xf6\x63\x60\xba\xaa\x80\x3c\x42\xab\x84\x60\x04\x00\x84\x78\xa5\xa4\x84\x64\xdb\xea\x84\x60\xc7\xb2\xa0\x3c\x4e\xd4\xa5\x60\x04\x00\xa5\x78\x8e\xd5\xa5\x64\xc9\xc4\xa5\x60\xf6\x27\xc0\x3c\x0e\x37\xc6\x60\x04\x00\xc6\x78\x10\x50\xc6\x64\xf3\x3c\xc6\x60\x64\xae\xe0\x3c\x0f\xe0\xe7\x60\x04\x00\xe7\x78\xf8\x33\xe7\x64\x27\xe1\xe7\x60\xf9\xfe\x00\x3d\x88\x3a\x08\x61\x04\x00\x08\x79\xf6\x6c\x08\x65\xcb\x9b\x08\x61\xe7\x22\x20\x3d\xa3\x5b\x29\x61\x04\x00\x29\x79\xbb\xbc\x29\x65\x5e\x83\x29\x61\xd9\x75\x40\x3d\x52\x94\x4a\x61\x04\x00\x4a\x79\xdb\x25\x4a\x65\xf3\x5e\x4a\x61\x02\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x50\xf3\x63\x60\x42\x00\x00\x44\x0d\x0b\xc0\x3e\xa1\xda\xd6\x62\x04\x00\xd6\x7a\xeb\x5a\xd6\x66\x62\x96\xd6\x62\x9c\xb0\x00\x7c\xec\x06\x00\x7c\xa4\x00\x00\x4c\x3d\x6a\xa0\x3e\x17\x1b\xb5\x62\x04\x00\xb5\x7a\x72\x93\xb5\x66\x34\x54\xb5\x62\xa6\x03\xa0\x7e\xd4\x8d\xa0\x3e\x12\xd2\xb5\x62\x04\x00\xb5\x7a\xf6\xf5\xb5\x66\x15\xe0\xb5\x62\xa6\x03\xa0\x7e\x24\x00\x00\x4c\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x05\xc0\x3f\x00\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x00\xc0\x3f\x21\x8c\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf6\x78\xbd\x63\x00\x00\xc0\x3f\x0a\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xfa\x78\xbd\x63\x97\x4b\xc0\x3f\x5c\x3b\xde\x63\x00\x00\xdd\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x49\x30\x84\x64\
xf2\x78\x84\x60\x22\x00\x00\x44\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\x1a\x00\x9c\x63\x24\x01\xc0\x7f", 524); *(uint64_t*)0x200000007690 = 0x20c; *(uint64_t*)0x2000000076c0 = 1; *(uint64_t*)0x2000000076c8 = 6; syz_kvm_setup_cpu(/*fd=*/r[31], /*cpufd=*/r[23], /*usermem=*/0x200000fe5000, /*text=*/0x200000007680, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_IR*/2, /*opts=*/0x2000000076c0, /*nopt=*/1); break; case 41: syz_kvm_setup_syzos_vm(/*fd=*/r[23], /*usermem=*/0x200000c00000); break; case 42: *(uint32_t*)0x200000007700 = 0; syz_memcpy_off(/*ring_ptr=*/0, /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x200000007700, /*src_off=*/0, /*nbytes=*/4); break; case 43: memcpy((void*)0x200000007740, "fuse\000", 5); memcpy((void*)0x200000007780, "./file0\000", 8); memcpy((void*)0x2000000077c0, "fd", 2); *(uint8_t*)0x2000000077c2 = 0x3d; sprintf((char*)0x2000000077c3, "0x%016llx", (long long)r[23]); *(uint8_t*)0x2000000077d5 = 0x2c; memcpy((void*)0x2000000077d6, "rootmode", 8); *(uint8_t*)0x2000000077de = 0x3d; sprintf((char*)0x2000000077df, "%023llo", (long long)0x6000); *(uint8_t*)0x2000000077f6 = 0x2c; memcpy((void*)0x2000000077f7, "user_id", 7); *(uint8_t*)0x2000000077fe = 0x3d; sprintf((char*)0x2000000077ff, "%020llu", (long long)r[22]); *(uint8_t*)0x200000007813 = 0x2c; memcpy((void*)0x200000007814, "group_id", 8); *(uint8_t*)0x20000000781c = 0x3d; sprintf((char*)0x20000000781d, "%020llu", (long long)r[13]); *(uint8_t*)0x200000007831 = 0x2c; memcpy((void*)0x200000007832, "max_read", 8); *(uint8_t*)0x20000000783a = 0x3d; sprintf((char*)0x20000000783b, "0x%016llx", (long long)3); *(uint8_t*)0x20000000784d = 0x2c; memcpy((void*)0x20000000784e, "default_permissions", 19); *(uint8_t*)0x200000007861 = 0x2c; memcpy((void*)0x200000007862, "allow_other", 11); *(uint8_t*)0x20000000786d = 0x2c; memcpy((void*)0x20000000786e, "default_permissions", 19); *(uint8_t*)0x200000007881 = 0x2c; memcpy((void*)0x200000007882, "allow_other", 11); *(uint8_t*)0x20000000788d = 
0x2c; memcpy((void*)0x20000000788e, "default_permissions", 19); *(uint8_t*)0x2000000078a1 = 0x2c; memcpy((void*)0x2000000078a2, "default_permissions", 19); *(uint8_t*)0x2000000078b5 = 0x2c; memcpy((void*)0x2000000078b6, "allow_other", 11); *(uint8_t*)0x2000000078c1 = 0x2c; memcpy((void*)0x2000000078c2, "permit_directio", 15); *(uint8_t*)0x2000000078d1 = 0x2c; memcpy((void*)0x2000000078d2, "uid<", 4); sprintf((char*)0x2000000078d6, "%020llu", (long long)r[17]); *(uint8_t*)0x2000000078ea = 0x2c; memcpy((void*)0x2000000078eb, "appraise", 8); *(uint8_t*)0x2000000078f3 = 0x2c; memcpy((void*)0x2000000078f4, "smackfshat", 10); *(uint8_t*)0x2000000078fe = 0x3d; memcpy((void*)0x2000000078ff, "\300\'", 2); *(uint8_t*)0x200000007901 = 0x2c; memcpy((void*)0x200000007902, "appraise", 8); *(uint8_t*)0x20000000790a = 0x2c; *(uint8_t*)0x20000000790b = 0; memcpy((void*)0x200000007940, "\xa4\xb2\x22\xdf\x2b\xa1\x0d\xf2\x4f\x54\x81\xe0\xdc\x5e\x93\xb8\x1b\x1b\x82\xe9\xa2\x14\xca\xbc\xe3\x44\x80\x0a\xd5\x4d\xe6\x10\xfa\x1e\xda\x44\xb9\x04\x05\x26\xf2\xdc\x7c\x73\x1c\x54\x73\xc8\xc6\xdc\x94\x19\x2a\x03\x48\x4e\x6d\x62\xbb\x49\x12\x86\x12\x54\x3a\x9d\x01\x6e\xd9\xa3\x73\x0e\x51\x08\x0f\x5c\x86\x0d\x03\xa7\x7e\xd5\x01\x64\xbc\xf9\x9c\x42\xd3\x56\x8a\x97\x4a\x92\x7a\x87\x9d\xe4\x1e\xdc\x2f\x55\x52\x36\x58\x86\x12\x1a\x31\x09\x5b\x97\xaa\x08\xee\x29\x77\x11\x1f\x7c\xc5\x6a\x77\xc0\xf2\xa1\x6b\x32\xb1\x9d\xf5\x0a\x24\x9c\xd3\x05\x8e\x60\xa6\xae\x8c\x96\x34\x9d\x5e\x5c\x00\x97\x59\x4c\xe0\x1c\x1f\xbe\xe5\xee\x94\x60\x6f\xef\x67\x32\x31\xe6\x57\x00\xbc\x71\x5f\x1f\x01\x19\xc8\x4e\xd2\x7b\x8a\xf3\x8e\xd1\x53\xd3\x94\xd6\xb2\x2c\xca\x54\xdb\x55\xa3\x1b\xc2\x5b\x45\xe8\x1d\xec\xa7\xbe\xdb\x69\x66\x91\xae\x6b\x92\xf0\x9e\xea\x3e\x2b\x5e\x8a\xf2\xf9\x96\x33\x9d\xec\x59\x2e\xde\xc5\x89\x7e\x94\xeb", 228); syz_mount_image(/*fs=*/0x200000007740, /*dir=*/0x200000007780, /*flags=MS_PRIVATE*/0x40000, /*opts=*/0x2000000077c0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000007940); break; case 44: 
memcpy((void*)0x200000007a40, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000007a40, /*id=*/7, /*flags=*/0); break; case 45: memcpy((void*)0x200000007a80, "net/psched\000", 11); syz_open_procfs(/*pid=*/r[4], /*file=*/0x200000007a80); break; case 46: syz_open_pts(/*fd=*/r[9], /*flags=O_PATH|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|FASYNC|0x402*/0x292c02); break; case 47: syz_pidfd_open(/*pid=*/r[15], /*flags=*/0); break; case 48: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[32] = res; break; case 49: syz_pkey_set(/*key=*/r[32], /*val=PKEY_DISABLE_WRITE|PKEY_DISABLE_ACCESS*/3); break; case 50: syz_socket_connect_nvme_tcp(); break; case 51: *(uint8_t*)0x200000007ac0 = 0x12; *(uint8_t*)0x200000007ac1 = 1; *(uint16_t*)0x200000007ac2 = 0x250; *(uint8_t*)0x200000007ac4 = 0x58; *(uint8_t*)0x200000007ac5 = 6; *(uint8_t*)0x200000007ac6 = 0x54; *(uint8_t*)0x200000007ac7 = 8; *(uint16_t*)0x200000007ac8 = 0x13d3; *(uint16_t*)0x200000007aca = 0x3348; *(uint16_t*)0x200000007acc = 0x15b2; *(uint8_t*)0x200000007ace = 1; *(uint8_t*)0x200000007acf = 2; *(uint8_t*)0x200000007ad0 = 3; *(uint8_t*)0x200000007ad1 = 1; *(uint8_t*)0x200000007ad2 = 9; *(uint8_t*)0x200000007ad3 = 2; *(uint16_t*)0x200000007ad4 = 0x283; *(uint8_t*)0x200000007ad6 = 2; *(uint8_t*)0x200000007ad7 = 9; *(uint8_t*)0x200000007ad8 = 2; *(uint8_t*)0x200000007ad9 = 0x10; *(uint8_t*)0x200000007ada = 8; *(uint8_t*)0x200000007adb = 9; *(uint8_t*)0x200000007adc = 4; *(uint8_t*)0x200000007add = 0x26; *(uint8_t*)0x200000007ade = 0xb; *(uint8_t*)0x200000007adf = 5; *(uint8_t*)0x200000007ae0 = 0x83; *(uint8_t*)0x200000007ae1 = 0x18; *(uint8_t*)0x200000007ae2 = 0x74; *(uint8_t*)0x200000007ae3 = 0xee; *(uint8_t*)0x200000007ae4 = 9; *(uint8_t*)0x200000007ae5 = 5; *(uint8_t*)0x200000007ae6 = 0xb; *(uint8_t*)0x200000007ae7 = 3; *(uint16_t*)0x200000007ae8 = 8; *(uint8_t*)0x200000007aea = 4; *(uint8_t*)0x200000007aeb = 0xfb; *(uint8_t*)0x200000007aec = 0x6a; *(uint8_t*)0x200000007aed = 0xbd; 
*(uint8_t*)0x200000007aee = 0xc; memcpy((void*)0x200000007aef, "\x8b\x82\xbd\x3f\xc8\x13\x7d\x3d\x25\x9c\xe7\xbc\x14\x0d\xe0\x82\x3d\xe2\x22\x2e\xed\x4c\x57\x0e\xdc\xb8\x45\x53\xcd\x1e\xfd\x64\x9d\xd3\x52\xdd\x37\x5d\x81\xda\x8d\xa8\xe6\x86\x3f\xb4\x82\xec\xb3\xa1\x6f\x12\x22\x10\xbf\xf2\x5c\x59\xa3\xaf\xc6\x54\x28\x48\xc0\x6e\x1b\x98\x3f\xbc\x8d\xd0\xde\x62\x7c\xfd\xdf\x9f\x90\x5f\x5c\xb6\xed\x4a\x25\xec\x59\x47\x59\x9b\x15\xb5\x38\xc7\xbb\x0b\x0d\x65\xd4\xa3\x1b\x31\x9f\x73\x83\x95\x5c\xe7\x66\xef\x4c\x66\xd1\x8b\xc7\x5d\x69\xb2\xdd\x7d\x13\x6c\x78\xea\xec\x1e\x22\x03\xeb\x91\x8d\xd6\x16\x09\xde\x40\xf4\xf6\x93\x91\x7e\xeb\x17\xfc\x38\x7b\xb4\x27\x34\x1f\x64\x16\xe0\xb8\xc4\x6a\x24\x45\xa5\xc4\x9b\xd9\xc8\x6d\xfe\x21\xc5\x98\xac\xf1\x7e\xa9\x8f\xfe\xce\x20\x2a\x21\xdc\x93\xa0\xb8\x30\xd2\x9a\xf8\x7c", 187); *(uint8_t*)0x200000007baa = 0xc7; *(uint8_t*)0x200000007bab = 6; memcpy((void*)0x200000007bac, "\xf5\x45\x9e\x11\x78\x00\xd2\x2a\x25\xa4\x86\xd1\x44\x2f\x5c\xbd\x4d\x3d\x77\x6c\xd0\x61\xd2\xc1\x85\xf9\x92\x4e\xae\x6a\x4d\x7b\x14\xc5\x8b\x59\x98\x63\xd3\x21\xe3\xea\x80\xa2\x5f\x6d\x8b\xe5\x1d\x5c\xa7\x0c\x27\x6c\xe0\xe6\xd9\x03\x8f\x88\x77\x6b\x96\x14\x28\x7d\xb7\xee\x21\x13\xf0\xe7\xe1\xf0\x18\x73\xb6\x13\xd7\x63\xda\x5f\x87\xf8\x6c\xd1\x86\x0b\xd6\x23\x46\x3f\xc6\xd9\x3d\x9f\x94\x8d\x0d\x4d\x70\xd7\x2a\x8a\xc1\xde\xc1\xad\xce\xb8\x71\x67\x29\x90\x64\x28\xd5\xb6\xe2\x4b\x01\x49\x9b\xfa\x6a\x0a\xa0\x48\x2e\xed\x8c\x77\x51\xa1\xc7\xec\x94\x4d\xb1\x92\x54\xa7\x4b\x61\x14\x2e\x72\x5a\x7a\x29\x0c\x41\x42\x87\x5d\x34\x7b\x3e\x48\x3f\x4e\x2d\xb8\x37\x3e\xf8\xfe\xad\x81\x18\xce\x07\xd8\x12\x33\x2b\x21\x1d\xa9\x73\x3d\x44\x4f\x7d\x70\x6a\x64\x39\xc2\x9a\xea\xed\xd0\x30\x00\xa2\xa8", 197); *(uint8_t*)0x200000007c71 = 9; *(uint8_t*)0x200000007c72 = 5; *(uint8_t*)0x200000007c73 = 0xa; *(uint8_t*)0x200000007c74 = 0xc; *(uint16_t*)0x200000007c75 = 0x400; *(uint8_t*)0x200000007c77 = 0xc; *(uint8_t*)0x200000007c78 = 0; *(uint8_t*)0x200000007c79 = 0xb5; 
*(uint8_t*)0x200000007c7a = 7; *(uint8_t*)0x200000007c7b = 0x25; *(uint8_t*)0x200000007c7c = 1; *(uint8_t*)0x200000007c7d = 1; *(uint8_t*)0x200000007c7e = 0xb; *(uint16_t*)0x200000007c7f = 7; *(uint8_t*)0x200000007c81 = 9; *(uint8_t*)0x200000007c82 = 5; *(uint8_t*)0x200000007c83 = 2; *(uint8_t*)0x200000007c84 = 0x10; *(uint16_t*)0x200000007c85 = 0x20; *(uint8_t*)0x200000007c87 = 7; *(uint8_t*)0x200000007c88 = 5; *(uint8_t*)0x200000007c89 = 5; *(uint8_t*)0x200000007c8a = 0x24; *(uint8_t*)0x200000007c8b = 7; memcpy((void*)0x200000007c8c, "\xad\x98\x31\x4a\x82\xd7\xae\xbb\xfc\xe8\x51\x78\x75\x22\x71\xb1\x58\xc0\x5d\xea\x1b\xf5\xa2\x45\x9c\x43\x1d\xf1\x80\xc1\xf3\xb2\xbe\x3b", 34); *(uint8_t*)0x200000007cae = 9; *(uint8_t*)0x200000007caf = 5; *(uint8_t*)0x200000007cb0 = 3; *(uint8_t*)0x200000007cb1 = 2; *(uint16_t*)0x200000007cb2 = 8; *(uint8_t*)0x200000007cb4 = 7; *(uint8_t*)0x200000007cb5 = 0xf3; *(uint8_t*)0x200000007cb6 = 4; *(uint8_t*)0x200000007cb7 = 9; *(uint8_t*)0x200000007cb8 = 5; *(uint8_t*)0x200000007cb9 = 5; *(uint8_t*)0x200000007cba = 0; *(uint16_t*)0x200000007cbb = 0x40; *(uint8_t*)0x200000007cbd = 2; *(uint8_t*)0x200000007cbe = 3; *(uint8_t*)0x200000007cbf = 2; *(uint8_t*)0x200000007cc0 = 0x6a; *(uint8_t*)0x200000007cc1 = 0xa; memcpy((void*)0x200000007cc2, "\xf7\xdd\x67\x50\x5d\x35\x3d\x93\xb6\xe1\xf3\xac\x2d\x8f\x9f\x76\x60\x12\xd2\x04\xe5\x58\xa7\x07\x6c\x6a\x1d\xd6\x64\x8b\x29\x28\xac\xaf\x80\x17\x10\xc8\x55\x50\x67\xe0\x71\x5e\x60\x77\x2d\x9a\x84\xc7\x14\xf6\x3d\x52\x7b\x9f\x15\x32\xa5\xac\x65\x11\x62\x7f\x9e\x84\x00\xe6\x2a\xd6\xbd\x25\xec\x51\xec\x63\x0a\xfc\x10\xe1\xf0\xf2\xfe\x01\xc9\x58\x8e\x28\x97\xef\x26\xd5\xea\x8b\xcf\x97\x0e\x51\xfc\x28\xd8\x4a\x62\x8c", 104); *(uint8_t*)0x200000007d2a = 9; *(uint8_t*)0x200000007d2b = 4; *(uint8_t*)0x200000007d2c = 0x48; *(uint8_t*)0x200000007d2d = 0xe; *(uint8_t*)0x200000007d2e = 3; *(uint8_t*)0x200000007d2f = 0xca; *(uint8_t*)0x200000007d30 = 0x1e; *(uint8_t*)0x200000007d31 = 0x4a; 
*(uint8_t*)0x200000007d32 = 0xf5; *(uint8_t*)0x200000007d33 = 9; *(uint8_t*)0x200000007d34 = 5; *(uint8_t*)0x200000007d35 = 0xb; *(uint8_t*)0x200000007d36 = 4; *(uint16_t*)0x200000007d37 = 0x400; *(uint8_t*)0x200000007d39 = 5; *(uint8_t*)0x200000007d3a = 0xf7; *(uint8_t*)0x200000007d3b = 0xf6; *(uint8_t*)0x200000007d3c = 9; *(uint8_t*)0x200000007d3d = 5; *(uint8_t*)0x200000007d3e = 0xe; *(uint8_t*)0x200000007d3f = 0x10; *(uint16_t*)0x200000007d40 = 0x3ff; *(uint8_t*)0x200000007d42 = 1; *(uint8_t*)0x200000007d43 = 0xd; *(uint8_t*)0x200000007d44 = 0x80; *(uint8_t*)0x200000007d45 = 9; *(uint8_t*)0x200000007d46 = 5; *(uint8_t*)0x200000007d47 = 5; *(uint8_t*)0x200000007d48 = 0x10; *(uint16_t*)0x200000007d49 = 0x10; *(uint8_t*)0x200000007d4b = 0x95; *(uint8_t*)0x200000007d4c = 3; *(uint8_t*)0x200000007d4d = 0; *(uint8_t*)0x200000007d4e = 7; *(uint8_t*)0x200000007d4f = 0x25; *(uint8_t*)0x200000007d50 = 1; *(uint8_t*)0x200000007d51 = 0x82; *(uint8_t*)0x200000007d52 = 0xae; *(uint16_t*)0x200000007d53 = 0x12; *(uint32_t*)0x200000007ec0 = 0xa; *(uint64_t*)0x200000007ec4 = 0x200000007d80; *(uint8_t*)0x200000007d80 = 0xa; *(uint8_t*)0x200000007d81 = 6; *(uint16_t*)0x200000007d82 = 0x110; *(uint8_t*)0x200000007d84 = 4; *(uint8_t*)0x200000007d85 = 1; *(uint8_t*)0x200000007d86 = 6; *(uint8_t*)0x200000007d87 = 8; *(uint8_t*)0x200000007d88 = 0xe; *(uint8_t*)0x200000007d89 = 0; *(uint32_t*)0x200000007ecc = 0x3b; *(uint64_t*)0x200000007ed0 = 0x200000007dc0; *(uint8_t*)0x200000007dc0 = 5; *(uint8_t*)0x200000007dc1 = 0xf; *(uint16_t*)0x200000007dc2 = 0x3b; *(uint8_t*)0x200000007dc4 = 4; *(uint8_t*)0x200000007dc5 = 0x14; *(uint8_t*)0x200000007dc6 = 0x10; *(uint8_t*)0x200000007dc7 = 4; *(uint8_t*)0x200000007dc8 = 6; memcpy((void*)0x200000007dc9, "\xfd\xf4\x04\x3a\xe7\xf5\x9e\x3e\x81\xfe\x30\x3d\x4d\xe3\xea\x16", 16); *(uint8_t*)0x200000007dd9 = 7; *(uint8_t*)0x200000007dda = 0x10; *(uint8_t*)0x200000007ddb = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007ddc, 0x10, 0, 8); 
STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007dde, 6, 0, 16); *(uint8_t*)0x200000007de0 = 7; *(uint8_t*)0x200000007de1 = 0x10; *(uint8_t*)0x200000007de2 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007de3, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 7, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 0xd, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de5, 0x95d7, 0, 16); *(uint8_t*)0x200000007de7 = 0x14; *(uint8_t*)0x200000007de8 = 0x10; *(uint8_t*)0x200000007de9 = 4; *(uint8_t*)0x200000007dea = 3; memcpy((void*)0x200000007deb, "\xbc\x6a\x92\x66\xbf\x50\x6e\x90\x62\x0d\x9c\x90\x0e\x18\x01\x43", 16); *(uint32_t*)0x200000007ed8 = 1; *(uint32_t*)0x200000007edc = 0x98; *(uint64_t*)0x200000007ee0 = 0x200000007e00; *(uint8_t*)0x200000007e00 = 0x98; *(uint8_t*)0x200000007e01 = 3; memcpy((void*)0x200000007e02, "\xd9\x5f\x3f\xca\xaa\x58\xf9\xd3\x6d\x03\xe3\xa2\xd5\x56\x6a\x51\x91\xf7\x42\xf7\x23\xfa\x49\xe3\x64\xe0\x3b\x0d\x28\x8a\x7f\xcb\x45\x79\xb5\x8c\x56\xd8\x24\xbe\x57\xf9\xad\x0f\x87\x03\xd3\x01\x1c\xac\x46\x84\x33\xfa\x22\xc2\x3b\xfa\xf1\x5d\xad\x54\x1e\xfb\x01\x38\xc4\x6b\xb8\xf8\x86\x92\x15\x15\x5c\x26\x85\xd6\x9b\x75\xff\xe6\x8c\x0c\xbd\x6e\x71\x74\x3a\xbd\x43\x55\xe1\x2d\x9d\xcb\x7d\xff\x16\xbb\x07\x5d\xa5\x53\xc1\x78\x13\x9e\xde\x2c\x28\x5a\x4a\x28\x45\xe8\x88\x9c\x23\x45\x04\xd9\x68\xd8\x70\xb6\x08\x4a\x7b\x4a\xb0\xdc\xdb\x83\xd4\x3b\xb2\xf4\xe7\xa0\x15\x6b\x80\xa6\x89\x19\xcb\xb7\xda\x84", 150); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0x295, /*dev=*/0x200000007ac0, /*conn_descs=*/0x200000007ec0); if (res != -1) r[33] = res; break; case 52: *(uint8_t*)0x200000007f00 = 0x12; *(uint8_t*)0x200000007f01 = 1; *(uint16_t*)0x200000007f02 = 0x200; *(uint8_t*)0x200000007f04 = -1; *(uint8_t*)0x200000007f05 = -1; *(uint8_t*)0x200000007f06 = -1; *(uint8_t*)0x200000007f07 = 0x40; *(uint16_t*)0x200000007f08 = 0xcf3; 
*(uint16_t*)0x200000007f0a = 0x9271; *(uint16_t*)0x200000007f0c = 0x108; *(uint8_t*)0x200000007f0e = 1; *(uint8_t*)0x200000007f0f = 2; *(uint8_t*)0x200000007f10 = 3; *(uint8_t*)0x200000007f11 = 1; *(uint8_t*)0x200000007f12 = 9; *(uint8_t*)0x200000007f13 = 2; *(uint16_t*)0x200000007f14 = 0x48; *(uint8_t*)0x200000007f16 = 1; *(uint8_t*)0x200000007f17 = 1; *(uint8_t*)0x200000007f18 = 0; *(uint8_t*)0x200000007f19 = 0x80; *(uint8_t*)0x200000007f1a = 0xfa; *(uint8_t*)0x200000007f1b = 9; *(uint8_t*)0x200000007f1c = 4; *(uint8_t*)0x200000007f1d = 0; *(uint8_t*)0x200000007f1e = 0; *(uint8_t*)0x200000007f1f = 6; *(uint8_t*)0x200000007f20 = -1; *(uint8_t*)0x200000007f21 = 0; *(uint8_t*)0x200000007f22 = 0; *(uint8_t*)0x200000007f23 = 0; *(uint8_t*)0x200000007f24 = 9; *(uint8_t*)0x200000007f25 = 5; *(uint8_t*)0x200000007f26 = 1; *(uint8_t*)0x200000007f27 = 2; *(uint16_t*)0x200000007f28 = 0x200; *(uint8_t*)0x200000007f2a = 0; *(uint8_t*)0x200000007f2b = 0; *(uint8_t*)0x200000007f2c = 0; *(uint8_t*)0x200000007f2d = 9; *(uint8_t*)0x200000007f2e = 5; *(uint8_t*)0x200000007f2f = 0x82; *(uint8_t*)0x200000007f30 = 2; *(uint16_t*)0x200000007f31 = 0x200; *(uint8_t*)0x200000007f33 = 0; *(uint8_t*)0x200000007f34 = 0; *(uint8_t*)0x200000007f35 = 0; *(uint8_t*)0x200000007f36 = 9; *(uint8_t*)0x200000007f37 = 5; *(uint8_t*)0x200000007f38 = 0x83; *(uint8_t*)0x200000007f39 = 3; *(uint16_t*)0x200000007f3a = 0x40; *(uint8_t*)0x200000007f3c = 1; *(uint8_t*)0x200000007f3d = 0; *(uint8_t*)0x200000007f3e = 0; *(uint8_t*)0x200000007f3f = 9; *(uint8_t*)0x200000007f40 = 5; *(uint8_t*)0x200000007f41 = 4; *(uint8_t*)0x200000007f42 = 3; *(uint16_t*)0x200000007f43 = 0x40; *(uint8_t*)0x200000007f45 = 1; *(uint8_t*)0x200000007f46 = 0; *(uint8_t*)0x200000007f47 = 0; *(uint8_t*)0x200000007f48 = 9; *(uint8_t*)0x200000007f49 = 5; *(uint8_t*)0x200000007f4a = 5; *(uint8_t*)0x200000007f4b = 2; *(uint16_t*)0x200000007f4c = 0x200; *(uint8_t*)0x200000007f4e = 0; *(uint8_t*)0x200000007f4f = 0; *(uint8_t*)0x200000007f50 
= 0; *(uint8_t*)0x200000007f51 = 9; *(uint8_t*)0x200000007f52 = 5; *(uint8_t*)0x200000007f53 = 6; *(uint8_t*)0x200000007f54 = 2; *(uint16_t*)0x200000007f55 = 0x200; *(uint8_t*)0x200000007f57 = 0; *(uint8_t*)0x200000007f58 = 0; *(uint8_t*)0x200000007f59 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000007f00, /*conn_descs=*/0); if (res != -1) r[34] = res; break; case 53: *(uint8_t*)0x200000007f80 = 0x12; *(uint8_t*)0x200000007f81 = 1; *(uint16_t*)0x200000007f82 = 0x110; *(uint8_t*)0x200000007f84 = 0; *(uint8_t*)0x200000007f85 = 0; *(uint8_t*)0x200000007f86 = 0; *(uint8_t*)0x200000007f87 = 0x40; *(uint16_t*)0x200000007f88 = 0x1d6b; *(uint16_t*)0x200000007f8a = 0x101; *(uint16_t*)0x200000007f8c = 0x40; *(uint8_t*)0x200000007f8e = 1; *(uint8_t*)0x200000007f8f = 2; *(uint8_t*)0x200000007f90 = 3; *(uint8_t*)0x200000007f91 = 1; *(uint8_t*)0x200000007f92 = 9; *(uint8_t*)0x200000007f93 = 2; *(uint16_t*)0x200000007f94 = 0xd3; *(uint8_t*)0x200000007f96 = 3; *(uint8_t*)0x200000007f97 = 1; *(uint8_t*)0x200000007f98 = 1; *(uint8_t*)0x200000007f99 = 0x80; *(uint8_t*)0x200000007f9a = 0x80; *(uint8_t*)0x200000007f9b = 9; *(uint8_t*)0x200000007f9c = 4; *(uint8_t*)0x200000007f9d = 0; *(uint8_t*)0x200000007f9e = 0; *(uint8_t*)0x200000007f9f = 0; *(uint8_t*)0x200000007fa0 = 1; *(uint8_t*)0x200000007fa1 = 1; *(uint8_t*)0x200000007fa2 = 0; *(uint8_t*)0x200000007fa3 = 0; *(uint8_t*)0x200000007fa4 = 0xa; *(uint8_t*)0x200000007fa5 = 0x24; *(uint8_t*)0x200000007fa6 = 1; *(uint16_t*)0x200000007fa7 = 0; *(uint8_t*)0x200000007fa9 = 0x7c; *(uint8_t*)0x200000007faa = 2; *(uint8_t*)0x200000007fab = 1; *(uint8_t*)0x200000007fac = 2; *(uint8_t*)0x200000007fad = 0xd; *(uint8_t*)0x200000007fae = 0x24; *(uint8_t*)0x200000007faf = 8; *(uint8_t*)0x200000007fb0 = 2; *(uint16_t*)0x200000007fb1 = 8; *(uint8_t*)0x200000007fb3 = 9; memcpy((void*)0x200000007fb4, "\x0c\xff\xda\x3f\x22\x7b", 6); *(uint8_t*)0x200000007fba = 9; *(uint8_t*)0x200000007fbb = 4; 
*(uint8_t*)0x200000007fbc = 1; *(uint8_t*)0x200000007fbd = 0; *(uint8_t*)0x200000007fbe = 0; *(uint8_t*)0x200000007fbf = 1; *(uint8_t*)0x200000007fc0 = 2; *(uint8_t*)0x200000007fc1 = 0; *(uint8_t*)0x200000007fc2 = 0; *(uint8_t*)0x200000007fc3 = 9; *(uint8_t*)0x200000007fc4 = 4; *(uint8_t*)0x200000007fc5 = 1; *(uint8_t*)0x200000007fc6 = 1; *(uint8_t*)0x200000007fc7 = 1; *(uint8_t*)0x200000007fc8 = 1; *(uint8_t*)0x200000007fc9 = 2; *(uint8_t*)0x200000007fca = 0; *(uint8_t*)0x200000007fcb = 0; *(uint8_t*)0x200000007fcc = 0x12; *(uint8_t*)0x200000007fcd = 0x24; *(uint8_t*)0x200000007fce = 2; *(uint8_t*)0x200000007fcf = 2; *(uint16_t*)0x200000007fd0 = 6; *(uint16_t*)0x200000007fd2 = 0x9a; *(uint8_t*)0x200000007fd4 = 0x20; memcpy((void*)0x200000007fd5, "\x2d\xa5\xee\x78\xa2\x8e\x1f\x1a\x41", 9); *(uint8_t*)0x200000007fde = 0xd; *(uint8_t*)0x200000007fdf = 0x24; *(uint8_t*)0x200000007fe0 = 2; *(uint8_t*)0x200000007fe1 = 1; *(uint8_t*)0x200000007fe2 = 0xf8; *(uint8_t*)0x200000007fe3 = 3; *(uint8_t*)0x200000007fe4 = 0x69; *(uint8_t*)0x200000007fe5 = 0x6d; memcpy((void*)0x200000007fe6, "e)", 2); memcpy((void*)0x200000007fe8, "\xbf\x07\x94", 3); *(uint8_t*)0x200000007feb = 0xb; *(uint8_t*)0x200000007fec = 0x24; *(uint8_t*)0x200000007fed = 2; *(uint8_t*)0x200000007fee = 1; *(uint8_t*)0x200000007fef = 5; *(uint8_t*)0x200000007ff0 = 4; *(uint8_t*)0x200000007ff1 = 0x5b; *(uint8_t*)0x200000007ff2 = 3; memset((void*)0x200000007ff3, 68, 1); memcpy((void*)0x200000007ff4, "\x26\x18", 2); *(uint8_t*)0x200000007ff6 = 9; *(uint8_t*)0x200000007ff7 = 0x24; *(uint8_t*)0x200000007ff8 = 2; *(uint8_t*)0x200000007ff9 = 2; *(uint16_t*)0x200000007ffa = 0x7b4; *(uint16_t*)0x200000007ffc = 8; *(uint8_t*)0x200000007ffe = 4; *(uint8_t*)0x200000007fff = 0xc; *(uint8_t*)0x200000008000 = 0x24; *(uint8_t*)0x200000008001 = 2; *(uint8_t*)0x200000008002 = 1; *(uint8_t*)0x200000008003 = 0; *(uint8_t*)0x200000008004 = 3; *(uint8_t*)0x200000008005 = 8; *(uint8_t*)0x200000008006 = 8; 
memset((void*)0x200000008007, 170, 1); memcpy((void*)0x200000008008, "\xe8\xe5\xb4", 3); *(uint8_t*)0x20000000800b = 9; *(uint8_t*)0x20000000800c = 5; *(uint8_t*)0x20000000800d = 1; *(uint8_t*)0x20000000800e = 9; *(uint16_t*)0x20000000800f = 0x40; *(uint8_t*)0x200000008011 = 6; *(uint8_t*)0x200000008012 = 5; *(uint8_t*)0x200000008013 = 0; *(uint8_t*)0x200000008014 = 7; *(uint8_t*)0x200000008015 = 0x25; *(uint8_t*)0x200000008016 = 1; *(uint8_t*)0x200000008017 = 0x80; *(uint8_t*)0x200000008018 = 1; *(uint16_t*)0x200000008019 = 4; *(uint8_t*)0x20000000801b = 9; *(uint8_t*)0x20000000801c = 4; *(uint8_t*)0x20000000801d = 2; *(uint8_t*)0x20000000801e = 0; *(uint8_t*)0x20000000801f = 0; *(uint8_t*)0x200000008020 = 1; *(uint8_t*)0x200000008021 = 2; *(uint8_t*)0x200000008022 = 0; *(uint8_t*)0x200000008023 = 0; *(uint8_t*)0x200000008024 = 9; *(uint8_t*)0x200000008025 = 4; *(uint8_t*)0x200000008026 = 2; *(uint8_t*)0x200000008027 = 1; *(uint8_t*)0x200000008028 = 1; *(uint8_t*)0x200000008029 = 1; *(uint8_t*)0x20000000802a = 2; *(uint8_t*)0x20000000802b = 0; *(uint8_t*)0x20000000802c = 0; *(uint8_t*)0x20000000802d = 7; *(uint8_t*)0x20000000802e = 0x24; *(uint8_t*)0x20000000802f = 1; *(uint8_t*)0x200000008030 = 3; *(uint8_t*)0x200000008031 = 0x1e; *(uint16_t*)0x200000008032 = 4; *(uint8_t*)0x200000008034 = 7; *(uint8_t*)0x200000008035 = 0x24; *(uint8_t*)0x200000008036 = 1; *(uint8_t*)0x200000008037 = 0x6f; *(uint8_t*)0x200000008038 = 7; *(uint16_t*)0x200000008039 = 0; *(uint8_t*)0x20000000803b = 0xa; *(uint8_t*)0x20000000803c = 0x24; *(uint8_t*)0x20000000803d = 2; *(uint8_t*)0x20000000803e = 2; *(uint16_t*)0x20000000803f = 8; *(uint16_t*)0x200000008041 = 2; *(uint8_t*)0x200000008043 = 8; memset((void*)0x200000008044, 102, 1); *(uint8_t*)0x200000008045 = 0x10; *(uint8_t*)0x200000008046 = 0x24; *(uint8_t*)0x200000008047 = 2; *(uint8_t*)0x200000008048 = 2; *(uint16_t*)0x200000008049 = 9; *(uint16_t*)0x20000000804b = 0x401; *(uint8_t*)0x20000000804d = 5; memcpy((void*)0x20000000804e, 
"\x53\xb1\x1d\xbc\x8c\xd3\x10", 7); *(uint8_t*)0x200000008055 = 9; *(uint8_t*)0x200000008056 = 5; *(uint8_t*)0x200000008057 = 0x82; *(uint8_t*)0x200000008058 = 9; *(uint16_t*)0x200000008059 = 8; *(uint8_t*)0x20000000805b = 0; *(uint8_t*)0x20000000805c = 0x28; *(uint8_t*)0x20000000805d = 6; *(uint8_t*)0x20000000805e = 7; *(uint8_t*)0x20000000805f = 0x25; *(uint8_t*)0x200000008060 = 1; *(uint8_t*)0x200000008061 = 0x80; *(uint8_t*)0x200000008062 = 5; *(uint16_t*)0x200000008063 = 0xd; *(uint32_t*)0x2000000081c0 = 0xa; *(uint64_t*)0x2000000081c4 = 0x200000008080; *(uint8_t*)0x200000008080 = 0xa; *(uint8_t*)0x200000008081 = 6; *(uint16_t*)0x200000008082 = 0x110; *(uint8_t*)0x200000008084 = 0x59; *(uint8_t*)0x200000008085 = 0xa5; *(uint8_t*)0x200000008086 = 5; *(uint8_t*)0x200000008087 = 0x10; *(uint8_t*)0x200000008088 = 1; *(uint8_t*)0x200000008089 = 0; *(uint32_t*)0x2000000081cc = 0x39; *(uint64_t*)0x2000000081d0 = 0x2000000080c0; *(uint8_t*)0x2000000080c0 = 5; *(uint8_t*)0x2000000080c1 = 0xf; *(uint16_t*)0x2000000080c2 = 0x39; *(uint8_t*)0x2000000080c4 = 5; *(uint8_t*)0x2000000080c5 = 0xb; *(uint8_t*)0x2000000080c6 = 0x10; *(uint8_t*)0x2000000080c7 = 1; *(uint8_t*)0x2000000080c8 = 4; *(uint16_t*)0x2000000080c9 = 8; *(uint8_t*)0x2000000080cb = 3; *(uint8_t*)0x2000000080cc = 0xb8; *(uint16_t*)0x2000000080cd = 9; *(uint8_t*)0x2000000080cf = 4; *(uint8_t*)0x2000000080d0 = 0x14; *(uint8_t*)0x2000000080d1 = 0x10; *(uint8_t*)0x2000000080d2 = 4; *(uint8_t*)0x2000000080d3 = 2; memcpy((void*)0x2000000080d4, "\x9d\x9a\xb0\x97\x8e\x2a\xac\xe2\x6d\xe6\x63\x06\xe6\xe2\x96\x3d", 16); *(uint8_t*)0x2000000080e4 = 0xb; *(uint8_t*)0x2000000080e5 = 0x10; *(uint8_t*)0x2000000080e6 = 1; *(uint8_t*)0x2000000080e7 = 4; *(uint16_t*)0x2000000080e8 = 0; *(uint8_t*)0x2000000080ea = 6; *(uint8_t*)0x2000000080eb = 4; *(uint16_t*)0x2000000080ec = 1; *(uint8_t*)0x2000000080ee = 5; *(uint8_t*)0x2000000080ef = 3; *(uint8_t*)0x2000000080f0 = 0x10; *(uint8_t*)0x2000000080f1 = 0xb; 
*(uint8_t*)0x2000000080f2 = 7; *(uint8_t*)0x2000000080f3 = 0x10; *(uint8_t*)0x2000000080f4 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000080f5, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f7, 0xfff2, 0, 16); *(uint32_t*)0x2000000081d8 = 1; *(uint32_t*)0x2000000081dc = 0x84; *(uint64_t*)0x2000000081e0 = 0x200000008100; *(uint8_t*)0x200000008100 = 0x84; *(uint8_t*)0x200000008101 = 3; memcpy((void*)0x200000008102, "\x00\x0a\x6c\x9f\x4a\x15\xea\xbc\x97\xa9\x2a\xb6\x65\x23\x1b\x2c\xf9\x05\x73\x21\xeb\x43\x0c\x65\x21\xf4\x97\xa8\xc3\xce\x81\x62\x68\xcb\x33\x7f\xa4\x8d\xee\xcf\xeb\x28\xb2\x30\x5f\xcf\x2d\x2e\x98\x8c\xc8\xb8\xb9\x80\xa1\x33\x2d\xc4\x06\xbc\x34\x69\x5f\xa2\x4d\xc3\x60\x9f\x61\x9d\x7a\xc2\x84\xcc\x3a\xe7\xf0\xaf\xe4\x44\xd5\x78\xc9\x51\xd9\xae\xdc\x4c\x68\x2e\x10\x0c\xfe\xb6\x61\x9b\x98\xa9\x6b\x19\x78\xd8\xed\xe7\x57\x4e\x96\x9f\x8a\xe8\xe3\xdf\xb8\x35\xbd\xe5\xcc\xd9\x22\x13\x3e\x53\x03\x6f\xf4\x4e\xda\x52\xa0\xa9", 130); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0xe5, /*dev=*/0x200000007f80, /*conn_descs=*/0x2000000081c0); if (res != -1) r[35] = res; break; case 54: *(uint32_t*)0x200000008380 = 0x2c; *(uint64_t*)0x200000008384 = 0x200000008200; *(uint8_t*)0x200000008200 = 0x40; *(uint8_t*)0x200000008201 = 0x22; *(uint32_t*)0x200000008202 = 0x31; *(uint8_t*)0x200000008206 = 0x31; *(uint8_t*)0x200000008207 = 5; memcpy((void*)0x200000008208, "\x74\xe8\x3d\xcf\x53\xdd\x2d\x0e\xca\xc0\xaa\x34\x67\xb1\x8d\xfa\x71\xb2\x6c\xdd\x40\x3d\x95\x5c\x0f\xfe\x22\x81\x7b\x01\xfe\x57\x95\xd5\x1c\xf2\x4a\x6a\xe3\xb8\xe3\x2f\x1b\x7a\xc5\xf8\xca", 47); *(uint64_t*)0x20000000838c = 0x200000008240; *(uint8_t*)0x200000008240 = 0; *(uint8_t*)0x200000008241 = 3; *(uint32_t*)0x200000008242 = 0x1e; *(uint8_t*)0x200000008246 = 0x1e; *(uint8_t*)0x200000008247 = 3; memcpy((void*)0x200000008248, 
"\x89\x57\xa5\x01\xd8\x3c\x69\xe5\x4f\x70\xf6\x2f\x93\x2a\x50\xb6\x55\x06\xc3\x88\xc1\x28\x23\x9d\x36\x22\x9e\xe2", 28); *(uint64_t*)0x200000008394 = 0x200000008280; *(uint8_t*)0x200000008280 = 0; *(uint8_t*)0x200000008281 = 0xf; *(uint32_t*)0x200000008282 = 0x4f; *(uint8_t*)0x200000008286 = 5; *(uint8_t*)0x200000008287 = 0xf; *(uint16_t*)0x200000008288 = 0x4f; *(uint8_t*)0x20000000828a = 6; *(uint8_t*)0x20000000828b = 0x1c; *(uint8_t*)0x20000000828c = 0x10; *(uint8_t*)0x20000000828d = 0xa; *(uint8_t*)0x20000000828e = 0; STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 5, 5, 27); *(uint16_t*)0x200000008293 = 0xf000; *(uint16_t*)0x200000008295 = 0x409; *(uint32_t*)0x200000008297 = 0xc000; *(uint32_t*)0x20000000829b = 0x17f; *(uint32_t*)0x20000000829f = 0xff3f30; *(uint32_t*)0x2000000082a3 = 0xffffaf; *(uint8_t*)0x2000000082a7 = 0x10; *(uint8_t*)0x2000000082a8 = 0x10; *(uint8_t*)0x2000000082a9 = 0xa; *(uint8_t*)0x2000000082aa = 9; STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 4, 5, 27); *(uint16_t*)0x2000000082af = 0xff0f; *(uint16_t*)0x2000000082b1 = 0xf87; *(uint32_t*)0x2000000082b3 = 0xc030; *(uint8_t*)0x2000000082b7 = 7; *(uint8_t*)0x2000000082b8 = 0x10; *(uint8_t*)0x2000000082b9 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000082ba, 4, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bc, 5, 0, 16); *(uint8_t*)0x2000000082be = 0xa; *(uint8_t*)0x2000000082bf = 0x10; *(uint8_t*)0x2000000082c0 = 3; *(uint8_t*)0x2000000082c1 = 0; *(uint16_t*)0x2000000082c2 = 4; *(uint8_t*)0x2000000082c4 = 0xd2; *(uint8_t*)0x2000000082c5 = 3; *(uint16_t*)0x2000000082c6 = 5; *(uint8_t*)0x2000000082c8 = 0xa; *(uint8_t*)0x2000000082c9 = 0x10; *(uint8_t*)0x2000000082ca = 3; *(uint8_t*)0x2000000082cb = 0; *(uint16_t*)0x2000000082cc = 0; *(uint8_t*)0x2000000082ce = 1; 
*(uint8_t*)0x2000000082cf = 7; *(uint16_t*)0x2000000082d0 = 2; *(uint8_t*)0x2000000082d2 = 3; *(uint8_t*)0x2000000082d3 = 0x10; *(uint8_t*)0x2000000082d4 = 0xb; *(uint64_t*)0x20000000839c = 0x200000008300; *(uint8_t*)0x200000008300 = 0x20; *(uint8_t*)0x200000008301 = 0x29; *(uint32_t*)0x200000008302 = 0xf; *(uint8_t*)0x200000008306 = 0xf; *(uint8_t*)0x200000008307 = 0x29; *(uint8_t*)0x200000008308 = 8; *(uint16_t*)0x200000008309 = 1; *(uint8_t*)0x20000000830b = 7; *(uint8_t*)0x20000000830c = 4; memcpy((void*)0x20000000830d, "\b\r$}", 4); memcpy((void*)0x200000008311, "\x67\x01\x6d\xee", 4); *(uint64_t*)0x2000000083a4 = 0x200000008340; *(uint8_t*)0x200000008340 = 0x20; *(uint8_t*)0x200000008341 = 0x2a; *(uint32_t*)0x200000008342 = 0xc; *(uint8_t*)0x200000008346 = 0xc; *(uint8_t*)0x200000008347 = 0x2a; *(uint8_t*)0x200000008348 = 0x16; *(uint16_t*)0x200000008349 = 0x80; *(uint8_t*)0x20000000834b = 9; *(uint8_t*)0x20000000834c = 3; *(uint8_t*)0x20000000834d = 3; *(uint16_t*)0x20000000834e = 2; *(uint16_t*)0x200000008350 = 0xf000; *(uint32_t*)0x2000000087c0 = 0x84; *(uint64_t*)0x2000000087c4 = 0x2000000083c0; *(uint8_t*)0x2000000083c0 = 0; *(uint8_t*)0x2000000083c1 = 0x11; *(uint32_t*)0x2000000083c2 = 0x1f; memcpy((void*)0x2000000083c6, "\x16\xd6\x0d\x77\x43\x50\x14\x52\xff\xd5\x73\x04\x24\xbc\x4a\x97\x0c\xc6\x49\x0b\xb9\xcc\x85\x93\x86\x99\xed\xf2\x7a\x0c\x7d", 31); *(uint64_t*)0x2000000087cc = 0x200000008400; *(uint8_t*)0x200000008400 = 0; *(uint8_t*)0x200000008401 = 0xa; *(uint32_t*)0x200000008402 = 1; *(uint8_t*)0x200000008406 = 9; *(uint64_t*)0x2000000087d4 = 0x200000008440; *(uint8_t*)0x200000008440 = 0; *(uint8_t*)0x200000008441 = 8; *(uint32_t*)0x200000008442 = 1; *(uint8_t*)0x200000008446 = 4; *(uint64_t*)0x2000000087dc = 0x200000008480; *(uint8_t*)0x200000008480 = 0x20; *(uint8_t*)0x200000008481 = 0; *(uint32_t*)0x200000008482 = 4; *(uint16_t*)0x200000008486 = 0xe554; *(uint16_t*)0x200000008488 = 1; *(uint64_t*)0x2000000087e4 = 0x2000000084c0; 
*(uint8_t*)0x2000000084c0 = 0x20; *(uint8_t*)0x2000000084c1 = 0; *(uint32_t*)0x2000000084c2 = 4; *(uint16_t*)0x2000000084c6 = 0x200; *(uint16_t*)0x2000000084c8 = 0x2b; *(uint64_t*)0x2000000087ec = 0x200000008500; *(uint8_t*)0x200000008500 = 0x40; *(uint8_t*)0x200000008501 = 7; *(uint32_t*)0x200000008502 = 2; *(uint16_t*)0x200000008506 = 0xfd37; *(uint64_t*)0x2000000087f4 = 0x200000008540; *(uint8_t*)0x200000008540 = 0x40; *(uint8_t*)0x200000008541 = 9; *(uint32_t*)0x200000008542 = 1; *(uint8_t*)0x200000008546 = 0; *(uint64_t*)0x2000000087fc = 0x200000008580; *(uint8_t*)0x200000008580 = 0x40; *(uint8_t*)0x200000008581 = 0xb; *(uint32_t*)0x200000008582 = 2; memcpy((void*)0x200000008586, "E\"", 2); *(uint64_t*)0x200000008804 = 0x2000000085c0; *(uint8_t*)0x2000000085c0 = 0x40; *(uint8_t*)0x2000000085c1 = 0xf; *(uint32_t*)0x2000000085c2 = 2; *(uint16_t*)0x2000000085c6 = 2; *(uint64_t*)0x20000000880c = 0x200000008600; *(uint8_t*)0x200000008600 = 0x40; *(uint8_t*)0x200000008601 = 0x13; *(uint32_t*)0x200000008602 = 6; memcpy((void*)0x200000008606, "\x2f\xa6\xdd\xe0\x3a\x0f", 6); *(uint64_t*)0x200000008814 = 0x200000008640; *(uint8_t*)0x200000008640 = 0x40; *(uint8_t*)0x200000008641 = 0x17; *(uint32_t*)0x200000008642 = 6; memcpy((void*)0x200000008646, "\xde\x1c\x10\x2b\x02\x7e", 6); *(uint64_t*)0x20000000881c = 0x200000008680; *(uint8_t*)0x200000008680 = 0x40; *(uint8_t*)0x200000008681 = 0x19; *(uint32_t*)0x200000008682 = 2; memcpy((void*)0x200000008686, "\x0d\x97", 2); *(uint64_t*)0x200000008824 = 0x2000000086c0; *(uint8_t*)0x2000000086c0 = 0x40; *(uint8_t*)0x2000000086c1 = 0x1a; *(uint32_t*)0x2000000086c2 = 2; *(uint16_t*)0x2000000086c6 = 2; *(uint64_t*)0x20000000882c = 0x200000008700; *(uint8_t*)0x200000008700 = 0x40; *(uint8_t*)0x200000008701 = 0x1c; *(uint32_t*)0x200000008702 = 1; *(uint8_t*)0x200000008706 = 0xfd; *(uint64_t*)0x200000008834 = 0x200000008740; *(uint8_t*)0x200000008740 = 0x40; *(uint8_t*)0x200000008741 = 0x1e; *(uint32_t*)0x200000008742 = 1; 
*(uint8_t*)0x200000008746 = 0xfd; *(uint64_t*)0x20000000883c = 0x200000008780; *(uint8_t*)0x200000008780 = 0x40; *(uint8_t*)0x200000008781 = 0x21; *(uint32_t*)0x200000008782 = 1; *(uint8_t*)0x200000008786 = 0xc9; syz_usb_control_io(/*fd=*/r[35], /*descs=*/0x200000008380, /*resps=*/0x2000000087c0); break; case 55: syz_usb_disconnect(/*fd=*/r[33]); break; case 56: syz_usb_ep_read(/*fd=*/r[34], /*ep=*/7, /*len=*/0xfc, /*data=*/0x200000008880); break; case 57: *(uint8_t*)0x200000008980 = 0x12; *(uint8_t*)0x200000008981 = 1; *(uint16_t*)0x200000008982 = 0x200; *(uint8_t*)0x200000008984 = 7; *(uint8_t*)0x200000008985 = 1; *(uint8_t*)0x200000008986 = 1; *(uint8_t*)0x200000008987 = 0x20; *(uint16_t*)0x200000008988 = 0x525; *(uint16_t*)0x20000000898a = 0xa4a8; *(uint16_t*)0x20000000898c = 0x40; *(uint8_t*)0x20000000898e = 1; *(uint8_t*)0x20000000898f = 2; *(uint8_t*)0x200000008990 = 3; *(uint8_t*)0x200000008991 = 1; *(uint8_t*)0x200000008992 = 9; *(uint8_t*)0x200000008993 = 2; *(uint16_t*)0x200000008994 = 0x24; *(uint8_t*)0x200000008996 = 1; *(uint8_t*)0x200000008997 = 1; *(uint8_t*)0x200000008998 = 0xf4; *(uint8_t*)0x200000008999 = 0x60; *(uint8_t*)0x20000000899a = 4; *(uint8_t*)0x20000000899b = 9; *(uint8_t*)0x20000000899c = 4; *(uint8_t*)0x20000000899d = 0; *(uint8_t*)0x20000000899e = 3; *(uint8_t*)0x20000000899f = 2; *(uint8_t*)0x2000000089a0 = 0; *(uint8_t*)0x2000000089a1 = 0; *(uint8_t*)0x2000000089a2 = 0; *(uint8_t*)0x2000000089a3 = 0x81; *(uint8_t*)0x2000000089a4 = 9; *(uint8_t*)0x2000000089a5 = 5; *(uint8_t*)0x2000000089a6 = 1; *(uint8_t*)0x2000000089a7 = 2; *(uint16_t*)0x2000000089a8 = 0x400; *(uint8_t*)0x2000000089aa = 0; *(uint8_t*)0x2000000089ab = 8; *(uint8_t*)0x2000000089ac = 2; *(uint8_t*)0x2000000089ad = 9; *(uint8_t*)0x2000000089ae = 5; *(uint8_t*)0x2000000089af = 0x82; *(uint8_t*)0x2000000089b0 = 2; *(uint16_t*)0x2000000089b1 = 0x3ff; *(uint8_t*)0x2000000089b3 = 4; *(uint8_t*)0x2000000089b4 = 0x48; *(uint8_t*)0x2000000089b5 = 8; *(uint32_t*)0x200000008f00 
= 0xa; *(uint64_t*)0x200000008f04 = 0x2000000089c0; *(uint8_t*)0x2000000089c0 = 0xa; *(uint8_t*)0x2000000089c1 = 6; *(uint16_t*)0x2000000089c2 = 0x250; *(uint8_t*)0x2000000089c4 = 0x7d; *(uint8_t*)0x2000000089c5 = 0xdd; *(uint8_t*)0x2000000089c6 = 3; *(uint8_t*)0x2000000089c7 = 0x20; *(uint8_t*)0x2000000089c8 = 0xfa; *(uint8_t*)0x2000000089c9 = 0; *(uint32_t*)0x200000008f0c = 0x154; *(uint64_t*)0x200000008f10 = 0x200000008a00; *(uint8_t*)0x200000008a00 = 5; *(uint8_t*)0x200000008a01 = 0xf; *(uint16_t*)0x200000008a02 = 0x154; *(uint8_t*)0x200000008a04 = 6; *(uint8_t*)0x200000008a05 = 0xe8; *(uint8_t*)0x200000008a06 = 0x10; *(uint8_t*)0x200000008a07 = 1; memcpy((void*)0x200000008a08, "\xd0\x31\xa9\x16\x5b\x9e\x27\x3f\xf6\xff\xe5\x55\x84\x9a\xf6\xdc\xa6\x6e\x17\xa6\x8e\xe5\xac\x78\x4d\xca\x23\xe4\xa5\x6d\x46\x16\x9a\xd0\x6e\xad\x2b\x8b\xcd\x99\x7e\xac\x2e\xcb\x8b\x2a\x25\x26\xaa\x20\x0d\xb5\x57\x58\xd0\x86\x59\x46\x92\x83\xd6\xec\xfb\xa9\x82\xc3\x00\xae\x82\xcc\xf4\xa8\xbf\x07\x3d\xbd\xe4\x53\x76\xb4\xf6\xfc\x55\x9b\xe5\x19\xf8\x2e\x8e\x5b\x2c\xf5\x9c\x3a\x3a\xf4\xf2\x90\x70\x7e\x76\x7a\x4e\x27\x68\x51\x09\x0d\x90\xbe\x0a\xb6\x6f\x78\x8e\x77\x60\xcd\x71\xab\x86\x5e\xa8\xb6\xbc\xc5\xf3\x5f\x60\x53\x81\x54\xa0\x99\xc3\x54\xa3\x59\x34\x17\x68\x2f\xc3\x9d\x2a\x6a\x25\x5e\xf4\xbb\x65\xf8\xd9\x7a\xf2\x9b\xeb\x0f\x87\x34\xa6\x8e\xd8\x4e\xf0\x8d\xf6\x9e\x9b\x35\xfa\x2e\x3f\xe6\x5e\x99\x38\xff\x44\x1d\xc3\xe7\x98\x2a\x81\xcc\xca\xf9\x62\x1d\x5d\xbc\x66\x3b\x80\xab\x44\x8c\x97\x5c\xbc\x19\xbb\x6c\x39\x01\xa0\x2c\x16\xb3\x2d\xfa\xf9\xf5\xc2\x20\xfa\x21\x43\x49\x37\xb4\x62\x03\x81\x05\xe6\xd0\x86", 229); *(uint8_t*)0x200000008aed = 0x4b; *(uint8_t*)0x200000008aee = 0x10; *(uint8_t*)0x200000008aef = 3; memcpy((void*)0x200000008af0, 
"\x10\xbe\xd1\x91\x2f\x7d\xc9\x4a\xc6\xd8\x7c\xbc\x68\x96\x2c\x89\xe7\x77\xcc\x51\xa2\x57\xd0\xca\xd3\x3c\xdc\xf3\x36\xa3\x1a\xc3\x9b\x86\x71\x44\xc2\xc9\x6b\xe4\x0f\xcc\xac\x19\x63\x3a\x54\x77\x87\xbc\x6e\x4f\xe9\x1e\x91\xfa\x47\x59\xdb\x2a\x86\x7d\x85\x9c\xd5\xa6\x0c\x84\xc1\xa3\x8e\x09", 72); *(uint8_t*)0x200000008b38 = 0xb; *(uint8_t*)0x200000008b39 = 0x10; *(uint8_t*)0x200000008b3a = 1; *(uint8_t*)0x200000008b3b = 2; *(uint16_t*)0x200000008b3c = 9; *(uint8_t*)0x200000008b3e = 0x77; *(uint8_t*)0x200000008b3f = 9; *(uint16_t*)0x200000008b40 = 0x2cf; *(uint8_t*)0x200000008b42 = 0; *(uint8_t*)0x200000008b43 = 0xb; *(uint8_t*)0x200000008b44 = 0x10; *(uint8_t*)0x200000008b45 = 1; *(uint8_t*)0x200000008b46 = 0xc; *(uint16_t*)0x200000008b47 = 5; *(uint8_t*)0x200000008b49 = 8; *(uint8_t*)0x200000008b4a = 5; *(uint16_t*)0x200000008b4b = 9; *(uint8_t*)0x200000008b4d = 0x16; *(uint8_t*)0x200000008b4e = 3; *(uint8_t*)0x200000008b4f = 0x10; *(uint8_t*)0x200000008b50 = 0xb; *(uint8_t*)0x200000008b51 = 3; *(uint8_t*)0x200000008b52 = 0x10; *(uint8_t*)0x200000008b53 = 0xb; *(uint32_t*)0x200000008f18 = 0xa; *(uint32_t*)0x200000008f1c = 4; *(uint64_t*)0x200000008f20 = 0x200000008b80; *(uint8_t*)0x200000008b80 = 4; *(uint8_t*)0x200000008b81 = 3; *(uint16_t*)0x200000008b82 = 0x40e; *(uint32_t*)0x200000008f28 = 4; *(uint64_t*)0x200000008f2c = 0x200000008bc0; *(uint8_t*)0x200000008bc0 = 4; *(uint8_t*)0x200000008bc1 = 3; *(uint16_t*)0x200000008bc2 = 0x427; *(uint32_t*)0x200000008f34 = 4; *(uint64_t*)0x200000008f38 = 0x200000008c00; *(uint8_t*)0x200000008c00 = 4; *(uint8_t*)0x200000008c01 = 3; *(uint16_t*)0x200000008c02 = 0x415; *(uint32_t*)0x200000008f40 = 4; *(uint64_t*)0x200000008f44 = 0x200000008c40; *(uint8_t*)0x200000008c40 = 4; *(uint8_t*)0x200000008c41 = 3; *(uint16_t*)0x200000008c42 = 0x1c0a; *(uint32_t*)0x200000008f4c = 4; *(uint64_t*)0x200000008f50 = 0x200000008c80; *(uint8_t*)0x200000008c80 = 4; *(uint8_t*)0x200000008c81 = 3; *(uint16_t*)0x200000008c82 = 0x83e; 
*(uint32_t*)0x200000008f58 = 4; *(uint64_t*)0x200000008f5c = 0x200000008cc0; *(uint8_t*)0x200000008cc0 = 4; *(uint8_t*)0x200000008cc1 = 3; *(uint16_t*)0x200000008cc2 = 0x300a; *(uint32_t*)0x200000008f64 = 4; *(uint64_t*)0x200000008f68 = 0x200000008d00; *(uint8_t*)0x200000008d00 = 4; *(uint8_t*)0x200000008d01 = 3; *(uint16_t*)0x200000008d02 = 0x300a; *(uint32_t*)0x200000008f70 = 4; *(uint64_t*)0x200000008f74 = 0x200000008d40; *(uint8_t*)0x200000008d40 = 4; *(uint8_t*)0x200000008d41 = 3; *(uint16_t*)0x200000008d42 = 0x423; *(uint32_t*)0x200000008f7c = 0x9f; *(uint64_t*)0x200000008f80 = 0x200000008d80; *(uint8_t*)0x200000008d80 = 0x9f; *(uint8_t*)0x200000008d81 = 3; memcpy((void*)0x200000008d82, "\xd4\x8e\x87\x24\x64\x9a\x28\x41\x92\x3d\x48\xb8\xb2\x35\xfd\xc4\x31\x5e\x0d\xfb\xe1\xb8\xa8\xa0\x83\x53\xaf\x5b\x63\x0b\xeb\x6e\xca\x1d\x6b\xe0\x3d\x88\xd5\x58\x79\x33\xd6\xad\xe1\x22\xb2\xad\x4c\x55\x80\x40\xe7\xf2\x03\xd8\xc7\xaf\x79\x0a\xf8\x5d\xe3\x6e\x84\x1e\xb9\x48\x0a\xfa\x1a\xaf\x9a\x22\x6f\x4d\xe2\x8c\xd4\x44\x15\x57\x41\x1c\x77\x37\xf7\x4d\x7d\x60\x31\x3c\xd3\xd0\x51\x28\x4f\xce\xb5\xb3\x27\x83\x73\xf6\x3c\x72\xa8\x4e\x8d\xe4\xe2\x3b\xf6\x4e\x2a\x69\xc0\x57\x91\x06\xc9\x33\x18\x03\xe2\xef\x32\xfd\x09\x88\x9a\xdc\xe7\xbc\xd7\xeb\x61\x34\xc4\x65\xed\x17\x38\x6d\x3f\x97\xa4\xe8\xa4\xe9\xc4\x19\xf9\xc6\xeb\x2d\x32", 157); *(uint32_t*)0x200000008f88 = 0xa4; *(uint64_t*)0x200000008f8c = 0x200000008e40; *(uint8_t*)0x200000008e40 = 0xa4; *(uint8_t*)0x200000008e41 = 3; memcpy((void*)0x200000008e42, 
"\x81\x10\x3e\x0d\x22\x88\x43\x34\x4b\x9a\x28\x85\x67\x53\x24\xf5\x79\xdf\x27\x8e\x6d\x25\x06\x59\x98\xbd\xbb\x69\xb8\xee\xd0\xe1\xdb\x8d\xf1\x6b\x19\x64\x6d\x92\xc5\xd0\x35\x21\xf7\x73\xc1\x6c\x24\xde\xea\xe5\x56\xbe\x69\xb0\x4e\x1e\x96\x6f\xeb\xfb\xf3\x7f\x3b\xbc\x6d\xd6\x4c\x83\xf4\xc2\xa8\x7d\xaf\x95\xfb\x91\xe1\x0a\x36\xc0\x06\x9f\x4d\x51\x7b\xf3\x96\x21\x11\xd8\xf9\xc8\x45\x32\x3c\x0b\x91\xe6\x8d\xea\x34\xb2\x77\xb4\x10\x72\x0b\xdf\x4a\x58\x64\xfe\x06\x9b\xde\xe8\x4f\xa9\xe4\x46\x55\x49\x71\x3f\xb3\x33\xaa\xed\x85\x5b\xaf\x29\x53\x27\xe1\xfb\x65\x17\x29\xfe\x4a\xcf\x1d\x9e\xbf\x80\xd6\x4c\x29\xfc\xd3\x68\xee\x16\x11\xe5\x50\xd7\xb6\x7a", 162); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x36, /*dev=*/0x200000008980, /*conn_descs=*/0x200000008f00); if (res != -1) r[36] = res; break; case 58: memcpy((void*)0x200000008fc0, "\x18\x15\x12\xf6\x08\x38\x97\xf1\xb9\x4a\xd0\x1c\x9d\x8c\xc9\xeb\x6d\x7c\x14\x9c\x5e\xdf\x5e\xcf\x21\xcf\x4a\x2b\x2a\x9f\xf0\x2e\x0d\x8f\x8a\x4f\x60\xf7\xb3\x1a\xd0\xb2\x55\x2e\x14\x87\x8f\x84\x0f\x51\xa9\x7c\x25\x63\xb6\x19\xb1\x01\xea\x77\x61\x3b\x97\x52\x36\x7f\x0f\x6e\x6a\x62\x37\x81\xa3\x83\xe4\x99\xdc\x26\xfe\xd6\x0a\xfe\x6f\x15\x6d\x32\x6b\xc1\x41\xd6\x61\x5d\x18\xb6\x1a\x5c\x06\xcb\x49\xd9\xe0\x08\xe0\x5f\x65\x37\x6a\xef\xb5\xec\x21\xed\xc4\x68\xb8\x43\x4a\x0c\x9e\x39\xd1\x20\xbc\xd3\x11\x32\xf0\x75\x5c\x1f\xca\xf9\x1f\xec\xb2\x73\x3f\x98\x18\x42\x56\xd2\xf7\x9e\x80\x45\x2d\xc8\x6c\xf3\x19\x85\x08\x2e\x38\x60\x17\xeb\xe8\x21\x25\xc7\x8b\xee\x42\xf9\x49\xca\x67\x98\x67\x34\x33\xfb\x0a\x20\xd9\x16\x1b\x69\x8f\x04\x66\xb0\xea\x53\x58\x7a\x3f\x08\xcc\x34\x35\xbb\x7c\x19\x3f\x4a\xdc\xd2\xe5\xe1\x04\xf3\x3e\x3e\x1c\xdd\x33\xba\x95\x1f\xc9\xf7\x6b\x10\x8a\x40\x74\xc8\x07\x2b\x16\x46\x59\x62\xeb\x28\xe1\x38\xc9\x18\x8c\x3e\x54\xa0\x0a\xfb\x4f\xb1\x71\x0a\x27\x3a\x1f\x1c\x53\x0a\xda\x0d\x50", 251); syz_usb_ep_write(/*fd=*/r[36], /*ep=*/0xf9, /*len=*/0xfb, /*data=*/0x200000008fc0); break; case 59: 
syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :5997:17: error: '__NR_socketcall' undeclared (first use in this function) :5997:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor2750422364 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/13 (1.13s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:true NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false 
LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$IMCTRLREQ(0xffffffffffffffff, 0x80044945, &(0x7f0000000000)={0x4006, 0xd, 0x2, 0x8}) (fail_nth: 1) ioctl$SNDRV_TIMER_IOCTL_GINFO(0xffffffffffffffff, 0xc0f85403, &(0x7f0000000040)={{0x0, 0x1, 0x4, 0x2, 0x5}, 0x81, 0x0, 'id1\x00', 'timer0\x00', 0x0, 0x6, 0x3, 0x70a, 0x9}) (async) r0 = syz_open_dev$ircomm(&(0x7f0000000140), 0x0, 0x0) (rerun: 4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTA3D_RGXCREATERENDERCONTEXT(0xffffffffffffffff, 0xc0206440, &(0x7f0000000340)={0x82, 0x8, &(0x7f0000000280)={0x1, 0x0, 0xc0, &(0x7f0000000180)="5b58ac0ed1d27b217d3fdc6299cdde4d85321f7bbaa064d361519cdde43b225cf00658ddbfbd914cf79eceb348f18692315c3c69ec148e2dd928ac7ee62f5111b9dccaca88524912341955f79b0f2206b80e6e5a7e681a629694a34f9b0e39877eefde60a068cdc44545d6fe45d0000c9961a1ff168747447e346b16460875c691de1183b2d7b032cfae85497d0d8848d4baa9adc6caaccd9af6019ea2ba6f3b4e6018df94cacabeddec7b600230ea7790019399d0beb61f427df8359cc34893", 0x0, 0x0, &(0x7f0000000240), 0x10000, 0x0, 0x0, 0x81, 0xe}, &(0x7f0000000300)={0x0}, 0x44, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXCMP_RGXGETLASTCOMPUTECONTEXTRESETREASON(r0, 0xc0206440, &(0x7f0000000400)={0x81, 0x4, &(0x7f0000000380)={r1}, &(0x7f00000003c0), 0x8, 0xc}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r0, 0xc08c5335, &(0x7f0000000440)={0x3, 0x6, 0x1, 'queue1\x00', 0xdae}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000540), r0) sendmsg$TIPC_NL_BEARER_GET(r0, &(0x7f0000000880)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000840)={&(0x7f0000000580)={0x2b4, r2, 0x400, 0x70bd2d, 0x25dfdbfb, {}, [@TIPC_NLA_PUBL={0x44, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3f}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x2}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x4c00000}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x67c}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x7}]}, 
@TIPC_NLA_LINK={0x3c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x220a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9c0}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x101}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x6}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}]}, @TIPC_NLA_BEARER={0xb8, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @multicast2}}, {0x14, 0x2, @in={0x2, 0x4e20, @broadcast}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xb}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}, @TIPC_NLA_NET={0x20, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x8}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x80}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK={0x10c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x187}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc0fb}, 
@TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffff2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd0}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK_PROP={0x54, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xe6a9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x81}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x79}]}]}, 0x2b4}, 0x1, 0x0, 0x0, 0x4040811}, 0x0) read$snddsp(r0, &(0x7f00000008c0)=""/29, 0x1d) ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(0xffffffffffffffff, 0x4010801d, &(0x7f0000000980)={0x6, &(0x7f0000000940)=[0x904e, 0x1, 0x9, 0x6, 0xe, 0x5]}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@mgmt_frame=@deauth={{{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x4}, @device_a, @broadcast, @from_mac=@device_b, {0x1, 0x7f}}, 0x1f, @val={0x8c, 0x18, {0x5d9, "8e85144c6433", @long="e023fbed513011c5707e452472e2055d"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@random="3a386465f389380e26b0cb13f98a36e2214f099ee0d0b29b754e31d6efc82c04", 0x20, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_path_truncate\x00') r3 = syz_clone(0x4004000, 
&(0x7f0000000140)="daa4ed40f7cf4da86377e864d8e6c6d4fc5486af4a6f23dea58b3243a291b0180dbaf5c92758af73f9", 0x29, &(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)="40f276856b8191c4f312759d795a22c3c7edc91678794f4eeac45746fcc9930722c8189ba59565f7327cbcd4506164eb9f6ff175f1f08d60247091772c185ac38304e9b5b3") r4 = getpgrp(r3) r5 = syz_clone3(&(0x7f0000000500)={0x800, &(0x7f0000000280)=0xffffffffffffffff, &(0x7f00000002c0)=0x0, &(0x7f0000000300)=0x0, {0x12}, &(0x7f0000000340)=""/102, 0x66, &(0x7f00000003c0)=""/198, &(0x7f00000004c0)=[r3, r3, r3, r4], 0x4}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x101a, &(0x7f00000005c0)={@remote, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @val={@void, {0x8100, 0x7, 0x0, 0x3}}, {@llc_tr={0x11, {@snap={0xab, 0x1fe, "fe", "1622d0", 0x1b, ""}}}}}, 0x0) syz_emit_vhci(&(0x7f0000001600)=@HCI_VENDOR_PKT, 0x2) syz_extract_tcp_res(&(0x7f0000001640), 0x401, 0x8001) r9 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000001680)=0x4) shmctl$auto_SHM_UNLOCK(0x6, 0xc, &(0x7f0000004a80)={{0x80000000, 0xee01, 0xee01, 0x5, 0xfffffff8, 0x1, 0x6bc1}, 0x40, 0xffff, 0x2265, 0xfffffffffffffff8, @inferred=r3, @inferred=r8, 0xfffa, 0x0, &(0x7f0000003a40)="", &(0x7f0000004a40)="884f381309896a88173889994e74c60694f7baa45be088e59bc3e939728257e8d2db71"}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000004c40)={{{@in, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@remote}}, &(0x7f0000004d40)=0xe8) shmctl$auto(0x5, 0x2, &(0x7f0000004e00)={{0x7, 0xee00, 0xffffffffffffffff, 0x8, 0x80, 0x5, 0xfffc}, 0x1, 0x7, 0x5, 0xbed1, @inferred=r5, @inferred=r7, 0x1, 0x0, &(0x7f0000004d80), &(0x7f0000004dc0)="05c9215687a3ff1747cae5c18cb186ed5c62984337f90f0ab5948e21c63d1686f1da1459a89718a9f84930b892c2ad4de61f714ab8"}) msgctl$auto_IPC_RMID(0x4, 0x0, &(0x7f0000004f00)={{0x7, 0xffffffffffffffff, 0xffffffffffffffff, 0x1, 0x0, 0x98, 0x4}, &(0x7f0000004e80)=0x6, 
&(0x7f0000004ec0)=0x5, 0xc, 0x1ff800000, 0x8, 0x7f, 0x3, 0x101, 0x8, 0x1000, @inferred=r5, @inferred=r8}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000004f80)={{{@in6=@mcast1, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@multicast2}}, &(0x7f0000005080)=0xe8) shmctl$auto(0x2, 0x5, &(0x7f00000052c0)={{0x8, 0x0, 0x0, 0x7f, 0x5, 0x80000001, 0x43}, 0x7, 0x2, 0x0, 0xffffffffffffffff, @raw=0xf, @inferred=r7, 0x2, 0x0, &(0x7f00000050c0)="bcc4b5d86e91b02b73e16c4665dc3088f7cc9826da7807f9a8300d9d8980de67a1a2a153e95466e76d2c38c41558c08efe37ee81d9904674ced86dda9b2b6cc7c97b199758bef8d92dd20e0e69864d6fcd03a80ca012019cf41e5166475038fcd360338436e7827ef730469187e6a495f5bf018ee7caa71c804a386756c3242b30eca0b841166d7839e94a5639d08fbc06dac1f861494456d8d153de7fc30387d452304e7c3069bbfb424391d04fab12037c6d6ae6025df869fa3a45e03148c2dd052c", &(0x7f00000051c0)="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"}) stat$auto(&(0x7f0000005340)='./file0\x00', &(0x7f0000005380)={0x355, 0x100000001, 0x5, 0x7, 0xffffffffffffffff, 0xee01, 0x0, 0x7, 0x2, 0x2, 0x6, 0xfffffffffffffff7, 0x7, 0x4, 0xfff, 0x17b, 0xffffffffffff27a1}) shmctl$auto(0x8001, 0xfffffee8, &(0x7f0000006480)={{0x7, 0xee00, 0x0, 0x0, 0x7, 0x8, 0x3ff}, 0x10, 0x2, 0x8, 0x7fffffff, @inferred=r8, @raw=0xffff, 0xffff, 0x0, &(0x7f0000005440)="", &(0x7f0000006440)="1c3d61efc1467b6b61e9e5f06fa3d1dcc0e70035dcc9c6c3b00df58900"}) r21 = getgid() r22 = geteuid() ioctl$auto_XFS_IOC_SWAPEXT(0xffffffffffffffff, 0xc0c0586d, &(0x7f0000006a80)={0xfff, @raw=0xd, @inferred=r6, 0x7, 0x2, '\x00', {0xf, 0x0, 0x46, 0xffffffffffffffff, 0x0, 0xfffffffd, 0xf7, 0x7f, {0x8, 0x9}, {0x3, 0x200}, {0x4, 0x5}, 0x62, 0x5, 0xff, 0x6cbf, 0x48, 0x0, 0x8001, 0x7f, 0x6, 0x8, '\x00', 0x40, 0xffff, 0xa, 0xb04b}}) syz_fuse_handle_req(r9, &(0x7f00000016c0)="", 0x2000, &(0x7f0000006c80)={&(0x7f00000036c0)={0x50, 0x0, 0x8, {0x7, 0x2d, 0x7, 0x8000008, 0x7, 0xfc00, 0x3ff, 0x59, 0x0, 0x0, 0xe0, 0x10000}}, 
&(0x7f0000003740)={0x18, 0x0, 0x6, {0x80000001}}, &(0x7f0000003780)={0x18, 0x0, 0x4, {0x2}}, &(0x7f00000037c0)={0x18, 0xffffffffffffffda, 0x37}, &(0x7f0000003800)={0x18, 0x0, 0x1, {0xff}}, &(0x7f0000003840)={0x28, 0x26, 0x7fffffffffffffff, {{0x7a, 0x8}}}, &(0x7f0000003880)={0x60, 0xfffffffffffffff5, 0x1, {{0x81, 0x6, 0x3ff, 0x2, 0x4, 0x4, 0x8, 0x2}}}, &(0x7f0000003900)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000003940)={0x12, 0xf92c178daeab5fde, 0x9, {'^\x00'}}, &(0x7f0000003980)={0x20, 0x0, 0x0, {0x0, 0x2}}, &(0x7f00000039c0)={0x78, 0x0, 0xfffffffffffffff7, {0x3, 0x67, 0x0, {0x3, 0x2, 0x5, 0x2, 0x0, 0x5b, 0x200, 0x6, 0xf0b7, 0x1000, 0x1, 0xffffffffffffffff, 0xffffffffffffffff, 0x4, 0x6}}}, &(0x7f0000004b00)={0x90, 0x0, 0x7, {0x1, 0x3, 0x10000, 0x200, 0x8, 0xa87, {0x4, 0x1, 0x7, 0x1, 0xfffffffffffffffd, 0x4, 0x9, 0xffff, 0x10000000, 0x0, 0xf40, 0x0, r10, 0x8001, 0x9}}}, &(0x7f0000004bc0)={0x48, 0x0, 0x5c, [{0x1, 0x4, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}, {0x1, 0x8, 0x0, 0xb}]}, &(0x7f0000006500)={0x478, 0x0, 0x2, [{{0x1, 0x1, 0xf, 0x9, 0x7fffffff, 0x3ff, {0x5, 0xb3fc, 0x3, 0xa2d9, 0x3, 0x80000000, 0x4, 0x5, 0x2, 0x6000, 0xfff, 0xffffffffffffffff, 0xee01, 0x5, 0x6}}, {0x5, 0x9, 0x6, 0x6, 'wlan1\x00'}}, {{0x3, 0x1, 0x4, 0xf, 0x1, 0x5, {0x4, 0xffc, 0x2, 0xffffffffffffdbca, 0x35, 0x5fa, 0x8, 0x5, 0x16d, 0x6000, 0x8000, r11, 0xee00, 0x8, 0x2}}, {0x2, 0x3e8, 0x16, 0x5, 'bpf_lsm_path_truncate\x00'}}, {{0x6, 0x3, 0xcff0, 0xfffffffffffffbff, 0x3, 0x3, {0x5, 0x4, 0x8, 0x9, 0x10, 0x5, 0x91, 0xfff, 0xfffffffd, 0xc000, 0x3, r12, 0xee00, 0x80, 0x40}}, {0x0, 0x8, 0x6, 0x80000001, 'wlan1\x00'}}, {{0x3, 0x2, 0x8, 0x9, 0x80000000, 0xd149, {0x3, 0x4, 0x5, 0xe, 0x7a, 0xd52, 0x0, 0x5, 0x6, 0xa000, 0x2, r14, 0x0, 0x7fffffff, 0x5}}, {0x4, 0x7ff, 0x2, 0x78d, '\xc0\''}}, {{0x2, 0x0, 0x6, 0x7fffffff, 0x5, 0x5, {0x2, 0xc, 0xbde5, 0x5, 0x8, 0x10, 0x9, 0x6, 0xe31, 0x2000, 0x5b8, r16, r18, 0x6, 0x8}}, {0x2, 0x80, 0x0, 0xb6}}, {{0x5, 0x2, 0x80000001, 0x2, 0x6, 0xff, {0x3, 0x5, 0x8, 0x3, 0x8001, 0x5, 
0x1, 0x7, 0x2, 0x1000, 0x1, 0xee01, r19, 0x10001, 0x6}}, {0x0, 0x6, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x3, 0x1, 0x8000000000000000, 0x2e, 0x5, 0x7, {0x6, 0x5, 0x5, 0xb, 0x0, 0x2, 0xffff, 0x0, 0x8, 0x2000, 0x9, r20, r21, 0x2, 0x7}}, {0x6, 0xfffffffffffffffb, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000006980)={0xa0, 0x0, 0xd05, {{0x5, 0x3, 0x8000000000000001, 0x7, 0x5, 0x2, {0x3, 0x4, 0x5, 0x3, 0x8, 0x1, 0x8001, 0x0, 0xfff, 0x8000, 0x101, r22, 0xee00, 0x7, 0xac}}, {0x0, 0x10}}}, &(0x7f0000006a40)={0x20, 0x0, 0xffffffff, {0x4, 0x0, 0x9, 0xa}}, &(0x7f0000006b40)={0x130, 0x0, 0x1ff, {0x6276287e, 0x7, 0x0, '\x00', {0x800, 0x2, 0x3, 0x1e, 0xffffffffffffffff, r24, 0x4000, '\x00', 0x800, 0x9, 0x8, 0x32f3fcde, {0x6, 0x1}, {0x4, 0xe30}, {0x4d, 0x3}, {0x6, 0x8}, 0x6, 0x2, 0xfb, 0x2}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000006d40), r23) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x28c2, &(0x7f0000006d80)={0x0, 0xd0f0, 0x20, 0x0, 0x1e5}, &(0x7f0000006e00)=0x0, &(0x7f0000006e40)) syz_io_uring_complete(r25) r26 = syz_io_uring_setup(0x7c1f, &(0x7f0000006e80)={0x0, 0x979d, 0x4, 0x1, 0x206, 0x0, r9}, &(0x7f0000006f00)=0x0, &(0x7f0000006f40)=0x0) r29 = io_uring_register$IORING_REGISTER_PERSONALITY(r26, 0x9, 0x0, 0x0) syz_io_uring_submit(r27, r28, &(0x7f0000007000)=@IORING_OP_OPENAT2={0x1c, 0x14, 0x0, r23, &(0x7f0000006f80)={0x818480, 0x0, 0x35}, &(0x7f0000006fc0)='./file0\x00', 0x18, 0x0, 0x23456, {0x0, r29}}) r30 = syz_kvm_setup_syzos_vm$x86(r9, &(0x7f0000bfd000/0x400000)=nil) syz_kvm_add_vcpu$x86(r30, &(0x7f0000007400)={0x0, &(0x7f0000007040)=[@wrmsr={0x65, 0x20, {0x92e, 0x8}}, @nested_vmresume={0x130, 0x18, 0x1}, @wr_drn={0x68, 0x20, {0x1}}, @nested_amd_invlpga={0x17d, 0x20, {0xffffffff, 0xbd0d}}, @nested_amd_vmsave={0x183, 0x18, 0x1}, @code={0xa, 0x6a, {"36490fc7aad66197c026660f3880945e008000000f01ba008000008fc9b89b29470fc7ae20000000450f09c4e2d13967c4360f017f0566642e643ed8f1c744240025fd0000c744240254000000c7442406000000000f011424"}}, 
@nested_amd_inject_event={0x180, 0x38, {0x0, 0xb5, 0x7, 0x5}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x3, @control16=0x4, 0x5, 0x1ff, 0x8}}, @nested_vmresume={0x130, 0x18}, @out_dx={0x6a, 0x28, {0xc636, 0x5, 0x4}}, @enable_nested={0x12c, 0x18}, @nested_vmlaunch={0x12f, 0x18, 0x1}, @wrmsr={0x65, 0x20, {0x8a3, 0x9}}, @wr_drn={0x68, 0x20, {0x4, 0x6}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_create_vm={0x12d, 0x18, 0x2}, @nested_amd_invlpga={0x17d, 0x20, {0x8080000, 0x943e}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x3, @control_area=0x31, 0xc, 0x6, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x36, 0x1, 0x2, 0x3}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_vmresume={0x130, 0x18}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0x72, 0x2, 0x5, 0x2}}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_vmlaunch={0x12f, 0x18, 0x2}], 0x3a2}) r31 = ioctl$KVM_CREATE_VM(r9, 0xae01, 0x5) syz_kvm_setup_cpu$ppc64(r31, r23, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000007680)=[{0x0, &(0x7f0000007440)="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", 0x20c}], 0x1, 0x2, &(0x7f00000076c0)=[@featur2={0x1, 0x6}], 0x1) syz_kvm_setup_syzos_vm$x86(r23, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(0x0, 0x114, &(0x7f0000007700), 0x0, 0x4) syz_mount_image$fuse(&(0x7f0000007740), &(0x7f0000007780)='./file0\x00', 0x40000, &(0x7f00000077c0)={{'fd', 0x3d, r23}, 0x2c, {'rootmode', 0x3d, 0x6000}, 0x2c, {'user_id', 0x3d, r22}, 0x2c, {'group_id', 0x3d, r13}, 0x2c, {[{@max_read={'max_read', 0x3d, 0x3}}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@default_permissions}, {@allow_other}], [{@permit_directio}, {@uid_lt={'uid<', r17}}, {@appraise}, {@smackfshat={'smackfshat', 0x3d, '\xc0\''}}, {@appraise}]}}, 0x1, 0x0, 
&(0x7f0000007940)="a4b222df2ba10df24f5481e0dc5e93b81b1b82e9a214cabce344800ad54de610fa1eda44b9040526f2dc7c731c5473c8c6dc94192a03484e6d62bb49128612543a9d016ed9a3730e51080f5c860d03a77ed50164bcf99c42d3568a974a927a879de41edc2f5552365886121a31095b97aa08ee2977111f7cc56a77c0f2a16b32b19df50a249cd3058e60a6ae8c96349d5e5c0097594ce01c1fbee5ee94606fef673231e65700bc715f1f0119c84ed27b8af38ed153d394d6b22cca54db55a31bc25b45e81deca7bedb696691ae6b92f09eea3e2b5e8af2f996339dec592edec5897e94eb") syz_open_dev$I2C(&(0x7f0000007a40), 0x7, 0x0) syz_open_procfs(r4, &(0x7f0000007a80)='net/psched\x00') syz_open_pts(r9, 0x292c02) syz_pidfd_open(r15, 0x0) r32 = pkey_alloc(0x0, 0x0) syz_pkey_set(r32, 0x3) syz_socket_connect_nvme_tcp() r33 = syz_usb_connect(0x1, 0x295, &(0x7f0000007ac0)={{0x12, 0x1, 0x250, 0x58, 0x6, 0x54, 0x8, 0x13d3, 0x3348, 0x15b2, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x283, 0x2, 0x9, 0x2, 0x10, 0x8, [{{0x9, 0x4, 0x26, 0xb, 0x5, 0x83, 0x18, 0x74, 0xee, [], [{{0x9, 0x5, 0xb, 0x3, 0x8, 0x4, 0xfb, 0x6a, [@generic={0xbd, 0xc, "8b82bd3fc8137d3d259ce7bc140de0823de2222eed4c570edcb84553cd1efd649dd352dd375d81da8da8e6863fb482ecb3a16f122210bff25c59a3afc6542848c06e1b983fbc8dd0de627cfddf9f905f5cb6ed4a25ec5947599b15b538c7bb0b0d65d4a31b319f7383955ce766ef4c66d18bc75d69b2dd7d136c78eaec1e2203eb918dd61609de40f4f693917eeb17fc387bb427341f6416e0b8c46a2445a5c49bd9c86dfe21c598acf17ea98ffece202a21dc93a0b830d29af87c"}, @generic={0xc7, 0x6, "f5459e117800d22a25a486d1442f5cbd4d3d776cd061d2c185f9924eae6a4d7b14c58b599863d321e3ea80a25f6d8be51d5ca70c276ce0e6d9038f88776b9614287db7ee2113f0e7e1f01873b613d763da5f87f86cd1860bd623463fc6d93d9f948d0d4d70d72a8ac1dec1adceb8716729906428d5b6e24b01499bfa6a0aa0482eed8c7751a1c7ec944db19254a74b61142e725a7a290c4142875d347b3e483f4e2db8373ef8fead8118ce07d812332b211da9733d444f7d706a6439c29aeaedd03000a2a8"}]}}, {{0x9, 0x5, 0xa, 0xc, 0x400, 0xc, 0x0, 0xb5, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0xb, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x20, 0x7, 0x5, 0x5, [@generic={0x24, 0x7, 
"ad98314a82d7aebbfce85178752271b158c05dea1bf5a2459c431df180c1f3b2be3b"}]}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x7, 0xf3, 0x4}}, {{0x9, 0x5, 0x5, 0x0, 0x40, 0x2, 0x3, 0x2, [@generic={0x6a, 0xa, "f7dd67505d353d93b6e1f3ac2d8f9f766012d204e558a7076c6a1dd6648b2928acaf801710c8555067e0715e60772d9a84c714f63d527b9f1532a5ac6511627f9e8400e62ad6bd25ec51ec630afc10e1f0f2fe01c9588e2897ef26d5ea8bcf970e51fc28d84a628c"}]}}]}}, {{0x9, 0x4, 0x48, 0xe, 0x3, 0xca, 0x1e, 0x4a, 0xf5, [], [{{0x9, 0x5, 0xb, 0x4, 0x400, 0x5, 0xf7, 0xf6}}, {{0x9, 0x5, 0xe, 0x10, 0x3ff, 0x1, 0xd, 0x80}}, {{0x9, 0x5, 0x5, 0x10, 0x10, 0x95, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xae, 0x12}]}}]}}]}}]}}, &(0x7f0000007ec0)={0xa, &(0x7f0000007d80)={0xa, 0x6, 0x110, 0x4, 0x1, 0x6, 0x8, 0xe}, 0x3b, &(0x7f0000007dc0)={0x5, 0xf, 0x3b, 0x4, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "fdf4043ae7f59e3e81fe303d4de3ea16"}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x8, 0x6, 0x6}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x7, 0xd, 0x95d7}, @ss_container_id={0x14, 0x10, 0x4, 0x3, "bc6a9266bf506e90620d9c900e180143"}]}, 0x1, [{0x98, &(0x7f0000007e00)=@string={0x98, 0x3, "d95f3fcaaa58f9d36d03e3a2d5566a5191f742f723fa49e364e03b0d288a7fcb4579b58c56d824be57f9ad0f8703d3011cac468433fa22c23bfaf15dad541efb0138c46bb8f8869215155c2685d69b75ffe68c0cbd6e71743abd4355e12d9dcb7dff16bb075da553c178139ede2c285a4a2845e8889c234504d968d870b6084a7b4ab0dcdb83d43bb2f4e7a0156b80a68919cbb7da84"}}]}) r34 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007f00)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r35 = syz_usb_connect$uac1(0x3, 0xe5, &(0x7f0000007f80)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd3, 0x3, 0x1, 0x1, 0x80, 0x80, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x0, 0x7c}, [@extension_unit={0xd, 0x24, 0x8, 0x2, 0x8, 0x9, "0cffda3f227b"}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 
0x2, 0x2, 0x6, 0x9a, 0x20, "2da5ee78a28e1f1a41"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0xf8, 0x3, 0x69, 0x6d, 'e)', "bf0794"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x5, 0x4, 0x5b, 0x3, 'D', "2618"}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x7b4, 0x8, 0x4}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x0, 0x3, 0x8, 0x8, "aa", "e8e5b4"}]}, {{0x9, 0x5, 0x1, 0x9, 0x40, 0x6, 0x5, 0x0, {0x7, 0x25, 0x1, 0x80, 0x1, 0x4}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@as_header={0x7, 0x24, 0x1, 0x3, 0x1e, 0x4}, @as_header={0x7, 0x24, 0x1, 0x6f, 0x7}, @format_type_ii_discrete={0xa, 0x24, 0x2, 0x2, 0x8, 0x2, 0x8, 'f'}, @format_type_ii_discrete={0x10, 0x24, 0x2, 0x2, 0x9, 0x401, 0x5, "53b11dbc8cd310"}]}, {{0x9, 0x5, 0x82, 0x9, 0x8, 0x0, 0x28, 0x6, {0x7, 0x25, 0x1, 0x80, 0x5, 0xd}}}}}}}]}}, &(0x7f00000081c0)={0xa, &(0x7f0000008080)={0xa, 0x6, 0x110, 0x59, 0xa5, 0x5, 0x10, 0x1}, 0x39, &(0x7f00000080c0)={0x5, 0xf, 0x39, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x3, 0xb8, 0x9, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0x2, "9d9ab0978e2aace26de66306e6e2963d"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x0, 0x6, 0x4, 0x1, 0x5}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x5, 0x6, 0xfff2}]}, 0x1, [{0x84, &(0x7f0000008100)=@string={0x84, 0x3, "000a6c9f4a15eabc97a92ab665231b2cf9057321eb430c6521f497a8c3ce816268cb337fa48deecfeb28b2305fcf2d2e988cc8b8b980a1332dc406bc34695fa24dc3609f619d7ac284cc3ae7f0afe444d578c951d9aedc4c682e100cfeb6619b98a96b1978d8ede7574e969f8ae8e3dfb835bde5ccd922133e53036ff44eda52a0a9"}}]}) syz_usb_control_io(r35, &(0x7f0000008380)={0x2c, &(0x7f0000008200)={0x40, 0x22, 0x31, {0x31, 0x5, "74e83dcf53dd2d0ecac0aa3467b18dfa71b26cdd403d955c0ffe22817b01fe5795d51cf24a6ae3b8e32f1b7ac5f8ca"}}, &(0x7f0000008240)={0x0, 0x3, 0x1e, @string={0x1e, 0x3, "8957a501d83c69e54f70f62f932a50b65506c388c128239d36229ee2"}}, &(0x7f0000008280)={0x0, 0xf, 0x4f, {0x5, 0xf, 0x4f, 0x6, [@ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x5, 0xf000, 0x409, [0xc000, 0x17f, 
0xff3f30, 0xffffaf]}, @ssp_cap={0x10, 0x10, 0xa, 0x9, 0x1, 0x4, 0xff0f, 0xf87, [0xc030]}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x1, 0x4, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0xd2, 0x3, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x1, 0x7, 0x2}, @ptm_cap={0x3}]}}, &(0x7f0000008300)={0x20, 0x29, 0xf, {0xf, 0x29, 0x8, 0x1, 0x7, 0x4, '\b\r$}', "67016dee"}}, &(0x7f0000008340)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x16, 0x80, 0x9, 0x3, 0x3, 0x2, 0xf000}}}, &(0x7f00000087c0)={0x84, &(0x7f00000083c0)={0x0, 0x11, 0x1f, "16d60d7743501452ffd5730424bc4a970cc6490bb9cc85938699edf27a0c7d"}, &(0x7f0000008400)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000008440)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000008480)={0x20, 0x0, 0x4, {0x2f1050d721a8e554, 0x1}}, &(0x7f00000084c0)={0x20, 0x0, 0x4, {0x200, 0x2b}}, &(0x7f0000008500)={0x40, 0x7, 0x2, 0xfd37}, &(0x7f0000008540)={0x40, 0x9, 0x1}, &(0x7f0000008580)={0x40, 0xb, 0x2, 'E\"'}, &(0x7f00000085c0)={0x40, 0xf, 0x2, 0x2}, &(0x7f0000008600)={0x40, 0x13, 0x6, @random="2fa6dde03a0f"}, &(0x7f0000008640)={0x40, 0x17, 0x6, @random="de1c102b027e"}, &(0x7f0000008680)={0x40, 0x19, 0x2, "0d97"}, &(0x7f00000086c0)={0x40, 0x1a, 0x2, 0x2}, &(0x7f0000008700)={0x40, 0x1c, 0x1, 0xfd}, &(0x7f0000008740)={0x40, 0x1e, 0x1, 0xfd}, &(0x7f0000008780)={0x40, 0x21, 0x1, 0xc9}}) syz_usb_disconnect(r33) syz_usb_ep_read(r34, 0x7, 0xfc, &(0x7f0000008880)=""/252) r36 = syz_usb_connect$printer(0x5, 0x36, &(0x7f0000008980)={{0x12, 0x1, 0x200, 0x7, 0x1, 0x1, 0x20, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xf4, 0x60, 0x4, [{{0x9, 0x4, 0x0, 0x3, 0x2, 0x0, 0x0, 0x0, 0x81, "", {{{0x9, 0x5, 0x1, 0x2, 0x400, 0x0, 0x8, 0x2}}, [{{0x9, 0x5, 0x82, 0x2, 0x3ff, 0x4, 0x48, 0x8}}]}}}]}}]}}, &(0x7f0000008f00)={0xa, &(0x7f00000089c0)={0xa, 0x6, 0x250, 0x7d, 0xdd, 0x3, 0x20, 0xfa}, 0x154, &(0x7f0000008a00)={0x5, 0xf, 0x154, 0x6, [@generic={0xe8, 0x10, 0x1, 
"d031a9165b9e273ff6ffe555849af6dca66e17a68ee5ac784dca23e4a56d46169ad06ead2b8bcd997eac2ecb8b2a2526aa200db55758d08659469283d6ecfba982c300ae82ccf4a8bf073dbde45376b4f6fc559be519f82e8e5b2cf59c3a3af4f290707e767a4e276851090d90be0ab66f788e7760cd71ab865ea8b6bcc5f35f60538154a099c354a3593417682fc39d2a6a255ef4bb65f8d97af29beb0f8734a68ed84ef08df69e9b35fa2e3fe65e9938ff441dc3e7982a81cccaf9621d5dbc663b80ab448c975cbc19bb6c3901a02c16b32dfaf9f5c220fa21434937b462038105e6d086"}, @generic={0x4b, 0x10, 0x3, "10bed1912f7dc94ac6d87cbc68962c89e777cc51a257d0cad33cdcf336a31ac39b867144c2c96be40fccac19633a547787bc6e4fe91e91fa4759db2a867d859cd5a60c84c1a38e09"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x9, 0x77, 0x9, 0x2cf}, @wireless={0xb, 0x10, 0x1, 0xc, 0x5, 0x8, 0x5, 0x9, 0x16}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0xa, [{0x4, &(0x7f0000008b80)=@lang_id={0x4, 0x3, 0x40e}}, {0x4, &(0x7f0000008bc0)=@lang_id={0x4, 0x3, 0x427}}, {0x4, &(0x7f0000008c00)=@lang_id={0x4, 0x3, 0x415}}, {0x4, &(0x7f0000008c40)=@lang_id={0x4, 0x3, 0x1c0a}}, {0x4, &(0x7f0000008c80)=@lang_id={0x4, 0x3, 0x83e}}, {0x4, &(0x7f0000008cc0)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d00)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d40)=@lang_id={0x4, 0x3, 0x423}}, {0x9f, &(0x7f0000008d80)=@string={0x9f, 0x3, "d48e8724649a2841923d48b8b235fdc4315e0dfbe1b8a8a08353af5b630beb6eca1d6be03d88d5587933d6ade122b2ad4c558040e7f203d8c7af790af85de36e841eb9480afa1aaf9a226f4de28cd4441557411c7737f74d7d60313cd3d051284fceb5b3278373f63c72a84e8de4e23bf64e2a69c0579106c9331803e2ef32fd09889adce7bcd7eb6134c465ed17386d3f97a4e8a4e9c419f9c6eb2d32"}}, {0xa4, &(0x7f0000008e40)=@string={0xa4, 0x3, "81103e0d228843344b9a2885675324f579df278e6d25065998bdbb69b8eed0e1db8df16b19646d92c5d03521f773c16c24deeae556be69b04e1e966febfbf37f3bbc6dd64c83f4c2a87daf95fb91e10a36c0069f4d517bf3962111d8f9c845323c0b91e68dea34b277b410720bdf4a5864fe069bdee84fa9e4465549713fb333aaed855baf295327e1fb651729fe4acf1d9ebf80d64c29fcd368ee1611e550d7b67a"}}]}) syz_usb_ep_write(r36, 0xf9, 0xfb, 
&(0x7f0000008fc0)="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") syz_usbip_server_init(0x2) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define 
STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, 
&ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr 
= IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, 
sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define 
BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t 
skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, 
size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; 
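uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptors: "syz" (UTF-16LE) and a single language id.
static const char default_string[] = {
    8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
    4, USB_DT_STRING, 0x09, 0x04
};

// Answers IN-direction control requests during enumeration from the parsed
// device index and the optional connect descriptors (descs may be NULL).
// On success *response_data/*response_length describe the payload (data may
// be NULL with length 0, the caller then sends zeros); qual is scratch space
// for a synthesised device-qualifier descriptor.
// Returns false for anything it cannot answer, which the caller turns into a
// stall.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       struct usb_qualifier_descriptor* qual,
				       char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// No connect descriptors means no BOS to serve; stall rather
				// than dereference a NULL descs (the STRING case already
				// guards the same way).
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Synthesise a qualifier from the device descriptor.
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}

	return false;
}

// Handler for OUT-direction control requests during enumeration; sets *done
// once enumeration should stop.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

// Generic device: SET_CONFIGURATION ends enumeration.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	default:
		break;
	}

	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k device: accepts SET_CONFIGURATION and the vendor firmware-download
// requests; enumeration ends at FIRMWARE_DOWNLOAD_COMP.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	default:
		break;
	}

	return false;
}

// Tables of canned control-transfer answers supplied by the caller.
// `len` counts bytes of the whole table, header included.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

// Looks up the answer for a control request after enumeration: GET_DESCRIPTOR
// is served from descs (matched on request type + descriptor type), anything
// else from resps (matched on request type + request); each table may have a
// `generic` catch-all. Either table may be NULL.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps,
				    struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	size_t descs_num = 0;
	size_t resps_num = 0;

	// Table lengths come from the caller's buffer: a len smaller than the
	// header would underflow the subtraction and walk far past the table.
	if (descs && descs->len >= offsetof(struct vusb_descriptors, descs))
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps && resps->len >= offsetof(struct vusb_responses, resps))
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);

	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;

	if (req == USB_REQ_GET_DESCRIPTOR) {
		for (size_t i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		for (size_t i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}

	return false;
}

// Userspace copy of the raw-gadget UAPI used below.
#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8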
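name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Thin wrappers over the raw-gadget ioctls; each returns the ioctl result.

static int usb_raw_open(void)
{
	return open("/dev/raw-gadget", O_RDWR);
}

// Binds the gadget to a UDC. The argument is zero-filled and both names are
// copied with one byte of headroom, so they are NUL-terminated even when the
// input is longer than the field (strncpy alone does not guarantee that).
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg = {0};
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name) - 1);
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name) - 1);
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// The endpoint handle is passed by value, as the rest of this file does.
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Maps (bInterfaceNumber, bAlternateSetting) to a position in index->ifaces,
// or -1 if the fd is unknown or no interface matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the raw-gadget handle of the endpoint with the given address on the
// currently selected interface, or -1.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}

#define USB_MAX_PACKET_SIZE 4096

// Event/IO buffers with room for one packet of payload after the header.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Disables the endpoints of the current interface, enables those of
// interface n and records their handles; continues past the end of this block.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;

	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd,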
index->ifaces[index->iface_cur].eps[ep].handle);
			// Disable failures are ignored: the interface is switched regardless.
			if (rv < 0) {
			} else {
			}
		}
	}

	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			// A failed enable leaves the stale handle in place (it is not reset).
			if (rv < 0) {
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}

// Completes SET_CONFIGURATION on the gadget side: reports the configuration's
// bMaxPower as the vbus draw, configures, then activates interface 0.
// Returns 0, or the failing ioctl's negative result (-1 if the fd is unknown).
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

// Emulates a USB device through raw-gadget until enumeration is done:
// opens /dev/raw-gadget, registers the descriptor blob, binds to the
// per-process dummy UDC and then answers control requests (IN via
// lookup_connect_response_in, OUT via the supplied callback) until the
// callback sets `done`.
// Returns the raw-gadget fd on success, a negative value on failure.
// NOTE(review): on the failure paths after usb_raw_open() the fd is returned
// to the caller as an error code and is never closed here.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}

	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}

	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}

	// "dummy_udc." (10) + at most 20 digits + NUL fits the 32-byte buffer.
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}

	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}

	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;

		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;

		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			// OUT requests are acknowledged by reading wLength bytes of zeros.
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}

		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}

		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// An oversized answer is sent as a zero-length one; otherwise clamp to
		// what the host asked for.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);

		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}

	sleep_ms(200);
	return fd;
}

// syz_usb_connect(speed, dev_len, dev, conn_descs): generic device, enumeration
// ends at SET_CONFIGURATION.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect but with the ath9k OUT handler (firmware download).
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// syz_usb_control_io(fd, descs, resps): services exactly one control request
// on ep0 after enumeration. IN requests with a payload are answered from the
// caller's tables; everything else is acknowledged by reading wLength bytes.
// Returns 0 on success, -1 when the event is not a control request or no
// answer exists (the request is then stalled), or the failing ioctl's result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;

	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}

	char* response_data = NULL;
	uint32_t response_length = 0;

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): with `||` any standard OUT request (not only
		// SET_INTERFACE) and any request numbered USB_REQ_SET_INTERFACE
		// reaches the interface switch below; confirm `&&` was not intended.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}

	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// An IN request with wLength 0 is answered with a full packet of zeros.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}

	sleep_ms(200);
	return 0;
}

// syz_usb_ep_write(fd, ep, len, data): writes up to one packet to the endpoint
// with address `ep` on the current interface; continues past this block.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	// Silently truncated to the packet buffer.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);

	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
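sleep_ms(200);
	return 0;
}

// syz_usb_ep_read(fd, ep, len, data): reads up to one packet from the endpoint
// with address `ep` on the current interface and copies however many bytes the
// driver reported into data. Returns 0, -1 for an unknown endpoint, or the
// failing ioctl's result.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	// Silently truncated to the packet buffer.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;

	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	memcpy(&data[0], &io_data.data[0], io_data.inner.length);

	sleep_ms(200);
	return 0;
}

// Closing the raw-gadget fd disconnects the emulated device.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// syz_open_dev(dev, id, flags): with a0 of 0xc/0xb opens /dev/char|block/id:flags
// by major:minor; otherwise a0 is a path template in which every '#' is
// replaced by successive decimal digits of a1 (least significant first) and
// opened with a2 (O_CREAT stripped).
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		// Longest form "/dev/block/255:255" fits comfortably.
		snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10);
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}

// syz_open_procfs(pid, file): opens /proc/self/<file> (pid 0),
// /proc/thread-self/<file> (pid -1) or /proc/self/task/<pid>/<file>,
// read-write first and read-only as a fallback.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// syz_open_pts(ptmx_fd, flags): opens the slave side of the given master.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Creates a socket inside the initial network namespace (kInitNetNsFd) and
// returns to the caller's namespace afterwards. The saved-namespace handle is
// released on every path; errno from socket() is preserved across the switch
// back. Exits the process if the namespace cannot be restored.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Not switched yet, so only the saved handle needs releasing.
		int err = errno;
		close(netns);
		errno = err;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	return sock;
}

// Like syz_init_net_socket for an AF_INET stream socket, then connects it to
// 127.0.0.1:4420 (the NVMe-over-TCP port). Returns the connected socket or -1.
static long syz_socket_connect_nvme_tcp(void)
{
	struct sockaddr_in nvme_local_address;
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		int err = errno;
		close(netns);
		errno = err;
		return -1;
	}
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	if (sock == -1)
		return -1;

	memset(&nvme_local_address, 0, sizeof(nvme_local_address));
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		close(sock);
		return -1;
	}
	return sock;
}

// Resolves a generic-netlink family name to its id, on the given socket or on
// a temporary NETLINK_GENERIC socket when sock_arg is negative.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software.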
//% If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}

// Inflate (RFC 1951) decoder trimmed down from puff.c. Deviation from the
// original: only non-zero bytes are stored into `out`, so a zero-filled
// destination (the anonymous mapping in puff_zlib_to_file) stays sparse.
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

struct puff_state {
	unsigned char* out;
	unsigned long outlen;
	unsigned long outcnt;
	const unsigned char* in;
	unsigned long inlen;
	unsigned long incnt;
	int bitbuf;
	int bitcnt;
	jmp_buf env; // longjmp target taken when the input runs out mid-stream
};

// Returns the next `need` bits (LSB first). Running out of input longjmps to
// s->env rather than returning an error.
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}

	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;

	return (int)(val & ((1L << need) - 1));
}

// Stored (uncompressed) block: LEN, NLEN, then LEN raw bytes.
// Returns 0 on success, 2 if the input is exhausted, 1 if the output is full,
// -2 if NLEN does not complement LEN.
static int puff_stored(struct puff_state* s)
{
	s->bitbuf = 0;
	s->bitcnt = 0;

	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) ||
	    s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;

	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	for (; len--; s->outcnt++, s->incnt++) {
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}

	return 0;
}

// Canonical Huffman code: count[len] codes of each length, symbols in code order.
struct puff_huffman {
	short* count;
	short* symbol;
};

// Decodes one symbol with h, reading bits directly from the input.
// Returns the symbol, or -10 if no code of up to MAXBITS matches.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0;
	int index = 0;
	int bitbuf = s->bitbuf;
	int left = s->bitcnt;
	int code = first = index = 0;
	int len = 1;
	short* next = h->count + 1;
	while (1) {
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				s->bitbuf = bitbuf;
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code - first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}

// Builds h from the n code lengths in `length`. Returns 0 for a complete code,
// a positive value for an incomplete one (unused codes remain), negative if
// the lengths over-subscribe the code space.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;

	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}

	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];

	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;

	return left;
}

// Decodes literal/length/distance symbols until end-of-block (256).
// Returns 0 on success, 1 if the output is full, -10 for a bad length symbol,
// -11 for a distance reaching before the start of the output, or a negative
// value from puff_decode.
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
	static const short lens[29] = {
	    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
	    35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = {
	    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
	    3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	static const short dists[30] = {
	    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
	    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
	    8193, 12289, 16385, 24577};
	static const short dext[30] = {
	    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
	    7, 7, 8, 8, 9, 9, 10, 10, 11, 11,
	    12, 12, 13, 13};

	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);

			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			if (dist > s->outcnt)
				return -11;

			if (s->outcnt + len > s->outlen)
				return 1;
			while (len--) {
				// Back-reference copy; zero source bytes are skipped, not written.
				if (dist <= s->outcnt && s->out[s->outcnt - dist])
					s->out[s->outcnt] = s->out[s->outcnt - dist];
				s->outcnt++;
			}
		}
	} while (symbol != 256);

	return 0;
}

// Fixed-Huffman block (the static literal/length and distance codes are built
// once and cached in statics).
static int puff_fixed(struct puff_state* s)
{
	static int virgin = 1;
	static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
	static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	static struct puff_huffman lencode, distcode;

	if (virgin) {
		lencode.count = lencnt;
		lencode.symbol = lensym;
		distcode.count = distcnt;
		distcode.symbol = distsym;

		short lengths[FIXLCODES];
		int symbol;
		for (symbol = 0; symbol < 144; symbol++)
			lengths[symbol] = 8;
		for (; symbol < 256; symbol++)
			lengths[symbol] = 9;
		for (; symbol < 280; symbol++)
			lengths[symbol] = 7;
		for (; symbol < FIXLCODES; symbol++)
			lengths[symbol] = 8;
		puff_construct(&lencode, lengths, FIXLCODES);

		for (symbol = 0; symbol < MAXDCODES; symbol++)
			lengths[symbol] = 5;
		puff_construct(&distcode, lengths, MAXDCODES);

		virgin = 0;
	}

	return puff_codes(s, &lencode, &distcode);
}

// Dynamic-Huffman block: reads the code-length code, then the literal/length
// and distance code lengths, builds both codes and decodes the block.
// Returns 0 on success or a negative code (-3..-9) naming the malformed part
// of the header, plus whatever puff_codes returns.
static int puff_dynamic(struct puff_state* s)
{
	static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};

	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	int ncode = puff_bits(s, 4) + 4;
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3;

	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;

	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4;

	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;

		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			len = 0;
			if (symbol == 16) {
				if (index == 0)
					return -5;
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			} else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			if (index + symbol > nlen + ndist)
				return -6;
			while (symbol--)
				lengths[index++] = len;
		}
	}

	if (lengths[256] == 0)
		return -9;

	err = puff_construct(&lencode, lengths, nlen);
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;

	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;

	return puff_codes(s, &lencode, &distcode);
}

// Inflates `sourcelen` bytes of raw deflate data into dest (capacity
// *destlen); on return *destlen is the number of bytes produced.
// Returns 0 on success, 2 if the input ran out (via longjmp), 1 if the output
// filled up, -1 for a reserved block type, or a block decoder's error.
// The function continues past the end of this block.
static int puff(
    unsigned char* dest,
    unsigned long* destlen,
    const unsigned char* source,
    unsigned long sourcelen)
{
	struct puff_state s = {
	    .out = dest,
	    .outlen = *destlen,
	    .outcnt = 0,
	    .in = source,
	    .inlen = s.inlen = sourcelen,
	    .incnt = 0,
	    .bitbuf = 0,
	    .bitcnt = 0,
	};
	int err;
	if (setjmp(s.env) != 0)
		err = 2;
	else {
		int last;
		do {
			last = puff_bits(&s, 1);
			int type = puff_bits(&s, 2);
			err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ?
puff_dynamic(&s) : -1));
			if (err != 0)
				break;
		} while (!last);
	}

	*destlen = s.outcnt;
	return err;
}
//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

// Inflates a zlib stream (2-byte header skipped, no trailer check) into a
// zero-filled anonymous mapping and writes the result to dest_fd.
// Returns 0 on success (also for an input shorter than the header) and -1 on
// failure. NOTE(review): puff's positive results 1/2 become a negative errno
// here; only its negative codes map to a positive value.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;
	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;
	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		errno = -err;
		return -1;
	}
	if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
		munmap(dest, max_destlen);
		return -1;
	}
	return munmap(dest, max_destlen);
}

// Inflates the image into a memfd and attaches it to the loop device at
// loopname, retrying once after LOOP_CLR_FD if the device is busy.
// On success *loopfd_p receives the open loop fd and 0 is returned; on failure
// -1 is returned with errno set to the first error, and both fds are closed.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
	int err = 0, loopfd = -1;

	int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}

	if (puff_zlib_to_file(data, size, memfd)) {
		err = errno;
		goto error_close_memfd;
	}

	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}

	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}

	// The loop device keeps its own reference to the backing file.
	close(memfd);
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Best-effort detach of the loop device's backing file; errors are ignored.
static void reset_loop_device(const char* loopname)
{
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		return;
	}
	if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
	}
	close(loopfd);
}

// syz_mount_image(fs, dir, flags, opts, change_dir, size, image): mounts the
// (zlib-compressed, when size != 0) image via the per-process loop device on
// dir, after rewriting a few options so the kernel does not panic/remount on
// filesystem errors. Options are truncated to leave 32 bytes of room for the
// suffixes appended below.
// Returns an fd for the mounted directory (or chdir's result when change_dir
// is set), or -1 with errno set; the loop device is reset in every case.
static long syz_mount_image(
    volatile long fsarg,
    volatile long dir,
    volatile long flags,
    volatile long optsarg,
    volatile long change_dir,
    volatile unsigned long size,
    volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];

	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		close(loopfd);
		source = loopname;
	}

	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// Over-long options are silently truncated by the strncpy below.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Only a whole "errors=remount-ro" token counts, not a substring of
		// another option.
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
			has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
		}
		if (strstr(opts, "errors=panic") || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	} else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
		strcat(opts, ",errors=withdraw");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		// NOTE(review): this overwrites the directory fd just opened with
		// chdir's result, so that fd is not returned (nor closed) here.
		res = chdir(target);
		if (res == -1) {
			err = errno;
		}
	}

error_clear_loop:
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}

// Attributes for code that is copied into and run inside the guest.
#define noinline __attribute__((noinline))
#define __no_stack_protector
#define __addrspace_guest
#define __optnone
#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest

// Bounds of the "guest" section (provided by the linker).
extern char *__start_guest,
*__stop_guest;

// Guest-physical addresses used by the X86_ADDR_* (legacy) layout.
#define X86_ADDR_TEXT 0x0000
#define X86_ADDR_PD_IOAPIC 0x0000
#define X86_ADDR_GDT 0x1000
#define X86_ADDR_LDT 0x1800
#define X86_ADDR_PML4 0x2000
#define X86_ADDR_PDP 0x3000
#define X86_ADDR_PD 0x4000
#define X86_ADDR_STACK0 0x0f80
#define X86_ADDR_VAR_HLT 0x2800
#define X86_ADDR_VAR_SYSRET 0x2808
#define X86_ADDR_VAR_SYSEXIT 0x2810
#define X86_ADDR_VAR_IDT 0x3800
#define X86_ADDR_VAR_TSS64 0x3a00
#define X86_ADDR_VAR_TSS64_CPL3 0x3c00
#define X86_ADDR_VAR_TSS16 0x3d00
#define X86_ADDR_VAR_TSS16_2 0x3e00
#define X86_ADDR_VAR_TSS16_CPL3 0x3f00
#define X86_ADDR_VAR_TSS32 0x4800
#define X86_ADDR_VAR_TSS32_2 0x4a00
#define X86_ADDR_VAR_TSS32_CPL3 0x4c00
#define X86_ADDR_VAR_TSS32_VM86 0x4e00
#define X86_ADDR_VAR_VMXON_PTR 0x5f00
#define X86_ADDR_VAR_VMCS_PTR 0x5f08
#define X86_ADDR_VAR_VMEXIT_PTR 0x5f10
#define X86_ADDR_VAR_VMWRITE_FLD 0x5f18
#define X86_ADDR_VAR_VMWRITE_VAL 0x5f20
#define X86_ADDR_VAR_VMXON 0x6000
#define X86_ADDR_VAR_VMCS 0x7000
#define X86_ADDR_VAR_VMEXIT_CODE 0x9000
#define X86_ADDR_VAR_USER_CODE 0x9100
#define X86_ADDR_VAR_USER_CODE2 0x9120

// Guest-physical addresses used by the X86_SYZOS_* layout.
#define X86_SYZOS_ADDR_ZERO 0x0
#define X86_SYZOS_ADDR_GDT 0x1000
#define X86_SYZOS_ADDR_PML4 0x2000
#define X86_SYZOS_ADDR_PDP 0x3000
#define X86_SYZOS_ADDR_PT_POOL 0x5000
#define X86_SYZOS_ADDR_VAR_IDT 0x25000
#define X86_SYZOS_ADDR_VAR_TSS 0x26000
#define X86_SYZOS_ADDR_SMRAM 0x30000
#define X86_SYZOS_ADDR_EXIT 0x40000
#define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256)
#define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000
#define X86_SYZOS_ADDR_USER_CODE 0x50000
#define SYZOS_ADDR_EXECUTOR_CODE 0x54000
#define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000
#define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000
#define X86_SYZOS_ADDR_STACK0 0x60f80

// Per-vCPU regions: each vCPU owns L1_VCPU_REGION_SIZE bytes starting at
// PER_VCPU_REGIONS_BASE, holding an arch-specific area followed by a set of
// L2_VM_REGION_SIZE slots, one per nested VM, laid out by the OFFSET_* below.
#define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x70000
#define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000
#define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000
#define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000
#define X86_SYZOS_L2_VM_REGION_SIZE 0x8000
#define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000
#define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000
#define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000
#define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000
#define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000
#define X86_SYZOS_ADDR_UNUSED 0x200000
#define X86_SYZOS_ADDR_IOAPIC 0xfec00000

// Address of a nested-VM sub-region for (vcpu, vm); both arguments are
// parenthesised so expressions can be passed.
#define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB)
#define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE)
#define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK)
#define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE)
#define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP)
#define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC)

// Segment selectors in the syzos GDT.
#define X86_SYZOS_SEL_CODE 0x8
#define X86_SYZOS_SEL_DATA 0x10
#define X86_SYZOS_SEL_TSS64 0x18

// CR0 bits.
#define X86_CR0_PE 1ULL
#define X86_CR0_MP (1ULL << 1)
#define X86_CR0_EM (1ULL << 2)
#define X86_CR0_TS (1ULL << 3)
#define X86_CR0_ET (1ULL << 4)
#define X86_CR0_NE (1ULL << 5)
#define X86_CR0_WP (1ULL << 16)
#define X86_CR0_AM (1ULL << 18)
#define X86_CR0_NW (1ULL << 29)
#define X86_CR0_CD (1ULL << 30)
#define X86_CR0_PG (1ULL << 31)

// CR4 bits.
#define X86_CR4_VME 1ULL
#define X86_CR4_PVI (1ULL << 1)
#define X86_CR4_TSD (1ULL << 2)
#define X86_CR4_DE (1ULL << 3)
#define X86_CR4_PSE (1ULL << 4)
#define X86_CR4_PAE (1ULL << 5)
#define X86_CR4_MCE (1ULL << 6)
#define X86_CR4_PGE (1ULL << 7)
#define X86_CR4_PCE (1ULL << 8)
// NOTE(review): same bit as X86_CR4_PCE. The architectural OSFXSR bit is
// CR4 bit 9; confirm whether this duplicate is intentional before relying on it.
#define X86_CR4_OSFXSR (1ULL << 8)
#define X86_CR4_OSXMMEXCPT (1ULL << 10)
#define X86_CR4_UMIP (1ULL << 11)
#define X86_CR4_VMXE (1ULL << 13)
#define X86_CR4_SMXE (1ULL << 14)
#define X86_CR4_FSGSBASE (1ULL << 16)
#define X86_CR4_PCIDE (1ULL << 17)
#define X86_CR4_OSXSAVE (1ULL << 18)
#define X86_CR4_SMEP (1ULL << 20)
#define X86_CR4_SMAP (1ULL << 21)
#define X86_CR4_PKE (1ULL << 22)

// EFER bits.
#define X86_EFER_SCE 1ULL
#define X86_EFER_LME (1ULL << 8)
#define X86_EFER_LMA (1ULL << 10)
#define X86_EFER_NXE (1ULL << 11)
#define X86_EFER_SVME (1ULL << 12)
#define X86_EFER_LMSLE (1ULL << 13)
#define X86_EFER_FFXSR (1ULL << 14)
#define X86_EFER_TCE (1ULL << 15)

// 32-bit page-directory entry bits.
#define X86_PDE32_PRESENT 1UL
#define X86_PDE32_RW (1UL << 1)
#define X86_PDE32_USER (1UL << 2)
#define X86_PDE32_PS (1UL << 7)

// 64-bit page-table entry bits. NOTE(review): PRESENT is a plain int while
// its siblings are ULL; harmless in | expressions but inconsistent.
#define X86_PDE64_PRESENT 1
#define X86_PDE64_RW (1ULL << 1)
#define X86_PDE64_USER (1ULL << 2)
#define X86_PDE64_ACCESSED (1ULL << 5)
#define X86_PDE64_DIRTY (1ULL << 6)
#define X86_PDE64_PS (1ULL << 7)
#define X86_PDE64_G (1ULL << 8)

// EPT entry bits.
#define EPT_MEMTYPE_WB (6ULL << 3)
#define EPT_ACCESSED (1ULL << 8)
#define EPT_DIRTY (1ULL << 9)

// Selectors for the legacy GDT: (index << 3), with RPL 3 added for the CPL3
// variants.
#define X86_SEL_LDT (1 << 3)
#define X86_SEL_CS16 (2 << 3)
#define X86_SEL_DS16 (3 << 3)
#define X86_SEL_CS16_CPL3 ((4 << 3) + 3)
#define X86_SEL_DS16_CPL3 ((5 << 3) + 3)
#define X86_SEL_CS32 (6 << 3)
#define X86_SEL_DS32 (7 << 3)
#define X86_SEL_CS32_CPL3 ((8 << 3) + 3)
#define X86_SEL_DS32_CPL3 ((9 << 3) + 3)
#define X86_SEL_CS64 (10 << 3)
#define X86_SEL_DS64 (11 << 3)
#define X86_SEL_CS64_CPL3 ((12 << 3) + 3)
#define X86_SEL_DS64_CPL3 ((13 << 3) + 3)
#define X86_SEL_CGATE16 (14 << 3)
#define X86_SEL_TGATE16 (15 << 3)
#define X86_SEL_CGATE32 (16 << 3)
/* GDT selectors: index << 3, plus RPL 3 for the CPL3 variants. */
#define X86_SEL_TGATE32 (17 << 3)
#define X86_SEL_CGATE64 (18 << 3)
#define X86_SEL_CGATE64_HI (19 << 3)
#define X86_SEL_TSS16 (20 << 3)
#define X86_SEL_TSS16_2 (21 << 3)
#define X86_SEL_TSS16_CPL3 ((22 << 3) + 3)
#define X86_SEL_TSS32 (23 << 3)
#define X86_SEL_TSS32_2 (24 << 3)
#define X86_SEL_TSS32_CPL3 ((25 << 3) + 3)
#define X86_SEL_TSS32_VM86 (26 << 3)
#define X86_SEL_TSS64 (27 << 3)
#define X86_SEL_TSS64_HI (28 << 3)
#define X86_SEL_TSS64_CPL3 ((29 << 3) + 3)
#define X86_SEL_TSS64_CPL3_HI (30 << 3)
/* MSR numbers used by the guest code (VMX capability/control MSRs, SVM host-save area, sysenter/syscall bases). */
#define X86_MSR_IA32_FEATURE_CONTROL 0x3a
#define X86_MSR_IA32_VMX_BASIC 0x480
#define X86_MSR_IA32_SMBASE 0x9e
#define X86_MSR_IA32_SYSENTER_CS 0x174
#define X86_MSR_IA32_SYSENTER_ESP 0x175
#define X86_MSR_IA32_SYSENTER_EIP 0x176
#define X86_MSR_IA32_CR_PAT 0x277
#define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f
#define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d
#define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e
#define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f
#define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490
#define X86_MSR_IA32_EFER 0xc0000080
#define X86_MSR_IA32_STAR 0xC0000081
#define X86_MSR_IA32_LSTAR 0xC0000082
#define X86_MSR_FS_BASE 0xc0000100
#define X86_MSR_GS_BASE 0xc0000101
#define X86_MSR_VM_HSAVE_PA 0xc0010117
#define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B
#define RFLAGS_1_BIT (1ULL << 1)
/* VMX execution/entry/exit control bits; the U suffix keeps the bit-31 shift out of signed-overflow territory. */
#define CPU_BASED_HLT_EXITING (1U << 7)
#define CPU_BASED_RDTSC_EXITING (1U << 12)
#define AR_TSS_AVAILABLE 0x0089
#define SVM_ATTR_LDTR_UNUSABLE 0x0000
#define VMX_AR_TSS_BUSY 0x008b
#define VMX_AR_TSS_AVAILABLE 0x0089
#define VMX_AR_LDTR_UNUSABLE 0x10000
#define VM_ENTRY_IA32E_MODE (1U << 9)
#define SECONDARY_EXEC_ENABLE_EPT (1U << 1)
#define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3)
#define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9)
#define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31)
/* Segment access-rights bits as laid out in the VMCS guest *_ACCESS_RIGHTS fields. */
#define VMX_ACCESS_RIGHTS_P (1 << 7)
#define VMX_ACCESS_RIGHTS_S (1 << 4)
#define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0)
#define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1)
#define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3)
#define VMX_ACCESS_RIGHTS_G (1 << 15)
#define VMX_ACCESS_RIGHTS_DB (1 << 14)
#define VMX_ACCESS_RIGHTS_L (1 << 13)
/* Ready-made access rights for flat 64-bit data/stack and long-mode code segments. */
#define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB)
#define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L)
/* VMCS field encodings: control fields, then host-state selectors. */
#define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000
#define VMCS_POSTED_INTR_NV 0x00000002
#define VMCS_MSR_BITMAP 0x00002004
#define VMCS_VMREAD_BITMAP 0x00002006
#define VMCS_VMWRITE_BITMAP 0x00002008
#define VMCS_EPT_POINTER 0x0000201a
#define VMCS_LINK_POINTER 0x00002800
#define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000
#define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002
#define VMCS_EXCEPTION_BITMAP 0x00004004
#define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006
#define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008
#define VMCS_CR3_TARGET_COUNT 0x0000400a
#define VMCS_VM_EXIT_CONTROLS 0x0000400c
#define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e
#define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010
#define VMCS_VM_ENTRY_CONTROLS 0x00004012
#define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014
#define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016
#define VMCS_TPR_THRESHOLD 0x0000401c
#define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e
#define VMCS_VM_INSTRUCTION_ERROR 0x00004400
#define VMCS_VM_EXIT_REASON 0x00004402
#define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e
#define VMCS_CR0_GUEST_HOST_MASK 0x00006000
#define VMCS_CR4_GUEST_HOST_MASK 0x00006002
#define VMCS_CR0_READ_SHADOW 0x00006004
#define VMCS_CR4_READ_SHADOW 0x00006006
#define VMCS_HOST_ES_SELECTOR 0x00000c00
#define VMCS_HOST_CS_SELECTOR 0x00000c02
#define VMCS_HOST_SS_SELECTOR 0x00000c04
#define VMCS_HOST_DS_SELECTOR 0x00000c06
#define VMCS_HOST_FS_SELECTOR 0x00000c08
#define VMCS_HOST_GS_SELECTOR 0x00000c0a
#define VMCS_HOST_TR_SELECTOR 0x00000c0c
/* VMCS host-state fields (loaded on VM exit). */
#define VMCS_HOST_IA32_PAT 0x00002c00
#define VMCS_HOST_IA32_EFER 0x00002c02
#define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04
#define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00
#define VMCS_HOST_CR0 0x00006c00
#define VMCS_HOST_CR3 0x00006c02
#define VMCS_HOST_CR4 0x00006c04
#define VMCS_HOST_FS_BASE 0x00006c06
#define VMCS_HOST_GS_BASE 0x00006c08
#define VMCS_HOST_TR_BASE 0x00006c0a
#define VMCS_HOST_GDTR_BASE 0x00006c0c
#define VMCS_HOST_IDTR_BASE 0x00006c0e
#define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10
#define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12
#define VMCS_HOST_RSP 0x00006c14
#define VMCS_HOST_RIP 0x00006c16
/* VMCS guest-state fields (loaded on VM entry, saved on VM exit). */
#define VMCS_GUEST_INTR_STATUS 0x00000810
#define VMCS_GUEST_PML_INDEX 0x00000812
#define VMCS_GUEST_IA32_DEBUGCTL 0x00002802
#define VMCS_GUEST_IA32_PAT 0x00002804
#define VMCS_GUEST_IA32_EFER 0x00002806
#define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808
#define VMCS_GUEST_ES_SELECTOR 0x00000800
#define VMCS_GUEST_CS_SELECTOR 0x00000802
#define VMCS_GUEST_SS_SELECTOR 0x00000804
#define VMCS_GUEST_DS_SELECTOR 0x00000806
#define VMCS_GUEST_FS_SELECTOR 0x00000808
#define VMCS_GUEST_GS_SELECTOR 0x0000080a
#define VMCS_GUEST_LDTR_SELECTOR 0x0000080c
#define VMCS_GUEST_TR_SELECTOR 0x0000080e
#define VMCS_GUEST_ES_LIMIT 0x00004800
#define VMCS_GUEST_CS_LIMIT 0x00004802
#define VMCS_GUEST_SS_LIMIT 0x00004804
#define VMCS_GUEST_DS_LIMIT 0x00004806
#define VMCS_GUEST_FS_LIMIT 0x00004808
#define VMCS_GUEST_GS_LIMIT 0x0000480a
#define VMCS_GUEST_LDTR_LIMIT 0x0000480c
#define VMCS_GUEST_TR_LIMIT 0x0000480e
#define VMCS_GUEST_GDTR_LIMIT 0x00004810
#define VMCS_GUEST_IDTR_LIMIT 0x00004812
#define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814
#define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816
#define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818
#define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a
#define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c
#define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e
#define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820
#define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822
#define VMCS_GUEST_ACTIVITY_STATE 0x00004824
#define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826
#define VMCS_GUEST_SYSENTER_CS 0x0000482a
#define VMCS_GUEST_CR0 0x00006800
#define VMCS_GUEST_CR3 0x00006802
#define VMCS_GUEST_CR4 0x00006804
#define VMCS_GUEST_ES_BASE 0x00006806
#define VMCS_GUEST_CS_BASE 0x00006808
#define VMCS_GUEST_SS_BASE 0x0000680a
#define VMCS_GUEST_DS_BASE 0x0000680c
#define VMCS_GUEST_FS_BASE 0x0000680e
#define VMCS_GUEST_GS_BASE 0x00006810
#define VMCS_GUEST_LDTR_BASE 0x00006812
#define VMCS_GUEST_TR_BASE 0x00006814
#define VMCS_GUEST_GDTR_BASE 0x00006816
#define VMCS_GUEST_IDTR_BASE 0x00006818
#define VMCS_GUEST_DR7 0x0000681a
#define VMCS_GUEST_RSP 0x0000681c
#define VMCS_GUEST_RIP 0x0000681e
#define VMCS_GUEST_RFLAGS 0x00006820
#define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822
#define VMCS_GUEST_SYSENTER_ESP 0x00006824
#define VMCS_GUEST_SYSENTER_EIP 0x00006826
/* AMD SVM: byte offsets into the VMCB control area (accessed through vmcb_read*/vmcb_write*). */
#define VMCB_CTRL_INTERCEPT_VEC3 0x0c
#define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff)
#define VMCB_CTRL_INTERCEPT_VEC4 0x10
#define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff)
#define VMCB_CTRL_ASID 0x058
#define VMCB_EXIT_CODE 0x070
#define VMCB_CTRL_NP_ENABLE 0x090
#define VMCB_CTRL_NPT_ENABLE_BIT 0
#define VMCB_CTRL_N_CR3 0x0b0
/* AMD SVM: byte offsets into the VMCB guest state-save area. */
#define VMCB_GUEST_ES_SEL 0x400
#define VMCB_GUEST_ES_ATTR 0x402
#define VMCB_GUEST_ES_LIM 0x404
#define VMCB_GUEST_ES_BASE 0x408
#define VMCB_GUEST_CS_SEL 0x410
#define VMCB_GUEST_CS_ATTR 0x412
#define VMCB_GUEST_CS_LIM 0x414
#define VMCB_GUEST_CS_BASE 0x418
#define VMCB_GUEST_SS_SEL 0x420
#define VMCB_GUEST_SS_ATTR 0x422
#define VMCB_GUEST_SS_LIM 0x424
#define VMCB_GUEST_SS_BASE 0x428
#define VMCB_GUEST_DS_SEL 0x430
#define VMCB_GUEST_DS_ATTR 0x432
#define VMCB_GUEST_DS_LIM 0x434
#define VMCB_GUEST_DS_BASE 0x438
#define VMCB_GUEST_FS_SEL 0x440
#define VMCB_GUEST_FS_ATTR 0x442
#define VMCB_GUEST_FS_LIM 0x444
#define VMCB_GUEST_FS_BASE 0x448
#define VMCB_GUEST_GS_SEL 0x450
#define VMCB_GUEST_GS_ATTR 0x452
#define VMCB_GUEST_GS_LIM 0x454
#define VMCB_GUEST_GS_BASE 0x458
#define VMCB_GUEST_IDTR_SEL 0x480
#define VMCB_GUEST_IDTR_ATTR 0x482
#define VMCB_GUEST_IDTR_LIM 0x484
#define VMCB_GUEST_IDTR_BASE 0x488
#define VMCB_GUEST_GDTR_SEL 0x460
#define VMCB_GUEST_GDTR_ATTR 0x462
#define VMCB_GUEST_GDTR_LIM 0x464
#define VMCB_GUEST_GDTR_BASE 0x468
#define VMCB_GUEST_LDTR_SEL 0x470
#define VMCB_GUEST_LDTR_ATTR 0x472
#define VMCB_GUEST_LDTR_LIM 0x474
#define VMCB_GUEST_LDTR_BASE 0x478
#define VMCB_GUEST_TR_SEL 0x490
#define VMCB_GUEST_TR_ATTR 0x492
#define VMCB_GUEST_TR_LIM 0x494
#define VMCB_GUEST_TR_BASE 0x498
#define VMCB_GUEST_EFER 0x4d0
#define VMCB_GUEST_CR4 0x548
#define VMCB_GUEST_CR3 0x550
#define VMCB_GUEST_CR0 0x558
#define VMCB_GUEST_DR7 0x560
#define VMCB_GUEST_DR6 0x568
#define VMCB_GUEST_RFLAGS 0x570
#define VMCB_GUEST_RIP 0x578
#define VMCB_GUEST_RSP 0x5d8
#define VMCB_GUEST_PAT 0x668
#define VMCB_GUEST_DEBUGCTL 0x670
/* AMD SVM: segment attribute bits in the VMCB's packed 16-bit attribute format. */
#define SVM_ATTR_G (1 << 15)
#define SVM_ATTR_DB (1 << 14)
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)
/* Guest memory layout constants. X86_NEXT_INSN is an assembler immediate (note the `$`), not a C expression. */
#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d
#define KVM_MAX_VCPU 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
/* Bit mask covering bits l..h inclusive (h < 64). */
#define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))
extern char* __start_guest;
/*
 * Translate the address of a function living in the "guest" section into the
 * address it has once that section is copied into the VM at
 * SYZOS_ADDR_EXECUTOR_CODE: guest_addr = fn - __start_guest + SYZOS_ADDR_EXECUTOR_CODE.
 * fn: address of a GUEST_CODE function. Returns the guest-side address.
 * The volatile locals are presumably there to keep the compiler from folding
 * the arithmetic into a link-time constant — confirm before simplifying.
 */
static inline uintptr_t executor_fn_guest_addr(void* fn) {
	volatile uintptr_t start = (uintptr_t)&__start_guest;
	volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
	return (uintptr_t)fn - start + offset;
}
/*
 * Command identifiers understood by guest_main. Every value at or above
 * SYZOS_API_STOP terminates command processing.
 */
typedef enum {
	SYZOS_API_UEXIT = 0,
	SYZOS_API_CODE = 10,
	SYZOS_API_CPUID = 100,
	SYZOS_API_WRMSR = 101,
	SYZOS_API_RDMSR = 102,
	SYZOS_API_WR_CRN = 103,
	SYZOS_API_WR_DRN = 104,
	SYZOS_API_IN_DX = 105,
	SYZOS_API_OUT_DX = 106,
	SYZOS_API_SET_IRQ_HANDLER = 200,
	SYZOS_API_ENABLE_NESTED = 300,
	SYZOS_API_NESTED_CREATE_VM = 301,
	SYZOS_API_NESTED_LOAD_CODE = 302,
	SYZOS_API_NESTED_VMLAUNCH = 303,
	SYZOS_API_NESTED_VMRESUME = 304,
	SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
	SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
	SYZOS_API_NESTED_AMD_INVLPGA = 381,
	SYZOS_API_NESTED_AMD_STGI = 382,
	SYZOS_API_NESTED_AMD_CLGI = 383,
	SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
	SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385,
	SYZOS_API_NESTED_AMD_VMLOAD = 386,
	SYZOS_API_NESTED_AMD_VMSAVE = 387,
	SYZOS_API_STOP,
} syzos_api_id;
/*
 * Wire format of the command stream: every command starts with this header.
 * call: a syzos_api_id; size: total byte length of the command including the header
 * (guest_main advances by exactly this many bytes).
 */
struct api_call_header {
	uint64_t call;
	uint64_t size;
};
struct api_call_uexit {
	struct api_call_header header;
	uint64_t exit_code;
};
/* Raw instruction bytes; their length is size - sizeof(header). */
struct api_call_code {
	struct api_call_header header;
	uint8_t insns[];
};
struct api_call_nested_load_code {
	struct api_call_header header;
	uint64_t vm_id;
	uint8_t insns[];
};
struct api_call_cpuid {
	struct api_call_header header;
	uint32_t eax;
	uint32_t ecx;
};
/* Generic N-argument commands; the meaning of args[] depends on the call id. */
struct api_call_1 {
	struct api_call_header header;
	uint64_t arg;
};
struct api_call_2 {
	struct api_call_header header;
	uint64_t args[2];
};
struct api_call_3 {
	struct api_call_header header;
	uint64_t args[3];
};
struct api_call_5 {
	struct api_call_header header;
	uint64_t args[5];
};
/*
 * General-purpose register snapshot handed to the nested exit handler.
 * NOTE(review): field order is rax first; the asm that builds it
 * (nested_vm_exit_handler_intel_asm) pushes rax first and r15 last, so the
 * in-memory order is reversed relative to these fields. Harmless while the
 * handler ignores `regs`, but confirm before reading fields through it.
 */
struct l2_guest_regs {
	uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp;
	uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
};
/* Forward declarations of the command handlers (all GUEST_CODE, i.e. copied into the VM). */
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_stgi();
GUEST_CODE static void guest_handle_nested_amd_clgi();
GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id);
/* Exit codes written to X86_SYZOS_ADDR_UEXIT by guest_uexit; negative values are reserved for the harness itself. */
typedef enum {
	UEXIT_END = (uint64_t)-1,
	UEXIT_IRQ = (uint64_t)-2,
	UEXIT_ASSERT = (uint64_t)-3,
} uexit_code;
typedef enum {
	CPU_VENDOR_INTEL,
	CPU_VENDOR_AMD,
} cpu_vendor_id;
/* Interrupt gate target that simply returns to the interrupted code. */
__attribute__((naked)) GUEST_CODE static void dummy_null_handler() {
	asm("iretq");
}
/*
 * Interrupt gate target that reports UEXIT_IRQ (-2) through guest_uexit.
 * Naked: no registers are saved around the call, so the interrupted context is
 * clobbered — acceptable only if the user exit ends the run; confirm.
 */
__attribute__((naked)) GUEST_CODE static void uexit_irq_handler() {
	asm volatile(R"(
	movq $-2, %rdi
	call guest_uexit
	iretq
)");
}
/*
 * Guest-side entry point. Walks the per-vCPU command buffer at
 * X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE, dispatches each command to
 * its handler, and finally reports UEXIT_END (-1).
 *
 * size: byte length of the command buffer. cpu: vCPU index (selects the page).
 * Processing stops early on a call id >= SYZOS_API_STOP or on a command whose
 * declared size exceeds the bytes remaining.
 * NOTE(review): a cmd->size smaller than sizeof(struct api_call_header) — in
 * particular 0 — is not rejected, so addr/size do not advance and the same
 * command is dispatched again indefinitely; presumably the host bounds run time.
 * The dispatch is an if-chain over a volatile copy of the call id rather than a
 * switch — presumably to keep the compiler from emitting a jump table into a
 * host-only data section; confirm before restructuring.
 */
__attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu) {
	uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;
	while (size >= sizeof(struct api_call_header)) {
		struct api_call_header* cmd = (struct api_call_header*)addr;
		if (cmd->call >= SYZOS_API_STOP)
			return;
		if (cmd->size > size)
			return;
		volatile uint64_t call = cmd->call;
		if (call == SYZOS_API_UEXIT) {
			struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
			guest_uexit(ucmd->exit_code);
		} else if (call == SYZOS_API_CODE) {
			struct api_call_code* ccmd = (struct api_call_code*)cmd;
			guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
		} else if (call == SYZOS_API_CPUID) {
			struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
			guest_handle_cpuid(ccmd->eax, ccmd->ecx);
		} else if (call == SYZOS_API_WRMSR) {
			struct api_call_2* ccmd = (struct api_call_2*)cmd;
			guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]);
		} else if (call == SYZOS_API_RDMSR) {
			struct api_call_1* ccmd = (struct api_call_1*)cmd;
			guest_handle_rdmsr(ccmd->arg);
		} else if (call == SYZOS_API_WR_CRN) {
			guest_handle_wr_crn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_WR_DRN) {
			guest_handle_wr_drn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_IN_DX) {
			guest_handle_in_dx((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_OUT_DX) {
			guest_handle_out_dx((struct api_call_3*)cmd);
		} else if (call == SYZOS_API_SET_IRQ_HANDLER) {
			guest_handle_set_irq_handler((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_ENABLE_NESTED) {
			guest_handle_enable_nested((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_CREATE_VM) {
			guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_LOAD_CODE) {
			guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMLAUNCH) {
			guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMRESUME) {
			guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) {
			guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) {
			guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_INVLPGA) {
			guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_STGI) {
			guest_handle_nested_amd_stgi();
		} else if (call == SYZOS_API_NESTED_AMD_CLGI) {
			guest_handle_nested_amd_clgi();
		} else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) {
			guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) {
			guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMLOAD) {
			guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMSAVE) {
			guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu);
		}
		// Advance by the command's own declared size (already bounded by `size` above).
		addr += cmd->size;
		size -= cmd->size;
	};
	guest_uexit((uint64_t)-1);
}
/*
 * Jump to the raw instruction bytes of a SYZOS_API_CODE command.
 * insns: in-guest address of the bytes; size: their length (unused — nothing
 * here bounds or terminates execution, the bytes are expected to return on their own).
 */
GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) {
	volatile void (*fn)() = (volatile void (*)())insns;
	fn();
}
/*
 * Report a user exit to the host by storing exit_code at X86_SYZOS_ADDR_UEXIT;
 * the store itself is what the host presumably traps on (no hlt/vmcall here — confirm).
 */
__attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) {
	volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT;
	*ptr = exit_code;
}
/*
 * Execute cpuid with the given leaf/subleaf; the results are discarded.
 * NOTE(review): cpuid also overwrites eax and ecx, which are declared as
 * inputs only. Harmless here because neither is read afterwards, but
 * "+a"/"+c" would state the real contract.
 */
GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) {
	asm volatile(
		"cpuid\n"
		:
		: "a"(eax), "c"(ecx)
		: "rbx", "rdx");
}
/* Write the 64-bit val to MSR reg (edx:eax split as wrmsr requires). */
GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) {
	asm volatile(
		"wrmsr"
		:
		: "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32))
		: "memory");
}
GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) {
	wrmsr(reg, val);
}
/* Read MSR msr_id and reassemble edx:eax into a 64-bit value. */
GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) {
	uint32_t low = 0, high = 0;
	asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id));
	return ((uint64_t)high << 32) | low;
}
/* Read the MSR for its side effects only (value discarded). */
GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) {
	(void)rdmsr(reg);
}
/*
 * Write args[1] into control register args[0] (cr0/cr2/cr3/cr4/cr8 only;
 * any other index is silently ignored). The volatile copy of the index
 * presumably prevents the if-chain from being turned into a table — confirm.
 */
GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) {
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%cr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%cr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%cr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%cr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 8) {
		asm volatile("movq %0, %%cr8" ::"r"(value) : "memory");
		return;
	}
}
/* Write args[1] into debug register args[0] (dr0..dr7; other indices are ignored). */
GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) {
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%dr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 1) {
		asm volatile("movq %0, %%dr1" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%dr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%dr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%dr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 5) {
		asm volatile("movq %0, %%dr5" ::"r"(value) : "memory");
		return;
	}
	if (reg == 6) {
		asm volatile("movq %0, %%dr6" ::"r"(value) : "memory");
		return;
	}
	if (reg == 7) {
		asm volatile("movq %0, %%dr7" ::"r"(value) : "memory");
		return;
	}
}
/*
 * Port input: read args[1] bytes (1, 2 or 4) from I/O port args[0]; the value is
 * discarded and any other width is a no-op. Note the port is truncated to 16 bits
 * and the width to int.
 */
GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) {
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	if (size == 1) {
		uint8_t unused;
		asm volatile("inb %1, %0" : "=a"(unused) : "d"(port));
		return;
	}
	if (size == 2) {
		uint16_t unused;
		asm volatile("inw %1, %0" : "=a"(unused) : "d"(port));
		return;
	}
	if (size == 4) {
		uint32_t unused;
		asm volatile("inl %1, %0" : "=a"(unused) : "d"(port));
	}
	return;
}
/* Port output: write the low args[1] bytes (1, 2 or 4) of args[2] to I/O port args[0]. */
GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) {
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	uint32_t data = (uint32_t)cmd->args[2];
	if (size == 1) {
		asm volatile("outb %b0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 2) {
		asm volatile("outw %w0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 4) {
		asm volatile("outl %k0, %w1" ::"a"(data), "d"(port));
		return;
	}
}
/* 64-bit IDT gate descriptor (16 bytes, hardware layout, hence packed). */
struct idt_entry_64 {
	uint16_t offset_low;
	uint16_t selector;
	uint8_t ist;
	uint8_t type_attr;
	uint16_t offset_mid;
	uint32_t offset_high;
	uint32_t reserved;
} __attribute__((packed));
/*
 * Install handler as a present, DPL-0, 64-bit interrupt gate (type_attr 0x8E)
 * for `vector` in the IDT at X86_SYZOS_ADDR_VAR_IDT, using the kernel code selector.
 * handler is a guest-side address (see executor_fn_guest_addr). No bounds issue:
 * vector is 8-bit and the table holds 256 entries.
 */
GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) {
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
	volatile struct idt_entry_64* idt_entry = &idt[vector];
	idt_entry->offset_low = (uint16_t)handler;
	idt_entry->offset_mid = (uint16_t)(handler >> 16);
	idt_entry->offset_high = (uint32_t)(handler >> 32);
	idt_entry->selector = X86_SYZOS_SEL_CODE;
	idt_entry->type_attr = 0x8E;
	idt_entry->ist = 0;
	idt_entry->reserved = 0;
}
/*
 * Point IDT vector args[0] at one of the built-in handlers: type 1 = return
 * silently, type 2 = report UEXIT_IRQ. Any other type installs a present gate
 * whose target is address 0, so a later interrupt on that vector jumps to 0 —
 * presumably an accepted outcome for a fuzzing harness; confirm.
 */
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) {
	uint8_t vector = (uint8_t)cmd->args[0];
	uint64_t type = cmd->args[1];
	volatile uint64_t handler_addr = 0;
	if (type == 1)
		handler_addr = executor_fn_guest_addr(dummy_null_handler);
	else if (type == 2)
		handler_addr = executor_fn_guest_addr(uexit_irq_handler);
	set_idt_gate(vector, handler_addr);
}
/*
 * Identify the CPU vendor from cpuid leaf 0: ebx holds the first four bytes of
 * the vendor string ("Genu" = 0x756e6547, "Auth" = 0x68747541). Any other
 * vendor raises UEXIT_ASSERT and then falls back to Intel.
 */
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) {
	uint32_t ebx, eax = 0;
	asm volatile(
		"cpuid"
		: "+a"(eax), "=b"(ebx)
		:
		: "ecx", "edx");
	if (ebx == 0x756e6547) {
		return CPU_VENDOR_INTEL;
	} else if (ebx == 0x68747541) {
		return CPU_VENDOR_AMD;
	} else {
		guest_uexit(UEXIT_ASSERT);
		return CPU_VENDOR_INTEL;
	}
}
/* Control-register accessors. */
GUEST_CODE static inline uint64_t read_cr0(void) {
	uint64_t val;
	asm volatile("mov %%cr0, %0" : "=r"(val));
	return val;
}
GUEST_CODE static inline uint64_t read_cr3(void) {
	uint64_t val;
	asm volatile("mov %%cr3, %0" : "=r"(val));
	return val;
}
GUEST_CODE static inline uint64_t read_cr4(void) {
	uint64_t val;
	asm volatile("mov %%cr4, %0" : "=r"(val));
	return val;
}
GUEST_CODE static inline void write_cr4(uint64_t val) {
	asm volatile("mov %0, %%cr4" : : "r"(val));
}
/*
 * VMX: write `value` to VMCS field `field` of the current VMCS.
 * setna fires on CF or ZF, i.e. on both VMfailInvalid and VMfailValid; a
 * failed write is reported as UEXIT_ASSERT.
 */
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) {
	uint8_t error = 0;
	asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory");
	if (error)
		guest_uexit(UEXIT_ASSERT);
}
/*
 * VMX: read VMCS field `field`. Unlike vmwrite there is no VMfail check, so on
 * failure the returned value is whatever rax held (not initialised here).
 */
GUEST_CODE static noinline uint64_t vmread(uint64_t field) {
	uint64_t value;
	asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc");
	return value;
}
/*
 * VMX: make the VMCS of (cpu_id, vm_id) current. vmptrld takes the VMCS
 * physical address from memory; the guest address is used directly, which
 * presumes identity mapping. Failure reports exit code 0xE2BAD2.
 */
GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) {
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc");
	if (error)
		guest_uexit(0xE2BAD2);
}
/*
 * SVM: typed accessors into a VMCB at offset `offset`. Note the interface is
 * inconsistent: the writers and vmcb_read32 take the VMCB as an integer
 * address while vmcb_read64 takes a volatile uint8_t*; callers cast accordingly.
 */
GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) {
	*((volatile uint16_t*)(vmcb + offset)) = val;
}
GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) {
	*((volatile uint32_t*)(vmcb + offset)) = val;
}
GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) {
	return *((volatile uint32_t*)(vmcb + offset));
}
GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) {
	*((volatile uint64_t*)(vmcb + offset)) = val;
}
GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) {
	return *((volatile uint64_t*)(vmcb + offset));
}
/*
 * Byte-wise memset/memcpy for guest use. Hand-rolled with volatile stores,
 * presumably so the compiler cannot replace the loop with a call to libc,
 * which is not present in the guest; confirm before replacing.
 * size is an int; negative sizes simply do nothing.
 */
GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) {
	volatile uint8_t* p = (volatile uint8_t*)s;
	for (int i = 0; i < size; i++)
		p[i] = c;
}
GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) {
	volatile uint8_t* d = (volatile uint8_t*)dst;
	volatile uint8_t* s = (volatile uint8_t*)src;
	for (int i = 0; i < size; i++)
		d[i] = s[i];
}
GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_pdpt_addr = l2_pml4_addr + KVM_PAGE_SIZE; uint64_t l2_pd_addr = l2_pml4_addr + 2 * KVM_PAGE_SIZE; uint64_t l2_pt_addr = l2_pml4_addr + 3 * KVM_PAGE_SIZE; volatile uint64_t* pml4 = (volatile uint64_t*)l2_pml4_addr; volatile uint64_t* pdpt = (volatile uint64_t*)l2_pdpt_addr; volatile uint64_t* pd = (volatile uint64_t*)l2_pd_addr; volatile uint64_t* pt = (volatile uint64_t*)l2_pt_addr; guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pdpt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pd_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id), 0, KVM_PAGE_SIZE); uint64_t 
flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; pml4[0] = l2_pdpt_addr | flags; pdpt[0] = l2_pd_addr | flags; pd[0] = l2_pt_addr | flags; uint64_t pt_flags = flags; if (vendor == CPU_VENDOR_INTEL) { pt_flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { pt_flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } for (int i = 0; i < 512; i++) pt[i] = (i * KVM_PAGE_SIZE) | pt_flags; } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); 
vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { uint64_t basic_reason = exit_reason & 0xFFFF; syz_nested_exit_reason mapped_reason = 
map_intel_exit_reason(basic_reason); // tail of nested_vm_exit_handler_intel(), opened on the previous line
guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
advance_l2_rip_intel(basic_reason);
}

// Resume point inside guest_handle_nested_vmentry_intel(): a code label
// emitted there with ".globl after_vmentry_label". It is declared as a char
// object only so C code can name it; never read or write it.
extern char after_vmentry_label;

/*
 * VMCS host RIP — the first code to run after every L2 VM exit.
 *
 * What the stub does: push rax..r15 (15 registers, rsp excluded) so rsp then
 * points at a struct l2_guest_regs (assumed to mirror the push order — confirm),
 * pass that pointer as the 2nd argument (rsi), VMREAD the exit reason into
 * the 1st argument (rdi), call nested_vm_exit_handler_intel(), then drop the
 * pushed registers with an "add" (they are discarded, not restored) and jump
 * to after_vmentry_label. rsp on arrival is whatever init_vmcs_host_state()
 * stored in VMCS_HOST_RSP, and the remaining GPRs are the values L2 left
 * behind; the post-label code in guest_handle_nested_vmentry_intel() must
 * tolerate that.
 * NOTE(review): the raw-string assembly appears whitespace-collapsed in this
 * copy of the file; each instruction must be on its own line in the real
 * source.
 */
__attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void)
{
	asm volatile(R"( push %%rax push %%rbx push %%rcx push %%rdx push %%rsi push %%rdi push %%rbp push %%r8 push %%r9 push %%r10 push %%r11 push %%r12 push %%r13 push %%r14 push %%r15 mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[stack_cleanup_size], %%rsp jmp after_vmentry_label )"
		     :
		     : [stack_cleanup_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON)
		     : "memory", "cc", "rbx", "rdi", "rsi");
}

// AMD SVM #VMEXIT codes (APM vol. 2) handled below.
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_RDTSCP 0x87

// AMD counterpart of map_intel_exit_reason(); same volatile rationale.
GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	if (reason == VMEXIT_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == VMEXIT_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == VMEXIT_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == VMEXIT_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == VMEXIT_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

/*
 * AMD counterpart of advance_l2_rip_intel(): the L2 RIP lives in the VMCB
 * at VMCB_GUEST_RIP instead of a VMCS field. Same instruction lengths; HLT
 * is not skipped.
 */
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t reason = basic_reason;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
	if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
		rip += 2;
	} else if (reason == VMEXIT_RDTSCP) {
		rip += 3;
	}
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

/*
 * AMD L2 exit handler, called from guest_run_amd_vm() after VMRUN returns.
 * exit_reason is the raw VMCB EXITCODE; only its low 16 bits are mapped.
 */
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t
basic_reason = exit_reason & 0xFFFF; // tail of nested_vm_exit_handler_amd(), opened on the previous line
syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
advance_l2_rip_amd(basic_reason, cpu_id, vm_id);
}

/*
 * Fill the VMCS host-state area with L1's own state so that an L2 exit
 * lands back in this guest OS: the syzos code/data/TSS selectors, the
 * syzos GDT and IDT, FS/GS bases from the MSRs, the current CR0/CR3/CR4,
 * and PAT/EFER/PERF_GLOBAL_CTRL/SYSENTER copied from the live MSRs.
 *
 * VMCS_HOST_RIP is the naked asm exit stub; VMCS_HOST_RSP is this function's
 * own rsp at the time of the capture. Because the exit stub ends by jumping
 * into guest_handle_nested_vmentry_intel() rather than returning here, the
 * resumed code runs on whatever frame that rsp happens to denote — fragile,
 * and worth knowing when debugging post-exit crashes.
 * VMCS_HOST_TR_BASE is 0, matching the base-0 TSS descriptor written by
 * setup_gdt_64().
 */
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
	vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
	vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
	vmwrite(VMCS_HOST_TR_BASE, 0);
	vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
	vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
	vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
	vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
	uint64_t tmpreg = 0;
	asm volatile("mov %%rsp, %0" : "=r"(tmpreg)); // capture the current stack pointer
	vmwrite(VMCS_HOST_RSP, tmpreg);
	vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
	vmwrite(VMCS_HOST_CR0, read_cr0());
	vmwrite(VMCS_HOST_CR3, read_cr3());
	vmwrite(VMCS_HOST_CR4, read_cr4());
	vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
	vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
	vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
	vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
	vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
	vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

// Mirror one VMCS field (typically host -> guest).
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))
// Write selector/base/limit/access-rights of guest segment SEG. Expands to
// four statements and supplies its own trailing ';' (not do{}while(0)), so
// it must only ever be used as a bare statement, as below.
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

/*
 * Fill the VMCS guest-state area for a fresh L2: segments mirror L1's
 * (read back from the host fields just written), control registers are
 * copied from L1 so L2 runs on L1's page tables, and RIP/RSP point at the
 * per-VM code page and the top of the per-VM stack page. The body continues
 * on the following lines.
 */
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t
l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); // body of init_vmcs_guest_state(), opened on the previous line
uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
// Flat 4 GiB code/data segments using L1's selectors; FS/GS keep L1's bases.
SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
// TR: limit 0x67 = 104-byte 64-bit TSS; the guest TR must be "busy".
SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
// L2 inherits L1's CR0/CR3/CR4: same paging mode and, notably, the same
// page tables — L2 sees L1's memory through the identity EPT map.
vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
vmwrite(VMCS_GUEST_RIP, l2_code_addr);
vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); // top of the stack page, one slot down
vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); // only the always-1 reserved bit
vmwrite(VMCS_GUEST_DR7, 0x400); // reserved-1 bit 10, no breakpoints
COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
// Same GDT/IDT as L1, but with the maximum limit rather than L1's real one.
vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); // all-ones: no shadow VMCS
vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); // active
vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); // tail of init_vmcs_guest_state(), opened two lines up
vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
vmwrite(VMCS_GUEST_INTR_STATUS, 0);
vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

/*
 * Intel path of "create nested VM": initialise the per-(cpu, vm) VMCS page.
 *
 * The VMCS revision identifier (low 32 bits of IA32_VMX_BASIC) is written
 * to the start of the page, the region is VMCLEARed, then made current with
 * VMPTRLD and the EPT tables, controls, host state and guest state are
 * filled in. "setna" captures CF|ZF after VMCLEAR, i.e. both VMfailInvalid
 * and VMfailValid; on failure the host is told with 0xE2BAD1 and setup
 * stops. The "m" operand is the variable holding the physical address,
 * which is what VMCLEAR's memory operand expects.
 */
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	*(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
	asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc");
	if (error) {
		guest_uexit(0xE2BAD1);
		return;
	}
	nested_vmptrld(cpu_id, vm_id);
	setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id);
	init_vmcs_control_fields(cpu_id, vm_id);
	init_vmcs_host_state();
	init_vmcs_guest_state(cpu_id, vm_id);
}

// VMCB counterpart of SETUP_L2_SEGMENT: selector (16-bit), attributes
// (16-bit), limit (32-bit) and base (64-bit) of guest segment SEG_NAME.
// Same caveat — four statements, own trailing ';', bare-statement use only.
// (The first parameter is spelled VMBC_PTR in the original; it is the VMCB
// address.)
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

/*
 * Fill the VMCB (guest save area + control area) for a fresh AMD L2.
 * Segments use the syzos selectors directly with flat 4 GiB limits;
 * the rest of the body continues on the following line.
 */
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
// NOTE(review): TR uses a VMX_AR_* constant while every other segment here
// uses SVM_ATTR_*; confirm its value matches the 16-bit VMCB attribute
// encoding. (Body of init_vmcb_guest_state(), opened on the previous line.)
SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, VMX_AR_TSS_AVAILABLE);
SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
// L2 runs on L1's page tables (CR3 copied) with write-protect forced on.
vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
vmcb_write64(vmcb_addr, VMCB_GUEST_DEBUGCTL, 0);
vmcb_write64(vmcb_addr, VMCB_GUEST_DR6, 0x0);
vmcb_write64(vmcb_addr, VMCB_GUEST_DR7, 0x0);
// L1's EFER minus SCE: SYSCALL/SYSRET are unavailable inside L2.
vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, efer & ~X86_EFER_SCE);
vmcb_write64(vmcb_addr, VMCB_GUEST_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
// Copy L1's live GDTR/IDTR (SGDT/SIDT store a 2-byte limit + 8-byte base).
struct {
	uint16_t limit;
	uint64_t base;
} __attribute__((packed)) gdtr, idtr;
asm volatile("sgdt %0" : "=m"(gdtr));
asm volatile("sidt %0" : "=m"(idtr));
vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
// Control area: intercept everything in vectors 3 and 4, enable nested
// paging with the per-VM NPT PML4, ASID 1 (a guest ASID must be non-zero).
vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

/*
 * AMD path of "create nested VM": zero the VMCB page and the per-CPU
 * arch-specific page, build the NPT identity map, then fill the VMCB.
 * The body continues on the following line.
 */
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
	setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id,
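vm_id); // tail of nested_create_vm_amd(), opened on the previous line
init_vmcb_guest_state(cpu_id, vm_id);
}

// Create the per-(cpu, vm) nested VM using the vendor-specific setup path.
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_create_vm_intel(cmd, cpu_id);
	} else {
		nested_create_vm_amd(cmd, cpu_id);
	}
}

/*
 * Copy the L2 payload carried in cmd->insns into the VM's code page and
 * point the L2 RIP/RSP at the start of that page / the top of its stack.
 *
 * The payload length is cmd->header.size minus the fixed prefix (the api
 * call header plus the 64-bit vm_id). The prefix is now checked before the
 * subtraction: a header.size smaller than the prefix previously wrapped the
 * unsigned subtraction, and the page-size clamp then turned that into a
 * full-page guest_memcpy() from past the end of the command. Such a
 * command now copies nothing. The copy is still capped at KVM_PAGE_SIZE
 * (presumably the size of the VM code region — confirm).
 */
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->vm_id;
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	uint64_t l2_prefix_size = sizeof(struct api_call_header) + sizeof(uint64_t);
	uint64_t l2_code_size = 0;
	if (cmd->header.size > l2_prefix_size)
		l2_code_size = cmd->header.size - l2_prefix_size;
	if (l2_code_size > KVM_PAGE_SIZE)
		l2_code_size = KVM_PAGE_SIZE;
	guest_memcpy((void*)l2_code_addr, (void*)cmd->insns, l2_code_size);
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		// vmwrite acts on the current VMCS, so make this VM's current first.
		nested_vmptrld(cpu_id, vm_id);
		vmwrite(VMCS_GUEST_RIP, l2_code_addr);
		vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	} else {
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, l2_code_addr);
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	}
}

/*
 * Enter L2 with VMLAUNCH (is_launch) or VMRESUME.
 *
 * On VMfail the instruction falls through with CF (VMfailInvalid) or ZF
 * (VMfailValid) set; both are folded into fail_flag and the VM-instruction
 * error is reported as 0xE2E1_xxxx. On success control does not return here
 * directly: the L2 exit lands in nested_vm_exit_handler_intel_asm() (the
 * VMCS host RIP), which jumps to after_vmentry_label below with rsp as
 * captured by init_vmcs_host_state() and the other GPRs as L2 left them.
 * __optnone keeps fail_flag in memory (still 0 from its initialiser), so the
 * check after the label takes the "no failure" path on that route; this
 * relies on L2 leaving rbp and this function's stack slots intact.
 * NOTE(review): the raw-string asm appears whitespace-collapsed in this copy
 * of the file; each instruction must be on its own line in the real source.
 */
GUEST_CODE static noinline __optnone void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch)
{
	uint64_t vmx_error_code = 0;
	uint8_t fail_flag = 0;
	nested_vmptrld(cpu_id, vm_id);
	if (is_launch) {
		asm volatile(R"( vmlaunch setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory");
	} else {
		asm volatile(R"( vmresume setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory");
	}
	// Landing point for the exit stub's final "jmp after_vmentry_label".
	asm volatile(".globl after_vmentry_label\nafter_vmentry_label:");
	if (fail_flag) {
		vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
		guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
		return;
	}
}

/*
 * AMD entry: VMRUN the per-(cpu, vm) VMCB and hand the resulting EXITCODE
 * to nested_vm_exit_handler_amd(). The body continues on the following line.
 */
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	volatile uint8_t* vmcb_ptr =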
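(volatile uint8_t*)vmcb_addr; // tail of guest_run_amd_vm(), opened on the previous line
uint8_t fail_flag = 0;
/*
 * Run L2 until its next #VMEXIT. VMRUN saves/restores only RAX, RSP and RIP
 * (plus segment and control state) through the host save area; every other
 * GPR holds whatever L2 left in it when execution resumes here. The original
 * clobber list named only "rax", so the compiler was free to keep cpu_id,
 * vm_id or vmcb_ptr in a register that the fuzzer-supplied L2 code could
 * change. All allocatable GPRs are now declared clobbered. fail_flag became
 * an "=m" output because with rax/rbx/rcx/rdx clobbered no byte register is
 * left for "=q"; setc accepts an r/m8 destination. rbp cannot be named in a
 * clobber list and is still unprotected.
 * NOTE(review): VMRUN reports an illegal VMCB through EXITCODE
 * (VMEXIT_INVALID) rather than a flag — confirm CF after VMRUN is a
 * meaningful failure signal; the EXITCODE read below is the reliable one.
 */
asm volatile(
    "mov %1, %%rax\n\t"
    "vmrun\n\t"
    "setc %0\n\t"
    : "=m"(fail_flag)
    : "m"(vmcb_addr)
    : "rax", "rbx", "rcx", "rdx", "rsi", "rdi",
      "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
      "cc", "memory");
if (fail_flag) {
	guest_uexit(0xE2E10000 | 0xFFFF); // entry failure; SVM has no VMX-style error number
	return;
}
uint64_t exit_reason = vmcb_read64(vmcb_ptr, VMCB_EXIT_CODE);
nested_vm_exit_handler_amd(exit_reason, cpu_id, vm_id);
}

// "vmlaunch" request: first entry into the VM (AMD has no launch/resume split).
GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		guest_handle_nested_vmentry_intel(vm_id, cpu_id, true);
	} else {
		guest_run_amd_vm(cpu_id, vm_id);
	}
}

// "vmresume" request: re-enter a VM that has exited before.
GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		guest_handle_nested_vmentry_intel(vm_id, cpu_id, false);
	} else {
		guest_run_amd_vm(cpu_id, vm_id);
	}
}

/*
 * Read-modify-write of an arbitrary VMCS field, Intel only.
 * args: [0] vm_id, [1] field encoding, [2] bits to set, [3] bits to clear,
 * [4] bits to flip; applied as ((cur & ~clear) | set) ^ flip.
 * The field encoding comes straight from the command; what an invalid
 * encoding does depends on the vmread/vmwrite helpers (not visible here).
 */
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_INTEL)
		return;
	uint64_t vm_id = cmd->args[0];
	nested_vmptrld(cpu_id, vm_id);
	uint64_t field = cmd->args[1];
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t current_value = vmread(field);
	uint64_t new_value = (current_value & ~unset_mask) | set_mask;
	new_value ^= flip_mask;
	vmwrite(field, new_value);
}

/*
 * AMD counterpart of the above: read-modify-write of a 64-bit VMCB word.
 * args: [0] vm_id, [1] byte offset into the VMCB, [2] set, [3] clear,
 * [4] flip. The offset is not bounded to the VMCB page here.
 * The body continues on the following line.
 */
GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t offset = cmd->args[1];
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset);
	uint64_t new_value = (current_value & ~unset_mask) | set_mask;
	new_value ^= flip_mask;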
vmcb_write64(vmcb_addr, offset, new_value); // tail of guest_handle_nested_amd_vmcb_write_mask(), opened on the previous line
}

/*
 * Execute INVLPGA (invalidate one TLB entry for a given ASID), AMD only.
 * args: [0] linear address (rax), [1] ASID (ecx). cpu_id is unused.
 */
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t linear_addr = cmd->args[0];
	uint32_t asid = (uint32_t)cmd->args[1];
	asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

// Set the global interrupt flag (STGI), AMD only. Note: "()" is an
// old-style unprototyped declarator in C; "(void)" would be the idiom.
GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("stgi" ::: "memory");
}

// Clear the global interrupt flag (CLGI), AMD only; same "()" remark.
GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("clgi" ::: "memory");
}

/*
 * Queue an event for injection into L2 on its next VMRUN, AMD only.
 * args: [0] vm_id, [1] vector (8 bits), [2] type (3 bits), [3] error code
 * (32 bits), [4] flags: bit 1 -> set bit 11 of the word, bit 0 -> set bit 31.
 * The word is assembled as vector | type<<8 | [bit 11] | [bit 31] |
 * error_code<<32.
 * NOTE(review): 0x60 is a bare offset where the rest of this file uses
 * named VMCB_* constants; confirm it is the VMCB field this event-injection
 * encoding is meant for.
 */
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t vector = cmd->args[1] & 0xFF;
	uint64_t type = cmd->args[2] & 0x7;
	uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
	uint64_t flags = cmd->args[4];
	uint64_t event_inj = vector;
	event_inj |= (type << 8);
	if (flags & 2)
		event_inj |= (1ULL << 11);
	if (flags & 1)
		event_inj |= (1ULL << 31);
	event_inj |= (error_code << 32);
	vmcb_write64(vmcb_addr, 0x60, event_inj);
}

/*
 * Set (action == 1) or clear (any other action) bits in a 32-bit VMCB word,
 * AMD only — intended for the intercept vectors.
 * args: [0] vm_id, [1] byte offset (truncated to 16 bits), [2] bit mask
 * (truncated to 32 bits), [3] action. The offset is not bounded to the
 * VMCB page.
 */
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t offset = cmd->args[1];
	uint64_t bit_mask = cmd->args[2];
	uint64_t action = cmd->args[3];
	uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset);
	if (action == 1)
		current |= (uint32_t)bit_mask;
	else
		current &= ~((uint32_t)bit_mask);
	vmcb_write32(vmcb_addr, (uint16_t)offset, current);
}

/*
 * VMLOAD from the per-(cpu, vm) VMCB (loads the FS/GS/TR/LDTR/KernelGsBase/
 * STAR/LSTAR/CSTAR/SFMASK/SYSENTER state that VMRUN does not), AMD only.
 * The body continues on the following line.
 */
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id =
cmd->arg; // tail of guest_handle_nested_amd_vmload(), opened on the previous line
uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); // rax = VMCB physical address
}

// VMSAVE into the per-(cpu, vm) VMCB (the inverse of vmload), AMD only.
GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory");
}

/*
 * Pre-assembled x86 machine-code snippets for the legacy (non-syzos) KVM
 * vCPU setup path — presumably selected by the caller according to the mode
 * it wants the vCPU in (16-bit CPL3, 32-bit paged, vm86, long mode, ...).
 * The bytes are reproduced verbatim and are not re-derived here.
 */
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb";
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
// The initialiser of this blob spans the following lines.
const char kvm_asm64_init_vm[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
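fsh; // tail of struct tss32, opened on the previous line
uint16_t gs, gsh;
uint16_t ldt, ldth;
uint16_t trace;
uint16_t io_bitmap;
} __attribute__((packed));

// 64-bit TSS (104 bytes): three privilege-level stack pointers, seven IST
// pointers and the I/O-bitmap base offset.
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint16_t reserved3;
	uint16_t io_bitmap;
} __attribute__((packed));

/*
 * Encode `seg` as an 8-byte legacy segment descriptor and store it at the
 * selector's index in both `dt` and `lt`.
 *
 * Descriptor layout (Intel SDM vol. 3, "Segment Descriptors"):
 *   bits  0-15 limit 15:0     bits 16-39 base 23:0    bits 40-43 type
 *   bit  44    S              bits 45-46 DPL          bit  47    P
 *   bits 48-51 limit 19:16    bit  52    AVL          bit  53    L
 *   bit  54    D/B            bit  55    G            bits 56-63 base 31:24
 *
 * Fix: limit 19:16 and base 31:24 were shifted left by 48 and 56 — their
 * destination bit positions — instead of by the distance from where they
 * sit in the source value (bits 16 and 24). Both shifts pushed the bits past
 * bit 63 and silently dropped them, so any limit above 0xffff (or above
 * 0xffff pages with G=1) and any base at or above 16 MiB was truncated. The
 * correct shift for both fields is 32.
 *
 * Callers that use this for IDT gates pass the target selector in `base`
 * and the handler offset in `limit`; with the corrected shifts the offset's
 * bits 19:16 land in descriptor bits 48-51, the start of a gate's
 * offset 31:16 field. Offset bits above 19 are still not encoded.
 */
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	// With the granularity bit set, the 20-bit limit is in 4 KiB units.
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) |
		      (seg->base & 0xffffff) << 16 |
		      (uint64_t)seg->type << 40 |
		      (uint64_t)seg->s << 44 |
		      (uint64_t)seg->dpl << 45 |
		      (uint64_t)seg->present << 47 |
		      (limit & 0xf0000ULL) << 32 |
		      (uint64_t)seg->avl << 52 |
		      (uint64_t)seg->l << 53 |
		      (uint64_t)seg->db << 54 |
		      (uint64_t)seg->g << 55 |
		      (seg->base & 0xff000000ULL) << 32;
	dt[index] = sd;
	lt[index] = sd;
}

// 16-byte (long-mode) descriptor: the legacy 8 bytes from
// fill_segment_descriptor() followed by a zeroed upper qword (base/offset
// 63:32 and the reserved dword).
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

/*
 * Program the SYSENTER/SYSCALL MSRs of vCPU `cpufd`:
 *   SYSENTER_CS/ESP/EIP -> sel_cs, X86_ADDR_STACK0, X86_ADDR_VAR_SYSEXIT
 *   STAR                -> kernel CS (bits 47:32) and user CS (bits 63:48)
 *   LSTAR               -> X86_ADDR_VAR_SYSRET
 * The buffer is declared 8-byte aligned because it is accessed through a
 * struct kvm_msrs pointer (kvm_msr_entry carries a 64-bit field); a plain
 * char array carries no such guarantee.
 * The KVM_SET_MSRS result is not checked (best effort, as before).
 */
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)] __attribute__((aligned(8)));
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = X86_MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
	entries[1].data = X86_ADDR_STACK0;
	entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
	entries[2].data = X86_ADDR_VAR_SYSEXIT;
	entries[3].index = X86_MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = X86_MSR_IA32_LSTAR;
	entries[4].data = X86_ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

/*
 * Build a 32-entry legacy IDT at guest address guest_mem + X86_ADDR_VAR_IDT
 * (written through host_mem; host_mem + idt.base presumes guest address 0
 * corresponds to host_mem — confirm). The body continues on the following line.
 */
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt =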
(uint64_t*)(host_mem + sregs->idt.base); // body of setup_32bit_idt(), opened on the previous line
for (int i = 0; i < 32; i++) {
	// fill_segment_descriptor() is reused for gates: `base` carries the
	// target selector and `limit` the handler offset. The descriptor
	// type cycles through 16-bit interrupt/trap gate (6/7), 16-bit busy
	// TSS (3), 32-bit interrupt/trap gate (14/15) and 32-bit busy TSS
	// (11) — presumably to exercise each kind. i % 6 is always 0..5, so
	// the switch has no default.
	struct kvm_segment gate;
	gate.selector = i << 3;
	switch (i % 6) {
	case 0:
		gate.type = 6;
		gate.base = X86_SEL_CS16;
		break;
	case 1:
		gate.type = 7;
		gate.base = X86_SEL_CS16;
		break;
	case 2:
		gate.type = 3;
		gate.base = X86_SEL_TGATE16;
		break;
	case 3:
		gate.type = 14;
		gate.base = X86_SEL_CS32;
		break;
	case 4:
		gate.type = 15;
		gate.base = X86_SEL_CS32;
		break;
	case 5:
		gate.type = 11;
		gate.base = X86_SEL_TGATE32;
		break;
	}
	gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
	gate.present = 1;
	gate.dpl = 0;
	gate.s = 0;
	gate.g = 0;
	gate.db = 0;
	gate.l = 0;
	gate.avl = 0;
	fill_segment_descriptor(idt, idt, &gate);
}
}

/*
 * Build a 32-entry long-mode IDT at guest_mem + X86_ADDR_VAR_IDT. Each
 * gate is 16 bytes (selector index i*2); types alternate between
 * interrupt gate (14, odd i) and trap gate (15, even i), all targeting
 * X86_SEL_CS64 at offset guest_mem + X86_ADDR_VAR_USER_CODE2. The upper
 * qword (offset 63:32) is zeroed by fill_segment_descriptor_dword().
 * The body continues on the following line.
 */
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ?
14 : 15; // body of setup_64bit_idt(), opened on the previous line
gate.base = X86_SEL_CS64;
gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
gate.present = 1;
gate.dpl = 0;
gate.s = 0;
gate.g = 0;
gate.db = 0;
gate.l = 0;
gate.avl = 0;
fill_segment_descriptor_dword(idt, idt, &gate);
}
}

// Flags for struct mem_region (bit 4 is unused here).
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)

// One guest-physical region of the syzos memory map: start GPA, length in
// pages and MEM_REGION_FLAG_* bits.
struct mem_region {
	uint64_t gpa;
	int pages;
	uint32_t flags;
};

/*
 * The syzos guest-physical memory map. The fuzzer-supplied per-vCPU code
 * and the executor's own guest code are mapped read-only; the exit page
 * has no host backing (accesses to it trap to the host); the dirty-log
 * pages exercise KVM's dirty tracking; the per-vCPU L1 region is sized by
 * KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE.
 */
static const struct mem_region syzos_mem_regions[] = {
	{X86_SYZOS_ADDR_ZERO, 48, MEM_REGION_FLAG_GPA0},
	{X86_SYZOS_ADDR_SMRAM, 10, 0},
	{X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM},
	{X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG},
	{X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE},
	{SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE},
	{X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0},
	{X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0},
	{X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0},
	{X86_SYZOS_ADDR_IOAPIC, 1, 0},
};

// Host-side handle for a syzos VM: the KVM vm fd, the next vCPU id to hand
// out, the host mapping of guest memory, its size in pages, and the host
// views of the user-code and GPA-0 regions.
struct kvm_syz_vm {
	int vmfd;
	int next_cpu_id;
	void* host_mem;
	size_t total_pages;
	void* user_text;
	void* gpa0_mem;
};

#define X86_NUM_IDT_ENTRIES 256

/*
 * Build the syzos 64-bit IDT in guest memory (via vm->host_mem) and point
 * sregs->idt at it. All 256 vectors go to dummy_null_handler through the
 * syzos code selector with type_attr 0x8E (present, DPL 0, 64-bit interrupt
 * gate) and no IST. The body continues on the following line.
 */
static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs)
{
	sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT;
	sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1;
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)((uint64_t)vm->host_mem + sregs->idt.base);
	uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler);
	for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) {
		idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF);
		idt[i].selector = X86_SYZOS_SEL_CODE;
		idt[i].ist = 0;
		idt[i].type_attr = 0x8E;
		idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF);
		idt[i].offset_high =
(uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); // tail of syzos_setup_idt(), opened on the previous line
idt[i].reserved = 0;
}
}

// A piece of guest code to load: kind, host pointer to the bytes, length.
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

// A typed option value passed to the KVM setup.
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

// Physical-address bits of a page-table entry (bits 51:12).
#define PAGE_MASK GENMASK_ULL(51, 12)

// Bump allocator over a fixed pool of guest-physical pages.
typedef struct {
	uint64_t next_page;
	uint64_t last_page;
} page_alloc_t;

// Take the next page from the pool. Pool exhaustion terminates the
// process (exit(1)) without a message — there is no recovery path.
static uint64_t pg_alloc(page_alloc_t* alloc)
{
	if (alloc->next_page >= alloc->last_page)
		exit(1);
	uint64_t page = alloc->next_page;
	alloc->next_page += KVM_PAGE_SIZE;
	return page;
}

/*
 * Identity-map one 4 KiB page (GVA == GPA) in the syzos L1 page tables,
 * whose PML4 lives at X86_SYZOS_ADDR_PML4. Missing intermediate tables are
 * taken from `alloc`; they must already be zeroed (setup_pg_table() clears
 * the whole pool first). All entries are present + writable, supervisor-
 * only (no USER bit) and executable (no NX bit).
 * host_mem is the host address that corresponds to guest physical 0.
 */
static void map_4k_page(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa)
{
	uint64_t* pml4 = (uint64_t*)(host_mem + X86_SYZOS_ADDR_PML4);
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (pml4[pml4_idx] == 0)
		pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pdpt = (uint64_t*)(host_mem + (pml4[pml4_idx] & PAGE_MASK));
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (pdpt[pdpt_idx] == 0)
		pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pd = (uint64_t*)(host_mem + (pdpt[pdpt_idx] & PAGE_MASK));
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (pd[pd_idx] == 0)
		pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pt = (uint64_t*)(host_mem + (pd[pd_idx] & PAGE_MASK));
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW;
}

// Identity-map num_pages consecutive pages from gpa_start; returns
// num_pages so callers can subtract it from a running total.
// (i * KVM_PAGE_SIZE is int arithmetic if KVM_PAGE_SIZE is an int —
// fine for the region sizes used here.)
static int map_4k_region(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa_start, int num_pages)
{
	for (int i = 0; i < num_pages; i++)
		map_4k_page(host_mem, alloc, gpa_start + (i * KVM_PAGE_SIZE));
	return num_pages;
}

/*
 * Build the syzos L1 page tables: zero the 32-page table pool at
 * X86_SYZOS_ADDR_PT_POOL, identity-map every region in syzos_mem_regions,
 * then map whatever page count remains of vm->total_pages at
 * X86_SYZOS_ADDR_UNUSED. The body continues on the following line.
 */
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	int total = vm->total_pages;
	uint64_t host_mem = (uint64_t)vm->gpa0_mem;
	page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + 32 * KVM_PAGE_SIZE};
	for (uint64_t i = 0; i < (alloc.last_page - alloc.next_page); i += KVM_PAGE_SIZE)
		memset((void*)(host_mem + alloc.next_page + i), 0, KVM_PAGE_SIZE);
	for (size_t i = 0; i < sizeof(syzos_mem_regions) /
sizeof(syzos_mem_regions[0]); i++) total -= map_4k_region(host_mem, &alloc, syzos_mem_regions[i].gpa, syzos_mem_regions[i].pages);
    map_4k_region(host_mem, &alloc, X86_SYZOS_ADDR_UNUSED, total);
}
/* 8-byte legacy GDT descriptor, in hardware layout. */
struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed));
/*
 * Write the three syzos descriptors into the guest GDT: null, 64-bit code
 * (access 0x9A, flags 0xAF = G|L), 32-bit data (0x92, 0xCF = G|D/B) and a 64-bit TSS
 * (access 0x89, limit 0x67).
 * NOTE(review): a 64-bit TSS descriptor is 16 bytes; only its low 8 bytes are written
 * here, and the base encoded in it (0) differs from seg_tr.base used in
 * setup_gdt_ldt_pg().  Likewise the data descriptor encodes X86_SYZOS_ADDR_VAR_TSS as
 * its base while seg_ds64 is loaded with base 0.  Presumably harmless because KVM_SET_SREGS
 * loads the cached segment state directly — confirm if the guest ever reloads these selectors.
 */
static void setup_gdt_64(struct gdt_entry* gdt) {
    gdt[0] = (struct gdt_entry){0};
    gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0};
    gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)};
    gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = 0, .base_mid = 0, .access = 0x89, .limit_high_and_flags = 0x00, .base_high = 0};
}
/*
 * Put one vCPU straight into 64-bit long mode for syzos: GDT, flat CS/DS, TSS, IDT,
 * page tables, then CR0/CR4/EFER/CR3 via KVM_SET_SREGS.  The ioctl results are not
 * checked.  The function continues past the end of this line.
 */
static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd) {
    struct kvm_sregs sregs;
    ioctl(cpufd, KVM_GET_SREGS, &sregs);
    sregs.gdt.base = X86_SYZOS_ADDR_GDT;
    sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1;  /* 3 descriptors + 16-byte TSS descriptor */
    struct gdt_entry* gdt = (struct gdt_entry*)((uint64_t)vm->host_mem + sregs.gdt.base);
    /* Flat 64-bit code segment (type 11 = execute/read, accessed; L=1). */
    struct kvm_segment seg_cs64;
    memset(&seg_cs64, 0, sizeof(seg_cs64));
    seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1;
    sregs.cs = seg_cs64;
    /* Flat data segment (type 3 = read/write, accessed) shared by DS/ES/FS/GS/SS. */
    struct kvm_segment seg_ds64;
    memset(&seg_ds64, 0, sizeof(struct kvm_segment));
    seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1;
    sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64;
    struct 
kvm_segment seg_tr;
    memset(&seg_tr, 0, sizeof(seg_tr));
    /* Task register: 64-bit TSS (type 11 = busy TSS) at X86_SYZOS_ADDR_VAR_TSS, 104 bytes (limit 0x67). */
    seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0;
    sregs.tr = seg_tr;
    /* Zero the 104-byte TSS in guest memory and set RSP0 (offset 4 in the 64-bit TSS) to the kernel stack. */
    volatile uint8_t* l1_tss = (volatile uint8_t*)((uint64_t)vm->host_mem + X86_SYZOS_ADDR_VAR_TSS);
    memset((void*)l1_tss, 0, 104);
    *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0;
    setup_gdt_64(gdt);
    syzos_setup_idt(vm, &sregs);
    setup_pg_table(vm);
    /* Protected mode + paging + long mode (LME|LMA) with NX; CR0 is overwritten, CR4/EFER are OR-ed. */
    sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG;
    sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR;
    sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE);
    /* NOTE(review): CR3 is X86_ADDR_PML4 while setup_pg_table() built the tables at X86_SYZOS_ADDR_PML4; presumably the two constants coincide — confirm. */
    sregs.cr3 = X86_ADDR_PML4;
    ioctl(cpufd, KVM_SET_SREGS, &sregs);
}
/*
 * Copy the host's supported CPUID leaves (up to 128) into the vCPU.
 * NOTE(review): the open("/dev/kvm") result is not checked; if it fails, both ioctls
 * fail silently and the vCPU is left with whatever CPUID it had.  Same pattern recurs
 * inline in syz_kvm_setup_cpu().
 */
static void setup_cpuid(int cpufd) {
    int kvmfd = open("/dev/kvm", O_RDWR);
    char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
    memset(buf, 0, sizeof(buf));
    struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
    cpuid->nent = 128;
    ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
    ioctl(cpufd, KVM_SET_CPUID2, cpuid);
    close(kvmfd);
}
/* `flags` bits for syz_kvm_setup_cpu(); which ones apply depends on the text bitness (see the if/else chain). */
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)
/*
 * Legacy (non-syzos) vCPU setup.  Arguments come from the generated program:
 *   a0 vmfd, a1 cpufd, a2 host_mem (host view of guest physical 0),
 *   a3 array of struct kvm_text (only element 0 is used; a4, its count, is ignored),
 *   a5 KVM_SETUP_* flags, a6 array of struct kvm_opt, a7 its count (clamped to 2).
 * Maps 24 pages of guest memory plus an SMM alias, builds GDT/LDT/TSS descriptors and
 * IDT for the requested mode (text_type 8/16/32/else 64), copies a mode-specific
 * assembly prefix followed by the caller's text (clamped to 1000 bytes) into guest
 * memory, applies the kvm_opt tweaks, and loads sregs/regs.
 * Returns 0, or -1 when KVM_GET_SREGS / KVM_SET_SREGS / KVM_SET_REGS fail.  The array
 * pointers and host_mem are used without validation; the generated program is trusted.
 */
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) {
    const int vmfd = a0;
    const int cpufd = a1;
    char* const host_mem = (char*)a2;
    const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
    const uintptr_t text_count = a4;
    const uintptr_t flags = a5;
    const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
    uintptr_t opt_count = a7;
    const uintptr_t page_size = 4 << 10;
    const uintptr_t ioapic_page = 10;
    const uintptr_t guest_mem_size = 24 * page_size;
    const uintptr_t guest_mem = 0;
    (void)text_count;
    int text_type = text_array_ptr[0].typ;
    const void* text = 
text_array_ptr[0].text;
    uintptr_t text_size = text_array_ptr[0].size;
    /* One 4 KiB slot per page; page 10 is placed at the IOAPIC MMIO base (0xfec00000) instead of GPA 10*4K. */
    for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
        struct kvm_userspace_memory_region memreg;
        memreg.slot = i;
        memreg.flags = 0;
        memreg.guest_phys_addr = guest_mem + i * page_size;
        if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000;
        memreg.memory_size = page_size;
        memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
        ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
    }
    /* Extra 64 KiB slot in address space 1 (slot id bits 16+), aliasing host_mem at GPA 0x30000; consistent with the SMM entry at host_mem + 0x8000 used below. */
    struct kvm_userspace_memory_region memreg;
    memreg.slot = 1 + (1 << 16);
    memreg.flags = 0;
    memreg.guest_phys_addr = 0x30000;
    memreg.memory_size = 64 << 10;
    memreg.userspace_addr = (uintptr_t)host_mem;
    ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
    struct kvm_sregs sregs;
    if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1;
    struct kvm_regs regs;
    /* NOTE(review): "®s" below is an extraction artifact; the reproducer source almost certainly reads "&regs". */
    memset(®s, 0, sizeof(regs));
    regs.rip = guest_mem + X86_ADDR_TEXT;
    regs.rsp = X86_ADDR_STACK0;
    /* GDT and LDT: 256 8-byte descriptors each, in guest memory. */
    sregs.gdt.base = guest_mem + X86_ADDR_GDT;
    sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
    uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);
    struct kvm_segment seg_ldt;
    memset(&seg_ldt, 0, sizeof(seg_ldt));
    seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0;
    sregs.ldt = seg_ldt;
    uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);
    /* Code/data segments for 16/32/64-bit, each in a DPL 0 and a DPL 3 flavour, derived by copy-and-tweak from seg_cs16. */
    struct kvm_segment seg_cs16;
    memset(&seg_cs16, 0, sizeof(seg_cs16));
    seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0;
    struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3;
    struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3;
    struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; 
seg_ds16_cpl3.dpl = 3;
    struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1;
    struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1;
    struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3;
    struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3;
    struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1;
    struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64;
    struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3;
    struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3;
    /* TSS descriptors: 32-bit (type 9, limit 0x1ff) in four variants, 16-bit (type 1, limit 0xff) in three, 64-bit in two. */
    struct kvm_segment seg_tss32;
    memset(&seg_tss32, 0, sizeof(seg_tss32));
    seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0;
    struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2;
    struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3;
    struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86;
    struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1;
    struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0;
    struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3;
    struct 
kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff;
    struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3;
    /* Call gates (type 4/12) and task gates (type 3/11).  For gates, kvm_segment.base carries the target selector (plus a 2-entry param count for call gates) and .limit the target offset; fill_segment_descriptor() interprets them. */
    struct kvm_segment seg_cgate16;
    memset(&seg_cgate16, 0, sizeof(seg_cgate16));
    seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0;
    struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3;
    /* NOTE(review): this writes seg_cgate16.base, not seg_tgate16.base — it looks like a transposition.  As written, the 16-bit call gate ends up targeting X86_SEL_TSS16_2 and the 16-bit task gate keeps X86_SEL_CS16 | (2 << 16); seg_cgate32/seg_cgate64 are unaffected because they overwrite .base.  Left as-is since changing it alters what the reproducer exercises. */
    seg_cgate16.base = X86_SEL_TSS16_2;
    seg_tgate16.limit = 0;
    struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16);
    struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0;
    struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64;
    /* Inline copy of setup_cpuid(); the open() result is likewise unchecked. */
    int kvmfd = open("/dev/kvm", O_RDWR);
    char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
    memset(buf, 0, sizeof(buf));
    struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
    cpuid->nent = 128;
    ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
    ioctl(cpufd, KVM_SET_CPUID2, cpuid);
    close(kvmfd);
    /* Mode selection.  text_prefix is a mode-specific assembly stub (defined outside this chunk) copied ahead of the caller's text; host_text is where the combined blob goes. */
    const char* text_prefix = 0;
    int text_prefix_size = 0;
    char* host_text = host_mem + X86_ADDR_TEXT;
    if (text_type == 8) {
        /* Real mode / SMM / vm86 variants. */
        if (flags & KVM_SETUP_SMM) {
            if (flags & KVM_SETUP_PROTECTED) {
                sregs.cs = seg_cs16;
                sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
                sregs.cr0 |= X86_CR0_PE;
            } else {
                sregs.cs.selector = 0;
                sregs.cs.base = 0;
            }
            /* Park the normal entry point on HLT (0xf4); the text is placed at the SMM entry (SMBASE + 0x8000) and an SMI is injected. */
            *(host_mem + X86_ADDR_TEXT) = 0xf4; 
host_text = host_mem + 0x8000;
            ioctl(cpufd, KVM_SMI, 0);
        } else if (flags & KVM_SETUP_VIRT86) {
            sregs.cs = seg_cs32;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
            sregs.cr0 |= X86_CR0_PE;
            sregs.efer |= X86_EFER_SCE;
            setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3);
            setup_32bit_idt(&sregs, host_mem, guest_mem);
            if (flags & KVM_SETUP_PAGING) {
                /* Single 4 MiB PSE page directory entry at X86_ADDR_PD, user-accessible. */
                uint64_t pd_addr = guest_mem + X86_ADDR_PD;
                uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
                pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
                sregs.cr3 = pd_addr;
                sregs.cr4 |= X86_CR4_PSE;
                text_prefix = kvm_asm32_paged_vm86;
                text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1;
            } else {
                text_prefix = kvm_asm32_vm86;
                text_prefix_size = sizeof(kvm_asm32_vm86) - 1;
            }
        } else {
            sregs.cs.selector = 0;
            sregs.cs.base = 0;
        }
    } else if (text_type == 16) {
        if (flags & KVM_SETUP_CPL3) {
            sregs.cs = seg_cs16;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
            text_prefix = kvm_asm16_cpl3;
            text_prefix_size = sizeof(kvm_asm16_cpl3) - 1;
        } else {
            sregs.cr0 |= X86_CR0_PE;
            sregs.cs = seg_cs16;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
        }
    } else if (text_type == 32) {
        sregs.cr0 |= X86_CR0_PE;
        sregs.efer |= X86_EFER_SCE;
        setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3);
        setup_32bit_idt(&sregs, host_mem, guest_mem);
        if (flags & KVM_SETUP_SMM) {
            sregs.cs = seg_cs32;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
            *(host_mem + X86_ADDR_TEXT) = 0xf4;
            host_text = host_mem + 0x8000;
            ioctl(cpufd, KVM_SMI, 0);
        } else if (flags & KVM_SETUP_PAGING) {
            sregs.cs = seg_cs32;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
            uint64_t pd_addr = guest_mem + X86_ADDR_PD;
            uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
            pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
            sregs.cr3 = pd_addr;
            sregs.cr4 |= X86_CR4_PSE;
            text_prefix = kvm_asm32_paged;
            text_prefix_size = sizeof(kvm_asm32_paged) - 1;
        } else if (flags 
& KVM_SETUP_CPL3) {
            sregs.cs = seg_cs32_cpl3;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3;
        } else {
            sregs.cs = seg_cs32;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
        }
    } else {
        /* 64-bit: start in 32-bit protected mode with LME set; the prefix stub switches to long mode. */
        sregs.efer |= X86_EFER_LME | X86_EFER_SCE;
        sregs.cr0 |= X86_CR0_PE;
        setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3);
        setup_64bit_idt(&sregs, host_mem, guest_mem);
        sregs.cs = seg_cs32;
        sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
        /* Three-level chain PML4 -> PDPT -> one 2 MiB PS page, all user-accessible. */
        uint64_t pml4_addr = guest_mem + X86_ADDR_PML4;
        uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4);
        uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP;
        uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP);
        uint64_t pd_addr = guest_mem + X86_ADDR_PD;
        uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
        pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr;
        pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr;
        pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS;
        sregs.cr3 = pml4_addr;
        sregs.cr4 |= X86_CR4_PAE;
        if (flags & KVM_SETUP_VM) {
            /* Nested-VMX setup: VMXON/VMCS pointers and the VM-exit stub are planted in guest memory for kvm_asm64_init_vm. */
            sregs.cr0 |= X86_CR0_NE;
            *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON;
            *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS;
            memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1);
            *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE;
            text_prefix = kvm_asm64_init_vm;
            text_prefix_size = sizeof(kvm_asm64_init_vm) - 1;
        } else if (flags & KVM_SETUP_CPL3) {
            text_prefix = kvm_asm64_cpl3;
            text_prefix_size = sizeof(kvm_asm64_cpl3) - 1;
        } else {
            text_prefix = kvm_asm64_enable_long;
            text_prefix_size = sizeof(kvm_asm64_enable_long) - 1;
        }
    }
    /* TSS contents.  flags bit 1 is the always-set reserved EFLAGS bit; bit 17 (VM) marks the vm86 TSS. */
    struct tss16 tss16;
    memset(&tss16, 0, sizeof(tss16));
    tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
    tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
    tss16.ip = X86_ADDR_VAR_USER_CODE2;
    tss16.flags = (1 << 1);
    tss16.cs = X86_SEL_CS16;
    tss16.es = tss16.ds = tss16.ss = 
X86_SEL_DS16;
    tss16.ldt = X86_SEL_LDT;
    struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base);
    memcpy(tss16_addr, &tss16, sizeof(tss16));
    memset(&tss16, 0, sizeof(tss16));
    tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
    tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
    tss16.ip = X86_ADDR_VAR_USER_CODE2;
    tss16.flags = (1 << 1);
    tss16.cs = X86_SEL_CS16_CPL3;
    tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3;
    tss16.ldt = X86_SEL_LDT;
    struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base);
    memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16));
    struct tss32 tss32;
    memset(&tss32, 0, sizeof(tss32));
    tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
    tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
    tss32.ip = X86_ADDR_VAR_USER_CODE;
    tss32.flags = (1 << 1) | (1 << 17);
    tss32.ldt = X86_SEL_LDT;
    tss32.cr3 = sregs.cr3;
    tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
    struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base);
    memcpy(tss32_addr, &tss32, sizeof(tss32));
    memset(&tss32, 0, sizeof(tss32));
    tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
    tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
    tss32.ip = X86_ADDR_VAR_USER_CODE;
    tss32.flags = (1 << 1);
    tss32.cr3 = sregs.cr3;
    tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32;
    tss32.cs = X86_SEL_CS32;
    tss32.ldt = X86_SEL_LDT;
    tss32.cr3 = sregs.cr3;
    tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
    /* NOTE(review): despite its name this TSS is stored at seg_tss32_2.base, not seg_tss32_cpl3.base; X86_ADDR_VAR_TSS32_CPL3 is never written here. */
    struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base);
    memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32));
    struct tss64 tss64;
    memset(&tss64, 0, sizeof(tss64));
    tss64.rsp[0] = X86_ADDR_STACK0;
    tss64.rsp[1] = X86_ADDR_STACK0;
    tss64.rsp[2] = X86_ADDR_STACK0;
    tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
    struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base);
    memcpy(tss64_addr, &tss64, sizeof(tss64));
    memset(&tss64, 0, sizeof(tss64));
    tss64.rsp[0] = X86_ADDR_STACK0;
    tss64.rsp[1] = X86_ADDR_STACK0; 
tss64.rsp[2] = X86_ADDR_STACK0;
    tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
    struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base);
    memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64));
    /* Bound the caller-supplied text before any copy; host_text + prefix + 1000 + 1 is assumed to stay inside the mapped guest pages. */
    if (text_size > 1000) text_size = 1000;
    if (text_prefix) {
        memcpy(host_text, text_prefix, text_prefix_size);
        /* Patch the stub's placeholders: a 32-bit marker becomes the guest address of the instruction after it (+6), a 16-bit X86_PREFIX_SIZE marker becomes the address where the user text starts. */
        void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4);
        if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6;
        uint16_t magic = X86_PREFIX_SIZE;
        patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic));
        if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size;
    }
    /* User text follows the prefix and is terminated with HLT (0xf4); a second copy goes to X86_ADDR_VAR_USER_CODE for the CPL3/TSS entry points. */
    memcpy((void*)(host_text + text_prefix_size), text, text_size);
    *(host_text + text_prefix_size + text_size) = 0xf4;
    memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size);
    *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4;
    /* Landing pads: HLT; SYSRET (0f 07) + HLT; SYSEXIT (0f 35) + HLT. */
    *(host_mem + X86_ADDR_VAR_HLT) = 0xf4;
    memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3);
    memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3);
    *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0;
    *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0;
    /* At most two kvm_opt tweaks are honoured.  Cases 0-2 XOR masked bits into CR0/CR4/EFER; case 3 flips selected EFLAGS bits (TF, IF, DF, IOPL, NT, bit 15, AC, VIF, VIP, ID) in regs and the already-written TSS images; cases 4-7 override descriptor types before fill_segment_descriptor() (the sregs copies taken above keep their original types); case 8 sets the VMWRITE field/value.  `default` is unreachable since typ % 9 covers 0-8. */
    if (opt_count > 2) opt_count = 2;
    for (uintptr_t i = 0; i < opt_count; i++) {
        uint64_t typ = opt_array_ptr[i].typ;
        uint64_t val = opt_array_ptr[i].val;
        switch (typ % 9) {
        case 0:
            sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD);
            break;
        case 1:
            sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE);
            break;
        case 2:
            sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE);
            break;
        case 3:
            val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) 
| (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21));
            regs.rflags ^= val;
            tss16_addr->flags ^= val;
            tss16_cpl3_addr->flags ^= val;
            tss32_addr->flags ^= val;
            tss32_cpl3_addr->flags ^= val;
            break;
        case 4:
            seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf;
            break;
        case 5:
            seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf;
            break;
        case 6:
            seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf;
            break;
        case 7:
            seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf;
            break;
        case 8:
            *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff);
            *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16);
            break;
        default:
            exit(1);
        }
    }
    regs.rflags |= 2;  /* reserved always-1 bit */
    /* Materialise every descriptor into the GDT/LDT; 64-bit TSS and call gate descriptors are 16 bytes (the _dword variant). */
    fill_segment_descriptor(gdt, ldt, &seg_ldt);
    fill_segment_descriptor(gdt, ldt, &seg_cs16);
    fill_segment_descriptor(gdt, ldt, &seg_ds16);
    fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_cs32);
    fill_segment_descriptor(gdt, ldt, &seg_ds32);
    fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_cs64);
    fill_segment_descriptor(gdt, ldt, &seg_ds64);
    fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_tss32);
    fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
    fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
    fill_segment_descriptor(gdt, ldt, &seg_tss16);
    fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
    fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
    fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
    fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_cgate16);
    fill_segment_descriptor(gdt, ldt, 
&seg_tgate16);
    fill_segment_descriptor(gdt, ldt, &seg_cgate32);
    fill_segment_descriptor(gdt, ldt, &seg_tgate32);
    fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
    if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1;
    /* NOTE(review): "®s" is an extraction artifact for "&regs" (see the memset above). */
    if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1;
    return 0;
}
#define RFLAGS_1_BIT (1ULL << 1)
#define RFLAGS_IF_BIT (1ULL << 9)
/*
 * Initial GPRs for a syzos vCPU: RIP at guest_main (guest address resolved by
 * executor_fn_guest_addr()), RSP at X86_SYZOS_ADDR_STACK0, interrupts enabled, and
 * (text_size, cpu_id) in RDI/RSI as guest_main's first two arguments.  The ioctl
 * result is not checked.  NOTE(review): "®s" is an extraction artifact for "&regs".
 */
static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size) {
    struct kvm_regs regs;
    memset(®s, 0, sizeof(regs));
    regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
    regs.rip = executor_fn_guest_addr(guest_main);
    regs.rsp = X86_SYZOS_ADDR_STACK0;
    regs.rdi = text_size;
    regs.rsi = cpu_id;
    ioctl(cpufd, KVM_SET_REGS, ®s);
}
/*
 * Copy caller-supplied guest code into the vCPU's private page of the USER_CODE
 * region and bring the vCPU up.  Defensive bounds: cpu_id must be within
 * [0, KVM_MAX_VCPU) (the region is KVM_MAX_VCPU pages) and text_size is clamped to one
 * page before the memcpy.  An out-of-range cpu_id silently does nothing.
 */
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) {
    if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return;
    if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE;
    void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
    memcpy(target, text, text_size);
    setup_gdt_ldt_pg(vm, cpufd);
    setup_cpuid(cpufd);
    reset_cpu_regs(cpufd, cpu_id, text_size);
}
/* A host memory range: base pointer and byte length. */
struct addr_size { void* addr; size_t size; };
/*
 * Carve `size` bytes off the front of `free`.  Returns {NULL, 0} without touching
 * `free` when it is too small; callers in this chunk do not check for that.
 */
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) {
    struct addr_size ret = {.addr = NULL, .size = 0};
    if (free->size < size) return ret;
    ret.addr = free->addr;
    ret.size = size;
    free->addr = (void*)((char*)free->addr + size);
    free->size -= size;
    return ret;
}
/* Thin KVM_SET_USER_MEMORY_REGION wrapper; the ioctl result is not checked. */
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) {
    struct kvm_userspace_memory_region memreg;
    memreg.slot = slot;
    memreg.flags = flags;
    memreg.guest_phys_addr = guest_phys_addr;
    memreg.memory_size = memory_size;
    memreg.userspace_addr = userspace_addr;
    ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}
/*
 * Copy the linked-in guest executor image (linker symbols __start_guest..__stop_guest)
 * into the EXECUTOR_CODE region; exits if the image does not fit in mem_size.
 */
static void install_syzos_code(void* host_mem, size_t mem_size) {
    size_t size = (char*)&__stop_guest - (char*)&__start_guest;
    if (size > mem_size) exit(1); 
memcpy(host_mem, &__start_guest, size);
}
/*
 * Register every syzos_mem_regions[] entry as a KVM memory slot, carving host
 * backing sequentially out of vm->host_mem (vm->total_pages pages).  Regions flagged
 * NO_HOST_MEM get no slot; DIRTY_LOG/READONLY map to KVM_MEM_LOG_DIRTY_PAGES /
 * KVM_MEM_READONLY; USER_CODE and GPA0 record their host addresses in `vm`;
 * EXECUTOR_CODE is populated with the guest executor image.  Whatever host memory
 * remains becomes one final slot at X86_SYZOS_ADDR_UNUSED.  The USER_CODE region is
 * read-only to the guest but written from the host by install_user_code().
 * NOTE(review): alloc_guest_mem() failures ({NULL, 0}) are not checked here.
 */
static void setup_vm(int vmfd, struct kvm_syz_vm* vm) {
    struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE};
    int slot = 0;
    for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) {
        const struct mem_region* r = &syzos_mem_regions[i];
        if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue;
        struct addr_size next = alloc_guest_mem(&allocator, r->pages * KVM_PAGE_SIZE);
        uint32_t flags = 0;
        if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES;
        if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY;
        if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr;
        if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr;
        if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size);
        vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr);
    }
    struct addr_size next = alloc_guest_mem(&allocator, allocator.size);
    vm_set_user_memory_region(vmfd, slot++, 0, X86_SYZOS_ADDR_UNUSED, next.size, (uintptr_t)next.addr);
}
/*
 * Pseudo-syscall: create the syzos VM.  a0 is the vmfd, a1 a host buffer of
 * KVM_GUEST_PAGES pages.  The struct kvm_syz_vm lives in the buffer's first page and
 * guest memory starts one page in (hence KVM_GUEST_PAGES - 1).  Returns the struct
 * pointer as a long; a1 is not validated.
 */
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) {
    const int vmfd = a0;
    void* host_mem = (void*)a1;
    struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem;
    ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE);
    ret->total_pages = KVM_GUEST_PAGES - 1;
    setup_vm(vmfd, ret);
    ret->vmfd = vmfd;
    ret->next_cpu_id = 0;
    return (long)ret;
}
/*
 * Pseudo-syscall: add one vCPU running the code in *utext.  a0 is the kvm_syz_vm
 * pointer returned by syz_kvm_setup_syzos_vm(), a1 a struct kvm_text.  Returns the
 * vCPU fd, or -1 with errno EINVAL (NULL vm) / ENOMEM (KVM_MAX_VCPU reached) / the
 * KVM_CREATE_VCPU errno.  NOTE(review): utext is dereferenced before the NULL check
 * on vm and is itself never checked; the generated program is trusted.
 * The function continues past the end of this line.
 */
static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) {
    struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0;
    struct kvm_text* utext = (struct kvm_text*)a1;
    const void* text = utext->text;
    size_t text_size = utext->size;
    if (!vm) { errno = EINVAL; return -1; }
    if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; }
    int cpu_id = vm->next_cpu_id;
    int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id);
    if (cpufd == -1) return -1;
    vm->next_cpu_id++;
    install_user_code(vm, cpufd, cpu_id, text, 
text_size);
    return cpufd;
}
static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();
/*
 * Build a private tmpfs root under ./syz-tmp, bind the host's /dev, /sys, optional
 * security/debug filesystems and a read-only /syz-inputs into it, mount a fresh
 * proc, then pivot_root (falling back to chdir if pivot_root fails) and chroot into
 * it.  Every required step exit(1)s on failure; mounts of paths that may legitimately
 * be absent tolerate ENOENT only.  Bind mounts are MS_REC | MS_PRIVATE so later mount
 * changes do not propagate back to the host namespace.
 */
static void sandbox_common_mount_tmpfs(void) {
    write_file("/proc/sys/fs/mount-max", "100000");
    if (mkdir("./syz-tmp", 0777)) exit(1);
    if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1);
    if (mkdir("./syz-tmp/newroot", 0777)) exit(1);
    if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1);
    unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
    if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1);
    if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1);
    if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1);
    if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1);
    /* selinuxfs may live at either path; a missing one is tolerated, any other error is fatal. */
    const char* selinux_path = "./syz-tmp/newroot/selinux";
    if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
        if (errno != ENOENT) exit(1);
        if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1);
    }
    if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1);
    if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1);
    if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1);
    if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1);
    if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1);
    if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1);
    /* NOTE(review): Linux generally ignores MS_RDONLY on the initial bind mount() call (a follow-up MS_REMOUNT | MS_BIND | MS_RDONLY is the usual way to make a bind read-only) — confirm the read-only intent actually takes effect on the target kernel. */
    if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1);
    if (mkdir("./syz-tmp/pivot", 0777)) exit(1);
    /* Prefer pivot_root (old root detached afterwards); on failure fall back to plain chdir + chroot, which keeps the old root reachable to a root-capable process. */
    if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
        if (chdir("./syz-tmp")) exit(1);
    } else {
        if (chdir("/")) exit(1);
        if (umount2("./pivot", MNT_DETACH)) exit(1);
    }
    if (chroot("./newroot")) exit(1);
    if (chdir("/")) exit(1);
    setup_gadgetfs(); 
setup_binderfs();
    setup_fusectl();
}
/* Best-effort: errors from mkdir/mount are deliberately ignored for these optional filesystems. */
static void setup_gadgetfs() {
    if (mkdir("/dev/gadgetfs", 0777)) { }
    if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { }
}
static void setup_fusectl() {
    if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { }
}
static void setup_binderfs() {
    if (mkdir("/dev/binderfs", 0777)) { }
    if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { }
}
static void loop();
/*
 * Process-level hardening shared by the sandboxes: die with the parent, keep an fd to
 * the initial net namespace (kInitNetNsFd), cap address space / memlock / file size /
 * stack / core / open files via rlimits, and unshare mount, IPC, cgroup (0x02000000 is
 * CLONE_NEWCGROUP's value), UTS and SysV-semaphore state.  unshare()/mount() failures
 * are ignored on purpose (best effort on kernels without the feature).  The SysV IPC
 * sysctls are written after unshare(CLONE_NEWIPC), presumably so they only affect the
 * new IPC namespace.
 */
static void sandbox_common() {
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    if (getppid() == 1) exit(1);  /* parent already gone: PDEATHSIG would never fire */
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1) exit(1);
    if (dup2(netns, kInitNetNsFd) < 0) exit(1);
    close(netns);
    struct rlimit rlim;
    rlim.rlim_cur = rlim.rlim_max = (200 << 20);
    setrlimit(RLIMIT_AS, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 32 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 136 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 128 << 20;
    setrlimit(RLIMIT_CORE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
    if (unshare(CLONE_NEWNS)) { }
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { }
    if (unshare(CLONE_NEWIPC)) { }
    if (unshare(0x02000000)) { }
    if (unshare(CLONE_NEWUTS)) { }
    if (unshare(CLONE_SYSVSEM)) { }
    typedef struct { const char* name; const char* value; } sysctl_t;
    static const sysctl_t sysctls[] = {
        {"/proc/sys/kernel/shmmax", "16777216"},
        {"/proc/sys/kernel/shmall", "536870912"},
        {"/proc/sys/kernel/shmmni", "1024"},
        {"/proc/sys/kernel/msgmax", "8192"},
        {"/proc/sys/kernel/msgmni", "1024"},
        {"/proc/sys/kernel/msgmnb", "1024"},
        {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
    };
    unsigned i;
    for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value);
}
/*
 * Reap children (__WALL covers clone-created ones) until `pid` exits and return its
 * exit status.  NOTE(review): WEXITSTATUS is read without checking WIFEXITED, so a
 * signal-killed child yields an unspecified value rather than an error.
 */
static int wait_for_loop(int pid) {
    if (pid < 0) exit(1);
    int status = 0;
    while (waitpid(-1, &status, __WALL) != pid) { }
    return WEXITSTATUS(status);
}
static 
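void drop_caps(void)
{
	/*
	 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted
	 * and inheritable sets of the current process. Only the low 32-bit word
	 * (cap_data[0]) is edited; the bounding set is left untouched.
	 */
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {}; /* the v3 API uses two 32-bit words */
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	/* &cap_data is a pointer to the whole array, i.e. the same address as cap_data */
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * "none" sandbox: fork a child into a new PID namespace (best effort), let it
 * run the fuzzing loop after the common setup, and return the child's exit
 * status to the parent. loop() is an endless loop, so the trailing exit(1)
 * is only a safety net.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	/* allow unprivileged ICMP echo sockets for every group */
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	sandbox_common_mount_tmpfs();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir`, working around what a test can leave behind:
 * anything mounted on a path is unmounted first, EPERM is handled by clearing
 * the inode attribute flags (e.g. immutable) and retrying, EBUSY retries
 * after another umount, EROFS gives up on the entry, and ENOTEMPTY on the
 * final rmdir restarts the whole pass. Each retry path is bounded at 100
 * attempts; any other error terminates the process. Paths are built with
 * snprintf into a FILENAME_MAX buffer and truncation is not checked.
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		/* both branches exit; the EMFILE case is kept as a distinct site (presumably a stripped diagnostic) */
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, umount_flags) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				/* clear immutable/append-only style flags, then retry the unlink */
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					/* bound this path like the EBUSY one: a file that stays EPERM must not spin forever */
					if (i > 100)
						exit(1);
					continue;
				}
				/* NOTE: if open() failed, errno now describes open(), not unlink() */
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}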
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, umount_flags))
					exit(1);
				continue;
			}
			/* something reappeared underneath us: rescan the directory from the top (at most 100 times) */
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/*
 * Arm systematic fault injection for the calling thread so that its nth
 * injectable call fails. Returns the still-open fail-nth fd; the callers in
 * execute_call() discard it, so one descriptor is spent per armed call.
 * buf[16] holds any int (at most 11 characters plus the terminator).
 */
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

/*
 * Kill the test process `pid` together with its process group and reap it
 * into *status. If it has not been reaped within ~100 ms it is presumably
 * stuck in a FUSE request, so every connection under
 * /sys/fs/fuse/connections is aborted before blocking in waitpid(). Other
 * children reaped on the way are discarded.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			/* a single byte of any value triggers the abort; the path buffer is just a convenient source */
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* Detach whatever backing file the previous test left on this process's loop device, /dev/loop<procid>. */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/*
 * Per-test child setup: die with the parent, become a process-group leader
 * (so kill_and_wait() can kill the whole group), make this process the OOM
 * killer's preferred victim, and expose binderfs under the test directory.
 */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

/*
 * Probe for kernel fault-injection support and configure the debugfs knobs.
 * Returns NULL on success or a human-readable reason on failure; only the
 * first knob in the table is mandatory.
 */
static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				return "failed to write fault injection file";
		}
	}
	return NULL;
}

#define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak"

/*
 * Prepare kmemleak for per-test leak checking: disable automatic scanning,
 * run two scans 5 s apart and clear the report so that pre-existing leaks
 * are not attributed to the first test. Returns NULL on success or an
 * explanatory string otherwise.
 */
static const char* setup_leak()
{
	if (!write_file(KMEMLEAK_FILE, "scan=off")) {
		if (errno == EBUSY)
			return "KMEMLEAK disabled: increase CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE"
			       " or unset CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF";
		return "failed to write(kmemleak, \"scan=off\")";
	}
	if (!write_file(KMEMLEAK_FILE, "scan"))
		return "failed to write(kmemleak, \"scan\")";
	sleep(5);
	if (!write_file(KMEMLEAK_FILE, "scan"))
		return "failed to write(kmemleak, \"scan\")";
	if (!write_file(KMEMLEAK_FILE, "clear"))
		return "failed to write(kmemleak, \"clear\")";
	return NULL;
}

/*
 * Check for leaks after a test: trigger a scan, wait at least 4 s, scan
 * again and read the report. Each "unreferenced object" record is printed
 * with a BUG: prefix, the report is cleared, and the process exits non-zero
 * if anything was found. The 128 KiB static buffer caps how much of the
 * report is read.
 */
static void check_leaks(void)
{
	int fd = open(KMEMLEAK_FILE, O_RDWR);
	if (fd == -1)
		exit(1);
	uint64_t start = current_time_ms();
	if (write(fd, "scan", 4) != 4)
		exit(1);
	sleep(1);
	while (current_time_ms() - start < 4 * 1000)
		sleep(1);
	if (write(fd, "scan", 4) != 4)
		exit(1);
	static char buf[128 << 10];
	ssize_t n = read(fd, buf, sizeof(buf) - 1); /* leaves room for the terminating NUL */
	if (n < 0)
		exit(1);
	int nleaks = 0;
	if (n != 0) {
		/* something was reported: scan once more and re-read from the start */
		sleep(1);
		if (write(fd, "scan", 4) != 4)
			exit(1);
		if (lseek(fd, 0, SEEK_SET) < 0)
			exit(1);
		n = read(fd, buf, sizeof(buf) - 1);
		if (n < 0)
			exit(1);
		buf[n] = 0;
		char* pos = buf;
		char* end = buf + n;
		while (pos < end) {
			/* split at record boundaries; each record is temporarily NUL-terminated for printing */
			char* next = strstr(pos + 1, "unreferenced object");
			if (!next)
				next = end;
			char prev = *next;
			*next = 0;
			fprintf(stderr, "BUG: memory leak\n%s\n", pos);
			*next = prev;
			pos = next;
			nleaks++;
		}
	}
	if (write(fd, "clear", 5) != 5)
		exit(1);
	close(fd);
	if (nleaks)
		exit(1);
}

#define FUSE_MIN_READ_BUFFER 8192

/* FUSE request opcodes, used by syz_fuse_handle_req() to pick a reply. */
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9,
	FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14,
	FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34,
	FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39,
	FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51,
	FUSE_STATX = 52,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header at the start of every request read from a FUSE device fd. */
struct fuse_in_header {
	uint32_t len;    /* total request length including this header */
	uint32_t opcode; /* one of enum fuse_opcode */
	uint64_t unique; /* request id, echoed back in fuse_out_header.unique */
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

/* Header at the start of every reply written back to the device. */
struct fuse_out_header {
	uint32_t len; /* total reply length including this header */
	uint32_t error;
	uint64_t unique;
};

/*
 * Table of pre-built replies, one per request class, supplied by the fuzzed
 * program. A NULL entry means "no reply available" and makes the request
 * fail in fuse_send_response().
 */
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
	struct fuse_out_header* statx;
};

/*
 * Stamp the reply with the request's unique id and write it to the device.
 * out_hdr->len is taken as the size of the reply object and is not validated
 * against anything, so the reply table must describe correctly sized
 * buffers. A short write is not detected. Returns 0 on success, -1 if there
 * is no reply or the write fails.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/*
 * Serve one request from a FUSE device fd (a0) using the reply table in a3.
 * a1/a2 are the receive buffer and its length, which must be at least
 * FUSE_MIN_READ_BUFFER bytes. The request header is validated against the
 * number of bytes actually read before any field is used: a short read or a
 * header whose len exceeds the read length is rejected. Opcodes that carry no
 * reply body reuse the init reply with its len reset to a bare header;
 * FORGET-style opcodes get no reply at all. Returns 0 on success, -1 on any
 * failure or unknown opcode.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	/* never interpret a header that was not fully read */
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/*
		 * Body-less replies borrow the init header. Note that this
		 * permanently shrinks req_out->init->len, so a later FUSE_INIT
		 * served from the same table is answered with a bare header.
		 */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		/* forget requests never get a reply */
		return 0;
	case
	FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	case FUSE_STATX:
		out_hdr = req_out->statx;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

/* mac80211_hwsim generic-netlink attribute ids */
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
#define WIFI_MAX_INJECT_LEN 2048

/* Register `sock` with mac80211_hwsim (HWSIM_CMD_REGISTER) so it may inject frames. Returns the netlink_send_ext() result. */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

/*
 * Deliver `len` bytes of `data` as an 802.11 frame to the hwsim radio with
 * address `mac_addr` (HWSIM_CMD_FRAME), using the default rx rate and signal
 * strength. `len` is trusted here; syz_80211_inject_frame() bounds it.
 */
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

/*
 * Pseudo-syscall: inject the frame at a1 (a2 bytes, at most
 * WIFI_MAX_INJECT_LEN) into the hwsim radio whose MAC is at a0. Opens a
 * temporary generic-netlink socket that is closed on every path. Returns 0
 * on success, -1 otherwise.
 */
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
	if (hwsim_family_id < 0) {
		close(sock);
		return -1;
	}
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32
/* join modes: whether the IBSS uses a fixed frequency and whether the join is awaited */
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

/*
 * Pseudo-syscall: join interface a0 to the IBSS named by ssid a1 (a2 bytes,
 * at most WIFI_MAX_SSID_LEN) in mode a3. NO_SCAN modes pin the frequency;
 * only WIFI_JOIN_IBSS_NO_SCAN additionally blocks until the interface
 * reports IF_OPER_UP. The netlink socket is closed on every path. Returns 0
 * on success, -1 otherwise.
 */
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
	if (nl80211_family_id < 0) {
		close(sock);
		return -1;
	}
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

#define USLEEP_FORKED_CHILD (3 * 50 *1000)

/*
 * Shared tail of the clone pseudo-syscalls. In the parent the raw clone
 * result is returned unchanged. In the child (ret == 0) this sleeps briefly
 * and then exits via the raw exit syscall, so the child never runs any of
 * the program; the while(1) only silences the missing-return warning.
 */
static long handle_clone_ret(long ret)
{
	if (ret != 0) {
		return ret;
	}
	usleep(USLEEP_FORKED_CHILD);
	syscall(__NR_exit, 0);
	while (1) {
	}
}

/*
 * Pseudo-syscall wrapper for clone(). The child's stack pointer is the top of
 * the caller-supplied region, aligned down to 16 bytes. CLONE_VM is always
 * stripped so the child gets its own address space and cannot corrupt the
 * executor's memory. The argument order passed to the raw syscall
 * (flags, stack, ptid, ctid, tls) is the x86-64 one.
 */
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls)
{
	long sp = (stack + stack_len) & ~15;
	long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}

#define MAX_CLONE_ARGS_BYTES 256

static long syz_clone3(volatile long a0, volatile
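long a1)
{
	/*
	 * Pseudo-syscall wrapper for clone3(): a0 points at a struct clone_args
	 * of a1 bytes. The struct is copied into a bounded local buffer (at
	 * least the 8-byte flags field, at most MAX_CLONE_ARGS_BYTES) and
	 * CLONE_VM is cleared in its flags before the raw syscall, for the same
	 * reason as in syz_clone(). The flags field is accessed via memcpy, so
	 * the char buffer needs no particular alignment.
	 */
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	char clone_args[MAX_CLONE_ARGS_BYTES];
	memcpy(&clone_args, (void*)a0, copy_size);
	uint64_t flags;
	memcpy(&flags, clone_args, sizeof(flags));
	flags &= ~CLONE_VM;
	memcpy(clone_args, &flags, sizeof(flags));
	return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size));
}

#define RESERVED_PKEY 15
/* PKRU holds one 2-bit access-rights field for each of the 16 protection keys */
#define PKEY_COUNT 16

/*
 * Pseudo-syscall: set the PKRU access bits of protection key `pkey` to
 * `val` (low two bits) via rdpkru/wrpkru (x86 only). Keys outside 0..15 are
 * rejected with EINVAL: a negative key would produce a negative shift count
 * and, because the old code reduced the key modulo 16, any key of the form
 * 15 + 16k used to reach the reserved key despite the RESERVED_PKEY check.
 */
static long syz_pkey_set(volatile long pkey, volatile long val)
{
	if (pkey < 0 || pkey >= PKEY_COUNT || pkey == RESERVED_PKEY) {
		errno = EINVAL;
		return -1;
	}
	uint32_t eax = 0;
	uint32_t ecx = 0;
	asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx");
	/* shift is at most 28 here, so the 2-bit mask never overflows an int */
	eax &= ~(3 << (pkey * 2));
	eax |= (val & 3) << (pkey * 2);
	uint32_t edx = 0;
	asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
	return 0;
}

/* Pseudo-syscall wrapper for pidfd_open(); pid 1 is remapped to 0 (the caller itself) so init's pidfd is never opened. */
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	if (pid == 1) {
		pid = 0;
	}
	return syscall(__NR_pidfd_open, pid, flags);
}

/* One worker thread: `call` is the index handed over by execute_one(); ready/done are the hand-off events. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running; /* number of calls currently executing, maintained with relaxed atomics */

/* Worker loop: wait for a call, run it, account for it and signal completion; never returns. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * Run the 60 calls of the program, each on the first idle worker thread
 * (threads are created lazily). Every call is waited for with a per-call
 * timeout, except call 1 which is started asynchronously; at the end up to
 * 100 ms is spent waiting for stragglers.
 */
static void execute_one(void)
{
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0; call < 60; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (call == 1)
				break;
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ?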
			3000 : 0) + (call == 53 ? 3000 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0) + (call == 56 ? 300 : 0) + (call == 57 ? 3000 : 0) + (call == 58 ? 300 : 0)); /* longer timeouts for the calls expected to block */
			break;
		}
	}
	/* give still-running calls up to 100 ms before the process moves on */
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void); /* redundant: execute_one() is already defined above */

#define WAIT_FLAGS __WALL

/*
 * Endless test loop. Each iteration gets its own directory ./<iter>, the
 * loop device is reset, and a forked child chdirs there, runs setup_test()
 * and execute_one(), then exits. The parent polls every 10 ms and kills the
 * child via kill_and_wait() after 5 s, removes the directory and runs the
 * kmemleak check. Any setup failure terminates the process.
 */
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
		check_leaks();
	}
}

/*
 * Result table: execute_call() stores a call's return value in r[i] when the
 * call did not fail (res != -1) and later calls read it back as an argument
 * (typically a file descriptor). Entries pre-set to all ones are presumably
 * resources not yet produced.
 */
uint64_t r[37] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/* The generated program: one case per call; arguments are written into the fixed mapping at 0x200000000000 before each syscall. The definition continues past this chunk. */
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		*(uint32_t*)0x200000000000 = 0x4006;
		*(uint32_t*)0x200000000004 = 0xd;
		*(uint32_t*)0x200000000008 = 2;
		*(uint32_t*)0x20000000000c = 8;
		/* arm fault injection so the first injectable call inside this ioctl fails */
		inject_fault(1);
		syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x80044945, /*arg=*/0x200000000000ul);
		break;
	case 1:
		*(uint32_t*)0x200000000040 = 0;
		*(uint32_t*)0x200000000044 = 1;
		*(uint32_t*)0x200000000048 = 4;
		*(uint32_t*)0x20000000004c = 2;
		*(uint32_t*)0x200000000050 = 5;
		*(uint32_t*)0x200000000054 = 0x81;
		*(uint32_t*)0x200000000058 = 0;
		memcpy((void*)0x20000000005c,
"id1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); memcpy((void*)0x20000000009c, "timer0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 80); *(uint64_t*)0x2000000000f0 = 0; *(uint64_t*)0x2000000000f8 = 6; *(uint64_t*)0x200000000100 = 3; *(uint64_t*)0x200000000108 = 0x70a; *(uint32_t*)0x200000000110 = 9; memset((void*)0x200000000114, 0, 32); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0f85403, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000140, "/dev/ircomm#\000", 13); res = -1; res = syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); for (int i = 0; i < 4; i++) { syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); } if (res != -1) r[0] = res; break; case 3: *(uint32_t*)0x200000000340 = 0x82; *(uint32_t*)0x200000000344 = 8; *(uint64_t*)0x200000000348 = 0x200000000280; *(uint32_t*)0x200000000280 = 1; *(uint64_t*)0x200000000284 = 0; *(uint32_t*)0x20000000028c = 0xc0; *(uint64_t*)0x200000000290 = 0x200000000180; memcpy((void*)0x200000000180, 
"\x5b\x58\xac\x0e\xd1\xd2\x7b\x21\x7d\x3f\xdc\x62\x99\xcd\xde\x4d\x85\x32\x1f\x7b\xba\xa0\x64\xd3\x61\x51\x9c\xdd\xe4\x3b\x22\x5c\xf0\x06\x58\xdd\xbf\xbd\x91\x4c\xf7\x9e\xce\xb3\x48\xf1\x86\x92\x31\x5c\x3c\x69\xec\x14\x8e\x2d\xd9\x28\xac\x7e\xe6\x2f\x51\x11\xb9\xdc\xca\xca\x88\x52\x49\x12\x34\x19\x55\xf7\x9b\x0f\x22\x06\xb8\x0e\x6e\x5a\x7e\x68\x1a\x62\x96\x94\xa3\x4f\x9b\x0e\x39\x87\x7e\xef\xde\x60\xa0\x68\xcd\xc4\x45\x45\xd6\xfe\x45\xd0\x00\x0c\x99\x61\xa1\xff\x16\x87\x47\x44\x7e\x34\x6b\x16\x46\x08\x75\xc6\x91\xde\x11\x83\xb2\xd7\xb0\x32\xcf\xae\x85\x49\x7d\x0d\x88\x48\xd4\xba\xa9\xad\xc6\xca\xac\xcd\x9a\xf6\x01\x9e\xa2\xba\x6f\x3b\x4e\x60\x18\xdf\x94\xca\xca\xbe\xdd\xec\x7b\x60\x02\x30\xea\x77\x90\x01\x93\x99\xd0\xbe\xb6\x1f\x42\x7d\xf8\x35\x9c\xc3\x48\x93", 192); *(uint64_t*)0x200000000298 = 0; *(uint32_t*)0x2000000002a0 = 0; *(uint64_t*)0x2000000002a4 = 0x200000000240; *(uint32_t*)0x2000000002ac = 0x10000; *(uint32_t*)0x2000000002b0 = 0; *(uint64_t*)0x2000000002b4 = 0; *(uint32_t*)0x2000000002bc = 0x81; *(uint32_t*)0x2000000002c0 = 0xe; *(uint64_t*)0x200000000350 = 0x200000000300; *(uint32_t*)0x200000000358 = 0x44; *(uint32_t*)0x20000000035c = 0xc; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0206440, /*arg=*/0x200000000340ul); if (res != -1) r[1] = *(uint64_t*)0x200000000300; break; case 4: *(uint32_t*)0x200000000400 = 0x81; *(uint32_t*)0x200000000404 = 4; *(uint64_t*)0x200000000408 = 0x200000000380; *(uint64_t*)0x200000000380 = r[1]; *(uint64_t*)0x200000000410 = 0x2000000003c0; *(uint32_t*)0x200000000418 = 8; *(uint32_t*)0x20000000041c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000400ul); break; case 5: *(uint32_t*)0x200000000440 = 3; *(uint32_t*)0x200000000444 = 6; STORE_BY_BITMASK(uint32_t, , 0x200000000448, 1, 0, 1); memcpy((void*)0x200000000449, 
"queue1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); *(uint32_t*)0x20000000048c = 0xdae; memset((void*)0x200000000490, 0, 60); syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc08c5335, /*arg=*/0x200000000440ul); break; case 6: memcpy((void*)0x200000000540, "TIPCv2\000", 7); res = -1; res = syz_genetlink_get_family_id(/*name=*/0x200000000540, /*fd=*/r[0]); if (res != -1) r[2] = res; break; case 7: *(uint64_t*)0x200000000880 = 0x200000000500; *(uint16_t*)0x200000000500 = 0x10; *(uint16_t*)0x200000000502 = 0; *(uint32_t*)0x200000000504 = 0; *(uint32_t*)0x200000000508 = 0x1000000; *(uint32_t*)0x200000000888 = 0xc; *(uint64_t*)0x200000000890 = 0x200000000840; *(uint64_t*)0x200000000840 = 0x200000000580; *(uint32_t*)0x200000000580 = 0x2b4; *(uint16_t*)0x200000000584 = r[2]; *(uint16_t*)0x200000000586 = 0x400; *(uint32_t*)0x200000000588 = 0x70bd2d; *(uint32_t*)0x20000000058c = 0x25dfdbfb; *(uint8_t*)0x200000000590 = 4; *(uint8_t*)0x200000000591 = 0; *(uint16_t*)0x200000000592 = 0; *(uint16_t*)0x200000000594 = 0x44; STORE_BY_BITMASK(uint16_t, , 0x200000000596, 3, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 1, 7, 1); *(uint16_t*)0x200000000598 = 8; *(uint16_t*)0x20000000059a = 1; *(uint32_t*)0x20000000059c = 6; *(uint16_t*)0x2000000005a0 = 8; *(uint16_t*)0x2000000005a2 = 1; *(uint32_t*)0x2000000005a4 = 0x3f; *(uint16_t*)0x2000000005a8 = 8; *(uint16_t*)0x2000000005aa = 1; *(uint32_t*)0x2000000005ac = 2; *(uint16_t*)0x2000000005b0 = 8; *(uint16_t*)0x2000000005b2 = 1; *(uint32_t*)0x2000000005b4 = 0x4c00000; *(uint16_t*)0x2000000005b8 = 8; *(uint16_t*)0x2000000005ba = 1; *(uint32_t*)0x2000000005bc = 3; *(uint16_t*)0x2000000005c0 = 8; *(uint16_t*)0x2000000005c2 = 1; *(uint32_t*)0x2000000005c4 = 6; *(uint16_t*)0x2000000005c8 = 8; 
*(uint16_t*)0x2000000005ca = 3; *(uint32_t*)0x2000000005cc = 0x67c; *(uint16_t*)0x2000000005d0 = 8; *(uint16_t*)0x2000000005d2 = 1; *(uint32_t*)0x2000000005d4 = 7; *(uint16_t*)0x2000000005d8 = 0x3c; STORE_BY_BITMASK(uint16_t, , 0x2000000005da, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 1, 7, 1); *(uint16_t*)0x2000000005dc = 9; *(uint16_t*)0x2000000005de = 1; memcpy((void*)0x2000000005e0, "syz1\000", 5); *(uint16_t*)0x2000000005e8 = 0x2c; STORE_BY_BITMASK(uint16_t, , 0x2000000005ea, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 1, 7, 1); *(uint16_t*)0x2000000005ec = 8; *(uint16_t*)0x2000000005ee = 3; *(uint32_t*)0x2000000005f0 = 0x220a; *(uint16_t*)0x2000000005f4 = 8; *(uint16_t*)0x2000000005f6 = 4; *(uint32_t*)0x2000000005f8 = 0x9c0; *(uint16_t*)0x2000000005fc = 8; *(uint16_t*)0x2000000005fe = 2; *(uint32_t*)0x200000000600 = 0x101; *(uint16_t*)0x200000000604 = 8; *(uint16_t*)0x200000000606 = 4; *(uint32_t*)0x200000000608 = 3; *(uint16_t*)0x20000000060c = 8; *(uint16_t*)0x20000000060e = 1; *(uint32_t*)0x200000000610 = 8; *(uint16_t*)0x200000000614 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000616, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 1, 7, 1); *(uint16_t*)0x200000000618 = 8; *(uint16_t*)0x20000000061a = 2; *(uint32_t*)0x20000000061c = 6; *(uint16_t*)0x200000000620 = 8; *(uint16_t*)0x200000000622 = 1; *(uint32_t*)0x200000000624 = 1; *(uint16_t*)0x200000000628 = 0xb8; STORE_BY_BITMASK(uint16_t, , 0x20000000062a, 1, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 1, 7, 1); *(uint16_t*)0x20000000062c = 0x24; STORE_BY_BITMASK(uint16_t, , 0x20000000062e, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 1, 7, 1); *(uint16_t*)0x200000000630 = 8; 
*(uint16_t*)0x200000000632 = 2; *(uint32_t*)0x200000000634 = 9; *(uint16_t*)0x200000000638 = 8; *(uint16_t*)0x20000000063a = 4; *(uint32_t*)0x20000000063c = 7; *(uint16_t*)0x200000000640 = 8; *(uint16_t*)0x200000000642 = 2; *(uint32_t*)0x200000000644 = 5; *(uint16_t*)0x200000000648 = 8; *(uint16_t*)0x20000000064a = 2; *(uint32_t*)0x20000000064c = 2; *(uint16_t*)0x200000000650 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000652, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 1, 7, 1); *(uint16_t*)0x200000000654 = 8; *(uint16_t*)0x200000000656 = 3; *(uint32_t*)0x200000000658 = 6; *(uint16_t*)0x20000000065c = 8; *(uint16_t*)0x20000000065e = 4; *(uint32_t*)0x200000000660 = 0; *(uint16_t*)0x200000000664 = 0xd; *(uint16_t*)0x200000000666 = 1; memcpy((void*)0x200000000668, "udp:syz2\000", 9); *(uint16_t*)0x200000000674 = 0xc; STORE_BY_BITMASK(uint16_t, , 0x200000000676, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 1, 7, 1); *(uint16_t*)0x200000000678 = 8; *(uint16_t*)0x20000000067a = 4; *(uint32_t*)0x20000000067c = 7; *(uint16_t*)0x200000000680 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000682, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 1, 7, 1); *(uint16_t*)0x200000000684 = 8; *(uint16_t*)0x200000000686 = 1; *(uint32_t*)0x200000000688 = 0x17; *(uint16_t*)0x20000000068c = 8; *(uint16_t*)0x20000000068e = 1; *(uint32_t*)0x200000000690 = 0x17; *(uint16_t*)0x200000000694 = 8; *(uint16_t*)0x200000000696 = 1; *(uint32_t*)0x200000000698 = 0x12; *(uint16_t*)0x20000000069c = 0x2c; *(uint16_t*)0x20000000069e = 4; *(uint16_t*)0x2000000006a0 = 0x14; *(uint16_t*)0x2000000006a2 = 1; *(uint16_t*)0x2000000006a4 = 2; *(uint16_t*)0x2000000006a6 = htobe16(0x4e21); *(uint32_t*)0x2000000006a8 = htobe32(0xe0000002); *(uint16_t*)0x2000000006b4 = 0x14; *(uint16_t*)0x2000000006b6 = 2; 
*(uint16_t*)0x2000000006b8 = 2; *(uint16_t*)0x2000000006ba = htobe16(0x4e20); *(uint32_t*)0x2000000006bc = htobe32(-1); *(uint16_t*)0x2000000006c8 = 8; *(uint16_t*)0x2000000006ca = 3; *(uint32_t*)0x2000000006cc = 0xb; *(uint16_t*)0x2000000006d0 = 0xd; *(uint16_t*)0x2000000006d2 = 1; memcpy((void*)0x2000000006d4, "udp:syz1\000", 9); *(uint16_t*)0x2000000006e0 = 0x20; STORE_BY_BITMASK(uint16_t, , 0x2000000006e2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 1, 7, 1); *(uint16_t*)0x2000000006e4 = 8; *(uint16_t*)0x2000000006e6 = 1; *(uint32_t*)0x2000000006e8 = 8; *(uint16_t*)0x2000000006ec = 0xc; *(uint16_t*)0x2000000006ee = 3; *(uint64_t*)0x2000000006f0 = 6; *(uint16_t*)0x2000000006f8 = 8; *(uint16_t*)0x2000000006fa = 1; *(uint32_t*)0x2000000006fc = 0x80; *(uint16_t*)0x200000000700 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000702, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 1, 7, 1); *(uint16_t*)0x200000000704 = 8; *(uint16_t*)0x200000000706 = 1; *(uint32_t*)0x200000000708 = 2; *(uint16_t*)0x20000000070c = 8; *(uint16_t*)0x20000000070e = 1; *(uint32_t*)0x200000000710 = 9; *(uint16_t*)0x200000000714 = 0x10c; STORE_BY_BITMASK(uint16_t, , 0x200000000716, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 1, 7, 1); *(uint16_t*)0x200000000718 = 9; *(uint16_t*)0x20000000071a = 1; memcpy((void*)0x20000000071c, "syz1\000", 5); *(uint16_t*)0x200000000724 = 0x13; *(uint16_t*)0x200000000726 = 1; memcpy((void*)0x200000000728, "broadcast-link\000", 15); *(uint16_t*)0x200000000738 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000073a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 1, 7, 1); *(uint16_t*)0x20000000073c = 8; *(uint16_t*)0x20000000073e = 2; *(uint32_t*)0x200000000740 = 0x187; *(uint16_t*)0x200000000744 = 8; 
*(uint16_t*)0x200000000746 = 4; *(uint32_t*)0x200000000748 = 0x40; *(uint16_t*)0x20000000074c = 8; *(uint16_t*)0x20000000074e = 1; *(uint32_t*)0x200000000750 = 0x10; *(uint16_t*)0x200000000754 = 0x24; STORE_BY_BITMASK(uint16_t, , 0x200000000756, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 1, 7, 1); *(uint16_t*)0x200000000758 = 8; *(uint16_t*)0x20000000075a = 2; *(uint32_t*)0x20000000075c = 0xc0fb; *(uint16_t*)0x200000000760 = 8; *(uint16_t*)0x200000000762 = 2; *(uint32_t*)0x200000000764 = 0; *(uint16_t*)0x200000000768 = 8; *(uint16_t*)0x20000000076a = 2; *(uint32_t*)0x20000000076c = 3; *(uint16_t*)0x200000000770 = 8; *(uint16_t*)0x200000000772 = 4; *(uint32_t*)0x200000000774 = 6; *(uint16_t*)0x200000000778 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000077a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 1, 7, 1); *(uint16_t*)0x20000000077c = 8; *(uint16_t*)0x20000000077e = 1; *(uint32_t*)0x200000000780 = 0x18; *(uint16_t*)0x200000000784 = 8; *(uint16_t*)0x200000000786 = 2; *(uint32_t*)0x200000000788 = 0x80000000; *(uint16_t*)0x20000000078c = 8; *(uint16_t*)0x20000000078e = 2; *(uint32_t*)0x200000000790 = 2; *(uint16_t*)0x200000000794 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000796, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 1, 7, 1); *(uint16_t*)0x200000000798 = 8; *(uint16_t*)0x20000000079a = 4; *(uint32_t*)0x20000000079c = 0xfffffff2; *(uint16_t*)0x2000000007a0 = 8; *(uint16_t*)0x2000000007a2 = 3; *(uint32_t*)0x2000000007a4 = 7; *(uint16_t*)0x2000000007a8 = 8; *(uint16_t*)0x2000000007aa = 3; *(uint32_t*)0x2000000007ac = 0xd0; *(uint16_t*)0x2000000007b0 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x2000000007b2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 1, 7, 1); *(uint16_t*)0x2000000007b4 = 8; 
*(uint16_t*)0x2000000007b6 = 1; *(uint32_t*)0x2000000007b8 = 0xf; *(uint16_t*)0x2000000007bc = 8; *(uint16_t*)0x2000000007be = 4; *(uint32_t*)0x2000000007c0 = 0x401; *(uint16_t*)0x2000000007c4 = 8; *(uint16_t*)0x2000000007c6 = 1; *(uint32_t*)0x2000000007c8 = 9; *(uint16_t*)0x2000000007cc = 0x54; STORE_BY_BITMASK(uint16_t, , 0x2000000007ce, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 1, 7, 1); *(uint16_t*)0x2000000007d0 = 8; *(uint16_t*)0x2000000007d2 = 3; *(uint32_t*)0x2000000007d4 = 0xe6a9; *(uint16_t*)0x2000000007d8 = 8; *(uint16_t*)0x2000000007da = 4; *(uint32_t*)0x2000000007dc = 7; *(uint16_t*)0x2000000007e0 = 8; *(uint16_t*)0x2000000007e2 = 3; *(uint32_t*)0x2000000007e4 = 0x10000; *(uint16_t*)0x2000000007e8 = 8; *(uint16_t*)0x2000000007ea = 3; *(uint32_t*)0x2000000007ec = 0x2000; *(uint16_t*)0x2000000007f0 = 8; *(uint16_t*)0x2000000007f2 = 2; *(uint32_t*)0x2000000007f4 = 9; *(uint16_t*)0x2000000007f8 = 8; *(uint16_t*)0x2000000007fa = 3; *(uint32_t*)0x2000000007fc = 6; *(uint16_t*)0x200000000800 = 8; *(uint16_t*)0x200000000802 = 4; *(uint32_t*)0x200000000804 = 0x81; *(uint16_t*)0x200000000808 = 8; *(uint16_t*)0x20000000080a = 3; *(uint32_t*)0x20000000080c = 0x3ff; *(uint16_t*)0x200000000810 = 8; *(uint16_t*)0x200000000812 = 1; *(uint32_t*)0x200000000814 = 0x19; *(uint16_t*)0x200000000818 = 8; *(uint16_t*)0x20000000081a = 1; *(uint32_t*)0x20000000081c = 0x1a; *(uint16_t*)0x200000000820 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000822, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 1, 7, 1); *(uint16_t*)0x200000000824 = 8; *(uint16_t*)0x200000000826 = 1; *(uint32_t*)0x200000000828 = 1; *(uint16_t*)0x20000000082c = 8; *(uint16_t*)0x20000000082e = 2; *(uint32_t*)0x200000000830 = 0x79; *(uint64_t*)0x200000000848 = 0x2b4; *(uint64_t*)0x200000000898 = 1; *(uint64_t*)0x2000000008a0 = 0; *(uint64_t*)0x2000000008a8 = 0; 
*(uint32_t*)0x2000000008b0 = 0x4040811; syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000880ul, /*f=*/0ul); break; case 8: syscall(__NR_read, /*fd=*/r[0], /*data=*/0x2000000008c0ul, /*len=*/0x1dul); break; case 9: *(uint64_t*)0x200000000980 = 6; *(uint64_t*)0x200000000988 = 0x200000000940; *(uint64_t*)0x200000000940 = 0x904e; *(uint64_t*)0x200000000948 = 1; *(uint64_t*)0x200000000950 = 9; *(uint64_t*)0x200000000958 = 6; *(uint64_t*)0x200000000960 = 0xe; *(uint64_t*)0x200000000968 = 5; syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x4010801d, /*arg=*/0x200000000980ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 4, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; memset((void*)0x20000000004a, 255, 6); *(uint8_t*)0x200000000050 = 8; *(uint8_t*)0x200000000051 = 2; *(uint8_t*)0x200000000052 = 0x11; *(uint8_t*)0x200000000053 = 0; *(uint8_t*)0x200000000054 = 0; *(uint8_t*)0x200000000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x200000000056, 1, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0x7f, 4, 12); *(uint16_t*)0x200000000058 = 0x1f; *(uint8_t*)0x20000000005a = 0x8c; *(uint8_t*)0x20000000005b = 0x18; 
*(uint16_t*)0x20000000005c = 0x5d9; memcpy((void*)0x20000000005e, "\x8e\x85\x14\x4c\x64\x33", 6); memcpy((void*)0x200000000064, "\xe0\x23\xfb\xed\x51\x30\x11\xc5\x70\x7e\x45\x24\x72\xe2\x05\x5d", 16); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x34); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memcpy((void*)0x2000000000c0, "\x3a\x38\x64\x65\xf3\x89\x38\x0e\x26\xb0\xcb\x13\xf9\x8a\x36\xe2\x21\x4f\x09\x9e\xe0\xd0\xb2\x9b\x75\x4e\x31\xd6\xef\xc8\x2c\x04", 32); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/0x20, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_path_truncate\000", 22); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xda\xa4\xed\x40\xf7\xcf\x4d\xa8\x63\x77\xe8\x64\xd8\xe6\xc6\xd4\xfc\x54\x86\xaf\x4a\x6f\x23\xde\xa5\x8b\x32\x43\xa2\x91\xb0\x18\x0d\xba\xf5\xc9\x27\x58\xaf\x73\xf9", 41); memcpy((void*)0x200000000200, "\x40\xf2\x76\x85\x6b\x81\x91\xc4\xf3\x12\x75\x9d\x79\x5a\x22\xc3\xc7\xed\xc9\x16\x78\x79\x4f\x4e\xea\xc4\x57\x46\xfc\xc9\x93\x07\x22\xc8\x18\x9b\xa5\x95\x65\xf7\x32\x7c\xbc\xd4\x50\x61\x64\xeb\x9f\x6f\xf1\x75\xf1\xf0\x8d\x60\x24\x70\x91\x77\x2c\x18\x5a\xc3\x83\x04\xe9\xb5\xb3", 69); res = -1; res = syz_clone(/*flags=CLONE_NEWUTS|CLONE_VFORK*/0x4004000, /*stack=*/0x200000000140, /*stack_len=*/0x29, /*parentid=*/0x200000000180, /*childtid=*/0x2000000001c0, /*tls=*/0x200000000200); if (res != -1) r[3] = res; break; case 14: res = syscall(__NR_getpgrp, /*pid=*/r[3]); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x800; *(uint64_t*)0x200000000508 = 0x200000000280; *(uint64_t*)0x200000000510 = 0x2000000002c0; *(uint64_t*)0x200000000518 = 0x200000000300; *(uint32_t*)0x200000000520 = 0x12; *(uint64_t*)0x200000000528 = 0x200000000340; *(uint64_t*)0x200000000530 = 0x66; *(uint64_t*)0x200000000538 = 0x2000000003c0; *(uint64_t*)0x200000000540 = 
0x2000000004c0; *(uint32_t*)0x2000000004c0 = r[3]; *(uint32_t*)0x2000000004c4 = r[3]; *(uint32_t*)0x2000000004c8 = r[3]; *(uint32_t*)0x2000000004cc = r[4]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = -1; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000280; r[7] = *(uint32_t*)0x2000000002c0; r[8] = *(uint32_t*)0x200000000300; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000001680 = 4; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000001680ul); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000004a80 = 0x80000000; *(uint32_t*)0x200000004a84 = 0xee01; *(uint32_t*)0x200000004a88 = 0xee01; *(uint32_t*)0x200000004a8c = 5; *(uint32_t*)0x200000004a90 = 0xfffffff8; *(uint32_t*)0x200000004a94 = 1; *(uint16_t*)0x200000004a98 = 0x6bc1; *(uint32_t*)0x200000004a9c = 0x40; *(uint64_t*)0x200000004aa0 = 0xffff; *(uint64_t*)0x200000004aa8 = 0x2265; *(uint64_t*)0x200000004ab0 = 0xfffffffffffffff8; *(uint32_t*)0x200000004ab8 = r[3]; *(uint32_t*)0x200000004abc = r[8]; *(uint16_t*)0x200000004ac0 = 0xfffa; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000003a40; memcpy((void*)0x200000003a40, 
"\x89\x17\xf9\x6e\xff\x00\x1e\x00\x64\x91\xda\x94\x8f\x25\xc3\xac\x36\x65\x39\x2d\x07\x7a\x28\x78\xa0\xc4\x71\x86\xfb\xb5\x96\x00\xe8\x72\x5c\x57\x48\x93\xc0\xd6\x45\x65\x1c\xd4\x96\xd4\xd6\xc4\x3d\xd8\xd9\xe3\xce\xca\x2e\x2a\x35\xfd\x60\x78\x5c\xd7\x7e\xc5\xc5\xee\xd5\xea\x44\xa8\x53\x76\x9a\x52\xcb\x3e\x89\xd0\x6c\x09\x95\xf7\x7e\x9b\x7e\xcc\x68\xfa\x52\x1a\xc4\xb1\x93\xee\x67\xdc\xce\xc0\xa7\xd1\x3f\x3c\x06\x8e\xe0\x46\xa9\xa1\x42\x01\x1c\xd4\xba\x8e\x67\xf3\x81\xe1\x67\x45\xd8\x1a\x2b\x5b\xf1\x1f\x4e\xf0\x01\x43\x30\xc9\x5f\x0f\x5b\xc8\x9d\x00\xf1\x61\x29\xa9\x63\x77\x82\xe5\xa6\xf4\xd9\x22\xe0\xf0\x74\x57\xee\x51\x5e\x1b\xbf\x56\x54\x90\x6d\x88\x7b\xa0\x2b\xee\x66\x4d\xa7\x2a\x51\xb5\xdc\xdf\x4b\xec\xca\x2d\x80\x67\xe3\x57\x53\xc0\x31\x23\x59\xef\xb6\xda\x86\x14\x9a\xfc\x10\x10\xd0\xc6\xc8\x6c\xc9\xc8\x83\x1c\xa1\x27\x6c\xa9\x68\x81\x1c\x87\xba\xab\x12\x1c\x9d\x81\x72\x73\x19\x6e\x97\xae\x66\xf3\x97\x66\x7e\x02\x3f\xc2\x33\x19\xc2\x4f\xa8\x23\x57\x22\x26\xfb\x74\x8a\xc5\x4f\xf5\x28\x23\x6b\x07\x81\xa2\x0e\xd5\x2e\x11\x69\x27\xa2\x2b\x11\xe0\xb8\xac\xeb\x36\xd2\xcf\x4a\x78\xeb\x34\x65\xfc\xb9\xc9\x49\x3e\xad\xd4\x46\x86\x76\x6f\xb2\x6d\x4d\x0a\x54\xd0\x28\x27\x3a\x5c\x60\x53\x88\x53\x4e\x49\x37\xf1\x8c\xa9\x05\x32\x44\x5f\x94\x66\x51\xf3\x63\x4e\x9b\x36\x5b\xb8\xed\x72\x42\xb9\x12\x31\xba\x06\x34\x7e\xab\x1f\x32\x00\x96\x37\x4f\xbd\x8a\x7a\x94\xc2\xfa\x71\x54\x41\x5c\x92\x3f\xd6\x6c\xd6\x26\x48\x9e\x7c\x79\xca\xd3\x9b\x66\xb0\x67\x4b\x94\x39\xb5\x7b\x79\xec\x79\x03\xd3\x5e\xc3\x14\xdb\x9d\x7e\x41\x5d\xf3\xc4\xf7\x55\x14\xb1\xc8\x3e\x9b\x6b\x27\x1d\xab\xeb\xd3\xb7\x93\xa7\x8a\xd5\xba\xef\x25\x39\x39\x34\xbc\x1b\x49\x69\xeb\x61\x28\xd3\x52\x14\x90\x47\x0f\x25\xe7\xa4\x7b\x13\xee\x0c\x47\x72\xd0\x47\x3d\xa5\x18\x44\x1b\x7b\xd3\x62\xbc\x99\xb0\x9c\xf6\x96\xbe\xb9\xe5\xf9\xd3\xd5\xe8\x8e\x9e\x96\x0e\x25\x9e\x4f\xe6\x7c\xfa\x3b\x2a\xbd\xe1\x00\x10\xf3\xc6\xa6\x0d\x26\x9a\xd1\x3e\x59\x05\x2e\x8a\xb9\x51\x40\x1d\xde\x34\x5c\x4f\xed\x4f\xea\x6d\x91\xb8\x4d\xae\xee\xbf\x4
5\xfa\x79\x98\xee\x41\xda\x06\x87\x5e\x7b\xc4\x8d\x9d\xe5\x4d\xe3\x6d\x9e\x27\x49\x5f\xe7\xe8\x8e\x02\x4e\x7d\xd3\x58\x7d\xcb\xc7\x1c\xd4\x33\xb7\x1a\x4d\x97\x2b\x02\x65\x59\xef\xbf\x17\xc2\xb0\x2b\x23\x57\xb9\xd9\x13\xa7\x64\xc9\x5c\x5a\xa7\xb3\x2f\xd2\xc0\xb6\x2b\x47\xf2\x7e\x47\x85\xe7\x6d\x85\x62\xb4\xe4\x3e\xdc\x6d\x61\x0d\x2b\x97\xdd\x1a\x1e\xe6\x5b\xd1\xef\x89\xe0\x11\x0b\x14\xc2\x02\x5b\x04\xb8\xcf\x16\xf0\xc2\xc1\xab\x89\xad\x30\xbd\xbd\x8b\x98\x94\x27\x8b\x4b\xe8\xd0\x81\x55\xec\x0c\xd2\x0f\x54\x4f\x18\xa4\xf2\x6a\x98\x0d\xec\xac\x1c\xe2\x94\x21\x27\xd8\xd0\x35\x0d\xc4\xa9\xa3\x29\x30\xaf\x33\x53\x18\x22\x31\x9d\xd1\x39\xe2\x7c\xf7\x69\xd0\x68\x87\x96\x08\xc2\x51\x7d\x59\x96\x5f\xbf\xfe\x98\x79\xaf\xd4\x87\x87\x5a\xd2\x39\x58\x6b\xbe\xca\xd1\xb0\x0e\x13\x77\x20\x3a\xbe\x3f\xc5\x82\xfa\xaf\x4f\x9e\x08\xe5\x76\x58\x81\x22\x09\xb3\xa8\x65\x3b\xf3\x9e\x12\x6b\x79\x47\x4c\xed\x54\xb7\x4f\xd4\x77\xb0\x3a\x80\x90\x6e\x34\x6d\xfc\x7f\x5a\x86\x41\x0f\x6b\xbc\x64\xa7\xff\x88\xc3\x7a\xa1\xd1\x87\x13\x31\xad\x2a\x63\xfe\xce\xa9\xb4\x3d\x3f\xad\x06\x2d\xe7\x0d\xdd\x1c\x77\x3a\xe6\x25\x68\xff\x3b\xe8\x04\x58\x3d\x3a\x5a\x10\x79\x68\x13\xcd\x4b\x51\xf6\x7b\x09\x91\x0b\x42\x7e\xb9\x28\x04\xe7\xf2\x7a\xdc\xd8\xec\x9a\xfb\x24\xe3\x15\x1b\x48\xa3\x8c\xc5\x99\x27\x99\xdf\x37\xe5\xcf\x6a\xd5\x77\x94\x1a\xd7\xe2\xca\xf1\x56\x19\x23\x69\x27\x34\x2e\x87\xb5\xb2\x60\x47\x37\x16\xa9\xba\xd7\x0b\x39\x51\xf7\x26\x5c\x20\xc0\x00\x85\x26\x67\xfd\xe0\xc4\xb7\xf2\x7a\x32\xb7\xee\x13\x3c\xbc\x65\xba\x4d\xc3\x91\x0c\x23\x75\xe1\x95\xba\x76\x54\xe2\xd2\xd4\x5f\x91\x6e\x47\xf1\x07\x59\x5a\xdc\x63\x24\x78\x40\xdf\x4e\xca\xeb\x96\x40\xfb\x66\x19\x86\xad\xd0\xdd\x02\x79\x6d\x58\x10\xf5\x1c\x93\xfd\xcf\x89\x74\xda\x1f\x10\x14\xf2\xf4\xad\xb1\x6f\x04\xe7\x33\xb5\x3a\xc2\xe8\xb4\xa8\x53\xe9\x3a\x93\x5a\x73\x20\x28\xc8\xe3\xec\x12\x0f\xc5\x41\xe5\x12\x6f\x2d\x88\xdd\x4b\xbc\xa0\x6f\xa6\x10\x16\x34\x64\xcb\x17\xf4\x5e\x7a\x2b\xe0\xe5\x1d\x8e\x45\xe3\x7c\x50\x91\xd7\x62\xce\x5b\xfd\xb6\x93\x53\xba\xf
b\x95\x5c\x25\x54\x47\x02\xdc\xf7\xd1\x39\x4a\xac\x7a\x49\xa0\x78\x7f\xf1\x68\x74\x25\xa3\x75\x24\x9c\xa3\x78\xbc\x4f\x4a\xa2\x4a\xbc\xa2\x4a\x87\x1f\xd6\x74\x25\xb2\xf6\x60\x93\xb5\xb9\x87\x24\x99\xec\x85\xfa\xef\xfb\xf4\x3f\x0a\x4d\x3e\xfb\x5c\xea\xe7\x05\xa1\xa8\xe1\xf2\xbf\x79\xf5\x53\xc1\xc9\xf3\x8b\xd0\x9f\x93\xa8\x22\xbe\xb4\x54\x74\x4d\xd1\x17\x7e\xea\x67\xb7\xbd\x6c\x42\x1e\x58\x24\x62\x02\xab\x90\x2f\x79\xe0\x15\x5f\x1d\xe2\xbf\x22\x6f\x61\xbb\x39\xbf\xc2\xfb\xa3\x47\x9f\x25\xee\xa7\xf0\x1f\x70\xbc\x08\xa9\x8e\x88\x74\xe5\xd1\x38\x42\x83\xb9\x96\x07\xea\xa5\x2e\x89\x54\x90\xbd\xb2\x1c\x81\xcb\x3b\x37\x91\xc1\xde\xce\x0e\xbc\xe6\x7c\xc4\x5b\xcb\xa2\x99\xbb\x89\x2c\x9d\x19\x50\xbf\x33\x5e\x95\x4f\xd3\x03\xc6\x5e\x1a\xfe\xc4\x8a\x3d\x3e\x10\xa4\x04\x35\x2a\x13\x02\xef\xce\xbe\x12\x54\xeb\x2b\x25\xd6\xf4\x50\xb2\x6a\x3f\x1b\xd7\xf5\x77\xe5\x4c\x95\xe5\x66\x11\x74\xd3\x27\x82\xfe\x6b\x11\x99\x65\x42\xfe\x1b\x97\x51\x39\x62\x88\xd2\x7a\x47\xe3\xc9\x8d\x1c\xc3\xf3\xab\x55\x8b\xa3\xe8\x2a\x6c\x3e\xd4\x84\x0f\x4e\x3d\x79\x36\x95\x73\xc3\x75\x34\x07\x3e\x79\xad\xfd\x23\x23\x83\x2b\x65\xe7\xa6\xc4\x5b\x72\x57\x91\x38\xe2\x26\x29\x1d\x27\x00\xda\xc3\xa1\xcc\x91\x61\x40\xf5\x4c\xb2\x8b\x34\x70\x85\x61\x89\x81\x25\x44\x36\x6f\x75\x7c\x0a\x29\x4e\xe2\xb5\xbf\x6c\x30\x8a\xd4\xdf\x23\x0d\x5a\x74\x3b\x8c\xf7\xa1\xf6\x4a\x30\x61\x98\x3f\x22\x38\x50\x26\x2c\x75\x74\xae\x48\x0a\x02\xf6\x8c\x04\x3b\xa7\xaa\x82\x2f\xf6\x45\xd4\xe4\x48\x2c\x14\xcb\xb5\x8c\x15\xf6\x5c\x98\xd1\x69\x2f\x93\x9d\x0d\x95\x58\x50\x45\x42\x4a\xbe\x5e\x58\x65\x14\x77\xf9\x1d\x0c\x1d\xaf\xb3\xf3\x3a\xf9\xe6\x9b\x79\x4e\x13\xeb\x0c\x42\x9d\xe9\xb9\x2b\xbc\x5f\x92\x82\xa2\xe6\xc9\x11\x9f\x6f\xd8\x60\x3f\xe1\x1a\xf2\xd5\x16\xc9\xa7\xad\x38\xe3\x33\x7b\x96\x9c\x3d\x95\x93\xf0\xd4\xac\x95\xc4\x4e\x7f\x47\xe8\x10\xf6\x97\x0a\x1a\x6f\x18\xf2\x09\xfe\xdc\x35\x65\x6d\xc5\xc5\x36\xb0\x39\x6a\xed\xaf\x83\xca\x46\x65\x5e\xdc\xc4\x08\x8c\x6f\xcf\xfa\x68\x9a\x87\x83\x09\xc1\x76\x7b\x21\x87\xc9\xb5\xfa\x57\x5e\xfd\x80\xe
0\x57\x4a\x57\x76\x73\xb4\x5e\xda\xc8\xb1\xc9\x12\xce\x60\xcd\x18\x29\x0d\x31\x02\x5c\x80\xeb\xa3\xd9\x97\xe4\x79\x2b\xe2\x3a\x49\xc0\x09\x4e\xe2\x85\x48\xfa\x33\x27\x5e\x6c\x28\x0b\xb6\xe0\xa0\xaa\x8e\x79\x04\xc6\x41\xcb\xcb\x3d\x99\x49\x46\xf0\xe4\xc6\xd6\xb1\x91\xd3\x46\x53\x64\x79\x3a\x69\x7f\x2c\x25\xd1\x30\x92\x3c\x79\x9a\x3a\x8d\x71\x69\xa3\x7a\xc2\x9b\xdd\xfb\x76\x6d\x51\x30\xb5\xe4\xbd\x43\x97\x8a\xad\x35\x49\x05\x2c\xf6\xf5\x64\x76\x80\x52\x03\x23\x46\xae\xf8\xf5\x84\x4b\x97\x04\x84\x2c\x0f\x1f\xa7\xd2\x6c\x69\x71\x88\xc0\xe8\x64\x16\x58\xd6\xd2\x99\xa6\x1f\xf1\x40\xa4\xb9\x4f\x04\xf6\xec\x06\xff\xca\x6e\x57\x4b\xdd\x60\x03\x72\xed\x5d\x16\x6a\xee\xae\x4f\x24\xe1\xec\x3c\x21\x2f\x05\xaa\x85\x37\xf0\xab\x83\x1e\x47\x2f\x32\x16\x4a\x08\x87\xc6\xf4\xe4\x25\x32\x56\x5f\x05\x5a\x8c\xd4\x35\xe9\xcc\x91\x08\x96\x7e\x42\x2c\x6d\x0e\x74\x06\x33\xc9\x77\x84\x71\xef\xa8\xa4\x4a\xb5\x5a\x06\xbd\xb6\xb8\x17\xf8\xa6\xcc\x55\xd5\x2a\xce\x6e\xc4\x38\xad\x4f\xbe\xe7\xc6\x4e\x00\xfc\x65\xc7\x6a\x36\x16\xc3\x5f\xb7\x1b\xb6\x08\x4f\x44\xf8\x08\x3d\xff\x56\xd7\x71\xe1\xd3\x23\x58\x4b\x82\xf1\x05\xe0\xa2\x11\xce\xae\x9a\xfc\x0f\x5e\x61\xa2\x64\x94\x76\x44\x0c\xf6\x8d\x9a\xbf\xfb\x48\xde\xcd\x0e\x8d\x2e\xd1\x09\x07\xd3\x5e\x39\x0d\xaa\x1e\xef\x83\xda\xc8\xab\x44\xe2\xac\x58\x86\xf6\x23\x5f\x6b\xd7\xb6\x9f\xf3\xc0\x98\xb5\x58\x89\x49\x08\xd4\xcd\x28\x24\x7f\xb6\xec\x4b\xb5\xb1\x63\xf6\xb2\xee\xf3\x86\xe7\xce\x26\xde\x75\x9b\xd6\xe2\x4e\x46\xaa\x2b\x38\xf0\xa4\xe6\xa4\x78\x5a\xf1\x4b\xd6\x03\x5a\x32\x6c\x29\xaf\x21\x5a\x4c\x1c\x45\xae\x76\x7b\xd7\xe6\xdb\x1b\xae\x69\xbe\x04\x5e\xf0\xb1\xeb\x39\x34\xac\x5e\xbe\x3a\x4c\x1d\xd5\x9b\xb9\x60\x53\xbe\xeb\x55\x61\xb5\x21\xc4\x78\x52\xd9\xa2\xc6\x6c\xfa\xf8\x2c\x2a\x01\x6e\x5d\xe7\x29\xea\x0e\x0c\xe4\xf9\x80\x85\x79\x2b\x5e\x5a\x80\x2c\xd7\xfb\xac\x9e\xf3\x8e\x20\x3e\xbb\x36\x51\xf1\xb3\x0a\xf6\xea\x29\xfa\x17\x9f\x8b\x19\x26\x41\x60\x4b\xe0\x29\x29\xda\xff\xad\xd6\xc9\x7b\xa4\xcd\x56\x79\x0c\xc2\x43\xd0\x47\x0e\xb8\xc1\xae\x78\x12\xda\x6
6\x6b\x0b\x32\x9f\xb3\xf0\x4f\x78\xe2\x5a\xd1\x7b\x4b\x39\x78\x13\x82\xad\x93\x7e\x08\xad\x34\x48\xb6\x32\x38\x18\x5b\x98\x22\x42\x19\x0f\xd1\xe4\xad\x8f\xbb\xa5\x5d\x6a\xbf\x96\xe0\x16\xe1\xd9\x8d\x37\xd5\x1c\x2e\xe1\xe4\x1f\x54\xf8\xac\x7e\x03\x8e\x36\x16\xf5\x69\xd0\x24\x69\x0e\xa3\x03\xbe\xc6\x98\xbe\xb9\x8b\x9e\xa4\x9f\x6b\x87\xe3\xf7\x10\x49\x97\xa6\xad\x7d\x33\xdb\x8f\xb7\x9a\xda\x8c\x5f\x7f\x54\xee\x17\xf7\xb3\xd8\x6a\xa1\x53\x2b\x43\x9c\xd8\xde\x90\xb5\xfd\x7f\xc3\x32\x56\x80\x06\x1d\x93\x19\xd1\x83\x5e\x60\x3f\xaf\x79\x33\xbf\xd6\x0d\x73\x39\x65\xf0\xf2\x5a\xdf\x39\x45\x09\x2b\xb9\x9e\x95\x34\x66\x02\xfa\xf6\xaa\xbe\xb3\x3c\xbc\xa3\xb2\x19\xb4\xf8\xaf\xaf\xe8\x25\xc6\x62\x7c\x0c\x7b\x00\xc3\x38\x75\xb6\x9d\x01\xc0\x8b\x90\xe6\xfa\x64\xf0\x9b\x42\x93\x2e\x1c\xcc\x9b\x3d\xa3\x67\x71\x66\x7d\x5b\xb7\x53\x1a\x2a\xc1\x74\xbc\x41\x2d\xff\xad\x7c\x6f\x8f\xd4\xda\xd3\x30\xfb\x41\x5a\x97\xe8\x13\x6c\xd5\xc0\xbb\x7d\x00\xd2\xb2\xc9\x56\x93\x6c\x9f\x5f\x74\x7e\x3c\x9a\x36\x1d\x79\xd0\x48\xcb\x3f\x52\x8f\x18\x7f\x9b\xba\x5d\x78\xd7\x30\x9b\x1b\x25\x6f\xbb\x34\x9c\xd5\x29\x45\x54\x1a\x5a\x57\x80\x9f\x2d\x71\xa8\xe8\x05\x57\xb2\x3b\xe4\xfb\x31\xca\xdd\xc5\x95\x53\xb6\xbc\x0f\xaa\x16\x5e\x4a\xb1\xf8\x27\x9c\xa6\xe3\x07\xce\x79\x20\xc4\x3b\xdb\xad\xec\x04\xef\x8b\xe7\x0d\x57\xaf\x59\x8d\x1d\x8a\x89\x6a\x09\x52\xb2\x3c\xba\x46\x4e\x0e\x9b\x36\x25\xf9\x93\xdc\x12\xc8\xf7\x74\xe8\x7d\xa0\x51\xec\xa4\x9b\xd1\x4e\x4e\x2e\x27\x0c\xf7\x5d\xc8\x34\x3b\x2a\xd4\xb0\xa2\x17\x8c\xb5\x57\xc6\xd0\xeb\x1a\x0b\x23\xed\x92\x58\x0c\xe5\xad\xa7\x8c\x2b\xb1\x0d\xdd\x25\xd4\xbb\x14\x7d\x61\xa0\x0f\x5e\x1d\x1d\x5c\x88\x8d\x47\x42\x4c\x04\xde\x7d\x41\x38\x4e\x2c\x68\x8a\x57\x35\x8d\x05\x81\x4a\xd9\x17\x13\x5a\x80\xec\xcd\x1d\x1f\x14\x72\x42\xa5\xda\x4d\xad\x08\x38\x32\x2e\x9a\x2f\xa5\x31\xfb\xb6\xb0\x83\x2b\x67\x00\xf8\x72\x79\x84\x6c\xe2\x33\x16\x79\xb8\x2f\x04\xfe\x1b\xe1\xe8\xce\x9f\x61\x0b\x63\xff\x30\xad\x0b\x76\x97\x78\x17\x73\x9a\x29\x5c\x9e\xc9\xdc\xf1\x1f\x81\xa6\x76\x19\x40\x73\x04\xc
1\xd5\x94\xc5\x19\x6d\xb1\xbd\xeb\xfe\x03\xf2\x2a\xda\xac\x92\x53\xd7\x53\x96\x71\x38\xbc\x9d\x2c\xf4\x73\x54\x91\xd2\x74\x5c\x23\xe5\xd2\x29\xc7\x46\x27\xdd\x19\x1b\xc6\xc0\x38\x51\x39\x14\xdb\xdc\xfa\xcb\x8b\xcb\x28\x14\xdc\x52\x5e\xda\xd8\x89\x52\x09\x99\xfc\xe6\x44\x69\xc6\x06\x94\x40\x59\x61\x51\x84\x41\xc3\xe8\x44\x53\xaf\xa3\x49\x9e\x3a\x89\x83\xb5\x7f\x94\x59\x3e\x86\x64\x71\x9d\x5e\x65\x98\x42\x2b\xb8\xcb\xc5\x16\x20\xb2\x59\x41\x3b\xea\x16\x49\x0b\xbe\x6c\x9a\x72\xbf\x21\xf6\xb4\xd4\x99\x37\x1a\xd9\xfc\x82\x77\xdd\x3f\x2f\x75\x23\xcc\x5e\x6c\xee\xbf\x74\xfc\x39\x44\x13\x6b\x2d\x56\xda\xa2\x04\x03\x74\x31\x9a\x1c\x83\xc3\xbb\x0c\x96\x2d\x32\x1d\x80\x39\x17\x0b\x98\xb6\x04\xc8\xed\x42\xc5\x96\x31\x4a\x01\x13\x9c\x9d\x36\xcc\xd6\xf2\xcb\xd3\x11\x3b\x2c\x9d\x4e\x19\xf0\x86\x94\x46\x36\x10\xa3\x68\xf8\xac\x74\xf2\x97\x94\xf1\x45\x60\xe0\xa3\xd4\x81\xc6\x73\x41\x0a\xd9\x46\x65\x81\xaa\x2a\x33\x4f\xf3\x80\xa1\x00\xfb\x04\x9a\xd8\x19\x6e\xb4\x78\x4e\xa1\xbe\xdc\x13\x9a\x70\x54\xf1\x8a\x8d\x44\xbc\xa0\xa3\xd0\x12\x2f\x5d\xc3\xa1\xc4\xd2\x9b\xde\x35\xe3\x32\xbd\xf2\x8c\xb9\xb9\x85\x43\xad\x3e\x33\x14\x3a\xf8\x79\x03\xb5\x62\x4f\x62\x30\x55\x98\xde\x27\x58\x33\x20\x8e\xc8\x37\x06\x82\xad\x9f\x0f\x9a\xc6\x4c\x43\x90\x44\xa2\xde\x30\x33\x46\x87\x34\xf4\x92\x66\x13\x88\x59\x69\x5b\x60\xa6\xfb\x45\xd7\x94\xb8\x71\xc1\x9c\xbe\xdf\x59\xb7\x64\x45\x3b\x78\xcf\xea\xd4\xc5\x01\xb1\xf8\xc0\xff\x82\x7b\x70\x29\x73\x92\x69\x7a\xdb\x13\xce\xff\x2f\x13\x9b\xff\x3b\xa2\x38\x79\x8a\x07\xfe\x5f\x55\xa0\xef\x5b\x75\xcc\xb4\x98\xbb\x89\x43\xba\xb4\xa6\x71\xf1\x25\xfb\x06\xf2\xe5\x9f\x77\xfd\xb0\x2c\xb2\x3e\x86\x87\x56\x8d\xc0\xd5\xc4\x86\x09\x94\xa3\x7c\xca\xb3\x65\xd7\xa7\x08\x03\xc6\xa6\xf4\x8f\x5b\x3f\xf1\xcb\xdd\x51\xd8\x96\x1f\x97\x3c\x70\x33\x75\xd2\x52\xe6\xc5\xa0\xff\x13\x3b\x59\x72\x43\x13\xf9\x88\x84\x1b\xd6\x1e\xc2\x97\x67\xa4\x60\x8a\x5b\xc4\x5b\x10\x4e\x4f\xc9\x82\x61\xe4\x54\x0a\x10\x38\x2a\x49\x5d\x64\xdd\x5f\x6c\x03\x90\x66\xd9\xd3\x58\xef\xb1\x66\x71\x17\x8e\x88\x4f\x0
7\x0a\x07\xfd\x02\xa0\x0b\x63\xb7\xf5\x75\xf6\x42\xbf\x91\xee\xc3\xbb\x90\xdb\xa9\xa2\x1d\xf3\x17\x9c\xf1\x2e\xa9\x52\x5d\x09\x74\xd6\xfc\x44\xbf\x69\xfc\x54\xf8\xa5\xff\x98\x67\x06\x67\x8d\x7c\xe0\x6c\xce\x44\xdf\x29\x74\xb9\x66\xe6\x7a\xca\x31\x4e\x0b\x58\xac\xc4\x15\x54\xa4\x42\xef\x35\x87\xab\xba\xf1\x82\x95\xec\xa5\x9c\xa8\xa1\x0e\xdd\x3f\xbd\x1f\xac\x0b\x06\x01\x3d\xe5\xf7\x33\x37\x51\xc5\x7d\xeb\x4d\xae\xf9\xe4\xc5\x5e\x93\x74\x1e\xd1\xd2\xf7\xf9\x63\xcd\xed\xc6\xef\xdb\x5d\x8b\x14\xd7\xd6\x12\xe2\x61\x2f\x30\x96\x6f\x4e\x67\x60\xd1\xa4\x6f\xbe\xe5\x0d\xcc\xff\xc0\xb2\xe5\x17\x7b\x1c\x60\x27\xad\xae\xe0\x90\x75\xb6\x55\xcf\x85\xdd\xbb\x4e\x44\x83\xd5\xde\x7b\x38\xa9\x10\xf9\x96\x71\x1c\x05\x8c\x1b\x97\xe6\x21\x27\x48\xc8\xcc\x7d\xe8\xcf\x7a\x56\xaf\x75\xe2\x91\x86\x7c\x26\x88\xe9\x99\xc6\x55\x3d\x7a\xaf\x3d\x2f\x62\xc2\xf5\x3b\xf8\x8c\xf2\x04\x40\x07\xdb\xe9\x29\x85\x65\x31\xb0\xad\x6b\x48\xa6\x11\x8b\xf3\x5c\xce\x82\x7e\x5d\x0c\xd2\xa1\x9b\x3f\xc3\x73\x95\xe1\xce\xd2\x13\x7f\x0c\x72\x6f\x5c\xc9\x91\x33\x3a\x0f\x07\x94\xda\x0b\x6d\x75\x73\x74\x21\x7e\xae\xbc\xbb\x6d\x87\x43\x1f\x08\x9a\x57\x10\x2c\xa5\x37\x3b\x8d\x73\x0a\x92\x02\x60\x59\xc6\xa8\x80\x94\xe9\xc6\x29\xd8\x1e\xcc\xf8\x6b\x4e\x8f\x09\x1d\x32\x55\x63\xd1\xf4\x01\x6c\x97\x97\x2c\x58\x4b\xc7\x6d\x1f\xb4\xed\x94\xb7\x21\x34\x4d\x00\xcc\x67\x24\xf5\x64\x9d\xfe\xd8\x4d\xc5\x11\x58\x3e\x1a\x08\xa4\x3c\x24\x09\x93\x41\x72\xff\x3f\x0d\xfc\x93\x99\x6b\x84\x79\xc0\x50\xdc\x19\x30\x9a\xa9\x98\xf7\x09\xed\xa3\xb3\xcf\x80\x6b\xec\x71\x7e\x17\x18\xb8\xcc\x10\x06\x0b\x33\x5c\x46\xf1\x7c\x52\x2a\xc0\xbb\x69\x6f\xb4\x39\x3a\x94\x50\xbe\x5f\xa7\x55\xea\x0d\x71\xb3\x0a\x84\x31\x51\x5c\x44\x63\x90\x15\x4b\xc2\xa4\x95\x1b\x3f\x15\xf4\x19\xce\x20\xb0\x30\x2b\xd9\x00\x25\xd8\x3c\x47\xa0\x18\xf6\x88\x6a\xb1\xfb\xb7\x57\x7d\x5c\x06\x6b\xab\x23\xd8\x41\x89\xcc\xff\x63\x40\xa3\xca\x41\xdf\x5c\x6d\x99\x4b\x26\xb8\xfc\x34\xc6\x90\xdf\xb2\x29\xc8\x37\x60\x22\x4b\xdc\xe8\xe8\x67\xd1\xf5\xa0\x97\x73\x6d\x3f\x19\xd8\x22\x9f\x91\x4
3\xac\x03\x70\x93\xd4\xcc\x32\xab\x10\x4b\x58\x28\xf1\xcc\x84\x49\x5a\x68\xd7\x67\xb7\xfb\xd7\x25\xd4\x34\x71\x9a\x36\x01\xb5\xfb\x23\x36\x4a\x5e\x41\x51\xc6\xf9\x15\xce\x53\xf7\xde\xbb\xb9\xf1\x5b\x81\x1c\xb0\x2b\xb8\x73\x94\xff\xb6\x1e\x8b\x8a\xe5\x74\x9d\xc7\x43\x2b\x51\x6b\x8a\x62\x79\x90\x53\x7b\x9c\xdf\xd2\xa0\x94\x39\xb7\xdc\x04\x39\x97\xe0\xf5\x90\x36\xab\x34\x70\xaf\x1b\xc7\x67\x10\x11\xe5\xb4\x72\xe3\xf6\xad\x45\x6b\xa7\x06\xd5\x50\x66\x1c\xbc\xf6\x10\x7e\x9b\x7e\xe4\x9a\x82\x05\x2d\x90\x1b\xb7\x9f\xb1\x8d\x82\x21\x6a\xee\xfa\x2e\x76\x39\x0f\x80\x94\x3c\xc8\x56\xa0\x08\xc7\x25\x6b\x84\xd8\x85\x7f\xa6\x34\xad\x7d\xd4\x50\x13\x86\xbb\xab\xe2\x38\xa5\x8a\xec\xb7\x7a\x0d\xe5\xff\xaa\xa5\x63\xa1\x96\x8b\x72\xb9\x2b\xa5\x8d\x1a\x1e\xf6\xf9\xed\x04\x9f\xf3\x8b\x7f\xc3\x42\x27\x46\x16\x31\xfe\xc6\x53\xe7\x81\xf1\x57\xec\x73\x86\x36\x2b\x66\x77\x8a\xfc\x89\x82\xcd\xae\x50\xe1\x29\xf4\x32\x9b\xfe\x35\xcd\x9d\xa3\xd5\x75\x22\x04\xfa\x72\x75\xcc\xbc\x01\xab\xf8\x5c\x6c\xf3\xab\x9e\xab\xb2\xea\x7a\x1c\x77\x9e\x67\x3d\x0f\x95\x16\xb1\x85\x15\x4d\xc8\x3c\xc5\xf6\x93\x70\xe3\x14\x19\x8b\x7f\xa8\x3c\xe5\xc5\xc9\x1c\x2c\x50\xe5\x44\x89\xb3\xa6\x70\xa3\x30\xa4\xe4\x9f\xca\x51\x7c\x83\xa9\x53\x2c\xbc\x7e\xdc\x84\x0c\xd0\x10\xb3\x7e\xcc\x75\x37\x45\x30\x16\xed\x1a\xb4\x45\xe4\x5f\xc1\x23\x8b\x14\xe2\xf8\xf9\x31\x66\xcb\xf7\xd3\x8b\x85\x28\xba\xa0\xfa\xd3\xe9\xe7\x6f\x4b\x32\xee\xbb\x60\x52\x68\x81\x62\x0b\xca\x5b\x11\xac\x06\x3d\xbe\x21\x69\xe5\x43\x78\x43\xf6\xd2\xd4\x86\x85\x5a\xd5\xf1\x92\xb2\x68\xb2\xf3\xeb\x25\xde\xea\xbd\x2d\xe8\x9c\x48\xba\x28\xf1\xee\x2c\x84\x65\x86\x56\xc3\x37\x33\x9b\x53\xac\xf9\x88\xba\xf2\x9a\xc5\xc9\x19\x9e\xc7\x91\x2b\x28\x94\x09\x34\xbc\x02\xb1\x31\xd1\x46\x13\x54\x62\x6b\x69\x08\x35\xba\x09\xab\xaf\xa0\xca\x7f\x51\x55\x79\xe5\x33\xc4\xbb\xfd\xa2\xbc\x9f\x2f\xae\xdd\x35\x38\xce\x8c\x1e\x36\x06\xea\x98\x39\x5e\x0f\xf8\x84\x92\x04\x5f\x47\xcc\xa8\x5f\x4a\xf1\x6f\x95\x0a\xbb\xf3\xf2\x22\x9d\xe5\x8e\xa2\xb4\x56\x92\xd4\xba\x84\x3e\x70\xe5\xae\xed\x2
9\xf6\x88\x07\x13\x8a\xaf\x5c\x99\x4b\x30\xd4\x73\x11\xeb\xb9\x69\x10\x76\x77\xdc\xf0\x07\xf6\x4d\x0b\x32\xc3\x60\x0c\xd3\x2b\xd4\x2c\xa6\x9e\xe4\x6d\x78\x6c\xf0\xcf\x94\x96\xbc\x51\x60\x2c\x98\x9f\xc5\x4f\x76\xc4\xd3\x83\xce\x41\x4a\xf4\x5f\xc9\x48\xe5\xb9\x71\xe3\x02\x0a\xf4\x47\xc5\x89\xb0\x99\x56\xc9\x03\x3d\x09\x04\xd6\x44\x5d\x7e\x9f\xff\x7c\x90\x39\x39\xf7\x9c\x2d\x4c\x30\xb6", 4096); *(uint64_t*)0x200000004ad0 = 0x200000004a40; memcpy((void*)0x200000004a40, "\x88\x4f\x38\x13\x09\x89\x6a\x88\x17\x38\x89\x99\x4e\x74\xc6\x06\x94\xf7\xba\xa4\x5b\xe0\x88\xe5\x9b\xc3\xe9\x39\x72\x82\x57\xe8\xd2\xdb\x71", 35); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[10] = *(uint32_t*)0x200000004a88; break; case 19: *(uint32_t*)0x200000004d40 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000004c40ul, /*optlen=*/0x200000004d40ul); if (res != -1) r[11] = *(uint32_t*)0x200000004c74; break; case 20: *(uint32_t*)0x200000004e00 = 7; *(uint32_t*)0x200000004e04 = 0xee00; *(uint32_t*)0x200000004e08 = -1; *(uint32_t*)0x200000004e0c = 8; *(uint32_t*)0x200000004e10 = 0x80; *(uint32_t*)0x200000004e14 = 5; *(uint16_t*)0x200000004e18 = 0xfffc; *(uint32_t*)0x200000004e1c = 1; *(uint64_t*)0x200000004e20 = 7; *(uint64_t*)0x200000004e28 = 5; *(uint64_t*)0x200000004e30 = 0xbed1; *(uint32_t*)0x200000004e38 = r[5]; *(uint32_t*)0x200000004e3c = r[7]; *(uint16_t*)0x200000004e40 = 1; *(uint16_t*)0x200000004e42 = 0; *(uint64_t*)0x200000004e48 = 0x200000004d80; *(uint64_t*)0x200000004e50 = 0x200000004dc0; memcpy((void*)0x200000004dc0, "\x05\xc9\x21\x56\x87\xa3\xff\x17\x47\xca\xe5\xc1\x8c\xb1\x86\xed\x5c\x62\x98\x43\x37\xf9\x0f\x0a\xb5\x94\x8e\x21\xc6\x3d\x16\x86\xf1\xda\x14\x59\xa8\x97\x18\xa9\xf8\x49\x30\xb8\x92\xc2\xad\x4d\xe6\x1f\x71\x4a\xb8", 53); res = syscall(__NR_shmctl, /*shmid=*/5, /*cmd=*/2, /*buf=*/0x200000004e00ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004e04; r[13] = 
*(uint32_t*)0x200000004e08; } break; case 21: *(uint32_t*)0x200000004f00 = 7; *(uint32_t*)0x200000004f04 = -1; *(uint32_t*)0x200000004f08 = -1; *(uint32_t*)0x200000004f0c = 1; *(uint32_t*)0x200000004f10 = 0; *(uint32_t*)0x200000004f14 = 0x98; *(uint16_t*)0x200000004f18 = 4; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 6; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 5; *(uint64_t*)0x200000004f30 = 0xc; *(uint64_t*)0x200000004f38 = 0x1ff800000; *(uint64_t*)0x200000004f40 = 8; *(uint64_t*)0x200000004f48 = 0x7f; *(uint64_t*)0x200000004f50 = 3; *(uint16_t*)0x200000004f58 = 0x101; *(uint16_t*)0x200000004f5a = 8; *(uint16_t*)0x200000004f5c = 0x1000; *(uint32_t*)0x200000004f60 = r[5]; *(uint32_t*)0x200000004f64 = r[8]; res = syscall(__NR_msgctl, /*msqid=*/4, /*cmd=*/0ul, /*buf=*/0x200000004f00ul); if (res != -1) { r[14] = *(uint32_t*)0x200000004f04; r[15] = *(uint32_t*)0x200000004f60; } break; case 22: *(uint32_t*)0x200000005080 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000004f80ul, /*optlen=*/0x200000005080ul); if (res != -1) r[16] = *(uint32_t*)0x200000004fb4; break; case 23: *(uint32_t*)0x2000000052c0 = 8; *(uint32_t*)0x2000000052c4 = 0; *(uint32_t*)0x2000000052c8 = 0; *(uint32_t*)0x2000000052cc = 0x7f; *(uint32_t*)0x2000000052d0 = 5; *(uint32_t*)0x2000000052d4 = 0x80000001; *(uint16_t*)0x2000000052d8 = 0x43; *(uint32_t*)0x2000000052dc = 7; *(uint64_t*)0x2000000052e0 = 2; *(uint64_t*)0x2000000052e8 = 0; *(uint64_t*)0x2000000052f0 = -1; *(uint32_t*)0x2000000052f8 = 0xf; *(uint32_t*)0x2000000052fc = r[7]; *(uint16_t*)0x200000005300 = 2; *(uint16_t*)0x200000005302 = 0; *(uint64_t*)0x200000005308 = 0x2000000050c0; memcpy((void*)0x2000000050c0, 
"\xbc\xc4\xb5\xd8\x6e\x91\xb0\x2b\x73\xe1\x6c\x46\x65\xdc\x30\x88\xf7\xcc\x98\x26\xda\x78\x07\xf9\xa8\x30\x0d\x9d\x89\x80\xde\x67\xa1\xa2\xa1\x53\xe9\x54\x66\xe7\x6d\x2c\x38\xc4\x15\x58\xc0\x8e\xfe\x37\xee\x81\xd9\x90\x46\x74\xce\xd8\x6d\xda\x9b\x2b\x6c\xc7\xc9\x7b\x19\x97\x58\xbe\xf8\xd9\x2d\xd2\x0e\x0e\x69\x86\x4d\x6f\xcd\x03\xa8\x0c\xa0\x12\x01\x9c\xf4\x1e\x51\x66\x47\x50\x38\xfc\xd3\x60\x33\x84\x36\xe7\x82\x7e\xf7\x30\x46\x91\x87\xe6\xa4\x95\xf5\xbf\x01\x8e\xe7\xca\xa7\x1c\x80\x4a\x38\x67\x56\xc3\x24\x2b\x30\xec\xa0\xb8\x41\x16\x6d\x78\x39\xe9\x4a\x56\x39\xd0\x8f\xbc\x06\xda\xc1\xf8\x61\x49\x44\x56\xd8\xd1\x53\xde\x7f\xc3\x03\x87\xd4\x52\x30\x4e\x7c\x30\x69\xbb\xfb\x42\x43\x91\xd0\x4f\xab\x12\x03\x7c\x6d\x6a\xe6\x02\x5d\xf8\x69\xfa\x3a\x45\xe0\x31\x48\xc2\xdd\x05\x2c", 195); *(uint64_t*)0x200000005310 = 0x2000000051c0; memcpy((void*)0x2000000051c0, "\x0b\x7d\x67\x85\x2a\x6f\x3d\x89\x68\xf4\x76\xad\xad\x16\x72\xe6\xdc\xfc\xeb\xe8\xe6\x24\x9d\x8c\xc7\x2d\x1a\x05\xc2\x8a\xcd\x3d\xed\xa6\x43\x14\x81\xc8\x8e\xe1\xc2\xc0\x99\x44\xee\x73\x33\xd9\xd1\x6b\x3f\x9b\xd1\x86\xbe\x36\x21\x0e\x7e\x52\xfd\xac\x24\x09\x97\x73\xc0\x7a\xf6\xf1\xa9\x40\xe4\xba\xec\x3a\xda\x47\x66\xe3\x80\x14\xad\x52\x7a\x5d\xf7\x7c\x90\x61\xc5\xa4\xca\xcc\xc4\x8b\xcf\x15\x62\x20\x7f\x8d\xb0\x4d\x60\x8a\x82\x3c\x71\x97\x9b\xda\xf7\x02\xb9\xa6\xec\x8f\x62\xf2\x3d\x31\x6b\x69\xa8\xe4\x0f\x1c\xd7\x92\x58\x5f\x34\xd8\xff\x6c\x70\x56\x41\xdb\xc0\x9a\x02\x45\xef\xad\x32\x6c\xa8\x4d\x8c\xa3\x9d\x29\xcc\x33\xa4\xa3\xfb\xe7\x6c\x24\x0d\x05\x5e\x26\x1e\x16\xd6\xbb\x5d\x9c\x23\x1f\xe3\xc9\xe8\x4f\xe5\x95\x65\xbe\xfc\x53\xfe\x9d\x11\x9e\xb5\x0c\xe0\x4e\x6e\x3c\x1d\xf2\x16\xae\x69\xc3\x13\xd8\x0b\xb6\xa7\x7e\x21\x9b\x94\x51\x65\x72\xee\xaa\x39\x8b\xfe\xa6\x49\x33\x5a\xe8\x11\x4c\xb0\x57\x42\x36\xf4\x61\x31\x67\xd9\x75\x8b\x53\xb6\x6c\xb6\xba\x75\xd7\x5a\xf9\x2f\x3c\x6e\x63\x8b\x82", 250); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/5, /*buf=*/0x2000000052c0ul); if (res != -1) { r[17] = 
*(uint32_t*)0x2000000052c4; r[18] = *(uint32_t*)0x2000000052c8; } break; case 24: memcpy((void*)0x200000005340, "./file0\000", 8); *(uint64_t*)0x200000005380 = 0x355; *(uint64_t*)0x200000005388 = 0x100000001; *(uint64_t*)0x200000005390 = 5; *(uint32_t*)0x200000005398 = 7; *(uint32_t*)0x20000000539c = -1; *(uint32_t*)0x2000000053a0 = 0xee01; *(uint32_t*)0x2000000053a4 = 0; *(uint64_t*)0x2000000053a8 = 7; *(uint64_t*)0x2000000053b0 = 2; *(uint64_t*)0x2000000053b8 = 2; *(uint64_t*)0x2000000053c0 = 6; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000053d0 = 7; *(uint64_t*)0x2000000053d8 = 4; *(uint64_t*)0x2000000053e0 = 0xfff; *(uint64_t*)0x2000000053e8 = 0x17b; *(uint64_t*)0x2000000053f0 = 0xffffffffffff27a1; memset((void*)0x2000000053f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000005340ul, /*statbuf=*/0x200000005380ul); if (res != -1) r[19] = *(uint32_t*)0x2000000053a0; break; case 25: *(uint32_t*)0x200000006480 = 7; *(uint32_t*)0x200000006484 = 0xee00; *(uint32_t*)0x200000006488 = 0; *(uint32_t*)0x20000000648c = 0; *(uint32_t*)0x200000006490 = 7; *(uint32_t*)0x200000006494 = 8; *(uint16_t*)0x200000006498 = 0x3ff; *(uint32_t*)0x20000000649c = 0x10; *(uint64_t*)0x2000000064a0 = 2; *(uint64_t*)0x2000000064a8 = 8; *(uint64_t*)0x2000000064b0 = 0x7fffffff; *(uint32_t*)0x2000000064b8 = r[8]; *(uint32_t*)0x2000000064bc = 0xffff; *(uint16_t*)0x2000000064c0 = -1; *(uint16_t*)0x2000000064c2 = 0; *(uint64_t*)0x2000000064c8 = 0x200000005440; memcpy((void*)0x200000005440, 
"\x4c\xf7\x7c\x89\xa8\xa3\x6d\x9b\x71\xd1\x6c\x43\xca\x99\xca\xec\x65\x90\x56\x4d\x89\x51\x86\x4c\xcc\xc3\x48\x10\x2a\x77\x79\xcd\x97\xd9\x51\x00\x3a\xe8\x76\xa9\xa0\x30\x1c\x11\x86\x7f\xf6\x43\x2c\x9c\x54\xbd\x04\xee\x43\x3f\xce\x5f\x5d\xb9\xeb\x71\xb7\x62\x21\xd2\x84\xc7\x8d\xc7\xdb\x27\x84\x0c\xa0\xb1\xe9\xa5\xa1\x19\xf0\xd7\x4f\xf6\x48\x5b\x52\xa9\x86\xa6\x71\x7f\x3c\xfd\x72\x6d\x0a\x6a\x03\x8b\xed\x21\x89\x34\x4a\x3d\x14\xc2\xf1\x19\xbf\x2e\x54\x3f\xe4\xe7\x16\xbc\x4c\x5b\xec\x83\x76\x7d\xa2\xf9\x7d\x1c\xce\x4b\x26\x96\xbc\x5f\x99\x89\xfd\x42\xdc\x97\xa0\xc1\x6c\xdc\x2f\xa9\x67\xad\xaa\xa2\xba\xc7\x30\xe2\xcb\xda\x74\x4d\xc3\x12\x1e\x3f\x01\x5b\x66\xea\xe8\x91\x56\xb2\x62\x63\x9f\x95\xbb\x01\x4a\xba\x78\xbf\x2a\x48\x01\x49\x9b\xf3\x82\x68\xd7\x7d\x99\x49\x4a\xef\x48\x6b\x9b\x38\x8a\x1e\xba\xcb\x4b\x77\x1a\x52\xbf\xa2\x99\x90\xe9\x36\x18\xaf\x03\x76\x2f\x95\x3e\x34\x80\xfe\x01\xdd\xe9\x2c\xa7\x83\x5c\xcd\x5e\x88\x64\xdb\xc9\x10\x0d\x25\xc4\xfa\x63\x2c\x9f\xeb\xdd\xfd\xb1\xe7\x7f\x1b\xcd\x76\x79\xea\x46\x89\xd2\xc8\x50\x4e\x50\xaf\x69\x52\xc8\x89\xd3\x28\xc1\x2c\x66\xc9\x0d\x8e\xad\x36\x92\x70\xd9\x4e\x5a\xa3\x42\xfb\x23\x87\xdc\x7c\xfe\x6e\xde\x70\x54\x64\x98\x5f\x30\x1f\xeb\x34\xb0\x02\xcc\xef\xb8\x0f\xde\x10\xd9\xfc\x1c\xb3\x9b\x5f\x87\x75\x24\x98\x6d\xd1\x24\x47\xa7\xc9\x6f\x63\x50\x7c\xb4\xd8\x80\x68\xed\xfd\x77\x48\xfb\x2b\x66\x7a\xe1\xae\xdb\xb4\x16\x37\x75\x74\xd7\x0a\x3f\x6d\xe4\x6e\x4a\x3e\x5c\x14\x9a\x64\xa4\x36\x46\x66\xbd\x99\xfd\xb0\xe4\x13\xa1\x33\x5b\xa9\x32\x57\x5d\x1e\x92\x28\x50\x8d\x61\x4b\x66\x3a\xb1\x7a\xcb\x21\xb2\xac\x4d\x36\x18\xa6\x59\x43\x80\x4d\x5b\xa5\x2c\xbb\x04\x3a\x96\x19\x86\x12\x02\xb5\x05\x14\x0e\x48\x44\xb8\xce\xb6\xfa\xf5\x02\x42\x23\xd9\x63\x6c\xb0\xbe\x38\x4a\x4c\xc1\xdd\x3d\x4f\x35\x76\x29\x52\x1a\x07\x69\x84\x18\xdd\x1a\x97\xc3\x94\x17\x19\x6f\x86\x1a\xfb\x05\xbd\x70\x2f\x4c\xcd\xc3\xd4\x4b\x5a\x41\x93\x37\x8b\x93\x6f\x53\xc5\xc4\xb0\x9c\x98\x58\xbe\x95\xe3\x49\xba\xeb\x7e\xb4\xda\x30\x94\x00\xa4\xdb\xb0\x8a\x24\xd0\xbb\x3
7\x72\xbe\xe7\xa3\x87\x3c\xf8\xd7\x6e\x06\xdf\x6f\x7c\xe5\x91\xf4\x0b\xdc\x84\x9e\xa0\x4c\xad\xe8\x86\xf0\x75\xe1\x45\x8f\x02\x1f\x1b\x73\x0b\x0c\xb5\xc3\x28\xb9\x11\x41\x2a\xee\x96\x16\xab\x5f\xdc\x83\x1e\x34\xce\xa6\x9d\xe1\xa4\x08\x06\xaa\xfd\x4e\x64\xd3\xcd\x70\xc1\xa6\xc6\xf6\x36\xd3\xbb\x94\xc9\x95\x97\x7c\x59\x4f\x0f\x4e\x90\xd7\xae\xc4\x3f\xec\x4c\x8a\xa7\x07\xd0\x0d\xfa\x26\xff\x9d\xb8\xa4\x5e\x6a\xc6\x5b\x5e\x5c\xea\xc4\x3f\x78\xb5\x0f\x1e\x4f\x49\x4c\x85\x82\x7b\x3f\x0e\xa1\xf7\xa4\xfe\x3b\xbb\xd3\x90\xe3\x61\x66\x28\xed\x47\x70\xdd\x36\x66\x94\x89\x35\x13\xdc\x1c\xd2\x52\xd3\x88\x7a\x2f\x19\xa8\x46\xd1\x8e\xe7\xba\xf8\xb5\x68\x0e\x61\x80\x0b\xaa\xf0\x04\x18\x10\xa5\xa2\x1f\xe0\x6c\xba\x83\xe0\x62\x1b\x26\x26\xc3\xec\x5b\xa6\x2d\xfe\x1f\x94\xae\x16\x11\x4c\x9f\x89\xe8\x94\x58\xa0\x69\x22\x2b\x43\xb4\x50\x4d\xca\x5f\xd9\x69\xc0\x66\x66\xdc\xf9\x82\x43\x46\x31\x59\x7b\xab\xaa\xd4\x65\xcb\x73\x9e\x72\x83\x5f\x69\xad\x69\x9b\x0e\xfb\xe2\x16\xa1\x2c\xc1\x88\xd5\x4b\xeb\x66\x86\x1c\x78\xc8\x02\x25\x43\x8d\xeb\x75\xb3\xaf\x96\xa6\x0a\x08\x4e\x68\xed\xce\xca\x25\x2c\x22\x22\x5b\x4f\x3e\x56\xe9\x9f\x97\x6c\x2a\x08\x2a\x29\xf4\xa5\xbc\x3d\x0c\x25\x1f\x91\x22\xb5\x84\x66\x1f\x39\xbf\xd1\x8d\xfb\x9d\x57\xa5\x91\xc6\xd7\x01\x3b\x42\x0b\xd1\xe4\xc4\x7e\x80\x4c\xc4\x0e\xdf\xfa\x4d\xc9\x0c\xda\x1d\xe0\xa6\xe5\xf0\xd7\xa4\xd1\xc0\xa0\x2b\xf9\x25\x82\x90\x06\x43\xf9\x7f\x8f\x2c\xc1\x37\x68\x37\x4c\xc1\x36\x10\xf2\x7c\x3a\xb9\xd6\x93\x14\x79\xd0\x21\x5c\x4a\xd6\x69\xef\x80\x2e\x32\x92\x87\x88\xc5\x25\xf7\x52\xed\xae\x47\x7f\xf8\x9e\xa3\xf0\xc8\x7d\x9e\xc7\xeb\x1e\xf5\x12\xdc\xab\x10\x37\x28\x42\x91\x86\x13\x22\xf8\x72\xaa\x26\x1f\xa4\x67\x46\xed\xd8\x39\x85\xee\x32\x0f\xef\x53\xb1\x15\x18\xf5\xd5\x8f\x84\x68\x19\xb8\x8b\x16\x58\x8c\x13\xdd\x01\x90\x58\xa1\xce\x86\x5b\x4e\x68\x5e\x94\x78\x53\x9b\x9b\x9a\xf6\x9a\x13\x12\x6d\x6a\xd3\x0b\x2b\xac\xb1\x44\xc0\x2f\xfb\x15\x39\x66\xd2\x0f\x56\x56\x84\xa8\x74\x91\x31\xc7\xde\xf8\x8f\x2c\x87\xe4\x8e\xac\x6c\x0a\xf5\x76\xcc\x86\x11\x1
8\xa9\xb7\x18\xdc\xa2\xea\xfb\xc5\x41\x3b\xb6\xe7\x51\x37\x46\x47\x9b\xd8\x01\xf0\x7b\x94\x65\xbd\x80\xd0\xdc\x3d\x83\xee\xb7\xd6\x88\xf9\x13\xbb\xc7\x87\xb2\x3a\x90\xa8\x63\x7c\x57\x98\x84\xa1\x58\x5d\x53\x23\xb0\x4a\x44\x9f\xee\xbd\x0c\xbe\x2b\xc3\x27\x21\x24\x4e\x92\xe5\xd0\x33\xe2\x0d\x0b\x2c\xcf\x8e\xd5\xe2\x39\x00\x19\x9d\xc5\xec\xde\xa4\x29\xa2\x59\x61\xc9\x07\xaf\x8d\x93\xd5\x7d\x5d\x0d\x7f\xf9\x90\x31\x0a\xc0\x92\xdc\x44\x7e\x88\xcf\x81\x61\x7b\x67\x75\x4a\xd8\xee\x0b\x12\x53\x2c\x73\x13\xd1\x5f\xd6\x5c\x9f\x65\xc0\xa9\x4b\x75\x5a\x09\xd2\x40\x78\xbd\xe2\x75\xa4\x44\x57\xec\xa4\xc8\xb2\xb3\xbc\x0d\xfd\x4c\x8a\xcb\x9d\x2c\x6c\x4a\x8d\xaa\x22\xa6\xcd\x96\x1b\x44\x76\xb0\x78\x80\xf8\xcf\x09\x88\xbc\xe7\xdd\x8d\x3c\x3f\xbd\x9c\xfd\xb6\x56\x3b\x68\x10\x34\xb2\x72\xfb\x3c\xde\x59\x1d\xe8\x03\xd0\xb6\x84\x05\xd2\x5d\xea\x80\x1e\xe8\x71\x3a\xeb\x54\x98\x19\x83\x95\x79\x9d\xb2\xab\x19\xfb\xce\xdb\xaa\x3c\xed\x3e\x12\x4d\x29\x3d\x63\xee\x8c\x12\xd9\x31\x07\x9f\xd9\x4c\xa0\xfb\x5c\x45\x69\x32\xa0\x7a\xc6\x65\xb9\x41\x0d\x12\x37\x73\x58\x72\x76\x67\x64\xc0\x5e\x85\x2e\x06\x1d\xc3\x99\xbb\x31\xed\x48\x8d\x1b\xa5\xae\xf5\x3a\xc7\xb4\x53\x6c\x6e\x5f\xc4\x5c\x96\xa9\x93\x85\x51\x2f\xe6\xee\x8a\x22\x78\xa0\x6b\xe1\x9a\x7c\xdd\xf3\xca\x67\x8b\xdd\x73\xc2\x55\xc1\x59\xea\x07\x35\x57\xd6\x66\xf6\x7b\x9d\x1b\x99\x68\xe0\x23\xf6\x36\xc6\x93\xa8\xad\xfc\x92\x3a\xcf\xf1\x08\xed\x43\x70\xbb\x96\x6b\x0f\x4c\x05\x03\x4b\x08\x57\x6c\x2b\xc8\x9c\xee\xb5\x7c\x63\x3d\x2a\x7c\x87\x66\x5b\xe7\xe7\x5f\xfb\x30\xed\xb5\xfe\x9f\xcd\xc7\x25\x6a\x01\x12\xd4\x9f\x52\x03\x18\x00\xb7\x0f\x69\x80\x38\xf0\xf1\xf8\x12\x23\xcb\xe0\xe3\x0b\x47\xe8\x05\x70\x97\x1d\x4f\xa8\x4d\xa5\x80\x99\xf8\x75\xac\x76\x32\x3c\x5a\xc2\x5b\x69\xc5\xea\xf6\x78\x25\xab\x8a\xc9\x8c\xbd\x6d\xc0\x16\x37\x51\xa4\x7a\x1e\x52\x99\x8e\x00\xe0\x5c\x1c\x69\x01\xf5\x04\x34\x03\x18\x72\x79\x02\xb1\xed\x2b\xd2\xcf\xf2\xd2\xed\x09\x60\x1a\x8c\xed\xf4\x52\x8c\x1c\x13\xa6\x70\x37\x5f\xe3\xa6\x85\xc7\xcb\x14\x72\x3b\x55\x9c\xe2\x78\x6c\xa
2\x95\x5a\xe3\x51\xef\xf8\x39\x75\x8c\x31\x1e\x99\xed\x53\xff\x12\x83\x72\xbf\x9f\xc3\x8c\x57\x0b\xd9\x00\xb4\x97\xc9\x31\x61\xc3\x4d\x8b\x4e\x48\x06\xeb\xcc\xda\x16\x11\x44\x5e\xa9\xd6\x76\xbd\xc1\x46\xea\x5b\xa1\x00\xfc\x5d\x99\x5b\x2c\xa6\x07\x09\xfa\xbb\xf6\xaa\xbb\x01\xef\x24\x3a\x12\x9a\x3c\x67\x38\xcf\x66\xf6\xd3\xe3\xb0\x03\x20\xbe\x0f\x85\xe7\x54\x87\x89\x37\xe3\x97\x62\xde\xbb\xf5\xa3\xe7\xa8\x11\x10\x35\x66\x34\x0f\xdf\x7d\xac\x84\x50\xe6\x8e\xff\x10\x2c\xbf\xd4\x95\xa8\x01\xde\x06\xe7\x4d\xf5\x7f\xe0\x6e\x15\xed\xfb\xa4\xda\x71\xa4\x33\x39\xc5\x24\x8f\x42\x2e\xe2\x9a\x22\xef\xa4\x93\x69\x0d\x97\x24\x6e\x20\x83\xbe\x24\xc2\x1e\xe4\xf2\xf1\xd6\x0d\x75\x3b\x2d\xa7\x5a\x15\x40\x8a\xf7\xf4\xff\xc3\xf1\x16\x73\xb8\x93\x45\x79\x57\x50\xc2\xea\x6b\x6c\x78\x9c\x9e\x4e\xd0\x93\x05\x61\x71\xe9\xfd\x9a\x67\x54\x86\xa4\xa5\x1a\xfa\x96\x7e\x00\x9c\x5a\xb5\xda\x74\xfb\x7f\xcd\x00\x04\x4a\xb9\x4b\x28\x7b\x54\x21\x78\x48\xd4\x78\x48\xd6\xa1\x16\xae\xd4\x1d\x45\x4c\xdc\xbf\x4a\xd8\xd8\x6e\x62\x99\x97\xe3\x08\xb8\x6e\x23\xea\x1b\xf1\xa4\xd2\x52\x96\xb1\x9f\xa7\x9f\x2a\x8c\x9b\x13\x70\x2b\x76\x28\xc8\x9f\x71\xba\x6d\x5c\x3a\xa6\x56\xd4\x31\x8c\x4e\xc3\x30\x5b\x9d\x7a\xe2\x93\x74\xe9\x35\x67\x09\xc4\x6d\x40\x1c\x6b\x74\x51\x18\xbc\x70\xd1\xac\x74\xfb\xc5\x7d\x92\x48\xb1\xa9\x15\xde\x03\xdf\x36\x7a\x9a\x10\x44\x75\x27\x75\xe3\xb3\x36\xa9\x35\xbc\x08\x2a\x2c\x88\x29\x9f\xad\x16\x99\x3f\x6e\x3f\x43\x73\xde\x0c\x48\x8a\xf1\xaf\x00\xad\xb9\x40\xcb\x45\xf5\xcf\xd5\x37\x2d\x6c\x0a\x4c\x69\x6f\x96\x63\x6d\x52\xd2\x79\x39\xde\x72\x99\x74\xa9\xa5\xbe\x21\xf9\x9b\x49\xfc\x6d\x4c\x65\xac\xa9\x8c\x28\x74\xf3\x67\x1d\xe2\x92\x64\x94\x1c\xd4\xa4\xa6\xbe\x0b\x20\x21\xac\x02\xad\xcd\x17\x56\xbf\xcf\xf1\x0e\x76\x55\xdb\x95\x8b\xb9\x99\x81\x0d\x8b\x3f\xee\x98\x32\x64\x6d\xed\xbe\xee\x86\x89\x2e\xce\xb4\xfa\x04\xb7\x28\x4f\xdc\xe5\x66\x9d\xc7\xee\xb7\x75\xd0\x09\xca\x17\x6d\x82\xbb\xdd\xd4\x26\x27\x16\xef\xbb\xe1\x8c\x8c\x79\xf6\xc7\x6c\xb5\x9b\xfa\x82\xa1\x9a\x66\x81\xe0\xd5\xa4\x9d\xbd\x64\x2
9\x33\x64\x8a\xf8\x81\xc5\x69\x40\xe8\xc5\xe1\x8f\xb8\x28\x8c\x35\xe1\x30\xe1\xf6\x28\x17\xaf\x3f\x18\x7d\x00\x2d\x1b\x9a\x1d\x58\x4b\x66\x2e\xbc\x5c\x9c\x95\x20\xc4\xd5\x16\x64\x9f\x2d\x99\x36\x3e\xff\xf1\x16\x34\x8c\xae\xd4\x35\x56\xb5\x8e\xa9\xb7\xc4\x25\x5f\xd2\x7e\xfb\x05\xed\xec\xe7\x55\x35\x96\x3d\x32\xef\x59\x7e\xb1\x33\x49\x5d\xc6\xff\x01\x17\xd9\x23\x02\x7f\x10\x8d\xbc\x64\xcb\xaa\x4b\xed\xd5\x65\xe0\x57\xa0\xe2\x86\x49\x90\x8d\x87\xab\x01\x64\xa1\x15\x5a\xbe\x46\x03\xec\x3f\x81\xc3\xb5\x32\x7e\xd0\xd5\xe1\xfc\x89\x01\x62\x51\x0a\xfc\xa7\xb9\x1d\x61\x85\x75\x73\xf6\x18\x43\x86\xa7\xa7\xcb\xfb\xa8\xef\xf7\x9f\xb8\x83\xd0\x4a\xa6\xbb\x7f\x93\xf7\x76\xa3\x75\x56\x5f\x67\xa0\x37\xe4\x75\xe2\x8b\x57\xf4\x2c\xa0\xfc\x54\xa3\x0b\x9d\x91\xee\xd1\x24\xcd\xc1\xbc\x53\xfe\xaa\x47\x58\x28\xf2\x0d\xb8\xba\x50\x81\x5c\x81\x2a\x1e\x9c\x74\x54\xcd\x41\x44\xeb\x9a\x42\x3e\x6d\x17\x2e\xde\xe0\xba\xd9\x4c\xd1\x50\xbb\xeb\x4d\xea\xbc\x6e\x98\xe3\xe5\xf7\xc6\xbb\x47\xf3\x5f\x11\x0e\xec\x4b\xa6\x32\xe9\xc4\x26\xaf\x69\x9a\x5b\xd6\xc2\x33\x1e\xf0\xc1\x1d\x24\xa5\xa3\xf3\x88\x8f\xae\x3a\x36\xa8\x9f\xb8\xa0\xdb\xdb\xa9\xca\xdf\xb9\xe0\x52\xa9\x3f\x00\xed\x75\x75\x5b\x4d\x78\xd9\x9a\xaa\x84\xf6\x9d\xcc\x6a\x6a\xb0\x5e\xad\xd8\x17\xb9\xf7\x04\xe9\xa7\x69\x7a\x31\x5f\x36\xac\x99\xd2\x99\xb5\xcb\x8a\x2f\x0c\x7c\xd5\x3a\xa1\x6f\xda\xd2\x33\x19\x47\xd8\x1a\x52\x73\x4d\xc3\x8e\xfd\x03\x09\xb4\x83\x7f\xcc\x18\xc8\x8a\x0c\xb8\xbf\x5f\x96\xe4\x20\x91\x92\x26\x6a\x2c\x7f\x60\x37\x1d\x41\xfc\x8c\x7d\x05\x0a\xe4\x3b\xf5\xf6\x74\x07\xb5\x4f\x4b\x73\x1e\x0f\x71\x95\x65\x9c\xd7\x1e\xcc\xcf\x87\xe6\x8e\x1b\x4b\xb8\x74\x70\x73\x36\xca\x5b\xce\x6a\xe7\xd5\x88\xd6\xd6\x8e\x2f\x66\xea\xf0\xfa\xa2\x6d\x48\x8e\xf0\xa1\xa0\xb5\x96\x86\xaf\x81\x20\x55\x8f\xd7\x6c\x9d\x19\x59\x0a\x96\x11\xd5\xf3\xec\xa0\x0e\x14\x81\x94\xd9\xb6\x95\x94\x12\x4b\xe0\x05\xcd\xde\x6d\x57\xb2\x6c\x53\xac\x64\x88\x23\x6d\xe7\xdc\x8e\xf1\x7e\xee\x67\xcd\x94\x8e\x32\xd8\xc1\x1f\x14\xbd\x24\x78\xb5\xd7\xe2\xc1\xd3\x9d\x02\xb4\x75\x9
5\xce\xbe\x08\x51\xf9\x94\x48\x96\x0d\xd6\x4c\x14\xa8\x4d\xac\x88\x7c\xe5\xb3\x93\x09\xb1\x53\x0b\x71\x29\x5c\x36\xb1\xb1\x95\x92\x24\x2d\x66\x17\xf9\xba\x31\x5c\x8d\x0a\x9d\x39\x79\x25\x41\xd1\x1c\x0e\xc9\x99\x97\x51\x69\xe8\xaf\x06\xa4\x44\xb7\x16\xc4\x52\x40\xb3\x15\xa0\x89\x61\xfa\xc6\xa6\x96\x81\xd8\x32\x19\x8a\xad\x3d\xe1\x0e\xf3\xa4\x88\xf5\x07\xab\x56\xfd\x19\x4f\x6d\x94\x37\x6d\x24\x96\x8d\x5c\xaa\xdf\x3f\x2c\x3e\xfb\x66\x7d\xd1\xd1\x9b\x18\xdc\x8d\xab\x53\xdf\x92\xc2\xdc\x0f\xb4\xad\x49\xaa\x80\x34\xcf\x6f\x9e\xae\x62\x20\xbe\xae\xc0\x87\x84\xca\xc7\x65\xda\x9e\x98\x21\x9e\xca\xe0\xfb\xa0\x94\x24\x0d\x3d\xf3\x4f\x3c\x89\x53\x9b\x20\x6a\x9a\xf3\x8d\xac\x75\x87\x4b\x0b\xee\xed\xc9\xb3\x79\x5d\x5f\x1d\x1f\x90\x65\xa8\x1a\xc5\xe1\x55\x88\xc1\x79\xc4\xb0\xef\xfc\xba\x46\x6b\x91\x70\xb1\x2e\x72\xfb\x52\x5a\xcc\x0e\x2b\xf5\xb8\xc4\x3e\xfb\xdf\x53\x27\x9e\x5c\x9f\xee\x04\xb0\x29\xdb\x52\x20\xba\x82\xd4\x93\x0e\x96\x37\x4b\xaf\x43\x38\xae\xf5\x55\x0f\xb5\x92\x20\x15\xa1\xf9\xf0\x76\xf3\x61\x5e\xe6\xd8\x14\xda\x80\x8d\x1b\xbc\xad\x1b\x17\x6d\x5b\xb2\x0b\x79\x58\x82\x47\x6c\x0c\x72\x34\x5e\xb1\x61\x34\x80\x7a\x82\xb9\xd8\x6c\x9d\x7a\x4d\x84\xd1\x89\xbe\x30\x9b\xa0\x25\x30\x3e\xea\x18\x89\xb0\x5c\xdc\xea\x4c\x20\x73\xcf\xb3\x0b\xb3\xb9\x0f\x35\xbc\xd6\xee\x79\x0f\x13\x60\xf9\x63\xdc\xd6\xbe\x81\x16\x8d\xe7\x5e\x1d\x04\xe8\x15\x0d\x2c\x00\x00\x5d\xf7\xfa\xde\xac\x9e\x5c\x3d\x20\x26\x79\x9c\xbb\x2a\x2d\xb4\x26\x8e\x4d\x1c\xb6\x14\xf1\x58\xef\x12\xa0\xb2\x28\x2e\x42\xba\x33\xff\x9d\x67\xce\xda\x79\x32\x0f\x1d\x89\x72\x77\xf4\x86\x58\x8a\x0d\xc0\xe4\x6c\x1c\x0f\xa2\x23\xbe\x06\xcd\xac\xa9\x09\x48\x33\x58\xbe\x8b\x18\x2b\x37\xe3\x78\x9f\x7c\x93\x95\x9c\x0b\x45\x33\x5b\x2c\x00\xca\xd1\xa7\x0f\x8d\x04\x08\x13\x83\xa7\x9c\x3f\xd5\x95\xfc\x86\x47\xbb\x65\x52\xc6\x08\x1c\x26\xc7\x20\xed\x1b\x22\x9a\x19\x2b\x9a\x91\xfa\x1e\x12\xcd\x31\x84\x0f\x86\xe0\xda\xd7\xfe\xb7\xda\xde\xad\xd2\x32\x70\x9b\xc9\x9a\xa8\xfb\xc3\xa8\x7a\xf0\xd5\xc8\x2e\x53\xac\xeb\x61\x22\xbf\x9b\x71\xb7\xbc\x9
2\xa0\xa0\x63\x95\x7c\xc6\x66\xfa\xfb\xad\x1f\x68\x8b\xd9\x11\x60\x8b\xfc\x76\x81\xc6\x4d\x81\x91\xc5\xd0\xc8\x0f\x7d\xed\xd5\xa9\xad\x4e\xbc\xcd\x04\xe2\x61\x8d\x9a\xad\x12\x1f\xd9\xaa\x8b\x8d\x68\x48\x72\x0a\x73\x67\x22\xc7\xec\xed\x31\x54\x04\x19\x65\x9c\x09\x11\xa0\x6e\x03\x9e\x95\x9c\x84\xdd\x5c\xc1\x64\x0e\xba\x08\x50\x5e\xa4\x89\xa1\x21\xdd\xca\x4a\x09\xc6\x3b\x2e\x27\x1d\x1e\xdb\x91\xae\xa0\x42\xe9\x2b\xea\x12\x93\x9a\xb6\xd4\x15\x7e\xfa\x94\xa6\x8d\x07\xb5\xf9\xb2\x05\x8b\xcc\xae\xf5\x82\x6e\xbd\x37\x65\x7a\x99\xbe\x45\x13\x4a\xa3\x0a\x84\xa4\xc4\xe0\x8e\x46\x3b\x75\x64\x5c\x2b\x72\x6c\x14\xf3\x57\x50\xef\xa6\x80\x40\x8d\x1e\xa9\xf3\xf5\x6f\xeb\x10\x60\xc7\xb8\xe8\x11\x46\x81\xc2\x49\x92\xaa\x2e\x1e\x65\x21\x9a\x03\x6a\xfc\x03\x4d\xba\x75\xa3\x90\xaf\xce\x29\x63\xd7\x56\xc7\xea\xf6\x7d\x21\x3c\x75\x37\x19\x35\xf9\xea\xb4\xd4\x28\xc5\x43\x22\xe3\x24\x98\xa4\x34\x02\x54\xcc\x41\xfb\xb5\x5c\xf6\x3b\x4f\x3f\x43\xc8\x93\x01\x01\xf3\xae\x35\x42\xfb\x96\xac\x77\x62\x63\x78\x9a\x98\x4a\x3a\x62\xbb\x46\xc5\xa4\xa4\x1b\x85\xf9\xd6\x6b\x47\xfb\x28\xea\x76\x5b\xbc\xdb\x52\xb0\x1f\x4c\x15\xeb\xe1\x88\xb4\x54\xc3\xae\x27\x7d\xc8\xa9\xf8\xa1\xc6\x34\x16\x3c\x63\x1b\xd5\x43\x0a\x8a\x80\xb8\x0b\x37\x33\x41\x3a\x1e\x00\xeb\x3f\xff\x34\xbc\x5a\xa8\xd9\x07\xd7\x9d\xe8\x86\x6c\xbc\x6f\x10\x66\x13\x56\x27\x77\x16\xc8\x84\x74\xbe\x9b\x39\x30\x18\xa7\xd8\xb9\xb3\xe1\xce\x4b\x7a\x32\x6b\x77\xf6\x2f\xcf\xa9\x49\x4e\x1b\x7c\x02\x80\xc3\xa2\x5e\xe3\x46\xc9\x4a\xe4\xcb\x3a\xf3\xfe\x09\x53\x4e\x63\x83\x6d\x5a\x00\xa6\x28\x08\x74\x2f\x5c\xc9\x26\x08\x8a\x6e\xd1\x1e\xa2\x05\x1a\x33\xc6\x0b\x2d\xed\xd2\x06\x9f\xc9\xfc\x2f\x2c\xd4\x53\x66\x61\x8e\x11\x00\x02\x16\xef\x80\x17\x16\x3a\xa8\x28\xea\xe1\xd1\x5f\x02\x06\x7a\xa4\x6a\xf4\x67\x75\x0c\xfd\xd3\x6f\x7e\xcb\xa0\xfd\x1f\x73\x82\xc2\xa7\x8a\xa4\x0c\xcb\x03\x7e\xd7\x24\x90\x75\x9f\x08\xe4\xa2\x57\xb7\x3e\x1b\x45\x19\xec\x47\x20\xd9\x08\x1d\xd4\x64\xa4\x7a\xd4\x68\xf8\x88\x1c\xa3\x02\x3e\x75\x31\x00\xae\x0a\x1b\x29\x89\xac\x57\x4e\xbb\x9a\xc
9\x13\x4b\xf1\x62\x02\xce\x61\xae\xaa\xfd\xf7\x68\x9b\xb9\x21\xc4\xa3\x9a\x46\xf0\x3a\x14\xde\xcf\xfe\xc7\x8c\xf9\xff\xd0\x1b\x4f\xca\x7d\x7b\xd4\x00\x30\xfe\xfa\x02\x59\x1a\x28\x45\x1b\xd3\x5d\xa7\x46\xdb\x7b\x5c\xdf\xd5\xee\x9e\xb6\xc5\x1b\x3b\xe0\x5f\xb0\xcd\x5d\x39\xe8\x10\x3b\x0e\x90\x3e\xec\x11\x0b\x3f\xf1\xf9\xdf\x98\x12\x32\xa5\x58\x23\x42\x81\x03\x9b\x46\x63\x76\x41\x84\x9d\x64\x12\xfe\xb7\x4a\x37\xb1\x39\x3c\x31\x51\x3c\xd9\x94\xad\x23\x9e\x20\xad\xdc\x7b\x6b\xe2\xbe\x44\x88\x57\xba\xcb\x20\xcb\x14\x69\xfe\x94\x46\x94\x6b\x6d\x60\x34\x9f\xf3\x92\x19\xf7\xc0\x02\xec\xb4\xdb\xfd\x31\x7f\x79\xd9\x50\xb3\x95\xdd\x77\xcf\xd4\x9a\x6f\xad\x36\xbe\x0b\xd4\x59\x1e\x4d\x2c\xa8\x37\xfe\x73\x74\xa3\x67\x92\xcc\xb0\xb2\xb0\x27\xc6\x9d\xcb\x08\x52\x74\x93\x09\xb9\x37\x17\x72\x72\xf4\xa8\x0d\x8e\x2a\x24\x99\x7f\xfc\xa2\x08\xb7\xf5\x28\xbe\x82\x11\x65\x56\xd2\x35\xf1\x7d\x57\x4d\x17\xac\xc1\xc4\xb5\x83\x63\xf0\x3f\x6b\x21\x77\xa2\xd9\xbd\x31\xd7\xda\x8b\x2d\x37\xea\x2a\x5e\xac\xe2\xb4\xf3\xea\xb5\x49\xcc\x55\xb3\x8e\x0f\x17\x31\xcc\x82\xef\x54\x8a\x5c\xb6\xa7\x56\x4b\x44\x2a\x86\xda\x73\x12\xa9\x4a\x13\x15\xe2\x70\xf3\x90\xa1\x97\xb9\x1e\x43\x5f\xa7\x04\x43\xf3\x87\xcf\x53\x73\x8f\x77\x5a\x23\x62\xa8\x72\x17\xb5\x74\xf8\xf6\x3c\xa6\x36\x13\x37\x52\x05\xdc\x19\x44\x98\xa0\xc9\x29\xff\x13\x00\x14\xd7\x42\x6a\xf7\xc0\xd0\x98\xd6\x9a\xff\x0d\xa1\x02\x7b\x12\x3c\x02\x3e\x73\x2e\x0c\xa1\xeb\x69\x5b\x42\x10\xad\xca\xef\x92\x85\xfe\xc8\xc8\x3f\xea\x7e\xfb\x3b\x5a\x09\xab\x0e\x26\xa2\xc0\x92\x6e\x15\x8e\xe1\x70\x89\xef\x7f\x8e\xab\x53\x75\x71\x8b\xa2\xe8\xab\x68\x3d\x2a\x1e\xef\xe2\x5c\x2e\x30\x3f\x41\x9e\xd0\x14\x23\x79\x98\x67\xe0\x2e\xb0\x1a\xe2\x00\x02\x20\x71\x36\xa6\x0a\x87\x50\x77\x39\x3a\x01\x9a\xe7\xdf\x3a\xad\xc5\xd4\xae\xd4\xd4\x59\xce\xdd\xe9\x66\xd8\x4f\xa6\x4c\x2e\x56\x48\x60\x17\x2b\xe4\x1b\x9f\xbd\xcc\x9b\xb2\x9c\xc2\xaf\x86\xbc\xb8\xda\x14\xd1\xd7\xef\xd6\xd9\x0f\xef\xd4\x73\xfb\xac\x5b\x05\x59\xac\x2b\xdc\x11\x0c\x7f\xda\xa9\x21\xd9\x20\x73\x1f\x36\x2f\x95\xd4\x2
6\x68\x0b\x73\x31\x2d\xa5\x8f\xac\xc4\xd0\xa1\xd7\xba\x59\x0b\x3e\x91\xc0\x3b\xf3\xb5\xf5\x00\xa5\xca\xe4\x6b\xed\x37\x37\x02\x12\x9e\xe2\xf2\x5b\x05\x00\x21\x9b\xbe\xc0\x50\x28\x59\x49\xf2\xde\x49\x48\x32\x89\x64\x32\x9b\x1a\x46\xa3\x84\x21\xc1\x37\xcb\x95\xb9\x92\x90\xb4\xf6\xcb\x46\xb5\x76\x69\x7c\x95\xb9\x37\x8e\x7c\x15\xca\xa0\x4a\xb0\xe8\xa0\x4b\x8d\xf8\xbc\x46\xd6\x15\xfa\x29", 4096); *(uint64_t*)0x2000000064d0 = 0x200000006440; memcpy((void*)0x200000006440, "\x1c\x3d\x61\xef\xc1\x46\x7b\x6b\x61\xe9\xe5\xf0\x6f\xa3\xd1\xdc\xc0\xe7\x00\x35\xdc\xc9\xc6\xc3\xb0\x0d\xf5\x89\x00", 29); res = syscall(__NR_shmctl, /*shmid=*/0x8001, /*cmd=*/0xfffffee8, /*buf=*/0x200000006480ul); if (res != -1) r[20] = *(uint32_t*)0x200000006484; break; case 26: res = syscall(__NR_getgid); if (res != -1) r[21] = res; break; case 27: res = syscall(__NR_geteuid); if (res != -1) r[22] = res; break; case 28: *(uint64_t*)0x200000006a80 = 0xfff; *(uint64_t*)0x200000006a88 = 0xd; *(uint32_t*)0x200000006a90 = r[6]; *(uint64_t*)0x200000006a98 = 7; *(uint64_t*)0x200000006aa0 = 2; memset((void*)0x200000006aa8, 0, 16); *(uint64_t*)0x200000006ab8 = 0xf; *(uint16_t*)0x200000006ac0 = 0; *(uint16_t*)0x200000006ac2 = 0x46; *(uint32_t*)0x200000006ac4 = -1; *(uint32_t*)0x200000006ac8 = 0; *(uint32_t*)0x200000006acc = 0xfffffffd; *(uint32_t*)0x200000006ad0 = 0xf7; *(uint64_t*)0x200000006ad8 = 0x7f; *(uint64_t*)0x200000006ae0 = 8; *(uint32_t*)0x200000006ae8 = 9; *(uint64_t*)0x200000006af0 = 3; *(uint32_t*)0x200000006af8 = 0x200; *(uint64_t*)0x200000006b00 = 4; *(uint32_t*)0x200000006b08 = 5; *(uint64_t*)0x200000006b10 = 0x62; *(uint32_t*)0x200000006b18 = 5; *(uint32_t*)0x200000006b1c = 0xff; *(uint32_t*)0x200000006b20 = 0x6cbf; *(uint32_t*)0x200000006b24 = 0x48; *(uint16_t*)0x200000006b28 = 0; *(uint16_t*)0x200000006b2a = 0x8001; *(uint16_t*)0x200000006b2c = 0x7f; *(uint16_t*)0x200000006b2e = 6; *(uint16_t*)0x200000006b30 = 8; memset((void*)0x200000006b32, 0, 2); *(uint32_t*)0x200000006b34 = 0x40; 
*(uint32_t*)0x200000006b38 = 0xffff; *(uint16_t*)0x200000006b3c = 0xa; *(uint16_t*)0x200000006b3e = 0xb04b; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0c0586d, /*arg=*/0x200000006a80ul); if (res != -1) { r[23] = *(uint32_t*)0x200000006a90; r[24] = *(uint32_t*)0x200000006ac8; } break; case 29: memcpy((void*)0x2000000016c0, "\x27\xfe\x2f\xfe\x47\x40\x4c\x4a\xc0\xa1\xec\xab\x30\xbb\xcb\x86\x4e\xad\x78\xfe\xd0\xc0\xe1\x75\xac\x99\x94\xf2\x2c\x05\xa4\x71\x88\x98\x8b\x3f\xf7\xcd\xde\xc1\xf6\xf3\x9e\x60\x61\x60\xf4\xf1\x99\xd3\x74\x5e\x26\xe2\x74\x8d\x68\xe3\x5a\x99\xf1\xbc\x4a\xc3\x20\x84\x63\x4f\x2c\x0b\xa5\xd1\xe0\x00\x0e\x2d\x5b\xee\x77\x7a\x2a\xb5\x09\xe7\xc9\x4c\x43\xf2\x97\xb8\x25\x93\x43\x78\xff\xa3\xbb\x79\x42\x25\x6f\xc5\x2a\x69\xe2\x38\x20\xcd\x52\x0e\x75\x59\xed\x9a\x31\xa9\x54\xdf\x95\x5d\xe5\xbc\x7c\x18\x55\xd9\x74\xb9\x5f\xf0\x0a\x84\xdc\x2d\x9a\xd6\x79\x64\x33\x44\x34\xd5\x28\xbc\xe5\x93\x48\x08\xb4\x8f\x8e\x25\x1a\x17\x9e\xb4\x7d\xee\x2a\x10\x8b\x50\x09\x2f\x55\x98\x16\x13\x6c\xff\xe9\xbd\x6e\x0a\x34\x00\x4e\x62\xd5\x0f\x73\xc1\x4b\x23\xce\x17\x51\x8f\x95\x4c\x4b\xc6\x1e\x61\x75\x75\x6c\x12\x04\xe2\xf2\x7c\x18\x2b\x9e\x3a\x7e\x3b\x82\x3d\xc2\xd2\x10\xe5\x23\x2c\x7a\xd0\xe8\xd8\xe0\x49\xf0\xe9\x20\x60\xb6\x20\x49\x9b\x0b\x8f\x4b\x4b\x97\x1d\x29\xa9\x7a\xe9\x4c\xe3\xce\xa6\xfb\x4e\x42\x96\xf7\x2e\x3d\xea\xbf\xf5\x62\xe7\x92\x43\x93\x3c\xfc\x53\x00\xe3\xc4\x1c\x6a\xb9\xc0\x55\x9a\xe2\x4b\x21\xce\x45\xbc\x69\xb7\xa1\xeb\x56\xc0\x8b\x82\x2b\xa1\x0f\xbc\xb0\xbd\x23\x8f\x6f\xcd\x60\xed\x24\x09\x2b\x3f\x47\xf1\x90\x0e\x3d\x33\x73\x37\x96\x49\xda\xa3\x95\x9b\xcb\x31\x9d\x7a\x74\xab\x3e\x62\xbb\x5f\xbd\xfa\x42\xf9\xd3\xb3\xe7\x34\x0e\xfd\x12\xd9\xdb\x73\x8b\x9a\x7a\x58\x1d\x91\x4f\x4d\xeb\x34\x00\x5a\xac\xae\xe8\x65\xdd\x59\x5a\xd5\xf0\x07\xc4\x8b\x51\x68\xe6\x99\xe5\x2d\xec\xc6\x66\x50\x9f\x0b\xac\x51\x6d\x5d\x8b\x1e\xcc\x1c\x99\xe6\x01\xb8\xf8\x5a\xf1\xc6\x76\x23\xfd\x2c\xff\x7b\x88\x38\x41\xae\xcd\xdf\x3a\x85\x23\x99\x80\xd3\xea\x2a\xe6\x37\x8d\x59
\xcc\x24\x2b\x2a\xbc\xda\x91\xe9\x18\x48\x7c\xfe\xa0\x37\x83\x90\x17\xee\xfb\xed\x85\xe0\xde\x24\x14\x8b\x3c\x67\xec\xad\xc8\xbb\xe5\x1f\xfd\xd0\x69\x6a\x55\xd8\xff\x21\x52\x31\x78\xa6\x82\x9e\xc4\xd3\xf2\x59\x77\x43\x3b\x85\xe9\x23\x8f\xe5\xd8\xb1\x43\x7c\x54\xa9\x33\x82\xfa\x15\x25\x49\xcf\xca\x4e\x47\x00\x70\x5f\x3c\xe5\xa2\x60\xa4\xb9\x43\xdd\x3e\x53\x2c\xc1\x96\xc8\x12\x95\x18\x22\x55\x66\xe9\x3e\x29\xa8\xc6\xf0\x2f\x05\x4a\x94\xee\x5f\xe2\x1e\x5a\xd5\xbf\x55\xdd\x7f\xde\x9a\xc6\x41\xf3\x47\xa9\x92\xe8\x19\x7f\xe5\xfc\x4b\x9c\x65\xef\x4d\x68\x79\x21\xdf\xf0\xf6\xcb\x82\xa3\xa9\x6f\x6d\xf1\xcf\xae\xdf\xfc\xed\x7c\xb0\x6b\x21\xde\x9b\x83\xcd\xe5\xf9\x6b\xda\xd6\xee\x4c\x61\x7b\x9d\xa7\x66\xcc\x44\x37\x12\xf8\x4e\xf7\xc3\x87\x08\x07\x0b\xd1\x9d\xb9\x0a\xbe\x25\x10\x09\xd9\xbb\xcc\xe7\xc4\x19\xbf\x7e\xfa\x7e\xa7\x00\x86\xa9\x5a\x27\xe7\x35\x9d\x3b\xcf\x81\x89\x9b\xb6\xb7\x56\x0c\x58\x22\x7d\xb9\x2b\xbe\x34\x2e\x60\x01\x9f\xf0\xcd\xbe\xec\x13\xbd\xb5\x6c\x5b\x5f\xdf\xdb\xce\x7e\x2f\x5a\x7d\x97\x1d\xbb\xc6\x4c\x59\xc5\x11\x1d\x0b\x45\x2a\xf5\x79\x80\xe2\x17\x85\xd5\xaf\x08\x84\x82\x2d\x12\xf4\x08\x1e\x83\x81\xd1\x6e\x0f\x41\x19\x36\x27\x4b\x90\x30\x21\x5c\x4b\x0b\x47\x07\x4d\xab\x09\xb9\xfa\x23\x22\xa8\x80\x50\xa6\x24\x48\xff\xb2\xbd\xbb\x9d\x6b\x87\x52\x1b\x3b\xfe\xb5\xde\x77\x36\xa4\xde\x11\xff\x4e\x56\xd4\x1a\xae\xd9\x00\x61\xe8\xf1\x3c\x37\x89\xa4\x4a\x63\xe7\x69\x02\xc4\xee\x9b\x6f\xc7\x35\xab\x8f\xf9\x52\x5a\xf0\xab\x52\x16\x7e\x04\xd3\x47\x96\x67\x85\x2b\x75\x5d\x00\x74\xcc\x95\x07\x80\x94\xdf\xe0\x39\x26\x00\x7f\xcf\x4b\x2b\x68\xe2\x62\xd1\x17\xdf\x6c\x91\x81\x27\xcd\x6a\x56\x42\xb8\x0c\x30\xbf\x91\x6a\x1e\x51\x52\x02\x29\xe1\xe0\xec\xe3\x5a\xc9\xb9\x09\xfd\x5f\xf9\x2b\x93\x0a\xa5\x5a\xe6\x0a\x2a\x7f\x52\x74\xe0\x47\xae\x70\xcd\x1d\x89\x4c\x3a\x93\x09\x4d\x5e\x88\xca\x4f\xf4\xa1\xf7\xa7\x4c\x25\x72\xc5\x91\xf2\x54\xec\x09\x46\xde\x4f\x96\x24\x83\x88\xb0\x6f\x7f\x0a\x7d\xaa\x49\x0f\x43\x59\x18\x4a\x76\xa5\x6a\x9b\xbc\xa5\x93\xc6\xf6\xfe\x47\x9c\x67\x5f\xb0\x2c
\x63\x54\x7d\x08\x04\x96\x3b\xbb\xfe\x5c\x66\x87\x69\xf3\xcf\x16\xbe\x9c\xd5\x11\x78\x03\x0d\x64\xcc\x2b\xb9\xd8\x26\x34\x39\x9d\xb8\x85\x9e\x48\x87\xc8\xce\xce\x4c\x85\x2f\x5c\xb7\x6c\xe7\x0a\x6c\x4e\xdd\x0e\x8a\x46\x5c\xbf\x78\x27\xb2\x1b\x55\x38\x57\x97\x71\xfb\x56\xb7\x99\x74\xaa\x36\x28\x85\x16\xbd\x08\xa9\x39\x49\x00\x16\x0f\x75\xd6\xbb\xe8\x9d\xe7\x0f\x8b\x5c\xea\xcc\x94\x19\xfc\x5a\x3d\x5e\xe5\xea\x78\x3d\x0c\xa8\x08\xa6\x24\x8c\x13\xad\x17\xc8\x73\xbc\x93\xe0\xe5\x0a\x39\x48\x7f\xb2\x5e\xc3\x23\x30\x70\xd7\x77\x6e\x7c\xe8\xba\x02\x2c\xcd\x8e\x2d\xb5\x64\x55\x94\xe0\xb2\xd8\x74\xed\xe7\x39\xf9\x3b\x61\x7f\xfe\xfa\xf3\xd8\x46\x8e\x66\xee\xcc\x85\x61\xfd\xb8\x1d\xd4\xfe\x7c\x77\x9d\xd9\x3c\xce\x31\x7a\x8f\x5c\xb8\x65\x51\xc2\x61\x66\xc7\x82\x4c\x87\x14\x0d\x96\x47\x50\x8c\xbb\xc1\x5c\x1d\x3b\x72\x08\x60\x91\x68\x90\x9e\x89\x0e\x9e\x9f\xd2\x67\x1d\x3a\x9a\x75\x27\xa7\x34\x47\x1f\x2c\x74\x80\x92\x6d\x8d\x18\xba\x6e\x24\xda\x6d\x6c\xee\x42\x2a\xeb\xfb\x14\xd1\xf1\x2a\x91\x5f\xfb\x73\x75\xcc\xb3\xec\xc9\x86\x3c\x45\x53\x4a\x97\xa9\x22\x43\x32\x17\xdd\xe2\x20\x35\x45\xaa\x98\x3e\x2a\x6c\x54\x65\x11\xd8\x62\x64\x28\xaa\xbe\x7c\xec\x1d\x0e\x81\x24\xde\x19\x83\xd5\xab\x1e\xd6\xe9\xde\xe8\x2f\x0d\xf4\x69\x9f\x4a\xb7\x07\x06\xc3\x4c\x75\x4d\x0c\xd8\xb6\xde\x54\x1c\xa8\xa7\x1d\x5f\x98\x25\xfc\x13\x15\x84\x80\xd5\x98\x0e\x64\x15\xcc\xa0\x5c\x57\x57\x89\x41\x69\x22\x3b\x43\xcc\x29\x63\x09\x18\x24\xcf\x95\x3f\xcf\x54\x53\x05\x58\xad\x5c\xe4\x22\xfc\xe9\x9f\x5f\x26\x50\xb7\xde\xc7\x02\xfe\x12\xbb\xb0\x8c\x28\x51\x9f\x08\xb6\x35\x4c\xf5\x8d\x01\xf0\x27\x23\x70\x70\xcb\x43\x8f\xe4\x80\x7b\x7b\x1f\x7e\xbc\x27\xf2\x74\xfd\x50\xef\x37\xad\x06\x0a\x7a\xdc\xdf\x65\x96\x2f\x8a\x52\xc0\x4b\x56\x9d\x7d\xb3\xd8\x6a\x0f\xeb\x6c\x78\xed\x1a\xdb\x36\x18\x66\xf7\xd5\x60\x65\x69\xd9\x10\xc6\x72\x7c\xdd\x76\xc6\xbb\x2a\x40\x5e\xd1\x2d\xfc\x2e\xdc\x81\x66\x67\x87\xf3\xa3\xa2\x39\xc6\x2f\x65\xd2\xd9\x8d\x8b\x07\xc5\x91\x13\x55\xa3\xa6\x20\x66\x46\xfe\x74\xc0\x75\xa6\x77\x80\x72\x87\x0f\xd6\x52
\xaa\x4d\xf9\xaa\x3b\x96\xf1\x45\xc3\xaf\xa7\x4f\x5a\xaa\x8d\x7f\xf0\x42\x7c\x93\x89\xdd\x54\x62\xaf\x0e\xb6\x82\x8f\x3a\xa5\x4c\x75\x2b\xb4\xc8\x9d\x18\x21\x07\x61\x72\xa9\x25\xf1\x46\xae\xf7\x89\xde\xb1\x4c\x6b\x6c\xb2\x87\x33\x88\xcb\xe0\xbe\x06\x28\x71\x04\x8c\x49\x67\x9d\x72\xc3\xf3\x25\xc7\x7e\xa3\x19\xed\x28\xfa\x27\x86\x10\x40\xf6\xbe\x5d\x4f\x32\xcf\x29\xca\xc1\x12\x43\xda\x04\x2b\xec\xf2\x12\x5d\x21\xe7\x35\x49\x3a\xc7\x69\x4a\xa9\x61\xee\x92\x44\x3f\xc5\x88\xc2\xad\xc0\xf9\x7a\xc7\xb5\xfa\xe1\x0d\x43\xdd\xb8\x1f\x31\x12\x85\x82\x18\x5b\x9a\xa1\x24\xfe\x6e\xd7\x80\xac\x95\x4f\x84\x42\x17\x67\xf9\x0f\x5c\x0b\x56\x94\x43\xd6\x3b\xea\xc0\x68\x4e\xd6\x8b\xc5\x03\x9a\x27\x56\x7b\xd2\x33\xb8\xf2\x67\x5e\x1a\xfa\x14\x0d\xf8\xe1\xe6\x4f\x0a\x90\xec\x55\x3b\x52\x17\x27\x39\xd0\xd6\xb3\x88\x49\x47\xf2\x66\x69\x29\xcb\x5d\xd7\x93\x19\x42\xc0\x6e\x9d\xf9\xec\x79\x17\xf1\xd9\x3a\x2f\x0f\xbe\x5c\xd0\xf5\x73\xc0\x10\x2f\xf0\x20\x5e\x4d\x59\xdd\xd6\x03\xdb\x5d\xa5\x66\x94\xbd\x92\x87\x3e\xe2\x1f\xe7\x78\x6a\x87\x42\x8b\xdf\x19\xa1\xa8\x7d\x72\xba\x69\x7f\xbe\x0e\xd9\x75\xdb\x5b\xb3\xa7\x05\x17\x7f\x3a\x13\x69\xe2\x9d\xec\x75\x81\xd4\x3a\xea\x38\x55\x94\x3f\xf4\xef\xa4\xd7\xaf\x36\x22\xc3\x19\xd7\x8b\x31\x08\x37\x88\xd2\x03\x10\x20\x82\x99\xca\x03\x47\xaf\xff\xe5\x4e\xca\xf1\xfb\xec\xe6\xe0\x93\x5a\xbc\x7a\xa8\xf8\x55\x3f\x99\x96\xff\x1d\x46\xb8\x8b\x78\xdf\x2f\xe2\x67\xf1\x69\x9f\x2e\xbf\x19\x25\xb8\xe5\x0c\xb4\x6c\x8a\x10\x3c\xfb\x55\x65\x10\x15\x5d\xdb\x84\x27\x6e\x1e\x0a\xef\x3f\x41\x1c\x7a\xf3\xd2\x05\x93\xb6\xfe\xc7\x00\x6a\xa7\xa4\xee\x33\x80\x2a\xad\x16\x89\x49\xda\xd9\xfa\x91\x18\x88\xd7\xf6\x1b\xf1\x6d\xb2\x26\x50\x03\x41\x6f\xb5\x76\xde\x44\xf8\x0b\x9c\x90\x1a\xce\x45\x4d\x2b\x04\xb3\x74\xf3\xdc\xfc\x38\xfd\xd6\xed\xcf\xab\x24\xd3\x67\xaf\xf3\xf6\xd8\x29\x8a\x41\x33\xd0\x81\x56\x3d\xe1\x36\x5b\xea\xff\x74\xda\x25\x2b\x24\x8f\xa6\x1d\x80\xe7\x2c\xbb\xd5\x85\x33\xe7\x51\x8d\xba\xe1\xa9\x25\xd9\x91\x2b\xfe\x70\xfb\xc6\x4b\x8c\x81\xce\x26\x25\x30\xbd\x11\xae\x83\xf3
\x66\xe3\x8c\x53\xbf\xd5\xa0\xda\xc9\x78\x5b\x92\x2b\xcd\xd1\xa3\xb6\x83\xf4\x3f\x8d\x48\x5d\xfc\xc6\xdd\x00\xb6\xcd\xde\xa0\x64\xf8\x46\xfb\x26\x93\xd4\x8f\xa9\x7b\x52\x63\xf5\x37\xea\xbf\x6c\x0e\x54\x9a\x78\xd2\xbc\xad\xb2\xe8\xfd\xb2\xb1\xb0\xf4\x7f\xd4\x9d\xc6\x1c\xa1\x05\x8b\xb8\x88\x2a\xa1\xca\x2e\xd3\x41\xfe\xb7\x37\xd5\xea\xae\x0e\xa0\x8f\x94\x5a\x04\xa3\x8b\x6e\x31\x37\xf9\x61\xa7\x56\x3a\xd1\x3c\xec\x30\x07\x2b\x91\x43\xe4\xf9\xc7\x82\x4e\x7c\xbd\xa2\xdf\x89\xb7\x4c\x14\x2d\xad\xaf\x5c\xa2\x4b\x6f\xe9\x09\xce\x3a\x1f\xf3\x7e\xe5\xa0\xb6\x61\xd3\x07\x39\xef\x0c\x37\x2c\xf7\xa1\xb4\xc6\xa0\xe5\x19\xb4\x8b\x40\xdc\x79\x4c\xd6\x13\x56\x75\x66\x09\xf6\x8d\xd5\x8f\x72\x4b\xdd\x86\xdb\x7f\x26\x49\xb9\x0e\x16\x35\x30\xca\x69\xf0\x69\x6a\xdd\xfc\xef\x84\xef\xc9\xf9\xe0\x4d\x9d\x6e\x18\xed\x17\xf7\x4f\xf8\x07\xe9\x2b\x0f\x33\x0f\xb6\xe0\x6e\x0e\x2f\x19\x3e\xa0\x3a\x18\x1c\x86\x73\x95\x0a\x19\xeb\xa2\x2f\xd6\xb1\xb5\x6e\xbb\x33\x6e\x02\x48\xc6\x4f\x93\x6c\xaf\xd3\x31\x1f\xd5\x0c\x50\xfc\x91\x61\x56\xbb\x28\x15\x6d\x15\xd7\xf4\xd5\xa7\x98\xd8\x62\x6a\xfc\x6b\xa7\xd2\x17\xd2\xc9\xf1\xa9\x8f\xed\xe6\x2b\x1b\xac\xfc\x31\x4d\xfa\x89\xe8\xcb\xb8\xc3\x7b\xd5\x26\xdd\x53\xed\xe8\x1b\x19\x53\xce\xf5\x17\x70\x3b\xab\xce\x44\x6e\x86\x3b\xf9\xd2\x46\xb0\x3b\x88\x50\x2c\x7f\xdb\xac\x4d\x87\xf1\xea\xad\x86\xed\x17\x0d\x71\x0d\x81\xea\xf3\x95\xae\xf6\x0d\xc1\x64\xd9\x11\x66\x01\xa5\xa5\x8c\x79\xa8\x92\x75\xc9\x5d\x28\x91\x2e\x87\x08\xfe\xe2\x47\x2e\x6b\x87\xd2\xe0\x77\xd3\x62\xc0\xba\x8f\x4b\xc6\xa5\xe3\x87\x45\xea\xe9\x10\x46\xbc\x61\xe6\xa0\x40\xcb\xfe\x38\x20\x4f\x17\xe6\x04\xf0\xe1\x40\x5e\x8e\xe0\x7d\x71\x41\xb6\x98\xbc\x2b\xe7\x69\x0a\x8f\x0b\xf3\x1d\x58\xae\x90\x6c\xb7\x0e\x4f\xe5\xfe\x03\x56\x31\xd7\x65\x33\xb7\xa7\xb0\x32\xe1\xb1\xee\xe2\x14\x28\x08\x4a\xfb\xcc\x93\x0a\x9f\x28\xe9\xf1\x7e\x26\x9a\x69\x97\xaf\x83\x8f\x95\xe2\xfb\x39\x5b\x54\x0a\x1d\x49\xf3\xd4\x29\x02\x74\xd2\xd3\x1f\x76\x08\x35\xff\x73\x51\xd2\x5b\x62\xe1\x35\xad\xf5\x9e\x01\x18\x87\x2d\x17\x84\x3d\x99\x15
\x4f\x46\x60\xfa\x8f\x48\xb6\xc4\x86\x8b\x1f\xbc\x6b\x84\xda\x61\xf9\x81\x23\x16\x7b\x06\x73\x70\xa5\x4f\xc6\xc5\xa6\x88\xe3\x1d\x42\x01\xac\x4c\x4d\x56\x46\xf9\xa4\xa4\xa8\x04\xa1\x75\x16\x7c\xf7\x9d\xda\x22\xf4\xd6\x86\x72\x81\xcb\x0b\x3e\x09\x99\xfa\xd7\xbf\x26\x51\x2d\x13\x14\x40\xa8\xf9\xec\x75\xfe\x9d\xf6\x80\x54\x78\x55\xd8\xc9\xb3\xb3\xf0\xd5\x14\x19\x7c\x2a\xf0\xd6\x72\x99\x13\x73\xb8\xd4\xac\x1d\xd5\x1e\x1f\x90\x74\x50\xd6\x21\x01\xb5\xe2\x61\x3e\xa2\x89\xc1\x94\xd0\x73\x5e\x1c\x5e\x16\x69\x09\xeb\x71\xee\x2a\x4e\xe5\xff\x99\x14\x0c\x0b\xec\xca\x26\x72\xfa\xf6\x94\x49\x38\xc6\x18\x09\xd8\xbf\x2f\xaa\x56\x1f\x9b\x56\xda\xb8\x5d\xed\x7e\xe7\x35\xd3\x00\xc8\xda\x84\xc5\x7f\x06\x7b\x2f\xe5\x09\x29\xca\xe1\x39\x87\x5a\xbb\xab\x08\x47\x42\xc9\x07\x06\xbc\x31\xfc\x4c\x68\x53\x88\x89\x71\x87\x69\xd1\xc6\xda\x0e\xe1\x82\x6e\xcd\xe1\xf6\x0e\xa6\x6c\xed\x44\xc2\x4f\xe2\x87\x5d\xcb\xc8\x7a\x35\x72\xaf\x96\x45\x5e\xdf\x31\xe0\x51\xe5\x42\x2a\x8e\x29\x10\xc7\xd9\x75\xdf\x64\x48\xda\x0c\x0f\x83\x3f\x61\xf7\x15\x05\x98\xfb\x47\xfa\xe9\x38\x35\x7a\x7b\x64\x5e\x40\x6d\xf9\xa4\xa3\x0c\xdd\x1c\xef\x6d\xdb\x26\x3c\x9f\x06\xb2\x68\x76\x7a\x9a\x0f\x92\xc4\xea\x13\x80\xe5\xe3\x6f\x5f\x2a\x3e\x90\xbf\x87\xd6\x81\x8c\x5a\xef\xc3\x43\x9c\x4f\x4d\xe2\xcf\xb4\xdb\x14\x57\x56\x84\x8b\x27\xb6\x18\xc2\x2f\xee\xa3\xf9\xf4\x60\x15\x57\xf5\x3c\x2a\xae\x71\xdb\xc0\xe9\x46\x82\x43\xf1\xbf\x3b\x08\x6b\x4d\xca\xb2\x73\x4d\x61\x28\xc5\x44\x15\x46\x90\x3d\x2f\xea\x40\xc7\xca\x48\x40\xac\x4b\x1b\x3e\xa8\x89\x7c\xf0\x37\x62\x3e\x42\x7f\xb1\xef\x9c\x0e\x7d\xeb\x9e\xba\x0f\x8e\x5a\x5b\x29\xd4\x22\x92\x3f\x2f\xc8\xc5\xdc\x13\x69\xfe\x52\x67\x09\x24\x7c\x27\x76\xf5\xb7\x68\x7c\xcf\x42\x0b\x0d\xc8\x44\x61\x10\x5c\x2a\x31\xcc\xe9\xde\xcc\xa3\x0b\x74\x6b\xfe\x43\x44\x0d\x49\xc4\x77\x5a\x2d\xfc\x88\xf0\x49\xe2\x3a\x30\xe2\xde\x2c\xe6\x34\x54\x9b\xbc\x0c\x26\x30\x97\xeb\xb8\x04\x4b\x4b\x9b\xb6\xf5\xf9\x5a\x4a\x49\x9a\x3d\xce\x9c\x11\xb9\x94\x87\xd9\x96\xeb\x57\xd6\x54\x09\x0b\x43\x6d\xfe\x0b\x94\x79\x6e\x93
\xfe\xae\x2b\x63\xd0\x13\x20\xaf\x73\x23\xa8\x00\x6b\xc7\x5f\x95\xa0\xc6\xce\x53\x69\x18\x02\xa0\x97\x10\x88\x81\xbd\xa6\x4a\x2c\xf8\xed\x8f\x67\x52\xe1\x98\x15\xe7\x1e\x2b\x85\x54\xfa\xc0\x30\x18\x75\x26\x21\x09\x33\x11\x51\x91\x5f\x6b\x19\x36\x2c\x2d\x82\xc3\x04\x74\x78\x52\x5a\x64\x9a\xe4\xc9\xa4\x1f\x75\x60\x83\xf1\x38\x15\x6f\x6e\xc4\xea\x04\xb4\x4f\x65\x2a\xb1\xe6\x6c\x5c\x63\x0e\x61\x30\x06\x2a\x26\x0b\xe5\x53\xf1\x0b\x8b\x70\x0e\x6c\x6b\x08\x9f\x0b\x09\xce\x11\x7c\xa7\x8d\x45\xae\xc4\x33\x97\x64\xdc\x2e\x39\xb5\xbb\x95\x56\x02\xd5\x73\x23\xe4\x0d\x49\xec\xf8\x98\x71\x84\xa1\x2d\x21\x99\x3c\x03\xb4\x58\xfc\xa9\x8c\x77\x30\x71\xc2\x24\x2d\x90\x59\x65\x99\x33\x6e\x1c\x69\xff\x55\x1a\xf3\xef\x27\xaa\xa7\x4c\x54\x7f\x23\x1a\x1e\xf6\x4a\x2f\xbe\x54\x98\xf5\xbf\xfd\x9e\x59\x7b\x8d\x87\x1a\x07\x3e\x82\xf1\x3f\x5b\xdf\x21\x89\xd3\x61\x64\x9d\xbe\x14\x4e\x7c\x2f\xb2\x6a\x51\x88\x84\xc4\xf2\x76\xaf\xa0\x44\x50\xb3\xb1\x26\x15\x11\xa1\x86\x15\x07\xe9\x4b\xe4\xb0\xc3\x01\xe6\x24\x71\xbb\x95\x33\x63\xe5\x4a\x80\xac\x90\xb2\x55\x1b\x01\x2d\x74\xa5\x62\x1e\x26\x5b\xf9\x12\x60\xa4\x67\xfe\x76\x06\xe7\x95\x92\x27\x2a\xa2\x08\xb1\x29\x35\xa8\x99\x1d\xfb\x81\x7a\x5c\xb0\x5a\xcb\xa7\x9d\xcc\xb9\x7d\x0a\x0f\x9e\xb5\x82\x5e\x16\xd1\x24\xa7\x72\x24\xc9\xa0\x9a\x53\x35\xf1\xce\xd7\x85\x63\x6a\xe3\x58\x15\x98\xaf\x5c\x28\xe5\x4e\xa8\xdc\xc4\xc7\x22\xe4\xa6\x58\xa3\x3f\xa7\xc4\x73\xf3\xb5\xe7\x4e\xd5\x62\x56\x80\xf0\x7c\x7d\x47\x29\x66\xab\x64\x6a\xc3\xac\x2d\x67\x46\x9c\x43\xdb\xab\x6b\x88\x67\x79\xde\xf7\x94\x17\x69\x8c\xfe\xd9\x47\x2f\xdc\xab\x0f\x80\x79\xf2\x21\x28\x54\x41\x88\x1e\xaa\xe4\xc2\x11\xa8\x14\xe6\xd4\xe6\xc2\x5d\x49\xa5\x70\x67\x38\xb0\x3b\x35\xc0\xd2\x84\xfc\xd6\x75\x50\x5b\x0a\xdc\x88\xd0\x43\x90\xf3\xa1\xb0\xc8\x27\x85\xba\x7b\xf0\x29\xaa\x46\x18\x71\x31\xdb\xdc\x36\xaa\xed\x98\x0b\x90\x88\x8e\x67\xe8\xa8\xbe\x7c\x1f\x7c\x5e\x3a\xd4\x44\x2e\x97\xaa\x77\xc7\xe1\xd2\x86\xc2\x9d\x8b\x76\x1e\xc9\x12\x50\x52\x9b\xff\xfc\x56\xce\x2d\x1f\x4e\x79\xcf\x74\x23\x7f\x02\x05\x0a
\xfb\x6e\x25\xd5\x43\x65\x45\xda\x66\x62\x29\x70\xe8\x9e\x4c\xb9\xe7\x7e\x0e\x9a\x66\x72\xfe\xb0\x33\x28\x56\x8d\x75\xd5\x14\x65\x77\x2b\x5e\x40\x8e\x40\xeb\xc9\x67\x6e\x7e\x5e\xe7\xab\x0c\xbf\xca\x5f\xf0\xc0\x23\xb3\x93\x52\x94\x64\x66\x8b\x77\x4a\xe1\xb5\xce\xf7\x6d\x67\xf1\xd7\x35\xb8\x72\x81\x55\x5b\x39\x6c\x78\x58\x70\x1c\x6d\x42\xb0\xf3\x65\xb2\x53\xe7\xbc\xcb\x64\xc2\xdc\x39\xbf\xed\x64\x59\x06\xae\x68\xbc\x5e\xbc\x3c\xda\x73\xf3\x86\xb4\xb9\x79\x53\xb3\xca\x6c\x73\x5f\x7c\x47\xe4\x76\x29\x25\xd3\x59\x94\x80\xe7\xc1\x76\x33\xe5\x27\x6a\xf7\x5a\x60\x33\x2b\xab\x2d\x8c\x03\x9e\x4f\x98\x0a\x7d\xe8\x12\x29\xbd\x17\x4f\x6e\x50\xe5\xde\x20\xd2\x0b\x51\x8c\x41\x8b\x6e\xb6\xa0\x6e\xe9\x37\x89\xfb\x6f\x4a\x6e\xcb\x8b\x01\x69\x1a\xd1\xeb\x2a\xe9\x51\xa4\x2f\x97\x6e\x01\x8a\xc4\xb5\x85\xbb\xc3\xf4\x2d\xa7\x9e\x55\xd1\xb7\xf2\x4e\x90\x9f\xce\xe2\x34\x36\xb7\x27\xdd\x9c\xe4\x7b\x41\xb3\xbc\xaa\x88\x37\x15\xd3\x16\xac\xdc\x55\xe0\xfc\xab\x97\xef\x90\xda\x85\x9a\x80\xeb\xeb\xc6\xdf\xd0\xaf\x95\x24\xe8\xa3\x6b\x3f\x71\xeb\xd7\x03\xb0\xaf\xcb\xd7\xac\xc6\xaa\x41\x36\x48\xad\x93\x5e\x70\x94\xa2\x93\xf1\xad\x65\x9b\xf5\x59\x51\x51\x1b\x8f\xea\xa0\x39\x0b\x98\x2c\x91\xb1\xa1\xbc\x04\xcb\x1e\x15\x8b\x13\x2e\x8f\xf2\xfe\x46\x66\x7f\x10\x31\x2a\x25\x46\x8f\x07\x32\x48\x10\xa9\x7d\xdf\xad\x6d\xf0\xd6\x1e\xe5\xdb\x19\x29\x58\x02\x27\xea\x26\x06\x82\xa8\x93\x7d\x03\x79\xbb\xcd\x79\x6a\xa1\x3f\xe9\x2f\x79\x3e\x95\x8d\x28\xd8\xe4\x56\x4b\xfd\xd4\x94\x4d\x7e\xba\xdd\xdd\x67\x33\x92\xc6\x77\x2d\x09\x61\xce\xbe\x60\xa3\xd9\xe9\xf9\x6e\x4a\x4c\xa0\x7e\x55\xd3\x1e\x9d\x94\x25\xe0\x01\x71\xab\xa0\x2f\x0a\xef\x4b\x8f\x5e\x43\xec\x62\x32\x7a\x95\x0f\xe2\x92\x42\x7d\x51\x34\x76\xc3\x18\x39\xa5\xd1\x1e\x03\xf7\x94\x9c\xb2\xd8\x34\x3e\xf4\xb9\x82\x68\x79\x71\x90\x34\x4a\x7a\x68\x91\xcd\xdd\xe2\x9f\xae\xf1\x33\x3f\x7f\xb7\x50\x69\xa7\x4e\x80\x6a\x41\x21\xad\xdf\x98\x68\x35\x28\x1f\x48\x68\xf1\x5c\x73\x43\xe1\x30\x7d\x23\x7b\xb5\x0a\x7e\xc6\x76\x4b\x9f\x43\x25\xb6\xe4\x13\x57\xed\xc3\x3d\x24\x7a\x58
\x3e\x28\x57\x35\xfa\xff\xc5\xbe\xbc\x40\x04\x76\xaf\x6c\x5c\xdd\x34\x91\x37\x47\x08\x60\xd1\x59\xa9\x76\xef\x3c\x47\x61\x28\x5e\xbb\x8c\x53\xa7\xef\x56\x9e\xe2\xe7\x10\xd4\x18\x19\xeb\x85\xcb\x3e\x38\xc6\xd6\xcc\xd0\x35\x87\xfb\x08\x28\xf6\x31\xc1\x99\x00\x15\x3a\x6f\x1e\xdb\x81\x2a\x58\xea\xd0\x41\xc6\x3a\x6a\xc6\x28\x38\x06\xd3\xcf\xb6\x9b\x65\x59\x1a\x82\x9b\xab\xa9\x7a\x36\x7c\x9b\x0f\x24\x97\xb4\x4f\x3c\xa8\x5a\x07\x31\xe5\x94\x2b\x57\xec\xf9\xc2\xde\xe0\x1e\xf7\xea\x53\x3f\x8b\xa3\x17\xf7\x4c\x30\xf4\x9b\xd6\x94\x89\x73\x53\x61\x09\x22\x92\x20\x55\x09\xc5\x74\x20\x06\x63\xf7\x71\xcf\x4d\x1d\x48\x4f\xe5\xa9\xc4\xcd\x3b\x0c\xc4\x32\xe9\x25\xb3\x02\xfa\xb0\x57\x4b\x53\x60\x6f\x27\x77\x56\x3d\x67\x94\xfb\x5f\xe4\x87\xd5\xce\x7b\x5b\xea\xb3\x99\xbf\x77\x27\xb6\x7e\xeb\xf9\xb9\xda\xcf\x5c\x56\x78\xec\x98\x21\xa3\x4d\xc0\x30\xd0\x36\xd0\x4d\x70\x25\xed\x5b\x17\x82\x96\x5c\xf2\x62\xbb\xa0\xb3\xde\x34\x97\x4d\x1e\x77\xa6\x3e\x9b\xb5\x2d\xc6\x59\xde\x69\x0e\x47\xb3\x5f\x4b\xbc\xa6\x6f\x8d\x5e\x0a\x27\x1a\x04\xa2\x89\x43\x5f\x5d\xc9\x01\x3c\x06\x52\x63\x3d\xcc\xe4\x10\x2f\xcb\xe4\x7f\xb4\xc5\xeb\x9a\x6e\xaf\xf5\x46\x3c\x73\xc1\x1e\x37\xe8\xdf\x9d\xab\x09\x32\x33\x49\x22\xfe\xd8\x0d\x5e\x3e\xd1\x25\xdd\xe3\x76\x4f\x48\xd4\x96\xf4\xf3\xb4\x9f\x03\x22\xa9\xb9\xb9\x68\xff\x75\xef\xed\xb3\x69\xb4\xb1\xc9\xaf\xc5\xd2\x7e\x68\xd7\x6d\x17\xc2\x16\xc4\xfe\xd8\x2d\xc2\x48\x7a\xab\xc6\x60\xbb\x55\xb2\xee\x17\xd6\x83\x65\xda\x84\x08\xc4\x5a\xf3\x87\x83\xac\x2b\xe5\x47\x72\xbb\xea\x41\xf5\x86\x84\x56\xee\x66\xa2\x7a\x36\xbe\x49\x9a\x5e\x5d\xd3\x39\x6f\x48\x05\xe2\x2a\x2c\xdc\x22\x90\x79\xc2\xa5\x3c\x92\x99\x55\x92\x69\xed\x1c\x51\x22\x13\x54\x4f\x2b\xf3\x31\x38\x8e\x1c\xb8\x5e\x55\x50\x91\x5f\x8f\x27\xa4\x7b\xa9\xfc\x9a\x50\xce\x01\xcd\x2b\x53\xb3\x7f\x35\x79\x66\xf1\xd0\x0b\xd3\x40\xe0\x50\xc9\xd8\x4f\x29\x14\xb8\xab\xd4\x29\x48\x26\xe7\x50\x0b\x0d\xca\xe9\xcd\x4d\x28\x4d\x17\x34\x56\x53\xcc\xb4\x69\xc5\xee\x3a\x31\x05\x8e\xae\x14\xfe\xd7\x55\x85\xcd\xe2\xfd\x71\xb8\x8e\xbf\x51\x73
\x59\x77\x4e\x90\x23\x46\x6e\xa5\xa4\x79\x56\xb8\x22\x56\x71\x79\x2d\xf4\x5b\x9f\x38\xb1\x0a\xb0\x3f\x9e\xde\x1d\xdb\x2e\x15\x7d\x61\xc0\x95\xd9\xb8\x2b\x97\x7c\xc0\x9d\x92\x97\x45\x56\x0f\xe8\x10\x65\x03\xff\x7d\xd2\x28\xdb\x22\xb2\x51\x77\x68\x97\xee\x15\xb1\x80\xb4\xb4\x63\x1f\x85\xec\xf6\xa6\x07\x4e\xfd\x2c\xdf\x40\xa4\x48\xda\xd6\x23\x31\xc2\x7e\xd8\xb3\x37\x7f\xde\x4b\x15\x33\x12\x6a\x4d\xc7\x08\xb7\x72\x02\xf6\xf8\xc0\x15\x96\x6e\xf7\x11\xc4\xc4\x96\xe9\x03\x4c\xf1\x5a\x33\xbc\x99\x8a\x43\x26\x5e\xdf\xe4\x36\x34\x2d\x7e\xb4\x97\x3b\xe8\xab\x0a\xe6\x71\x9a\x1a\xaa\x41\xe0\xd7\x6d\x95\x2b\x06\x80\x8d\xff\x02\xfd\x81\x60\x34\x29\xa3\x6f\xf7\x44\x0e\x0b\x21\x5d\x9e\xbc\x90\x8e\xfc\x14\x5b\x6e\x1b\x7f\xeb\x53\xbd\x5e\x17\x5c\x7d\x1a\x77\x64\xf9\x04\x07\x44\xb8\x1d\xb8\x6f\xd2\x2c\x0a\x38\xa2\xda\xf7\x44\x0b\xbf\xe8\x83\x50\x09\xd4\xae\xbb\xb1\x1a\x0e\x91\x48\xbc\x04\x95\x1f\xc0\x6e\xc1\xc2\xa2\x68\xa0\x5c\xc2\xcc\x76\x79\x1b\x82\x26\x9f\x96\x3d\x3d\x2f\x56\x4a\xe0\x37\x89\x60\x19\x40\xd5\x6f\x28\xe5\xab\x01\x52\xac\xf6\x63\xe4\x81\x19\x52\x09\xef\xc1\xa3\xa1\xb4\x72\x53\x6e\x0a\xcf\x9a\xe3\x83\xb5\x95\x1d\xfb\xb6\xbd\x4d\x1e\xb5\x55\x01\x02\xc3\xd7\xfa\x23\x65\xa3\x6f\xb7\xc5\x94\x9c\xc7\x27\xce\x57\x31\x1d\xec\x52\xa4\xc3\xb9\x1f\x0d\x5e\xc3\x67\x7c\x26\x5d\x58\x35\x53\x5f\x16\x00\x69\x85\xce\x84\x6e\xf1\x2a\x46\xcb\x86\x62\xcf\xf8\x5a\xf2\xff\xd4\xb3\xb3\x50\x85\x70\x5d\x45\xdf\x3e\x8c\x60\xee\x49\x63\x82\x3c\xea\x99\xdd\x55\xc0\xc3\x3d\xa9\xde\x35\x4f\x70\x9f\x2a\x45\x83\x56\x13\x25\xc4\xa5\x95\x4a\x34\xe2\xab\x32\x73\x8c\x2f\x3f\xbf\xb2\x78\x6a\xa5\x78\x28\xef\x30\x91\x12\x2e\x59\x32\x05\x8c\x12\xd5\x0d\x0e\x89\xee\x5d\xc1\xe3\xee\x41\x35\xd3\x8c\x0c\x98\x4d\xaf\x39\x47\x67\x02\x72\x71\x4d\xe8\x93\x57\x20\xc1\xf3\xd3\xdd\x9f\xc5\x75\x29\xa7\x50\x13\xd8\x59\x46\x48\x42\x33\xce\x69\x25\x77\x18\xd3\xcd\x66\x7c\xd0\x88\x6d\x1f\x3c\x25\x7c\xca\xc6\xb4\x8e\xe5\xcd\xc0\x3e\xb6\xc6\xaa\x2a\x78\xd6\x8e\x2a\x9c\x22\x53\x95\x44\x50\x91\x57\x62\xf3\xf2\xfa\xde\x0a\xc7\x85
\x93\xcc\x38\xe5\x5c\xef\x3b\xc0\xbf\xb9\x38\xeb\xd0\xa6\x1c\x73\x9c\x02\x4a\xdd\xaf\x44\x34\x06\xa7\xb6\x02\x63\x60\xa7\xfc\x87\xc2\x74\xa9\xbd\xcd\xb2\xeb\x5c\xf4\x70\xb5\x3f\x7f\xc1\xbd\x4e\xd0\x5c\xea\xa6\x65\x28\xce\xf7\x9e\x9d\xe7\x8d\xa4\x2b\x16\x7c\x82\xcf\x4d\xad\xca\x57\x07\xd0\xa1\x66\xb0\xf4\x1b\x7f\x7e\x34\x21\xa8\xf8\x8f\x6d\x88\xd2\x4c\xfd\x99\x81\xb5\x0b\x6c\x34\x2b\xb4\x9c\xce\x4b\x82\x3f\x3c\xfd\xb1\x7b\xba\x24\xfd\xb1\x60\x1b\xa0\x60\xa4\x79\x2c\x09\x09\xa7\xc7\xce\xbf\x0c\x33\xe8\xff\x27\xfb\x6e\x32\x7c\x88\x77\xfb\x31\xef\xd8\xbb\x0b\x9f\xca\x28\x29\xca\xc2\xc1\x43\xf4\xa5\xbd\x0a\xfb\xa4\x32\x45\x48\xaf\x32\xf0\x5f\x58\x1a\xe2\x64\xc9\xe2\x0d\x0f\x16\x04\xe1\x12\xc6\xe2\xbc\x51\x8b\x78\x09\x7c\x14\x5d\x87\x1a\x3c\x02\x87\x37\x1b\x0c\xf6\xbd\xcf\x17\x26\x63\x71\xc7\x46\x4d\x87\xa5\x5f\x52\xe0\x1e\x29\x78\x66\xd6\xd4\x98\x86\x8a\xc0\x16\x48\x24\x9c\x1e\xdd\x31\x45\x80\xbf\xc3\x58\x34\xb1\x5d\x10\x8d\xdb\xaf\x6c\xa3\x53\x6a\xa4\x31\x61\x01\x9c\x3a\xf0\xb3\x31\xd9\xd0\x71\xeb\x0a\x50\x44\x23\x55\xa2\xa2\xe1\x95\x47\x4e\x13\xb7\x97\x1d\x95\x6a\xd5\x4e\xd5\x90\xb4\x29\xd6\xa1\xec\x7e\x38\xd4\x1a\x27\x53\x6b\xbb\xfa\xda\xd1\xb3\x5f\xc8\xf8\x27\xa9\x2e\x0b\xaf\xfa\xbb\x81\x18\x16\xcf\xb4\xcd\xac\x4b\x98\xc5\xf6\xf7\x1c\xdc\xf3\x06\x49\x53\x6f\x78\x00\xeb\x6b\x7c\xee\x22\x2d\x64\x16\x5e\x0c\xa9\x50\x46\x93\xb6\xd8\x45\x9b\xc3\x27\xe5\xda\x2e\x6f\x38\xa4\xee\x24\x72\xca\x5e\x6c\xaa\x08\x11\xd0\x42\xf8\xfb\x32\xa9\x9b\xd3\x61\x01\xcf\x19\xac\xce\xee\xd7\x3b\x44\xe3\xde\xb2\x23\xcf\x28\x2e\xcd\x4c\x43\x9f\x55\xf5\xc2\x74\xe2\xc7\x56\xc6\x7c\x23\xc0\x0e\xf7\xbf\xfa\x4b\x60\x12\xa1\x33\x4d\x0c\x97\xf8\x16\xa6\x12\x3c\xbc\xb7\x7a\xce\x8e\x7b\xe0\x51\x52\x69\x24\x86\x22\x02\x8b\x7a\x9c\x0e\x49\xf1\xc8\xdd\xe8\x66\xd3\xbb\x0c\x53\xdb\x9c\x67\xb1\x0b\x20\xd4\xbb\x26\x3f\x2c\x5a\x01\x85\xba\xcc\xfa\x7b\x8f\xe8\x25\x65\x70\x78\xfa\xba\xb0\x03\xb9\x31\x8a\x84\xf7\x65\xda\xaf\xc3\x7f\x49\x6e\xfb\xbc\xe9\xfa\x5d\x2c\x1f\x0a\x4b\x2a\xd0\xcf\x92\x69\x61\x84\x40\x71\x3b
\xc3\xd9\x29\x85\xff\xbd\x6c\xc1\x9a\xfc\x86\x70\x30\x44\x37\x0e\xab\xc4\xde\x11\xf3\xbc\xbf\xb2\x21\xdd\xdc\x51\xbb\xa3\x52\xdc\x28\xfd\x49\xc0\x84\x04\x7f\xb0\xed\x8b\x97\x42\xa9\x6e\x53\xef\x4c\xcb\x94\xce\x4c\xad\x74\x6e\x9c\xae\xee\xc8\x43\xf7\x2b\x77\x9c\xc5\x8d\x25\xfe\x93\x1c\x1a\xf8\xa7\x95\xe1\x95\x68\x5c\x92\x18\x58\x03\xad\xbe\xc6\x06\x6c\xdd\xd8\x7e\x0b\x9a\x53\x80\xaf\xcd\x80\x79\x8f\x58\x08\x59\xea\xb3\x17\xcb\x27\x83\x11\x2a\xf7\xb3\x62\xa5\x9a\xe7\xa8\x24\x74\x94\x40\xe6\x66\x61\xb7\x88\xb8\x56\x05\x49\xa0\xb1\x35\x0d\xfb\x7a\x5e\x88\x92\x8d\x55\x8c\xbc\x8a\x26\xa0\xd7\x4e\x67\x63\x4e\xe9\xec\x1c\x1c\xa0\x8a\xfc\x5b\xeb\x43\xda\x65\xf4\xae\x0a\xc7\xeb\x25\x74\x42\xc9\x99\x0e\xdc\xf9\x3b\x1d\xad\xfe\xa9\x0b\xc2\x92\xbb\xf1\xd8\x23\xc6\x1e\xe9\x69\x24\x9f\x67\xbe\x07\xd7\x0d\xf8\xaf\xc7\xc3\xe5\xbf\x14\x5f\x28\xa2\xd0\x6c\x88\x0e\xff\x9a\x18\x11\x27\xc1\x34\x60\xa0\x6b\x36\x64\xa9\x4c\x88\x8b\x07\xaf\x77\xe8\x4d\x60\xde\xab\x76\x42\x28\xff\xea\x21\x63\x3f\x02\x04\xa5\xd7\xec\x4a\x0b\x30\x3f\xb0\x8f\xb7\x67\x28\xc4\x3d\x90\x73\x80\x01\x83\xc8\xb9\x9e\x22\xd6\x05\xa5\xe6\x39\x9c\x04\x9f\x7f\x88\x7c\xb9\xd7\xfb\xa9\x4d\xb3\x23\x08\x4b\xf9\x4d\xf5\x44\xf6\xce\x2d\xd4\x9a\x21\xd2\xca\xb5\x4d\xf0\x43\x97\x48\x2a\x64\xd2\x90\x0b\xb4\x0f\xa8\x7f\x42\xec\x75\xd6\x8b\xab\x17\x71\x4a\x93\x4b\xcd\xf3\x6f\x87\x07\x4f\x60\x28\xf9\xd6\x1a\x00\xad\xff\xc0\x6d\x62\x4b\xc6\x42\x97\x05\x96\x82\xcc\x8a\xdc\x7e\x2f\xb2\x10\xbd\x22\xfb\xd4\xad\x3d\x35\x15\xf7\x1b\x93\x31\x26\x75\x9e\xc4\xc0\x01\xed\x5c\xdb\xac\xe7\xcc\xe4\x31\x9b\x7a\xb5\x0f\xfc\x8f\x2f\x8f\x1b\xb8\x1a\xc0\x7f\x81\xdf\xff\x33\x54\x50\xac\xf0\x8e\x13\x91\x2d\x3c\x5f\x3a\xa1\x25\x81\x81\x1e\xbd\xb4\x41\x6e\xad\xa2\x59\x65\x1c\x07\x0b\x06\xea\x7e\x18\xa8\xf0\xc4\x00\x57\x5a\x0e\x7f\xdc\x4c\x88\x64\x5d\x35\xc2\xd3\x6a\x8c\xe6\xa2\x97\x2f\x35\x5d\x1a\x5d\x83\x2c\xd7\xef\x2c\x61\x1f\xd1\x10\x59\xda\x39\x0e\xc8\xc8\x74\x91\xd4\x96\x4f\xa4\x0b\x80\x83\x90\x57\x36\x2e\x67\x64\x55\xc7\x17\x2a\x23\x15\x4e\xfe\xba\x6f
\xc9\xab\x4c\x15\xa7\x37\xe2\x99\xc1\xf1\x4d\xaa\x8f\x34\x97\xe3\x37\x0a\x52\x3e\xc1\x5c\x52\xba\xd9\x87\x10\x90\x03\xf8\xdc\xee\x4a\xc6\xc9\x0b\x0f\x8e\x4b\x74\x91\x97\x87\x88\xa9\xc1\xb2\x3a\x14\x39\x6b\x50\x8a\xa9\x51\x75\xfe\x3b\xd6\xa8\xb4\xa9\xc2\x17\xf4\xc9\x84\x2c\x1c\x33\x9d\x4d\x95\xdb\x83\xce\x6e\x7e\x7a\xc8\x8e\xae\x04\x13\x96\x10\x55\x22\x0b\x65\x69\x3d\x49\xa2\xf6\x96\xf6\x41\x42\x19\x25\xb4\x2f\x77\xb0\xf9\x43\x12\x39\x52\x7f\xd6\xd8\x6d\x6f\x9a\xbd\xf3\xd2\x7c\x0a\x79\xa6\xb0\x5a\x61\xdd\x7d\x99\x3d\xe2\xd4\xee\x99\x73\xb7\x78\xff\x19\x5d\x12\x40\xdb\x18\x36\xa5\x25\x8b\x4f\x57\x44\x97\xca\x2f\x9b\x34\x97\x78\x00\xe7\x28\x29\x7d\x98\x3e\x1e\x58\x5f\xaf\x45\x38\x1b\x47\x6d\x25\x31\xe8\x6c\xc6\xe8\x35\xa9\x72\xc3\xa5\xbb\xcc\xba\x7d\x85\x2e\xdc\x83\xbb\xad\x4c\x85\x20\x64\x00\x70\x87\xbb\xd3\x6b\xf8\xa8\x00\xf9\x1e\xea\x0a\x72\xd9\xa7\x5f\x5d\xb3\x5b\x10\x98\x68\x6d\x51\x34\x0a\x17\x2c\x70\x1b\xc4\x7b\x14\x0c\xe5\x2e\xf4\x75\x02\xd0\x07\x1e\x54\x55\x97\x97\x5a\x55\xca\x1e\x91\x21\x76\x45\xe3\xcf\xeb\xf4\xa6\x20\x1a\x84\x81\xf6\x51\x13\x86\x0f\x59\x28\x63\xaf\x1d\xd4\x73\x38\x3b\x1b\x79\xab\x32\xcf\xcd\x46\xe6\xac\xe2\x95\x8d\x42\xcc\xe5\xf9\xb2\x34\x76\x81\xf7\x70\x7a\xb4\xa3\x5f\x9a\xf5\x21\xd4\xc1\xba\xd7\x51\x30\x33\xa5\xf7\xaf\x2b\x7a\x2d\x3a\x49\x14\xd3\x84\x62\xb1\x6b\x85\xd6\x9f\xa6\x0c\x0c\x5e\xf5\x4b\xa2\xfb\x78\xfb\x15\x6a\x94\x7c\xf8\x0b\x1d\xac\xcd\x58\x9f\xdd\x07\x91\xb3\xa9\xeb\x83\x5b\x61\x53\x4a\x16\xf8\xf4\xb1\xca\xbb\xd3\x86\xb4\xc2\x1b\xa9\x7d\xe9\x16\xd2\xcf\x48\xb7\x20\x8c\x1b\xda\x77\xec\xf8\x16\x77\xcb\xce\x25\x58\x2c\xca\xb9\xa6\x5a\x2b\x73\xdd\x34\xb0\x02\xc2\x34\x94\x8a\x42\xb5\x66\x4d\x56\xd8\x24\x42\x9a\x78\xb6\x97\x03\x67\xec\x17\x0d\x1b\x11\x0b\x22\x23\x17\x58\x72\xbd\xc8\x66\x31\x8d\xe0\x66\xfe\xa5\x60\x15\x1d\x88\x25\xde\xe8\x2d\x34\x4b\x81\x6f\xb5\x5a\xaa\x52\x4e\x86\x08\x62\xac\x0c\x36\xcb\x6b\x6e\x81\xf4\x12\x3d\xa5\x9c\xb3\xef\xfe\x29\xce\x76\x98\xe2\xaa\x0c\x60\x36\x82\x0c\x45\x7f\x40\x42\x33\xe3\x22\x61\x31\x9a\x46
\xbc\x8b\xd3\xde\x3c\x94\x8d\xc5\x2e\x27\xca\x52\x7d\xf7\xad\x68\xe6\xc4\xd4\xba\x8f\x6b\x43\x13\xa2\x94\x02\x98\x10\x59\xa1\x48\x79\x7f\xa0\x88\x02\x57\xfe\x04\x27\x01\x19\x28\xaf\x75\x2f\x81\xb8\x18\x68\x02\x10\x8f\x05\x90\x19\x50\x39\xc8\x38\x25\x72\x02\x42\x14\x10\xb8\xa3\x59\xe6\x9d\xdc\xd4\x74\x70\xf4\xd0\x5a\xe2\x89\x83\x4b\xe3\x04\xca\xf4\x9b\xbb\xac\xfd\xbe\x92\x7f\x42\x3b\xe9\xb8\x78\x82\xb0\xfa\xb4\xf5\x0b\xc7\xcd\xbf\xf6\xef\x10\x1f\x33\xf7\x03\x55\x6d\x45\xb6\xac\xe1\x64\x3c\xd7\xe7\x5a\xcf\x74\x06\x3e\x3e\x34\xe9\x63\xdb\x19\xf0\xd1\x9f\x14\x82\x9c\x91\xc4\x50\x66\x1d\x0e\x80\x9d\x5b\x79\x09\x69\x5b\xa1\x54\x46\xc8\x76\xa1\x67\xec\xca\x09\xfc\x00\xe1\x73\x7c\xbd\x4e\xf4\xf7\x0a\x50\xe3\xa0\x0f\xc9\x6f\x0e\x10\x23\xe5\xc8\x1e\x67\xd2\x47\xae\x0e\xc7\xec\x26\x72\x52\x80\x4a\x65\xb3\x01\xb9\x1a\x59\x9b\x8c\xe3\x7d\x95\xa9\x3d\xd9\xa9\x11\xdf\xb3\x95\xf3\x61\x92\x4e\x82\xea\x28\x1e\xfd\x7a\x2e\x01\x5a\xad\xaf\x64\x85\xfc\xea\xee\x0a\xb9\x05\xe1\x39\x6c\x12\x56\x03\xaf\xf4\xca\x16\x5f\x74\x9c\x23\x31\x02\x50\xf8\x00\xb2\xa8\x79\x17\xb9\x42\x1b\x0b\x4c\xde\xc9\xd8\x64\x14\xeb\x82\x23\x74\xb0\xd4\x32\x53\x58\xb2\xbf\x43\xe0\xe3\x12\x58\x88\x79\x76\x5c\x25\xc0\x98\xd1\x71\x86\x53\xbe\xa5\x27\x68\xdd\x7f\x10\x0f\xbd\x2b\x6a\xfc\xcf\x02\x13\x46\x9a\x7f\xa2\x5b\x5f\x77\xc6\xb5\x6c\xa0\x9d\xf8\x86\xa1\x6e\xd2\x4f\x51\xe2\x1d\x07\x8f\x25\xc4\x88\x87\xda\x12\xde\xa5\x7c\x8f\x48\x25\xf2\x7a\xe3\xd9\x16\x01\x96\xeb\x6b\xe0\x9f\x7b\xe8\xb2\x39\xa0\x5d\xbf\x6a\xae\xca\x96\x37\x09\x0d\x1e\x6f\x76\xeb\x93\x69\x27\x4c\x3a\xad\xa3\x36\x24\x3b\x8b\x9c\x59\xc3\xf9\xc9\x1a\xb4\x3f\xc9\x27\x3b\xb5\xbf\x2b\x59\xde\x8f\xbc\x50\x6c\x94\x36\x56\x5e\x4c\x9b\xa2\x96\x50\xb3\x78\x4d\x87\xf3\x37\xa4\xa4\xb5\x28\xca\x2a\x28\x0c\xed\xc3\x69\xb0\x09\x0c\x3f\x69\xc7\x60\x4a\x6d\xf3\x1f\xba\x78\x1c\x07\xd5\x8d\xba\xdd\x7c\x85\xa6\x26\xf8\x85\xf0\x9a\x91\x22\x4e\x79\xbd\x68\x79\x3f\x16\x7e\xbd\x8d\xa1\x0e\x5d\xa7\x8c\xfa\x7e\xbf\x10\xa8\xf2\xc9\x00\x3f\xb1\xcd\xd8\x7e\x46\x98\x61\xf3\xed\x23
\xd2\x5b\xcb\x14\x53\x0a\x8f\xf8\xd9\x1e\x9e\x0c\x7c\x39\x76\xc3\xaf\xc7\xbd\x50\x05\xcc\xef\x59\xfa\xec\x52\xba\x35\x69\x3d\x0f\x0d\xce\xba\x84\x3a\xdd\x5a\x74\x7e\x0a\xa7\x2f\x09\xf2\xf4\x52\x81\xc9\xd4\xc6\xf1\xbb\x78\x37\x9a\xec\x78\x2c\x64\x81\x0d\xe3\x23\xc8\xab\xac\xc9\xfb\x7e\x7d\xbc\x1e\x29\x13\xa8\x5d\xf0\xbd\xb6\xac\x70\x1a\x68\x26\x9e\x79\xab\x28\x45\x8c\x02\x91\xe1\x84\x0b\x34\xac\xe2\xd0\xdc\xa9\x02\x9f\x6d\x95\x0e\x6e\xf1\xe5\xcb\xb9\x52\x4d\xb5\x01\xdc\x30\x22\x73\x3c\xb1\x0b\xb7\x4e\x9e\x69\x82\x45\xa9\x8d\xff\xe2\x37\x8c\x42\x54\x81\x19\xdd\x60\xf2\xb0\x21\x95\x3b\x30\x0f\x38\x97\x26\x61\xc3\xeb\xdf\x64\xa3\xaf\xb3\xc6\x29\xcc\xa5\xec\x93\x8c\x31\xee\x8c\xb6\x82\xdd\x38\xf3\x58\x18\x12\xf7\xba\x64\x31\xc1\x60\x65\x90\x39\xe7\xcf\xe7\x85\x9b\x1a\xa8\x13\x08\x33\xf1\xf6\x37\x24\xf8\x63\xb3\xe2\xa1\x8f\x9e\xbd\x1e\xa6\x14\xd3\x0d\x28\xbd\x4f\x5b\x8c\x26\x17\xbe\xcd\x8a\x4d\x8b\x3a\x9b\x42\xb8\x5d\x8e\x80\xc8\xfa\xf7\xd9\xcf\x56\x37\xdd\x98\x82\x6a\x10\xb6\x92\x40\x29\x33\xd2\xae\x0e\xa9\x08\xff\x5d\x6c\x22\xfc\x33\x5b\xe0\x06\x14\xa0\xf5\xe7\x00\x4e\xbe\xf7\x1f\xd2\x3d\x3f\x90\x11\x59\x84\xf0\xe4\x6e\x82\xac\x8b\x03\xe5\xd2\xbf\xea\xa2\x19\x23\x33\xc1\xa0\xa9\xfb\x19\xa7\x5b\xdc\x8f\x90\x58\x33\x6e\x86\xf3\xf7\xb3\x0f\x0b\xed\x24\xc4\xb2\x30\xcd\xfc\x92\xa9\x88\x5b\xe5\x1c\x0b\x85\x1c\xd7\xa0\x4a\x62\xfb\x3c\xe4\x7e\x76\x5a\x11\x4e\xf7\x68\x6b\xc7\xd8\x2e\xf5\xe1\xca\x02\x14\xb9\x5b\x64\xe5\x7f\x85\x12\x15\xce\x5a\x47\xdd\xfb\x91\x93\x2c\x85\x4c\x65\x25\xeb\xe7\xf6\xe1\x68\x45\xfa\x22\x5a\x74\x09\x3f\x6a\x26\x80\x08\x5a\x8f\xef\x66\x54\x1f\xc3\x64\x3f\xc8\x14\xc5\xa8\x06\x41\x5f\x70\x68\x8a\x4b\xe7\x7b\xea\xf7\x5d\x71\x02\x6e\x4d\xff\x38\x00\x12\x4b\xde\xc0\xe0\x65\x46\x3e\xdc\x69\x64\x1f\x67\xc7\xc4\x2b\x8e\x02\x5f\x81\x40\x6f\xd4\x89\x6d\x5d\xb8\xe1\x9f\xec\x09\x98\x09\xad\x50\xa9\x8a\x83\xb3\xca\xa8\xfd\x87\x31\x05\x14\xf4\xa7\xaf\xd9\xa9\x70\xc4\x56\x23\x1d\x91\x6b\x26\xd5\xc6\x2b\xc4\x83\x4a\xf9\xbc\x27\x77\xa7\xc7\xd3\xbb\xf5\xf2\xc6\xd8\x28\x93
\x5f\x3b\x82\x77\x43\xc0\x92\x22\x32\x8e\x8e\x82\x91\xbb\x28\x3e\xba\x7d\x4b\xc8\x97\x87\x7f\x6e\x50\xa5\xfa\xbc\x77\xab\xf3\x15\x34\xd7\x00\x96\x2e\xde\xcb\x1d\xf4\xee\x12\x28\xa7\x29\xdf\x7d\xa8\x57\x71\xa3\xf1\xe3\x04\x29\xfa\xc9\x93\xd9\x73\x8d\x9d\x67\x28\xbf\x49\x2b\x47\x91\x43\x8c\x3c\xf6\xd5\x9a\xf8\x09\x97\x4a\xec\x44\x80\x98\xc2\x6c\xb3\x79\x1e\x43\x72\x40\x76\xef\x5c\xa9\xc7\x0c\xb3\xf5\x8a\xcc\xb5\x39\x94\x37\x86\xce\x98\xb0\x92\xc9\x65\xa1\x47\xd1\x87\x0a\xd4\x54\x68\x6b\xa5\x79\xc9\xd1\x0a\x61\x31\xd4\xd9\x80\xff\x68\x89\x8f\xb1\x1a\x0a\x9f\x61\xe6\x0a\x86\x42\x7f\x60\x66\x00\x88\x98\x4e\xed\x16\xac\xf6\xd3\x14\x30\x18\x3b\x81\x91\x2a\xdc\xde\x80\x84\x45\x71\x22\xec\xdd\x70\x54\xcf\x3d\xdd\xee\x25\xa9\x75\xfb\x24\x48\xe7\x1a\x27\xae\xdf\x68\x68\x5e\x9e\x8b\xf6\x07\x05\x6d\x68\xd7\x20\x60\x75\x99\xcb\x49\x97\xa1\xd5\x91\xa1\xcc\x17\x4e\xdd\xc6\x6f\x39\x16\x0a\x2e\x55\xee\xe6\xc8\x2b\x21\x8c\x5b\x96\x3a\x02\x68\x11\x7f\xcc\xda\x93\x14\xd7\xde\x3b\x1b\xfd\xf1\xde\x33\x83\x10\x41\x8d\xbb\x11\xf7\x3b\xfc\x1a\x70\x5a\x7f\x12\x56\x0c\x6a\x83\x6e\xbc\x1c\x92\x7d\x14\x27\xeb\x6d\x71\x04\xf9\x42\x70\x5a\x25\xe7\xa7\x94\x88\x76\x8c\x70\x7c\xdd\xb0\x59\xd0\x6f\x4f\x55\xd6\x41\x14\x65\x8b\xb3\x27\x07\x2a\x0f\x24\x8f\x91\x91\xae\xbf\x83\x8c\xcf\x46\x4e\x3d\xb3\x8b\xd0\x15\xc1\xfe\x7e\x0a\x1c\xe8\xc8\x54\xe0\x64\xad\x28\xdf\x20\x85\x4e\xca\xf4\x42\x88\x1d\x5b\x92\x2d\xb3\x32\x7a\x73\xa8\x00\x7f\x84\xaa\xcb\x94\x1b\xc1\x23\x27\x42\xd0\xad\x98\xeb\x8f\x05\xa8\x12\xc7\x95\x7f\xb4\xb6\x88\x52\x2e\xa6\xa1\xd5\xef\x22\xda\xbf\x25\x37\xb5\xf6\x8d\x81\xe0\x6b\x51\x78\x39\xb4\x74\x23\x85\x64\x96\x79\x29\xfa\x82\x31\xeb\x8e\xaa\x9b\xf7\x95\x54\x91\x79\x39\x33\x6f\x71\xed\xad\x5c\x01\x1d\xe4\xa9\x88\x7c\x9d\x8b\xfe\x58\x8c\x17\x47\xb4\x7e\xca\xe6\x41\xae\x07\x6a\x53\xcb\x66\x1d\x34\x46\x59\xed\x82\xa4\xf1\x06\x12\xea\x2e\xe0\x0a\x44\x4d\xe7\xe4\xb1\xa0\xc5\x61\x4d\x4a\x63\x69\xb4\x8c\xfa\xe5\x31\x6e\x83\x89\xcb\x72\x0a\x11\x11\x71\x38\x3a\x78\x79\x80\x31\xaf\x5e\x49\x76\xb8\x91
\x75\xac\x1e\xfa\x79\xca\x7d\xd7\x28\xd2\x1c\xf2\x85\x3f\x69\x87\x03\x79\xdc\xd6\x91\xf4\x12\xb0\xda\xbb\x49\xf7\x4d\x48\xf9\x31\x3b\xe4\x58\x95\xe8\xd4\xe7\x8e\x23\xe3\x57\xa9\xa2\x29\x4b\xef\xb1\x73\xce\xcc\xdd\xb7\xde\xc8\x47\x81\x92\x0e\x95\x1e\xcc\x86\x3b\xdc\x84\x3a\xf7\x53\x5e\x72\x1a\x7a\x7f\x5b\xd6\xe0\xd3\x7f\xe9\xe5\xb5\xaf\x3f\x2a\xaa\x62\x96\x71\x12\xc0\xfe\x84\x8d\x3c\x38\xa6\x46\xde\xd7\xde\xba\x1a\xb9\x8d\x40\x88\x1b\xa2\xfc\x91\x8a\x86\x64\xbb\xab\xea\x14\xbe\x6f\x5b\xb9\x2e\x25\x4c\x47\x1b\x32\x4a\x02\x6c\x66\x1d\xe4\xb9\x7b\xa0\xae\x1f\x67\x06\x3f\x41\xa5\x61\x9d\xa8\xa4\x9a\x7a\xd6\xcf\x81\x53\x97\x7a\x4c\x63\x17\x1b\xba\x20\x88\x4b\x73\x44\xc4\x05\xd6\x1b\x9c\xe3\xce\x90\xdd\x0b\x6d\x86\xbe\x27\xc0\x28\xa2\xa4\x8f\xe0\x40\xd6\xf9\xd2\xf5\xdc\x24\x66\xcb\x9f\x74\x5e\x5a\x98\xe5\x26\x64\x98\xb1\x4d\x16\xe3\xfc\xee\x12\x02\x6c\x0f\x46\xb7\xfd\x1d\x30\x07\x65\x05\xcd\x64\xc1\xd6\x0c\x5c\xac\x8c\xb4\x00\xea\x6b\x75\x22\xc1\x65\xb0\x09\x4f\xf0\xff\x65\x6d\x08\x16\x73\x05\x6b\x73\xee\xe3\xef\xcb\xfb\xa2\x60\xff\x87\xe4\x30\x4c\x8e\xb1\x4a\xea\xdf\xda\xa0\x95\x70\xf6\x30\x64\x6c", 8192); *(uint64_t*)0x200000006c80 = 0x2000000036c0; *(uint32_t*)0x2000000036c0 = 0x50; *(uint32_t*)0x2000000036c4 = 0; *(uint64_t*)0x2000000036c8 = 8; *(uint32_t*)0x2000000036d0 = 7; *(uint32_t*)0x2000000036d4 = 0x2d; *(uint32_t*)0x2000000036d8 = 7; *(uint32_t*)0x2000000036dc = 0x8000008; *(uint16_t*)0x2000000036e0 = 7; *(uint16_t*)0x2000000036e2 = 0xfc00; *(uint32_t*)0x2000000036e4 = 0x3ff; *(uint32_t*)0x2000000036e8 = 0x59; *(uint16_t*)0x2000000036ec = 0; *(uint16_t*)0x2000000036ee = 0; *(uint32_t*)0x2000000036f0 = 0xe0; *(uint32_t*)0x2000000036f4 = 0x10000; memset((void*)0x2000000036f8, 0, 24); *(uint64_t*)0x200000006c88 = 0x200000003740; *(uint32_t*)0x200000003740 = 0x18; *(uint32_t*)0x200000003744 = 0; *(uint64_t*)0x200000003748 = 6; *(uint64_t*)0x200000003750 = 0x80000001; *(uint64_t*)0x200000006c90 = 0x200000003780; *(uint32_t*)0x200000003780 = 0x18; 
*(uint32_t*)0x200000003784 = 0; *(uint64_t*)0x200000003788 = 4; *(uint64_t*)0x200000003790 = 2; *(uint64_t*)0x200000006c98 = 0x2000000037c0; *(uint32_t*)0x2000000037c0 = 0x18; *(uint32_t*)0x2000000037c4 = 0xffffffda; *(uint64_t*)0x2000000037c8 = 0x37; *(uint32_t*)0x2000000037d0 = 0; *(uint32_t*)0x2000000037d4 = 0; *(uint64_t*)0x200000006ca0 = 0x200000003800; *(uint32_t*)0x200000003800 = 0x18; *(uint32_t*)0x200000003804 = 0; *(uint64_t*)0x200000003808 = 1; *(uint32_t*)0x200000003810 = 0xff; *(uint32_t*)0x200000003814 = 0; *(uint64_t*)0x200000006ca8 = 0x200000003840; *(uint32_t*)0x200000003840 = 0x28; *(uint32_t*)0x200000003844 = 0x26; *(uint64_t*)0x200000003848 = 0x7fffffffffffffff; *(uint64_t*)0x200000003850 = 0x7a; *(uint64_t*)0x200000003858 = 8; *(uint32_t*)0x200000003860 = 0; *(uint32_t*)0x200000003864 = 0; *(uint64_t*)0x200000006cb0 = 0x200000003880; *(uint32_t*)0x200000003880 = 0x60; *(uint32_t*)0x200000003884 = 0xfffffff5; *(uint64_t*)0x200000003888 = 1; *(uint64_t*)0x200000003890 = 0x81; *(uint64_t*)0x200000003898 = 6; *(uint64_t*)0x2000000038a0 = 0x3ff; *(uint64_t*)0x2000000038a8 = 2; *(uint64_t*)0x2000000038b0 = 4; *(uint32_t*)0x2000000038b8 = 4; *(uint32_t*)0x2000000038bc = 8; *(uint32_t*)0x2000000038c0 = 2; *(uint32_t*)0x2000000038c4 = 0; memset((void*)0x2000000038c8, 0, 24); *(uint64_t*)0x200000006cb8 = 0x200000003900; *(uint32_t*)0x200000003900 = 0x18; *(uint32_t*)0x200000003904 = 0; *(uint64_t*)0x200000003908 = 0; *(uint32_t*)0x200000003910 = 0xb; *(uint32_t*)0x200000003914 = 0; *(uint64_t*)0x200000006cc0 = 0x200000003940; *(uint32_t*)0x200000003940 = 0x12; *(uint32_t*)0x200000003944 = 0xaeab5fde; *(uint64_t*)0x200000003948 = 9; memcpy((void*)0x200000003950, "^\000", 2); *(uint64_t*)0x200000006cc8 = 0x200000003980; *(uint32_t*)0x200000003980 = 0x20; *(uint32_t*)0x200000003984 = 0; *(uint64_t*)0x200000003988 = 0; *(uint64_t*)0x200000003990 = 0; *(uint32_t*)0x200000003998 = 2; *(uint32_t*)0x20000000399c = 0; *(uint64_t*)0x200000006cd0 = 0x2000000039c0; 
*(uint32_t*)0x2000000039c0 = 0x78; *(uint32_t*)0x2000000039c4 = 0; *(uint64_t*)0x2000000039c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000039d0 = 3; *(uint32_t*)0x2000000039d8 = 0x67; *(uint32_t*)0x2000000039dc = 0; *(uint64_t*)0x2000000039e0 = 3; *(uint64_t*)0x2000000039e8 = 2; *(uint64_t*)0x2000000039f0 = 5; *(uint64_t*)0x2000000039f8 = 2; *(uint64_t*)0x200000003a00 = 0; *(uint64_t*)0x200000003a08 = 0x5b; *(uint32_t*)0x200000003a10 = 0x200; *(uint32_t*)0x200000003a14 = 6; *(uint32_t*)0x200000003a18 = 0xf0b7; *(uint32_t*)0x200000003a1c = 0x1000; *(uint32_t*)0x200000003a20 = 1; *(uint32_t*)0x200000003a24 = -1; *(uint32_t*)0x200000003a28 = -1; *(uint32_t*)0x200000003a2c = 4; *(uint32_t*)0x200000003a30 = 6; *(uint32_t*)0x200000003a34 = 0; *(uint64_t*)0x200000006cd8 = 0x200000004b00; *(uint32_t*)0x200000004b00 = 0x90; *(uint32_t*)0x200000004b04 = 0; *(uint64_t*)0x200000004b08 = 7; *(uint64_t*)0x200000004b10 = 1; *(uint64_t*)0x200000004b18 = 3; *(uint64_t*)0x200000004b20 = 0x10000; *(uint64_t*)0x200000004b28 = 0x200; *(uint32_t*)0x200000004b30 = 8; *(uint32_t*)0x200000004b34 = 0xa87; *(uint64_t*)0x200000004b38 = 4; *(uint64_t*)0x200000004b40 = 1; *(uint64_t*)0x200000004b48 = 7; *(uint64_t*)0x200000004b50 = 1; *(uint64_t*)0x200000004b58 = 0xfffffffffffffffd; *(uint64_t*)0x200000004b60 = 4; *(uint32_t*)0x200000004b68 = 9; *(uint32_t*)0x200000004b6c = 0xffff; *(uint32_t*)0x200000004b70 = 0x10000000; *(uint32_t*)0x200000004b74 = 0; *(uint32_t*)0x200000004b78 = 0xf40; *(uint32_t*)0x200000004b7c = 0; *(uint32_t*)0x200000004b80 = r[10]; *(uint32_t*)0x200000004b84 = 0x8001; *(uint32_t*)0x200000004b88 = 9; *(uint32_t*)0x200000004b8c = 0; *(uint64_t*)0x200000006ce0 = 0x200000004bc0; *(uint32_t*)0x200000004bc0 = 0x48; *(uint32_t*)0x200000004bc4 = 0; *(uint64_t*)0x200000004bc8 = 0x5c; *(uint64_t*)0x200000004bd0 = 1; *(uint64_t*)0x200000004bd8 = 4; *(uint32_t*)0x200000004be0 = 6; *(uint32_t*)0x200000004be4 = 8; memset((void*)0x200000004be8, 255, 6); *(uint64_t*)0x200000004bf0 = 1; 
*(uint64_t*)0x200000004bf8 = 8; *(uint32_t*)0x200000004c00 = 0; *(uint32_t*)0x200000004c04 = 0xb; *(uint64_t*)0x200000006ce8 = 0x200000006500; *(uint32_t*)0x200000006500 = 0x478; *(uint32_t*)0x200000006504 = 0; *(uint64_t*)0x200000006508 = 2; *(uint64_t*)0x200000006510 = 1; *(uint64_t*)0x200000006518 = 1; *(uint64_t*)0x200000006520 = 0xf; *(uint64_t*)0x200000006528 = 9; *(uint32_t*)0x200000006530 = 0x7fffffff; *(uint32_t*)0x200000006534 = 0x3ff; *(uint64_t*)0x200000006538 = 5; *(uint64_t*)0x200000006540 = 0xb3fc; *(uint64_t*)0x200000006548 = 3; *(uint64_t*)0x200000006550 = 0xa2d9; *(uint64_t*)0x200000006558 = 3; *(uint64_t*)0x200000006560 = 0x80000000; *(uint32_t*)0x200000006568 = 4; *(uint32_t*)0x20000000656c = 5; *(uint32_t*)0x200000006570 = 2; *(uint32_t*)0x200000006574 = 0x6000; *(uint32_t*)0x200000006578 = 0xfff; *(uint32_t*)0x20000000657c = -1; *(uint32_t*)0x200000006580 = 0xee01; *(uint32_t*)0x200000006584 = 5; *(uint32_t*)0x200000006588 = 6; *(uint32_t*)0x20000000658c = 0; *(uint64_t*)0x200000006590 = 5; *(uint64_t*)0x200000006598 = 9; *(uint32_t*)0x2000000065a0 = 6; *(uint32_t*)0x2000000065a4 = 6; memcpy((void*)0x2000000065a8, "wlan1\000", 6); *(uint64_t*)0x2000000065b0 = 3; *(uint64_t*)0x2000000065b8 = 1; *(uint64_t*)0x2000000065c0 = 4; *(uint64_t*)0x2000000065c8 = 0xf; *(uint32_t*)0x2000000065d0 = 1; *(uint32_t*)0x2000000065d4 = 5; *(uint64_t*)0x2000000065d8 = 4; *(uint64_t*)0x2000000065e0 = 0xffc; *(uint64_t*)0x2000000065e8 = 2; *(uint64_t*)0x2000000065f0 = 0xffffffffffffdbca; *(uint64_t*)0x2000000065f8 = 0x35; *(uint64_t*)0x200000006600 = 0x5fa; *(uint32_t*)0x200000006608 = 8; *(uint32_t*)0x20000000660c = 5; *(uint32_t*)0x200000006610 = 0x16d; *(uint32_t*)0x200000006614 = 0x6000; *(uint32_t*)0x200000006618 = 0x8000; *(uint32_t*)0x20000000661c = r[11]; *(uint32_t*)0x200000006620 = 0xee00; *(uint32_t*)0x200000006624 = 8; *(uint32_t*)0x200000006628 = 2; *(uint32_t*)0x20000000662c = 0; *(uint64_t*)0x200000006630 = 2; *(uint64_t*)0x200000006638 = 0x3e8; 
*(uint32_t*)0x200000006640 = 0x16; *(uint32_t*)0x200000006644 = 5; memcpy((void*)0x200000006648, "bpf_lsm_path_truncate\000", 22); *(uint64_t*)0x200000006660 = 6; *(uint64_t*)0x200000006668 = 3; *(uint64_t*)0x200000006670 = 0xcff0; *(uint64_t*)0x200000006678 = 0xfffffffffffffbff; *(uint32_t*)0x200000006680 = 3; *(uint32_t*)0x200000006684 = 3; *(uint64_t*)0x200000006688 = 5; *(uint64_t*)0x200000006690 = 4; *(uint64_t*)0x200000006698 = 8; *(uint64_t*)0x2000000066a0 = 9; *(uint64_t*)0x2000000066a8 = 0x10; *(uint64_t*)0x2000000066b0 = 5; *(uint32_t*)0x2000000066b8 = 0x91; *(uint32_t*)0x2000000066bc = 0xfff; *(uint32_t*)0x2000000066c0 = 0xfffffffd; *(uint32_t*)0x2000000066c4 = 0xc000; *(uint32_t*)0x2000000066c8 = 3; *(uint32_t*)0x2000000066cc = r[12]; *(uint32_t*)0x2000000066d0 = 0xee00; *(uint32_t*)0x2000000066d4 = 0x80; *(uint32_t*)0x2000000066d8 = 0x40; *(uint32_t*)0x2000000066dc = 0; *(uint64_t*)0x2000000066e0 = 0; *(uint64_t*)0x2000000066e8 = 8; *(uint32_t*)0x2000000066f0 = 6; *(uint32_t*)0x2000000066f4 = 0x80000001; memcpy((void*)0x2000000066f8, "wlan1\000", 6); *(uint64_t*)0x200000006700 = 3; *(uint64_t*)0x200000006708 = 2; *(uint64_t*)0x200000006710 = 8; *(uint64_t*)0x200000006718 = 9; *(uint32_t*)0x200000006720 = 0x80000000; *(uint32_t*)0x200000006724 = 0xd149; *(uint64_t*)0x200000006728 = 3; *(uint64_t*)0x200000006730 = 4; *(uint64_t*)0x200000006738 = 5; *(uint64_t*)0x200000006740 = 0xe; *(uint64_t*)0x200000006748 = 0x7a; *(uint64_t*)0x200000006750 = 0xd52; *(uint32_t*)0x200000006758 = 0; *(uint32_t*)0x20000000675c = 5; *(uint32_t*)0x200000006760 = 6; *(uint32_t*)0x200000006764 = 0xa000; *(uint32_t*)0x200000006768 = 2; *(uint32_t*)0x20000000676c = r[14]; *(uint32_t*)0x200000006770 = 0; *(uint32_t*)0x200000006774 = 0x7fffffff; *(uint32_t*)0x200000006778 = 5; *(uint32_t*)0x20000000677c = 0; *(uint64_t*)0x200000006780 = 4; *(uint64_t*)0x200000006788 = 0x7ff; *(uint32_t*)0x200000006790 = 2; *(uint32_t*)0x200000006794 = 0x78d; memcpy((void*)0x200000006798, 
"\300\'", 2); *(uint64_t*)0x2000000067a0 = 2; *(uint64_t*)0x2000000067a8 = 0; *(uint64_t*)0x2000000067b0 = 6; *(uint64_t*)0x2000000067b8 = 0x7fffffff; *(uint32_t*)0x2000000067c0 = 5; *(uint32_t*)0x2000000067c4 = 5; *(uint64_t*)0x2000000067c8 = 2; *(uint64_t*)0x2000000067d0 = 0xc; *(uint64_t*)0x2000000067d8 = 0xbde5; *(uint64_t*)0x2000000067e0 = 5; *(uint64_t*)0x2000000067e8 = 8; *(uint64_t*)0x2000000067f0 = 0x10; *(uint32_t*)0x2000000067f8 = 9; *(uint32_t*)0x2000000067fc = 6; *(uint32_t*)0x200000006800 = 0xe31; *(uint32_t*)0x200000006804 = 0x2000; *(uint32_t*)0x200000006808 = 0x5b8; *(uint32_t*)0x20000000680c = r[16]; *(uint32_t*)0x200000006810 = r[18]; *(uint32_t*)0x200000006814 = 6; *(uint32_t*)0x200000006818 = 8; *(uint32_t*)0x20000000681c = 0; *(uint64_t*)0x200000006820 = 2; *(uint64_t*)0x200000006828 = 0x80; *(uint32_t*)0x200000006830 = 0; *(uint32_t*)0x200000006834 = 0xb6; *(uint64_t*)0x200000006838 = 5; *(uint64_t*)0x200000006840 = 2; *(uint64_t*)0x200000006848 = 0x80000001; *(uint64_t*)0x200000006850 = 2; *(uint32_t*)0x200000006858 = 6; *(uint32_t*)0x20000000685c = 0xff; *(uint64_t*)0x200000006860 = 3; *(uint64_t*)0x200000006868 = 5; *(uint64_t*)0x200000006870 = 8; *(uint64_t*)0x200000006878 = 3; *(uint64_t*)0x200000006880 = 0x8001; *(uint64_t*)0x200000006888 = 5; *(uint32_t*)0x200000006890 = 1; *(uint32_t*)0x200000006894 = 7; *(uint32_t*)0x200000006898 = 2; *(uint32_t*)0x20000000689c = 0x1000; *(uint32_t*)0x2000000068a0 = 1; *(uint32_t*)0x2000000068a4 = 0xee01; *(uint32_t*)0x2000000068a8 = r[19]; *(uint32_t*)0x2000000068ac = 0x10001; *(uint32_t*)0x2000000068b0 = 6; *(uint32_t*)0x2000000068b4 = 0; *(uint64_t*)0x2000000068b8 = 0; *(uint64_t*)0x2000000068c0 = 6; *(uint32_t*)0x2000000068c8 = 5; *(uint32_t*)0x2000000068cc = 6; memset((void*)0x2000000068d0, 170, 5); *(uint64_t*)0x2000000068d8 = 3; *(uint64_t*)0x2000000068e0 = 1; *(uint64_t*)0x2000000068e8 = 0x8000000000000000; *(uint64_t*)0x2000000068f0 = 0x2e; *(uint32_t*)0x2000000068f8 = 5; 
*(uint32_t*)0x2000000068fc = 7; *(uint64_t*)0x200000006900 = 6; *(uint64_t*)0x200000006908 = 5; *(uint64_t*)0x200000006910 = 5; *(uint64_t*)0x200000006918 = 0xb; *(uint64_t*)0x200000006920 = 0; *(uint64_t*)0x200000006928 = 2; *(uint32_t*)0x200000006930 = 0xffff; *(uint32_t*)0x200000006934 = 0; *(uint32_t*)0x200000006938 = 8; *(uint32_t*)0x20000000693c = 0x2000; *(uint32_t*)0x200000006940 = 9; *(uint32_t*)0x200000006944 = r[20]; *(uint32_t*)0x200000006948 = r[21]; *(uint32_t*)0x20000000694c = 2; *(uint32_t*)0x200000006950 = 7; *(uint32_t*)0x200000006954 = 0; *(uint64_t*)0x200000006958 = 6; *(uint64_t*)0x200000006960 = 0xfffffffffffffffb; *(uint32_t*)0x200000006968 = 5; *(uint32_t*)0x20000000696c = 6; memset((void*)0x200000006970, 170, 5); *(uint64_t*)0x200000006cf0 = 0x200000006980; *(uint32_t*)0x200000006980 = 0xa0; *(uint32_t*)0x200000006984 = 0; *(uint64_t*)0x200000006988 = 0xd05; *(uint64_t*)0x200000006990 = 5; *(uint64_t*)0x200000006998 = 3; *(uint64_t*)0x2000000069a0 = 0x8000000000000001; *(uint64_t*)0x2000000069a8 = 7; *(uint32_t*)0x2000000069b0 = 5; *(uint32_t*)0x2000000069b4 = 2; *(uint64_t*)0x2000000069b8 = 3; *(uint64_t*)0x2000000069c0 = 4; *(uint64_t*)0x2000000069c8 = 5; *(uint64_t*)0x2000000069d0 = 3; *(uint64_t*)0x2000000069d8 = 8; *(uint64_t*)0x2000000069e0 = 1; *(uint32_t*)0x2000000069e8 = 0x8001; *(uint32_t*)0x2000000069ec = 0; *(uint32_t*)0x2000000069f0 = 0xfff; *(uint32_t*)0x2000000069f4 = 0x8000; *(uint32_t*)0x2000000069f8 = 0x101; *(uint32_t*)0x2000000069fc = r[22]; *(uint32_t*)0x200000006a00 = 0xee00; *(uint32_t*)0x200000006a04 = 7; *(uint32_t*)0x200000006a08 = 0xac; *(uint32_t*)0x200000006a0c = 0; *(uint64_t*)0x200000006a10 = 0; *(uint32_t*)0x200000006a18 = 0x10; *(uint32_t*)0x200000006a1c = 0; *(uint64_t*)0x200000006cf8 = 0x200000006a40; *(uint32_t*)0x200000006a40 = 0x20; *(uint32_t*)0x200000006a44 = 0; *(uint64_t*)0x200000006a48 = 0xffffffff; *(uint32_t*)0x200000006a50 = 4; *(uint32_t*)0x200000006a54 = 0; *(uint32_t*)0x200000006a58 = 9; 
*(uint32_t*)0x200000006a5c = 0xa; *(uint64_t*)0x200000006d00 = 0x200000006b40; *(uint32_t*)0x200000006b40 = 0x130; *(uint32_t*)0x200000006b44 = 0; *(uint64_t*)0x200000006b48 = 0x1ff; *(uint64_t*)0x200000006b50 = 0x6276287e; *(uint32_t*)0x200000006b58 = 7; *(uint32_t*)0x200000006b5c = 0; memset((void*)0x200000006b60, 0, 16); *(uint32_t*)0x200000006b70 = 0x800; *(uint32_t*)0x200000006b74 = 2; *(uint64_t*)0x200000006b78 = 3; *(uint32_t*)0x200000006b80 = 0x1e; *(uint32_t*)0x200000006b84 = -1; *(uint32_t*)0x200000006b88 = r[24]; *(uint16_t*)0x200000006b8c = 0x4000; memset((void*)0x200000006b8e, 0, 2); *(uint64_t*)0x200000006b90 = 0x800; *(uint64_t*)0x200000006b98 = 9; *(uint64_t*)0x200000006ba0 = 8; *(uint64_t*)0x200000006ba8 = 0x32f3fcde; *(uint64_t*)0x200000006bb0 = 6; *(uint32_t*)0x200000006bb8 = 1; *(uint32_t*)0x200000006bbc = 0; *(uint64_t*)0x200000006bc0 = 4; *(uint32_t*)0x200000006bc8 = 0xe30; *(uint32_t*)0x200000006bcc = 0; *(uint64_t*)0x200000006bd0 = 0x4d; *(uint32_t*)0x200000006bd8 = 3; *(uint32_t*)0x200000006bdc = 0; *(uint64_t*)0x200000006be0 = 6; *(uint32_t*)0x200000006be8 = 8; *(uint32_t*)0x200000006bec = 0; *(uint32_t*)0x200000006bf0 = 6; *(uint32_t*)0x200000006bf4 = 2; *(uint32_t*)0x200000006bf8 = 0xfb; *(uint32_t*)0x200000006bfc = 2; memset((void*)0x200000006c00, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x2000000016c0, /*len=*/0x2000, /*res=*/0x200000006c80); break; case 30: memcpy((void*)0x200000006d40, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000006d40, /*fd=*/r[23]); break; case 31: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 32: *(uint32_t*)0x200000006d84 = 0xd0f0; *(uint32_t*)0x200000006d88 = 0x20; *(uint32_t*)0x200000006d8c = 0; *(uint32_t*)0x200000006d90 = 0x1e5; *(uint32_t*)0x200000006d98 = -1; memset((void*)0x200000006d9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x28c2, /*params=*/0x200000006d80, /*ring_ptr=*/0x200000006e00, /*sqes_ptr=*/0x200000006e40); if (res != -1) 
r[25] = *(uint64_t*)0x200000006e00; break; case 33: syz_io_uring_complete(/*ring_ptr=*/r[25]); break; case 34: *(uint32_t*)0x200000006e84 = 0x979d; *(uint32_t*)0x200000006e88 = 4; *(uint32_t*)0x200000006e8c = 1; *(uint32_t*)0x200000006e90 = 0x206; *(uint32_t*)0x200000006e98 = r[9]; memset((void*)0x200000006e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x7c1f, /*params=*/0x200000006e80, /*ring_ptr=*/0x200000006f00, /*sqes_ptr=*/0x200000006f40); if (res != -1) { r[26] = res; r[27] = *(uint64_t*)0x200000006f00; r[28] = *(uint64_t*)0x200000006f40; } break; case 35: res = syscall(__NR_io_uring_register, /*fd=*/r[26], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[29] = res; break; case 36: *(uint8_t*)0x200000007000 = 0x1c; *(uint8_t*)0x200000007001 = 0x14; *(uint16_t*)0x200000007002 = 0; *(uint32_t*)0x200000007004 = r[23]; *(uint64_t*)0x200000007008 = 0x200000006f80; *(uint64_t*)0x200000006f80 = 0x818480; *(uint64_t*)0x200000006f88 = 0; *(uint64_t*)0x200000006f90 = 0x35; *(uint64_t*)0x200000007010 = 0x200000006fc0; memcpy((void*)0x200000006fc0, "./file0\000", 8); *(uint32_t*)0x200000007018 = 0x18; *(uint32_t*)0x20000000701c = 0; *(uint64_t*)0x200000007020 = 0x23456; *(uint16_t*)0x200000007028 = 0; *(uint16_t*)0x20000000702a = r[29]; memset((void*)0x20000000702c, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[27], /*sqes_ptr=*/r[28], /*sqe=*/0x200000007000); break; case 37: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[9], /*usermem=*/0x200000bfd000); if (res != -1) r[30] = res; break; case 38: *(uint64_t*)0x200000007400 = 0; *(uint64_t*)0x200000007408 = 0x200000007040; *(uint64_t*)0x200000007040 = 0x65; *(uint64_t*)0x200000007048 = 0x20; *(uint64_t*)0x200000007050 = 0x92e; *(uint64_t*)0x200000007058 = 8; *(uint64_t*)0x200000007060 = 0x130; *(uint64_t*)0x200000007068 = 0x18; *(uint64_t*)0x200000007070 = 1; *(uint64_t*)0x200000007078 = 0x68; *(uint64_t*)0x200000007080 = 0x20; *(uint64_t*)0x200000007088 = 1; *(uint64_t*)0x200000007090 = 0; 
*(uint64_t*)0x200000007098 = 0x17d; *(uint64_t*)0x2000000070a0 = 0x20; *(uint64_t*)0x2000000070a8 = 0xffffffff; *(uint64_t*)0x2000000070b0 = 0xbd0d; *(uint64_t*)0x2000000070b8 = 0x183; *(uint64_t*)0x2000000070c0 = 0x18; *(uint64_t*)0x2000000070c8 = 1; *(uint64_t*)0x2000000070d0 = 0xa; *(uint64_t*)0x2000000070d8 = 0x6a; memcpy((void*)0x2000000070e0, "\x36\x49\x0f\xc7\xaa\xd6\x61\x97\xc0\x26\x66\x0f\x38\x80\x94\x5e\x00\x80\x00\x00\x0f\x01\xba\x00\x80\x00\x00\x8f\xc9\xb8\x9b\x29\x47\x0f\xc7\xae\x20\x00\x00\x00\x45\x0f\x09\xc4\xe2\xd1\x39\x67\xc4\x36\x0f\x01\x7f\x05\x66\x64\x2e\x64\x3e\xd8\xf1\xc7\x44\x24\x00\x25\xfd\x00\x00\xc7\x44\x24\x02\x54\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24", 89); *(uint8_t*)0x200000007139 = 0xc3; *(uint64_t*)0x20000000713a = 0x180; *(uint64_t*)0x200000007142 = 0x38; *(uint64_t*)0x20000000714a = 0; *(uint64_t*)0x200000007152 = 0xb5; *(uint64_t*)0x20000000715a = 7; *(uint64_t*)0x200000007162 = 5; *(uint64_t*)0x20000000716a = 0; *(uint64_t*)0x200000007172 = 0x12f; *(uint64_t*)0x20000000717a = 0x18; *(uint64_t*)0x200000007182 = 3; *(uint64_t*)0x20000000718a = 0x12c; *(uint64_t*)0x200000007192 = 0x18; *(uint64_t*)0x20000000719a = 0; *(uint64_t*)0x2000000071a2 = 0x154; *(uint64_t*)0x2000000071aa = 0x38; *(uint64_t*)0x2000000071b2 = 3; *(uint64_t*)0x2000000071ba = 4; *(uint64_t*)0x2000000071c2 = 5; *(uint64_t*)0x2000000071ca = 0x1ff; *(uint64_t*)0x2000000071d2 = 8; *(uint64_t*)0x2000000071da = 0x130; *(uint64_t*)0x2000000071e2 = 0x18; *(uint64_t*)0x2000000071ea = 0; *(uint64_t*)0x2000000071f2 = 0x6a; *(uint64_t*)0x2000000071fa = 0x28; *(uint64_t*)0x200000007202 = 0xc636; *(uint64_t*)0x20000000720a = 5; *(uint64_t*)0x200000007212 = 4; *(uint64_t*)0x20000000721a = 0x12c; *(uint64_t*)0x200000007222 = 0x18; *(uint64_t*)0x20000000722a = 0; *(uint64_t*)0x200000007232 = 0x12f; *(uint64_t*)0x20000000723a = 0x18; *(uint64_t*)0x200000007242 = 1; *(uint64_t*)0x20000000724a = 0x65; *(uint64_t*)0x200000007252 = 0x20; 
*(uint64_t*)0x20000000725a = 0x8a3; *(uint64_t*)0x200000007262 = 9; *(uint64_t*)0x20000000726a = 0x68; *(uint64_t*)0x200000007272 = 0x20; *(uint64_t*)0x20000000727a = 4; *(uint64_t*)0x200000007282 = 6; *(uint64_t*)0x20000000728a = 0x12f; *(uint64_t*)0x200000007292 = 0x18; *(uint64_t*)0x20000000729a = 3; *(uint64_t*)0x2000000072a2 = 0x12d; *(uint64_t*)0x2000000072aa = 0x18; *(uint64_t*)0x2000000072b2 = 2; *(uint64_t*)0x2000000072ba = 0x17d; *(uint64_t*)0x2000000072c2 = 0x20; *(uint64_t*)0x2000000072ca = 0x8080000; *(uint64_t*)0x2000000072d2 = 0x943e; *(uint64_t*)0x2000000072da = 0x17c; *(uint64_t*)0x2000000072e2 = 0x38; *(uint64_t*)0x2000000072ea = 3; *(uint64_t*)0x2000000072f2 = 0x31; *(uint64_t*)0x2000000072fa = 0xc; *(uint64_t*)0x200000007302 = 6; *(uint64_t*)0x20000000730a = 8; *(uint64_t*)0x200000007312 = 0x180; *(uint64_t*)0x20000000731a = 0x38; *(uint64_t*)0x200000007322 = 2; *(uint64_t*)0x20000000732a = 0x36; *(uint64_t*)0x200000007332 = 1; *(uint64_t*)0x20000000733a = 2; *(uint64_t*)0x200000007342 = 3; *(uint64_t*)0x20000000734a = 0x130; *(uint64_t*)0x200000007352 = 0x18; *(uint64_t*)0x20000000735a = 1; *(uint64_t*)0x200000007362 = 0x130; *(uint64_t*)0x20000000736a = 0x18; *(uint64_t*)0x200000007372 = 0; *(uint64_t*)0x20000000737a = 0x180; *(uint64_t*)0x200000007382 = 0x38; *(uint64_t*)0x20000000738a = 3; *(uint64_t*)0x200000007392 = 0x72; *(uint64_t*)0x20000000739a = 2; *(uint64_t*)0x2000000073a2 = 5; *(uint64_t*)0x2000000073aa = 2; *(uint64_t*)0x2000000073b2 = 0x12f; *(uint64_t*)0x2000000073ba = 0x18; *(uint64_t*)0x2000000073c2 = 2; *(uint64_t*)0x2000000073ca = 0x12f; *(uint64_t*)0x2000000073d2 = 0x18; *(uint64_t*)0x2000000073da = 2; *(uint64_t*)0x200000007410 = 0x3a2; syz_kvm_add_vcpu(/*vm=*/r[30], /*text=*/0x200000007400); break; case 39: res = syscall(__NR_ioctl, /*fd=*/r[9], /*cmd=*/0xae01, /*type=*/5ul); if (res != -1) r[31] = res; break; case 40: *(uint64_t*)0x200000007680 = 0; *(uint64_t*)0x200000007688 = 0x200000007440; 
memcpy((void*)0x200000007440, "\xcd\xfa\xef\x13\x00\x00\x00\x3e\x00\x00\x10\x62\x04\x00\x10\x7a\x00\x00\x10\x66\xc1\x00\x10\x62\xa6\x03\x00\x7e\xb9\xf0\x00\x3e\xe9\x0e\x10\x62\x04\x00\x10\x7a\xa3\x30\x10\x66\x88\x26\x10\x62\xa6\x03\x00\x7e\x24\x00\x00\x4c\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xf6\x63\x60\xba\xaa\x80\x3c\x42\xab\x84\x60\x04\x00\x84\x78\xa5\xa4\x84\x64\xdb\xea\x84\x60\xc7\xb2\xa0\x3c\x4e\xd4\xa5\x60\x04\x00\xa5\x78\x8e\xd5\xa5\x64\xc9\xc4\xa5\x60\xf6\x27\xc0\x3c\x0e\x37\xc6\x60\x04\x00\xc6\x78\x10\x50\xc6\x64\xf3\x3c\xc6\x60\x64\xae\xe0\x3c\x0f\xe0\xe7\x60\x04\x00\xe7\x78\xf8\x33\xe7\x64\x27\xe1\xe7\x60\xf9\xfe\x00\x3d\x88\x3a\x08\x61\x04\x00\x08\x79\xf6\x6c\x08\x65\xcb\x9b\x08\x61\xe7\x22\x20\x3d\xa3\x5b\x29\x61\x04\x00\x29\x79\xbb\xbc\x29\x65\x5e\x83\x29\x61\xd9\x75\x40\x3d\x52\x94\x4a\x61\x04\x00\x4a\x79\xdb\x25\x4a\x65\xf3\x5e\x4a\x61\x02\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x50\xf3\x63\x60\x42\x00\x00\x44\x0d\x0b\xc0\x3e\xa1\xda\xd6\x62\x04\x00\xd6\x7a\xeb\x5a\xd6\x66\x62\x96\xd6\x62\x9c\xb0\x00\x7c\xec\x06\x00\x7c\xa4\x00\x00\x4c\x3d\x6a\xa0\x3e\x17\x1b\xb5\x62\x04\x00\xb5\x7a\x72\x93\xb5\x66\x34\x54\xb5\x62\xa6\x03\xa0\x7e\xd4\x8d\xa0\x3e\x12\xd2\xb5\x62\x04\x00\xb5\x7a\xf6\xf5\xb5\x66\x15\xe0\xb5\x62\xa6\x03\xa0\x7e\x24\x00\x00\x4c\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x05\xc0\x3f\x00\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x00\xc0\x3f\x21\x8c\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf6\x78\xbd\x63\x00\x00\xc0\x3f\x0a\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xfa\x78\xbd\x63\x97\x4b\xc0\x3f\x5c\x3b\xde\x63\x00\x00\xdd\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x49\x30\x84\x64\
xf2\x78\x84\x60\x22\x00\x00\x44\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\x1a\x00\x9c\x63\x24\x01\xc0\x7f", 524); *(uint64_t*)0x200000007690 = 0x20c; *(uint64_t*)0x2000000076c0 = 1; *(uint64_t*)0x2000000076c8 = 6; syz_kvm_setup_cpu(/*fd=*/r[31], /*cpufd=*/r[23], /*usermem=*/0x200000fe5000, /*text=*/0x200000007680, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_IR*/2, /*opts=*/0x2000000076c0, /*nopt=*/1); break; case 41: syz_kvm_setup_syzos_vm(/*fd=*/r[23], /*usermem=*/0x200000c00000); break; case 42: *(uint32_t*)0x200000007700 = 0; syz_memcpy_off(/*ring_ptr=*/0, /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x200000007700, /*src_off=*/0, /*nbytes=*/4); break; case 43: memcpy((void*)0x200000007740, "fuse\000", 5); memcpy((void*)0x200000007780, "./file0\000", 8); memcpy((void*)0x2000000077c0, "fd", 2); *(uint8_t*)0x2000000077c2 = 0x3d; sprintf((char*)0x2000000077c3, "0x%016llx", (long long)r[23]); *(uint8_t*)0x2000000077d5 = 0x2c; memcpy((void*)0x2000000077d6, "rootmode", 8); *(uint8_t*)0x2000000077de = 0x3d; sprintf((char*)0x2000000077df, "%023llo", (long long)0x6000); *(uint8_t*)0x2000000077f6 = 0x2c; memcpy((void*)0x2000000077f7, "user_id", 7); *(uint8_t*)0x2000000077fe = 0x3d; sprintf((char*)0x2000000077ff, "%020llu", (long long)r[22]); *(uint8_t*)0x200000007813 = 0x2c; memcpy((void*)0x200000007814, "group_id", 8); *(uint8_t*)0x20000000781c = 0x3d; sprintf((char*)0x20000000781d, "%020llu", (long long)r[13]); *(uint8_t*)0x200000007831 = 0x2c; memcpy((void*)0x200000007832, "max_read", 8); *(uint8_t*)0x20000000783a = 0x3d; sprintf((char*)0x20000000783b, "0x%016llx", (long long)3); *(uint8_t*)0x20000000784d = 0x2c; memcpy((void*)0x20000000784e, "default_permissions", 19); *(uint8_t*)0x200000007861 = 0x2c; memcpy((void*)0x200000007862, "allow_other", 11); *(uint8_t*)0x20000000786d = 0x2c; memcpy((void*)0x20000000786e, "default_permissions", 19); *(uint8_t*)0x200000007881 = 0x2c; memcpy((void*)0x200000007882, "allow_other", 11); *(uint8_t*)0x20000000788d = 
0x2c; memcpy((void*)0x20000000788e, "default_permissions", 19); *(uint8_t*)0x2000000078a1 = 0x2c; memcpy((void*)0x2000000078a2, "default_permissions", 19); *(uint8_t*)0x2000000078b5 = 0x2c; memcpy((void*)0x2000000078b6, "allow_other", 11); *(uint8_t*)0x2000000078c1 = 0x2c; memcpy((void*)0x2000000078c2, "permit_directio", 15); *(uint8_t*)0x2000000078d1 = 0x2c; memcpy((void*)0x2000000078d2, "uid<", 4); sprintf((char*)0x2000000078d6, "%020llu", (long long)r[17]); *(uint8_t*)0x2000000078ea = 0x2c; memcpy((void*)0x2000000078eb, "appraise", 8); *(uint8_t*)0x2000000078f3 = 0x2c; memcpy((void*)0x2000000078f4, "smackfshat", 10); *(uint8_t*)0x2000000078fe = 0x3d; memcpy((void*)0x2000000078ff, "\300\'", 2); *(uint8_t*)0x200000007901 = 0x2c; memcpy((void*)0x200000007902, "appraise", 8); *(uint8_t*)0x20000000790a = 0x2c; *(uint8_t*)0x20000000790b = 0; memcpy((void*)0x200000007940, "\xa4\xb2\x22\xdf\x2b\xa1\x0d\xf2\x4f\x54\x81\xe0\xdc\x5e\x93\xb8\x1b\x1b\x82\xe9\xa2\x14\xca\xbc\xe3\x44\x80\x0a\xd5\x4d\xe6\x10\xfa\x1e\xda\x44\xb9\x04\x05\x26\xf2\xdc\x7c\x73\x1c\x54\x73\xc8\xc6\xdc\x94\x19\x2a\x03\x48\x4e\x6d\x62\xbb\x49\x12\x86\x12\x54\x3a\x9d\x01\x6e\xd9\xa3\x73\x0e\x51\x08\x0f\x5c\x86\x0d\x03\xa7\x7e\xd5\x01\x64\xbc\xf9\x9c\x42\xd3\x56\x8a\x97\x4a\x92\x7a\x87\x9d\xe4\x1e\xdc\x2f\x55\x52\x36\x58\x86\x12\x1a\x31\x09\x5b\x97\xaa\x08\xee\x29\x77\x11\x1f\x7c\xc5\x6a\x77\xc0\xf2\xa1\x6b\x32\xb1\x9d\xf5\x0a\x24\x9c\xd3\x05\x8e\x60\xa6\xae\x8c\x96\x34\x9d\x5e\x5c\x00\x97\x59\x4c\xe0\x1c\x1f\xbe\xe5\xee\x94\x60\x6f\xef\x67\x32\x31\xe6\x57\x00\xbc\x71\x5f\x1f\x01\x19\xc8\x4e\xd2\x7b\x8a\xf3\x8e\xd1\x53\xd3\x94\xd6\xb2\x2c\xca\x54\xdb\x55\xa3\x1b\xc2\x5b\x45\xe8\x1d\xec\xa7\xbe\xdb\x69\x66\x91\xae\x6b\x92\xf0\x9e\xea\x3e\x2b\x5e\x8a\xf2\xf9\x96\x33\x9d\xec\x59\x2e\xde\xc5\x89\x7e\x94\xeb", 228); syz_mount_image(/*fs=*/0x200000007740, /*dir=*/0x200000007780, /*flags=MS_PRIVATE*/0x40000, /*opts=*/0x2000000077c0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000007940); break; case 44: 
memcpy((void*)0x200000007a40, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000007a40, /*id=*/7, /*flags=*/0); break; case 45: memcpy((void*)0x200000007a80, "net/psched\000", 11); syz_open_procfs(/*pid=*/r[4], /*file=*/0x200000007a80); break; case 46: syz_open_pts(/*fd=*/r[9], /*flags=O_PATH|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|FASYNC|0x402*/0x292c02); break; case 47: syz_pidfd_open(/*pid=*/r[15], /*flags=*/0); break; case 48: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[32] = res; break; case 49: syz_pkey_set(/*key=*/r[32], /*val=PKEY_DISABLE_WRITE|PKEY_DISABLE_ACCESS*/3); break; case 50: syz_socket_connect_nvme_tcp(); break; case 51: *(uint8_t*)0x200000007ac0 = 0x12; *(uint8_t*)0x200000007ac1 = 1; *(uint16_t*)0x200000007ac2 = 0x250; *(uint8_t*)0x200000007ac4 = 0x58; *(uint8_t*)0x200000007ac5 = 6; *(uint8_t*)0x200000007ac6 = 0x54; *(uint8_t*)0x200000007ac7 = 8; *(uint16_t*)0x200000007ac8 = 0x13d3; *(uint16_t*)0x200000007aca = 0x3348; *(uint16_t*)0x200000007acc = 0x15b2; *(uint8_t*)0x200000007ace = 1; *(uint8_t*)0x200000007acf = 2; *(uint8_t*)0x200000007ad0 = 3; *(uint8_t*)0x200000007ad1 = 1; *(uint8_t*)0x200000007ad2 = 9; *(uint8_t*)0x200000007ad3 = 2; *(uint16_t*)0x200000007ad4 = 0x283; *(uint8_t*)0x200000007ad6 = 2; *(uint8_t*)0x200000007ad7 = 9; *(uint8_t*)0x200000007ad8 = 2; *(uint8_t*)0x200000007ad9 = 0x10; *(uint8_t*)0x200000007ada = 8; *(uint8_t*)0x200000007adb = 9; *(uint8_t*)0x200000007adc = 4; *(uint8_t*)0x200000007add = 0x26; *(uint8_t*)0x200000007ade = 0xb; *(uint8_t*)0x200000007adf = 5; *(uint8_t*)0x200000007ae0 = 0x83; *(uint8_t*)0x200000007ae1 = 0x18; *(uint8_t*)0x200000007ae2 = 0x74; *(uint8_t*)0x200000007ae3 = 0xee; *(uint8_t*)0x200000007ae4 = 9; *(uint8_t*)0x200000007ae5 = 5; *(uint8_t*)0x200000007ae6 = 0xb; *(uint8_t*)0x200000007ae7 = 3; *(uint16_t*)0x200000007ae8 = 8; *(uint8_t*)0x200000007aea = 4; *(uint8_t*)0x200000007aeb = 0xfb; *(uint8_t*)0x200000007aec = 0x6a; *(uint8_t*)0x200000007aed = 0xbd; 
*(uint8_t*)0x200000007aee = 0xc; memcpy((void*)0x200000007aef, "\x8b\x82\xbd\x3f\xc8\x13\x7d\x3d\x25\x9c\xe7\xbc\x14\x0d\xe0\x82\x3d\xe2\x22\x2e\xed\x4c\x57\x0e\xdc\xb8\x45\x53\xcd\x1e\xfd\x64\x9d\xd3\x52\xdd\x37\x5d\x81\xda\x8d\xa8\xe6\x86\x3f\xb4\x82\xec\xb3\xa1\x6f\x12\x22\x10\xbf\xf2\x5c\x59\xa3\xaf\xc6\x54\x28\x48\xc0\x6e\x1b\x98\x3f\xbc\x8d\xd0\xde\x62\x7c\xfd\xdf\x9f\x90\x5f\x5c\xb6\xed\x4a\x25\xec\x59\x47\x59\x9b\x15\xb5\x38\xc7\xbb\x0b\x0d\x65\xd4\xa3\x1b\x31\x9f\x73\x83\x95\x5c\xe7\x66\xef\x4c\x66\xd1\x8b\xc7\x5d\x69\xb2\xdd\x7d\x13\x6c\x78\xea\xec\x1e\x22\x03\xeb\x91\x8d\xd6\x16\x09\xde\x40\xf4\xf6\x93\x91\x7e\xeb\x17\xfc\x38\x7b\xb4\x27\x34\x1f\x64\x16\xe0\xb8\xc4\x6a\x24\x45\xa5\xc4\x9b\xd9\xc8\x6d\xfe\x21\xc5\x98\xac\xf1\x7e\xa9\x8f\xfe\xce\x20\x2a\x21\xdc\x93\xa0\xb8\x30\xd2\x9a\xf8\x7c", 187); *(uint8_t*)0x200000007baa = 0xc7; *(uint8_t*)0x200000007bab = 6; memcpy((void*)0x200000007bac, "\xf5\x45\x9e\x11\x78\x00\xd2\x2a\x25\xa4\x86\xd1\x44\x2f\x5c\xbd\x4d\x3d\x77\x6c\xd0\x61\xd2\xc1\x85\xf9\x92\x4e\xae\x6a\x4d\x7b\x14\xc5\x8b\x59\x98\x63\xd3\x21\xe3\xea\x80\xa2\x5f\x6d\x8b\xe5\x1d\x5c\xa7\x0c\x27\x6c\xe0\xe6\xd9\x03\x8f\x88\x77\x6b\x96\x14\x28\x7d\xb7\xee\x21\x13\xf0\xe7\xe1\xf0\x18\x73\xb6\x13\xd7\x63\xda\x5f\x87\xf8\x6c\xd1\x86\x0b\xd6\x23\x46\x3f\xc6\xd9\x3d\x9f\x94\x8d\x0d\x4d\x70\xd7\x2a\x8a\xc1\xde\xc1\xad\xce\xb8\x71\x67\x29\x90\x64\x28\xd5\xb6\xe2\x4b\x01\x49\x9b\xfa\x6a\x0a\xa0\x48\x2e\xed\x8c\x77\x51\xa1\xc7\xec\x94\x4d\xb1\x92\x54\xa7\x4b\x61\x14\x2e\x72\x5a\x7a\x29\x0c\x41\x42\x87\x5d\x34\x7b\x3e\x48\x3f\x4e\x2d\xb8\x37\x3e\xf8\xfe\xad\x81\x18\xce\x07\xd8\x12\x33\x2b\x21\x1d\xa9\x73\x3d\x44\x4f\x7d\x70\x6a\x64\x39\xc2\x9a\xea\xed\xd0\x30\x00\xa2\xa8", 197); *(uint8_t*)0x200000007c71 = 9; *(uint8_t*)0x200000007c72 = 5; *(uint8_t*)0x200000007c73 = 0xa; *(uint8_t*)0x200000007c74 = 0xc; *(uint16_t*)0x200000007c75 = 0x400; *(uint8_t*)0x200000007c77 = 0xc; *(uint8_t*)0x200000007c78 = 0; *(uint8_t*)0x200000007c79 = 0xb5; 
*(uint8_t*)0x200000007c7a = 7; *(uint8_t*)0x200000007c7b = 0x25; *(uint8_t*)0x200000007c7c = 1; *(uint8_t*)0x200000007c7d = 1; *(uint8_t*)0x200000007c7e = 0xb; *(uint16_t*)0x200000007c7f = 7; *(uint8_t*)0x200000007c81 = 9; *(uint8_t*)0x200000007c82 = 5; *(uint8_t*)0x200000007c83 = 2; *(uint8_t*)0x200000007c84 = 0x10; *(uint16_t*)0x200000007c85 = 0x20; *(uint8_t*)0x200000007c87 = 7; *(uint8_t*)0x200000007c88 = 5; *(uint8_t*)0x200000007c89 = 5; *(uint8_t*)0x200000007c8a = 0x24; *(uint8_t*)0x200000007c8b = 7; memcpy((void*)0x200000007c8c, "\xad\x98\x31\x4a\x82\xd7\xae\xbb\xfc\xe8\x51\x78\x75\x22\x71\xb1\x58\xc0\x5d\xea\x1b\xf5\xa2\x45\x9c\x43\x1d\xf1\x80\xc1\xf3\xb2\xbe\x3b", 34); *(uint8_t*)0x200000007cae = 9; *(uint8_t*)0x200000007caf = 5; *(uint8_t*)0x200000007cb0 = 3; *(uint8_t*)0x200000007cb1 = 2; *(uint16_t*)0x200000007cb2 = 8; *(uint8_t*)0x200000007cb4 = 7; *(uint8_t*)0x200000007cb5 = 0xf3; *(uint8_t*)0x200000007cb6 = 4; *(uint8_t*)0x200000007cb7 = 9; *(uint8_t*)0x200000007cb8 = 5; *(uint8_t*)0x200000007cb9 = 5; *(uint8_t*)0x200000007cba = 0; *(uint16_t*)0x200000007cbb = 0x40; *(uint8_t*)0x200000007cbd = 2; *(uint8_t*)0x200000007cbe = 3; *(uint8_t*)0x200000007cbf = 2; *(uint8_t*)0x200000007cc0 = 0x6a; *(uint8_t*)0x200000007cc1 = 0xa; memcpy((void*)0x200000007cc2, "\xf7\xdd\x67\x50\x5d\x35\x3d\x93\xb6\xe1\xf3\xac\x2d\x8f\x9f\x76\x60\x12\xd2\x04\xe5\x58\xa7\x07\x6c\x6a\x1d\xd6\x64\x8b\x29\x28\xac\xaf\x80\x17\x10\xc8\x55\x50\x67\xe0\x71\x5e\x60\x77\x2d\x9a\x84\xc7\x14\xf6\x3d\x52\x7b\x9f\x15\x32\xa5\xac\x65\x11\x62\x7f\x9e\x84\x00\xe6\x2a\xd6\xbd\x25\xec\x51\xec\x63\x0a\xfc\x10\xe1\xf0\xf2\xfe\x01\xc9\x58\x8e\x28\x97\xef\x26\xd5\xea\x8b\xcf\x97\x0e\x51\xfc\x28\xd8\x4a\x62\x8c", 104); *(uint8_t*)0x200000007d2a = 9; *(uint8_t*)0x200000007d2b = 4; *(uint8_t*)0x200000007d2c = 0x48; *(uint8_t*)0x200000007d2d = 0xe; *(uint8_t*)0x200000007d2e = 3; *(uint8_t*)0x200000007d2f = 0xca; *(uint8_t*)0x200000007d30 = 0x1e; *(uint8_t*)0x200000007d31 = 0x4a; 
*(uint8_t*)0x200000007d32 = 0xf5; *(uint8_t*)0x200000007d33 = 9; *(uint8_t*)0x200000007d34 = 5; *(uint8_t*)0x200000007d35 = 0xb; *(uint8_t*)0x200000007d36 = 4; *(uint16_t*)0x200000007d37 = 0x400; *(uint8_t*)0x200000007d39 = 5; *(uint8_t*)0x200000007d3a = 0xf7; *(uint8_t*)0x200000007d3b = 0xf6; *(uint8_t*)0x200000007d3c = 9; *(uint8_t*)0x200000007d3d = 5; *(uint8_t*)0x200000007d3e = 0xe; *(uint8_t*)0x200000007d3f = 0x10; *(uint16_t*)0x200000007d40 = 0x3ff; *(uint8_t*)0x200000007d42 = 1; *(uint8_t*)0x200000007d43 = 0xd; *(uint8_t*)0x200000007d44 = 0x80; *(uint8_t*)0x200000007d45 = 9; *(uint8_t*)0x200000007d46 = 5; *(uint8_t*)0x200000007d47 = 5; *(uint8_t*)0x200000007d48 = 0x10; *(uint16_t*)0x200000007d49 = 0x10; *(uint8_t*)0x200000007d4b = 0x95; *(uint8_t*)0x200000007d4c = 3; *(uint8_t*)0x200000007d4d = 0; *(uint8_t*)0x200000007d4e = 7; *(uint8_t*)0x200000007d4f = 0x25; *(uint8_t*)0x200000007d50 = 1; *(uint8_t*)0x200000007d51 = 0x82; *(uint8_t*)0x200000007d52 = 0xae; *(uint16_t*)0x200000007d53 = 0x12; *(uint32_t*)0x200000007ec0 = 0xa; *(uint64_t*)0x200000007ec4 = 0x200000007d80; *(uint8_t*)0x200000007d80 = 0xa; *(uint8_t*)0x200000007d81 = 6; *(uint16_t*)0x200000007d82 = 0x110; *(uint8_t*)0x200000007d84 = 4; *(uint8_t*)0x200000007d85 = 1; *(uint8_t*)0x200000007d86 = 6; *(uint8_t*)0x200000007d87 = 8; *(uint8_t*)0x200000007d88 = 0xe; *(uint8_t*)0x200000007d89 = 0; *(uint32_t*)0x200000007ecc = 0x3b; *(uint64_t*)0x200000007ed0 = 0x200000007dc0; *(uint8_t*)0x200000007dc0 = 5; *(uint8_t*)0x200000007dc1 = 0xf; *(uint16_t*)0x200000007dc2 = 0x3b; *(uint8_t*)0x200000007dc4 = 4; *(uint8_t*)0x200000007dc5 = 0x14; *(uint8_t*)0x200000007dc6 = 0x10; *(uint8_t*)0x200000007dc7 = 4; *(uint8_t*)0x200000007dc8 = 6; memcpy((void*)0x200000007dc9, "\xfd\xf4\x04\x3a\xe7\xf5\x9e\x3e\x81\xfe\x30\x3d\x4d\xe3\xea\x16", 16); *(uint8_t*)0x200000007dd9 = 7; *(uint8_t*)0x200000007dda = 0x10; *(uint8_t*)0x200000007ddb = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007ddc, 0x10, 0, 8); 
STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007dde, 6, 0, 16); *(uint8_t*)0x200000007de0 = 7; *(uint8_t*)0x200000007de1 = 0x10; *(uint8_t*)0x200000007de2 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007de3, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 7, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 0xd, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de5, 0x95d7, 0, 16); *(uint8_t*)0x200000007de7 = 0x14; *(uint8_t*)0x200000007de8 = 0x10; *(uint8_t*)0x200000007de9 = 4; *(uint8_t*)0x200000007dea = 3; memcpy((void*)0x200000007deb, "\xbc\x6a\x92\x66\xbf\x50\x6e\x90\x62\x0d\x9c\x90\x0e\x18\x01\x43", 16); *(uint32_t*)0x200000007ed8 = 1; *(uint32_t*)0x200000007edc = 0x98; *(uint64_t*)0x200000007ee0 = 0x200000007e00; *(uint8_t*)0x200000007e00 = 0x98; *(uint8_t*)0x200000007e01 = 3; memcpy((void*)0x200000007e02, "\xd9\x5f\x3f\xca\xaa\x58\xf9\xd3\x6d\x03\xe3\xa2\xd5\x56\x6a\x51\x91\xf7\x42\xf7\x23\xfa\x49\xe3\x64\xe0\x3b\x0d\x28\x8a\x7f\xcb\x45\x79\xb5\x8c\x56\xd8\x24\xbe\x57\xf9\xad\x0f\x87\x03\xd3\x01\x1c\xac\x46\x84\x33\xfa\x22\xc2\x3b\xfa\xf1\x5d\xad\x54\x1e\xfb\x01\x38\xc4\x6b\xb8\xf8\x86\x92\x15\x15\x5c\x26\x85\xd6\x9b\x75\xff\xe6\x8c\x0c\xbd\x6e\x71\x74\x3a\xbd\x43\x55\xe1\x2d\x9d\xcb\x7d\xff\x16\xbb\x07\x5d\xa5\x53\xc1\x78\x13\x9e\xde\x2c\x28\x5a\x4a\x28\x45\xe8\x88\x9c\x23\x45\x04\xd9\x68\xd8\x70\xb6\x08\x4a\x7b\x4a\xb0\xdc\xdb\x83\xd4\x3b\xb2\xf4\xe7\xa0\x15\x6b\x80\xa6\x89\x19\xcb\xb7\xda\x84", 150); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0x295, /*dev=*/0x200000007ac0, /*conn_descs=*/0x200000007ec0); if (res != -1) r[33] = res; break; case 52: *(uint8_t*)0x200000007f00 = 0x12; *(uint8_t*)0x200000007f01 = 1; *(uint16_t*)0x200000007f02 = 0x200; *(uint8_t*)0x200000007f04 = -1; *(uint8_t*)0x200000007f05 = -1; *(uint8_t*)0x200000007f06 = -1; *(uint8_t*)0x200000007f07 = 0x40; *(uint16_t*)0x200000007f08 = 0xcf3; 
*(uint16_t*)0x200000007f0a = 0x9271; *(uint16_t*)0x200000007f0c = 0x108; *(uint8_t*)0x200000007f0e = 1; *(uint8_t*)0x200000007f0f = 2; *(uint8_t*)0x200000007f10 = 3; *(uint8_t*)0x200000007f11 = 1; *(uint8_t*)0x200000007f12 = 9; *(uint8_t*)0x200000007f13 = 2; *(uint16_t*)0x200000007f14 = 0x48; *(uint8_t*)0x200000007f16 = 1; *(uint8_t*)0x200000007f17 = 1; *(uint8_t*)0x200000007f18 = 0; *(uint8_t*)0x200000007f19 = 0x80; *(uint8_t*)0x200000007f1a = 0xfa; *(uint8_t*)0x200000007f1b = 9; *(uint8_t*)0x200000007f1c = 4; *(uint8_t*)0x200000007f1d = 0; *(uint8_t*)0x200000007f1e = 0; *(uint8_t*)0x200000007f1f = 6; *(uint8_t*)0x200000007f20 = -1; *(uint8_t*)0x200000007f21 = 0; *(uint8_t*)0x200000007f22 = 0; *(uint8_t*)0x200000007f23 = 0; *(uint8_t*)0x200000007f24 = 9; *(uint8_t*)0x200000007f25 = 5; *(uint8_t*)0x200000007f26 = 1; *(uint8_t*)0x200000007f27 = 2; *(uint16_t*)0x200000007f28 = 0x200; *(uint8_t*)0x200000007f2a = 0; *(uint8_t*)0x200000007f2b = 0; *(uint8_t*)0x200000007f2c = 0; *(uint8_t*)0x200000007f2d = 9; *(uint8_t*)0x200000007f2e = 5; *(uint8_t*)0x200000007f2f = 0x82; *(uint8_t*)0x200000007f30 = 2; *(uint16_t*)0x200000007f31 = 0x200; *(uint8_t*)0x200000007f33 = 0; *(uint8_t*)0x200000007f34 = 0; *(uint8_t*)0x200000007f35 = 0; *(uint8_t*)0x200000007f36 = 9; *(uint8_t*)0x200000007f37 = 5; *(uint8_t*)0x200000007f38 = 0x83; *(uint8_t*)0x200000007f39 = 3; *(uint16_t*)0x200000007f3a = 0x40; *(uint8_t*)0x200000007f3c = 1; *(uint8_t*)0x200000007f3d = 0; *(uint8_t*)0x200000007f3e = 0; *(uint8_t*)0x200000007f3f = 9; *(uint8_t*)0x200000007f40 = 5; *(uint8_t*)0x200000007f41 = 4; *(uint8_t*)0x200000007f42 = 3; *(uint16_t*)0x200000007f43 = 0x40; *(uint8_t*)0x200000007f45 = 1; *(uint8_t*)0x200000007f46 = 0; *(uint8_t*)0x200000007f47 = 0; *(uint8_t*)0x200000007f48 = 9; *(uint8_t*)0x200000007f49 = 5; *(uint8_t*)0x200000007f4a = 5; *(uint8_t*)0x200000007f4b = 2; *(uint16_t*)0x200000007f4c = 0x200; *(uint8_t*)0x200000007f4e = 0; *(uint8_t*)0x200000007f4f = 0; *(uint8_t*)0x200000007f50 
= 0; *(uint8_t*)0x200000007f51 = 9; *(uint8_t*)0x200000007f52 = 5; *(uint8_t*)0x200000007f53 = 6; *(uint8_t*)0x200000007f54 = 2; *(uint16_t*)0x200000007f55 = 0x200; *(uint8_t*)0x200000007f57 = 0; *(uint8_t*)0x200000007f58 = 0; *(uint8_t*)0x200000007f59 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000007f00, /*conn_descs=*/0); if (res != -1) r[34] = res; break; case 53: *(uint8_t*)0x200000007f80 = 0x12; *(uint8_t*)0x200000007f81 = 1; *(uint16_t*)0x200000007f82 = 0x110; *(uint8_t*)0x200000007f84 = 0; *(uint8_t*)0x200000007f85 = 0; *(uint8_t*)0x200000007f86 = 0; *(uint8_t*)0x200000007f87 = 0x40; *(uint16_t*)0x200000007f88 = 0x1d6b; *(uint16_t*)0x200000007f8a = 0x101; *(uint16_t*)0x200000007f8c = 0x40; *(uint8_t*)0x200000007f8e = 1; *(uint8_t*)0x200000007f8f = 2; *(uint8_t*)0x200000007f90 = 3; *(uint8_t*)0x200000007f91 = 1; *(uint8_t*)0x200000007f92 = 9; *(uint8_t*)0x200000007f93 = 2; *(uint16_t*)0x200000007f94 = 0xd3; *(uint8_t*)0x200000007f96 = 3; *(uint8_t*)0x200000007f97 = 1; *(uint8_t*)0x200000007f98 = 1; *(uint8_t*)0x200000007f99 = 0x80; *(uint8_t*)0x200000007f9a = 0x80; *(uint8_t*)0x200000007f9b = 9; *(uint8_t*)0x200000007f9c = 4; *(uint8_t*)0x200000007f9d = 0; *(uint8_t*)0x200000007f9e = 0; *(uint8_t*)0x200000007f9f = 0; *(uint8_t*)0x200000007fa0 = 1; *(uint8_t*)0x200000007fa1 = 1; *(uint8_t*)0x200000007fa2 = 0; *(uint8_t*)0x200000007fa3 = 0; *(uint8_t*)0x200000007fa4 = 0xa; *(uint8_t*)0x200000007fa5 = 0x24; *(uint8_t*)0x200000007fa6 = 1; *(uint16_t*)0x200000007fa7 = 0; *(uint8_t*)0x200000007fa9 = 0x7c; *(uint8_t*)0x200000007faa = 2; *(uint8_t*)0x200000007fab = 1; *(uint8_t*)0x200000007fac = 2; *(uint8_t*)0x200000007fad = 0xd; *(uint8_t*)0x200000007fae = 0x24; *(uint8_t*)0x200000007faf = 8; *(uint8_t*)0x200000007fb0 = 2; *(uint16_t*)0x200000007fb1 = 8; *(uint8_t*)0x200000007fb3 = 9; memcpy((void*)0x200000007fb4, "\x0c\xff\xda\x3f\x22\x7b", 6); *(uint8_t*)0x200000007fba = 9; *(uint8_t*)0x200000007fbb = 4; 
*(uint8_t*)0x200000007fbc = 1; *(uint8_t*)0x200000007fbd = 0; *(uint8_t*)0x200000007fbe = 0; *(uint8_t*)0x200000007fbf = 1; *(uint8_t*)0x200000007fc0 = 2; *(uint8_t*)0x200000007fc1 = 0; *(uint8_t*)0x200000007fc2 = 0; *(uint8_t*)0x200000007fc3 = 9; *(uint8_t*)0x200000007fc4 = 4; *(uint8_t*)0x200000007fc5 = 1; *(uint8_t*)0x200000007fc6 = 1; *(uint8_t*)0x200000007fc7 = 1; *(uint8_t*)0x200000007fc8 = 1; *(uint8_t*)0x200000007fc9 = 2; *(uint8_t*)0x200000007fca = 0; *(uint8_t*)0x200000007fcb = 0; *(uint8_t*)0x200000007fcc = 0x12; *(uint8_t*)0x200000007fcd = 0x24; *(uint8_t*)0x200000007fce = 2; *(uint8_t*)0x200000007fcf = 2; *(uint16_t*)0x200000007fd0 = 6; *(uint16_t*)0x200000007fd2 = 0x9a; *(uint8_t*)0x200000007fd4 = 0x20; memcpy((void*)0x200000007fd5, "\x2d\xa5\xee\x78\xa2\x8e\x1f\x1a\x41", 9); *(uint8_t*)0x200000007fde = 0xd; *(uint8_t*)0x200000007fdf = 0x24; *(uint8_t*)0x200000007fe0 = 2; *(uint8_t*)0x200000007fe1 = 1; *(uint8_t*)0x200000007fe2 = 0xf8; *(uint8_t*)0x200000007fe3 = 3; *(uint8_t*)0x200000007fe4 = 0x69; *(uint8_t*)0x200000007fe5 = 0x6d; memcpy((void*)0x200000007fe6, "e)", 2); memcpy((void*)0x200000007fe8, "\xbf\x07\x94", 3); *(uint8_t*)0x200000007feb = 0xb; *(uint8_t*)0x200000007fec = 0x24; *(uint8_t*)0x200000007fed = 2; *(uint8_t*)0x200000007fee = 1; *(uint8_t*)0x200000007fef = 5; *(uint8_t*)0x200000007ff0 = 4; *(uint8_t*)0x200000007ff1 = 0x5b; *(uint8_t*)0x200000007ff2 = 3; memset((void*)0x200000007ff3, 68, 1); memcpy((void*)0x200000007ff4, "\x26\x18", 2); *(uint8_t*)0x200000007ff6 = 9; *(uint8_t*)0x200000007ff7 = 0x24; *(uint8_t*)0x200000007ff8 = 2; *(uint8_t*)0x200000007ff9 = 2; *(uint16_t*)0x200000007ffa = 0x7b4; *(uint16_t*)0x200000007ffc = 8; *(uint8_t*)0x200000007ffe = 4; *(uint8_t*)0x200000007fff = 0xc; *(uint8_t*)0x200000008000 = 0x24; *(uint8_t*)0x200000008001 = 2; *(uint8_t*)0x200000008002 = 1; *(uint8_t*)0x200000008003 = 0; *(uint8_t*)0x200000008004 = 3; *(uint8_t*)0x200000008005 = 8; *(uint8_t*)0x200000008006 = 8; 
memset((void*)0x200000008007, 170, 1); memcpy((void*)0x200000008008, "\xe8\xe5\xb4", 3); *(uint8_t*)0x20000000800b = 9; *(uint8_t*)0x20000000800c = 5; *(uint8_t*)0x20000000800d = 1; *(uint8_t*)0x20000000800e = 9; *(uint16_t*)0x20000000800f = 0x40; *(uint8_t*)0x200000008011 = 6; *(uint8_t*)0x200000008012 = 5; *(uint8_t*)0x200000008013 = 0; *(uint8_t*)0x200000008014 = 7; *(uint8_t*)0x200000008015 = 0x25; *(uint8_t*)0x200000008016 = 1; *(uint8_t*)0x200000008017 = 0x80; *(uint8_t*)0x200000008018 = 1; *(uint16_t*)0x200000008019 = 4; *(uint8_t*)0x20000000801b = 9; *(uint8_t*)0x20000000801c = 4; *(uint8_t*)0x20000000801d = 2; *(uint8_t*)0x20000000801e = 0; *(uint8_t*)0x20000000801f = 0; *(uint8_t*)0x200000008020 = 1; *(uint8_t*)0x200000008021 = 2; *(uint8_t*)0x200000008022 = 0; *(uint8_t*)0x200000008023 = 0; *(uint8_t*)0x200000008024 = 9; *(uint8_t*)0x200000008025 = 4; *(uint8_t*)0x200000008026 = 2; *(uint8_t*)0x200000008027 = 1; *(uint8_t*)0x200000008028 = 1; *(uint8_t*)0x200000008029 = 1; *(uint8_t*)0x20000000802a = 2; *(uint8_t*)0x20000000802b = 0; *(uint8_t*)0x20000000802c = 0; *(uint8_t*)0x20000000802d = 7; *(uint8_t*)0x20000000802e = 0x24; *(uint8_t*)0x20000000802f = 1; *(uint8_t*)0x200000008030 = 3; *(uint8_t*)0x200000008031 = 0x1e; *(uint16_t*)0x200000008032 = 4; *(uint8_t*)0x200000008034 = 7; *(uint8_t*)0x200000008035 = 0x24; *(uint8_t*)0x200000008036 = 1; *(uint8_t*)0x200000008037 = 0x6f; *(uint8_t*)0x200000008038 = 7; *(uint16_t*)0x200000008039 = 0; *(uint8_t*)0x20000000803b = 0xa; *(uint8_t*)0x20000000803c = 0x24; *(uint8_t*)0x20000000803d = 2; *(uint8_t*)0x20000000803e = 2; *(uint16_t*)0x20000000803f = 8; *(uint16_t*)0x200000008041 = 2; *(uint8_t*)0x200000008043 = 8; memset((void*)0x200000008044, 102, 1); *(uint8_t*)0x200000008045 = 0x10; *(uint8_t*)0x200000008046 = 0x24; *(uint8_t*)0x200000008047 = 2; *(uint8_t*)0x200000008048 = 2; *(uint16_t*)0x200000008049 = 9; *(uint16_t*)0x20000000804b = 0x401; *(uint8_t*)0x20000000804d = 5; memcpy((void*)0x20000000804e, 
"\x53\xb1\x1d\xbc\x8c\xd3\x10", 7); *(uint8_t*)0x200000008055 = 9; *(uint8_t*)0x200000008056 = 5; *(uint8_t*)0x200000008057 = 0x82; *(uint8_t*)0x200000008058 = 9; *(uint16_t*)0x200000008059 = 8; *(uint8_t*)0x20000000805b = 0; *(uint8_t*)0x20000000805c = 0x28; *(uint8_t*)0x20000000805d = 6; *(uint8_t*)0x20000000805e = 7; *(uint8_t*)0x20000000805f = 0x25; *(uint8_t*)0x200000008060 = 1; *(uint8_t*)0x200000008061 = 0x80; *(uint8_t*)0x200000008062 = 5; *(uint16_t*)0x200000008063 = 0xd; *(uint32_t*)0x2000000081c0 = 0xa; *(uint64_t*)0x2000000081c4 = 0x200000008080; *(uint8_t*)0x200000008080 = 0xa; *(uint8_t*)0x200000008081 = 6; *(uint16_t*)0x200000008082 = 0x110; *(uint8_t*)0x200000008084 = 0x59; *(uint8_t*)0x200000008085 = 0xa5; *(uint8_t*)0x200000008086 = 5; *(uint8_t*)0x200000008087 = 0x10; *(uint8_t*)0x200000008088 = 1; *(uint8_t*)0x200000008089 = 0; *(uint32_t*)0x2000000081cc = 0x39; *(uint64_t*)0x2000000081d0 = 0x2000000080c0; *(uint8_t*)0x2000000080c0 = 5; *(uint8_t*)0x2000000080c1 = 0xf; *(uint16_t*)0x2000000080c2 = 0x39; *(uint8_t*)0x2000000080c4 = 5; *(uint8_t*)0x2000000080c5 = 0xb; *(uint8_t*)0x2000000080c6 = 0x10; *(uint8_t*)0x2000000080c7 = 1; *(uint8_t*)0x2000000080c8 = 4; *(uint16_t*)0x2000000080c9 = 8; *(uint8_t*)0x2000000080cb = 3; *(uint8_t*)0x2000000080cc = 0xb8; *(uint16_t*)0x2000000080cd = 9; *(uint8_t*)0x2000000080cf = 4; *(uint8_t*)0x2000000080d0 = 0x14; *(uint8_t*)0x2000000080d1 = 0x10; *(uint8_t*)0x2000000080d2 = 4; *(uint8_t*)0x2000000080d3 = 2; memcpy((void*)0x2000000080d4, "\x9d\x9a\xb0\x97\x8e\x2a\xac\xe2\x6d\xe6\x63\x06\xe6\xe2\x96\x3d", 16); *(uint8_t*)0x2000000080e4 = 0xb; *(uint8_t*)0x2000000080e5 = 0x10; *(uint8_t*)0x2000000080e6 = 1; *(uint8_t*)0x2000000080e7 = 4; *(uint16_t*)0x2000000080e8 = 0; *(uint8_t*)0x2000000080ea = 6; *(uint8_t*)0x2000000080eb = 4; *(uint16_t*)0x2000000080ec = 1; *(uint8_t*)0x2000000080ee = 5; *(uint8_t*)0x2000000080ef = 3; *(uint8_t*)0x2000000080f0 = 0x10; *(uint8_t*)0x2000000080f1 = 0xb; 
*(uint8_t*)0x2000000080f2 = 7; *(uint8_t*)0x2000000080f3 = 0x10; *(uint8_t*)0x2000000080f4 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000080f5, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f7, 0xfff2, 0, 16); *(uint32_t*)0x2000000081d8 = 1; *(uint32_t*)0x2000000081dc = 0x84; *(uint64_t*)0x2000000081e0 = 0x200000008100; *(uint8_t*)0x200000008100 = 0x84; *(uint8_t*)0x200000008101 = 3; memcpy((void*)0x200000008102, "\x00\x0a\x6c\x9f\x4a\x15\xea\xbc\x97\xa9\x2a\xb6\x65\x23\x1b\x2c\xf9\x05\x73\x21\xeb\x43\x0c\x65\x21\xf4\x97\xa8\xc3\xce\x81\x62\x68\xcb\x33\x7f\xa4\x8d\xee\xcf\xeb\x28\xb2\x30\x5f\xcf\x2d\x2e\x98\x8c\xc8\xb8\xb9\x80\xa1\x33\x2d\xc4\x06\xbc\x34\x69\x5f\xa2\x4d\xc3\x60\x9f\x61\x9d\x7a\xc2\x84\xcc\x3a\xe7\xf0\xaf\xe4\x44\xd5\x78\xc9\x51\xd9\xae\xdc\x4c\x68\x2e\x10\x0c\xfe\xb6\x61\x9b\x98\xa9\x6b\x19\x78\xd8\xed\xe7\x57\x4e\x96\x9f\x8a\xe8\xe3\xdf\xb8\x35\xbd\xe5\xcc\xd9\x22\x13\x3e\x53\x03\x6f\xf4\x4e\xda\x52\xa0\xa9", 130); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0xe5, /*dev=*/0x200000007f80, /*conn_descs=*/0x2000000081c0); if (res != -1) r[35] = res; break; case 54: *(uint32_t*)0x200000008380 = 0x2c; *(uint64_t*)0x200000008384 = 0x200000008200; *(uint8_t*)0x200000008200 = 0x40; *(uint8_t*)0x200000008201 = 0x22; *(uint32_t*)0x200000008202 = 0x31; *(uint8_t*)0x200000008206 = 0x31; *(uint8_t*)0x200000008207 = 5; memcpy((void*)0x200000008208, "\x74\xe8\x3d\xcf\x53\xdd\x2d\x0e\xca\xc0\xaa\x34\x67\xb1\x8d\xfa\x71\xb2\x6c\xdd\x40\x3d\x95\x5c\x0f\xfe\x22\x81\x7b\x01\xfe\x57\x95\xd5\x1c\xf2\x4a\x6a\xe3\xb8\xe3\x2f\x1b\x7a\xc5\xf8\xca", 47); *(uint64_t*)0x20000000838c = 0x200000008240; *(uint8_t*)0x200000008240 = 0; *(uint8_t*)0x200000008241 = 3; *(uint32_t*)0x200000008242 = 0x1e; *(uint8_t*)0x200000008246 = 0x1e; *(uint8_t*)0x200000008247 = 3; memcpy((void*)0x200000008248, 
"\x89\x57\xa5\x01\xd8\x3c\x69\xe5\x4f\x70\xf6\x2f\x93\x2a\x50\xb6\x55\x06\xc3\x88\xc1\x28\x23\x9d\x36\x22\x9e\xe2", 28); *(uint64_t*)0x200000008394 = 0x200000008280; *(uint8_t*)0x200000008280 = 0; *(uint8_t*)0x200000008281 = 0xf; *(uint32_t*)0x200000008282 = 0x4f; *(uint8_t*)0x200000008286 = 5; *(uint8_t*)0x200000008287 = 0xf; *(uint16_t*)0x200000008288 = 0x4f; *(uint8_t*)0x20000000828a = 6; *(uint8_t*)0x20000000828b = 0x1c; *(uint8_t*)0x20000000828c = 0x10; *(uint8_t*)0x20000000828d = 0xa; *(uint8_t*)0x20000000828e = 0; STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 5, 5, 27); *(uint16_t*)0x200000008293 = 0xf000; *(uint16_t*)0x200000008295 = 0x409; *(uint32_t*)0x200000008297 = 0xc000; *(uint32_t*)0x20000000829b = 0x17f; *(uint32_t*)0x20000000829f = 0xff3f30; *(uint32_t*)0x2000000082a3 = 0xffffaf; *(uint8_t*)0x2000000082a7 = 0x10; *(uint8_t*)0x2000000082a8 = 0x10; *(uint8_t*)0x2000000082a9 = 0xa; *(uint8_t*)0x2000000082aa = 9; STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 4, 5, 27); *(uint16_t*)0x2000000082af = 0xff0f; *(uint16_t*)0x2000000082b1 = 0xf87; *(uint32_t*)0x2000000082b3 = 0xc030; *(uint8_t*)0x2000000082b7 = 7; *(uint8_t*)0x2000000082b8 = 0x10; *(uint8_t*)0x2000000082b9 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000082ba, 4, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bc, 5, 0, 16); *(uint8_t*)0x2000000082be = 0xa; *(uint8_t*)0x2000000082bf = 0x10; *(uint8_t*)0x2000000082c0 = 3; *(uint8_t*)0x2000000082c1 = 0; *(uint16_t*)0x2000000082c2 = 4; *(uint8_t*)0x2000000082c4 = 0xd2; *(uint8_t*)0x2000000082c5 = 3; *(uint16_t*)0x2000000082c6 = 5; *(uint8_t*)0x2000000082c8 = 0xa; *(uint8_t*)0x2000000082c9 = 0x10; *(uint8_t*)0x2000000082ca = 3; *(uint8_t*)0x2000000082cb = 0; *(uint16_t*)0x2000000082cc = 0; *(uint8_t*)0x2000000082ce = 1; 
*(uint8_t*)0x2000000082cf = 7; *(uint16_t*)0x2000000082d0 = 2; *(uint8_t*)0x2000000082d2 = 3; *(uint8_t*)0x2000000082d3 = 0x10; *(uint8_t*)0x2000000082d4 = 0xb; *(uint64_t*)0x20000000839c = 0x200000008300; *(uint8_t*)0x200000008300 = 0x20; *(uint8_t*)0x200000008301 = 0x29; *(uint32_t*)0x200000008302 = 0xf; *(uint8_t*)0x200000008306 = 0xf; *(uint8_t*)0x200000008307 = 0x29; *(uint8_t*)0x200000008308 = 8; *(uint16_t*)0x200000008309 = 1; *(uint8_t*)0x20000000830b = 7; *(uint8_t*)0x20000000830c = 4; memcpy((void*)0x20000000830d, "\b\r$}", 4); memcpy((void*)0x200000008311, "\x67\x01\x6d\xee", 4); *(uint64_t*)0x2000000083a4 = 0x200000008340; *(uint8_t*)0x200000008340 = 0x20; *(uint8_t*)0x200000008341 = 0x2a; *(uint32_t*)0x200000008342 = 0xc; *(uint8_t*)0x200000008346 = 0xc; *(uint8_t*)0x200000008347 = 0x2a; *(uint8_t*)0x200000008348 = 0x16; *(uint16_t*)0x200000008349 = 0x80; *(uint8_t*)0x20000000834b = 9; *(uint8_t*)0x20000000834c = 3; *(uint8_t*)0x20000000834d = 3; *(uint16_t*)0x20000000834e = 2; *(uint16_t*)0x200000008350 = 0xf000; *(uint32_t*)0x2000000087c0 = 0x84; *(uint64_t*)0x2000000087c4 = 0x2000000083c0; *(uint8_t*)0x2000000083c0 = 0; *(uint8_t*)0x2000000083c1 = 0x11; *(uint32_t*)0x2000000083c2 = 0x1f; memcpy((void*)0x2000000083c6, "\x16\xd6\x0d\x77\x43\x50\x14\x52\xff\xd5\x73\x04\x24\xbc\x4a\x97\x0c\xc6\x49\x0b\xb9\xcc\x85\x93\x86\x99\xed\xf2\x7a\x0c\x7d", 31); *(uint64_t*)0x2000000087cc = 0x200000008400; *(uint8_t*)0x200000008400 = 0; *(uint8_t*)0x200000008401 = 0xa; *(uint32_t*)0x200000008402 = 1; *(uint8_t*)0x200000008406 = 9; *(uint64_t*)0x2000000087d4 = 0x200000008440; *(uint8_t*)0x200000008440 = 0; *(uint8_t*)0x200000008441 = 8; *(uint32_t*)0x200000008442 = 1; *(uint8_t*)0x200000008446 = 4; *(uint64_t*)0x2000000087dc = 0x200000008480; *(uint8_t*)0x200000008480 = 0x20; *(uint8_t*)0x200000008481 = 0; *(uint32_t*)0x200000008482 = 4; *(uint16_t*)0x200000008486 = 0xe554; *(uint16_t*)0x200000008488 = 1; *(uint64_t*)0x2000000087e4 = 0x2000000084c0; 
*(uint8_t*)0x2000000084c0 = 0x20; *(uint8_t*)0x2000000084c1 = 0; *(uint32_t*)0x2000000084c2 = 4; *(uint16_t*)0x2000000084c6 = 0x200; *(uint16_t*)0x2000000084c8 = 0x2b; *(uint64_t*)0x2000000087ec = 0x200000008500; *(uint8_t*)0x200000008500 = 0x40; *(uint8_t*)0x200000008501 = 7; *(uint32_t*)0x200000008502 = 2; *(uint16_t*)0x200000008506 = 0xfd37; *(uint64_t*)0x2000000087f4 = 0x200000008540; *(uint8_t*)0x200000008540 = 0x40; *(uint8_t*)0x200000008541 = 9; *(uint32_t*)0x200000008542 = 1; *(uint8_t*)0x200000008546 = 0; *(uint64_t*)0x2000000087fc = 0x200000008580; *(uint8_t*)0x200000008580 = 0x40; *(uint8_t*)0x200000008581 = 0xb; *(uint32_t*)0x200000008582 = 2; memcpy((void*)0x200000008586, "E\"", 2); *(uint64_t*)0x200000008804 = 0x2000000085c0; *(uint8_t*)0x2000000085c0 = 0x40; *(uint8_t*)0x2000000085c1 = 0xf; *(uint32_t*)0x2000000085c2 = 2; *(uint16_t*)0x2000000085c6 = 2; *(uint64_t*)0x20000000880c = 0x200000008600; *(uint8_t*)0x200000008600 = 0x40; *(uint8_t*)0x200000008601 = 0x13; *(uint32_t*)0x200000008602 = 6; memcpy((void*)0x200000008606, "\x2f\xa6\xdd\xe0\x3a\x0f", 6); *(uint64_t*)0x200000008814 = 0x200000008640; *(uint8_t*)0x200000008640 = 0x40; *(uint8_t*)0x200000008641 = 0x17; *(uint32_t*)0x200000008642 = 6; memcpy((void*)0x200000008646, "\xde\x1c\x10\x2b\x02\x7e", 6); *(uint64_t*)0x20000000881c = 0x200000008680; *(uint8_t*)0x200000008680 = 0x40; *(uint8_t*)0x200000008681 = 0x19; *(uint32_t*)0x200000008682 = 2; memcpy((void*)0x200000008686, "\x0d\x97", 2); *(uint64_t*)0x200000008824 = 0x2000000086c0; *(uint8_t*)0x2000000086c0 = 0x40; *(uint8_t*)0x2000000086c1 = 0x1a; *(uint32_t*)0x2000000086c2 = 2; *(uint16_t*)0x2000000086c6 = 2; *(uint64_t*)0x20000000882c = 0x200000008700; *(uint8_t*)0x200000008700 = 0x40; *(uint8_t*)0x200000008701 = 0x1c; *(uint32_t*)0x200000008702 = 1; *(uint8_t*)0x200000008706 = 0xfd; *(uint64_t*)0x200000008834 = 0x200000008740; *(uint8_t*)0x200000008740 = 0x40; *(uint8_t*)0x200000008741 = 0x1e; *(uint32_t*)0x200000008742 = 1; 
*(uint8_t*)0x200000008746 = 0xfd; *(uint64_t*)0x20000000883c = 0x200000008780; *(uint8_t*)0x200000008780 = 0x40; *(uint8_t*)0x200000008781 = 0x21; *(uint32_t*)0x200000008782 = 1; *(uint8_t*)0x200000008786 = 0xc9; syz_usb_control_io(/*fd=*/r[35], /*descs=*/0x200000008380, /*resps=*/0x2000000087c0); break; case 55: syz_usb_disconnect(/*fd=*/r[33]); break; case 56: syz_usb_ep_read(/*fd=*/r[34], /*ep=*/7, /*len=*/0xfc, /*data=*/0x200000008880); break; case 57: *(uint8_t*)0x200000008980 = 0x12; *(uint8_t*)0x200000008981 = 1; *(uint16_t*)0x200000008982 = 0x200; *(uint8_t*)0x200000008984 = 7; *(uint8_t*)0x200000008985 = 1; *(uint8_t*)0x200000008986 = 1; *(uint8_t*)0x200000008987 = 0x20; *(uint16_t*)0x200000008988 = 0x525; *(uint16_t*)0x20000000898a = 0xa4a8; *(uint16_t*)0x20000000898c = 0x40; *(uint8_t*)0x20000000898e = 1; *(uint8_t*)0x20000000898f = 2; *(uint8_t*)0x200000008990 = 3; *(uint8_t*)0x200000008991 = 1; *(uint8_t*)0x200000008992 = 9; *(uint8_t*)0x200000008993 = 2; *(uint16_t*)0x200000008994 = 0x24; *(uint8_t*)0x200000008996 = 1; *(uint8_t*)0x200000008997 = 1; *(uint8_t*)0x200000008998 = 0xf4; *(uint8_t*)0x200000008999 = 0x60; *(uint8_t*)0x20000000899a = 4; *(uint8_t*)0x20000000899b = 9; *(uint8_t*)0x20000000899c = 4; *(uint8_t*)0x20000000899d = 0; *(uint8_t*)0x20000000899e = 3; *(uint8_t*)0x20000000899f = 2; *(uint8_t*)0x2000000089a0 = 0; *(uint8_t*)0x2000000089a1 = 0; *(uint8_t*)0x2000000089a2 = 0; *(uint8_t*)0x2000000089a3 = 0x81; *(uint8_t*)0x2000000089a4 = 9; *(uint8_t*)0x2000000089a5 = 5; *(uint8_t*)0x2000000089a6 = 1; *(uint8_t*)0x2000000089a7 = 2; *(uint16_t*)0x2000000089a8 = 0x400; *(uint8_t*)0x2000000089aa = 0; *(uint8_t*)0x2000000089ab = 8; *(uint8_t*)0x2000000089ac = 2; *(uint8_t*)0x2000000089ad = 9; *(uint8_t*)0x2000000089ae = 5; *(uint8_t*)0x2000000089af = 0x82; *(uint8_t*)0x2000000089b0 = 2; *(uint16_t*)0x2000000089b1 = 0x3ff; *(uint8_t*)0x2000000089b3 = 4; *(uint8_t*)0x2000000089b4 = 0x48; *(uint8_t*)0x2000000089b5 = 8; *(uint32_t*)0x200000008f00 
= 0xa; *(uint64_t*)0x200000008f04 = 0x2000000089c0; *(uint8_t*)0x2000000089c0 = 0xa; *(uint8_t*)0x2000000089c1 = 6; *(uint16_t*)0x2000000089c2 = 0x250; *(uint8_t*)0x2000000089c4 = 0x7d; *(uint8_t*)0x2000000089c5 = 0xdd; *(uint8_t*)0x2000000089c6 = 3; *(uint8_t*)0x2000000089c7 = 0x20; *(uint8_t*)0x2000000089c8 = 0xfa; *(uint8_t*)0x2000000089c9 = 0; *(uint32_t*)0x200000008f0c = 0x154; *(uint64_t*)0x200000008f10 = 0x200000008a00; *(uint8_t*)0x200000008a00 = 5; *(uint8_t*)0x200000008a01 = 0xf; *(uint16_t*)0x200000008a02 = 0x154; *(uint8_t*)0x200000008a04 = 6; *(uint8_t*)0x200000008a05 = 0xe8; *(uint8_t*)0x200000008a06 = 0x10; *(uint8_t*)0x200000008a07 = 1; memcpy((void*)0x200000008a08, "\xd0\x31\xa9\x16\x5b\x9e\x27\x3f\xf6\xff\xe5\x55\x84\x9a\xf6\xdc\xa6\x6e\x17\xa6\x8e\xe5\xac\x78\x4d\xca\x23\xe4\xa5\x6d\x46\x16\x9a\xd0\x6e\xad\x2b\x8b\xcd\x99\x7e\xac\x2e\xcb\x8b\x2a\x25\x26\xaa\x20\x0d\xb5\x57\x58\xd0\x86\x59\x46\x92\x83\xd6\xec\xfb\xa9\x82\xc3\x00\xae\x82\xcc\xf4\xa8\xbf\x07\x3d\xbd\xe4\x53\x76\xb4\xf6\xfc\x55\x9b\xe5\x19\xf8\x2e\x8e\x5b\x2c\xf5\x9c\x3a\x3a\xf4\xf2\x90\x70\x7e\x76\x7a\x4e\x27\x68\x51\x09\x0d\x90\xbe\x0a\xb6\x6f\x78\x8e\x77\x60\xcd\x71\xab\x86\x5e\xa8\xb6\xbc\xc5\xf3\x5f\x60\x53\x81\x54\xa0\x99\xc3\x54\xa3\x59\x34\x17\x68\x2f\xc3\x9d\x2a\x6a\x25\x5e\xf4\xbb\x65\xf8\xd9\x7a\xf2\x9b\xeb\x0f\x87\x34\xa6\x8e\xd8\x4e\xf0\x8d\xf6\x9e\x9b\x35\xfa\x2e\x3f\xe6\x5e\x99\x38\xff\x44\x1d\xc3\xe7\x98\x2a\x81\xcc\xca\xf9\x62\x1d\x5d\xbc\x66\x3b\x80\xab\x44\x8c\x97\x5c\xbc\x19\xbb\x6c\x39\x01\xa0\x2c\x16\xb3\x2d\xfa\xf9\xf5\xc2\x20\xfa\x21\x43\x49\x37\xb4\x62\x03\x81\x05\xe6\xd0\x86", 229); *(uint8_t*)0x200000008aed = 0x4b; *(uint8_t*)0x200000008aee = 0x10; *(uint8_t*)0x200000008aef = 3; memcpy((void*)0x200000008af0, 
"\x10\xbe\xd1\x91\x2f\x7d\xc9\x4a\xc6\xd8\x7c\xbc\x68\x96\x2c\x89\xe7\x77\xcc\x51\xa2\x57\xd0\xca\xd3\x3c\xdc\xf3\x36\xa3\x1a\xc3\x9b\x86\x71\x44\xc2\xc9\x6b\xe4\x0f\xcc\xac\x19\x63\x3a\x54\x77\x87\xbc\x6e\x4f\xe9\x1e\x91\xfa\x47\x59\xdb\x2a\x86\x7d\x85\x9c\xd5\xa6\x0c\x84\xc1\xa3\x8e\x09", 72); *(uint8_t*)0x200000008b38 = 0xb; *(uint8_t*)0x200000008b39 = 0x10; *(uint8_t*)0x200000008b3a = 1; *(uint8_t*)0x200000008b3b = 2; *(uint16_t*)0x200000008b3c = 9; *(uint8_t*)0x200000008b3e = 0x77; *(uint8_t*)0x200000008b3f = 9; *(uint16_t*)0x200000008b40 = 0x2cf; *(uint8_t*)0x200000008b42 = 0; *(uint8_t*)0x200000008b43 = 0xb; *(uint8_t*)0x200000008b44 = 0x10; *(uint8_t*)0x200000008b45 = 1; *(uint8_t*)0x200000008b46 = 0xc; *(uint16_t*)0x200000008b47 = 5; *(uint8_t*)0x200000008b49 = 8; *(uint8_t*)0x200000008b4a = 5; *(uint16_t*)0x200000008b4b = 9; *(uint8_t*)0x200000008b4d = 0x16; *(uint8_t*)0x200000008b4e = 3; *(uint8_t*)0x200000008b4f = 0x10; *(uint8_t*)0x200000008b50 = 0xb; *(uint8_t*)0x200000008b51 = 3; *(uint8_t*)0x200000008b52 = 0x10; *(uint8_t*)0x200000008b53 = 0xb; *(uint32_t*)0x200000008f18 = 0xa; *(uint32_t*)0x200000008f1c = 4; *(uint64_t*)0x200000008f20 = 0x200000008b80; *(uint8_t*)0x200000008b80 = 4; *(uint8_t*)0x200000008b81 = 3; *(uint16_t*)0x200000008b82 = 0x40e; *(uint32_t*)0x200000008f28 = 4; *(uint64_t*)0x200000008f2c = 0x200000008bc0; *(uint8_t*)0x200000008bc0 = 4; *(uint8_t*)0x200000008bc1 = 3; *(uint16_t*)0x200000008bc2 = 0x427; *(uint32_t*)0x200000008f34 = 4; *(uint64_t*)0x200000008f38 = 0x200000008c00; *(uint8_t*)0x200000008c00 = 4; *(uint8_t*)0x200000008c01 = 3; *(uint16_t*)0x200000008c02 = 0x415; *(uint32_t*)0x200000008f40 = 4; *(uint64_t*)0x200000008f44 = 0x200000008c40; *(uint8_t*)0x200000008c40 = 4; *(uint8_t*)0x200000008c41 = 3; *(uint16_t*)0x200000008c42 = 0x1c0a; *(uint32_t*)0x200000008f4c = 4; *(uint64_t*)0x200000008f50 = 0x200000008c80; *(uint8_t*)0x200000008c80 = 4; *(uint8_t*)0x200000008c81 = 3; *(uint16_t*)0x200000008c82 = 0x83e; 
*(uint32_t*)0x200000008f58 = 4; *(uint64_t*)0x200000008f5c = 0x200000008cc0; *(uint8_t*)0x200000008cc0 = 4; *(uint8_t*)0x200000008cc1 = 3; *(uint16_t*)0x200000008cc2 = 0x300a; *(uint32_t*)0x200000008f64 = 4; *(uint64_t*)0x200000008f68 = 0x200000008d00; *(uint8_t*)0x200000008d00 = 4; *(uint8_t*)0x200000008d01 = 3; *(uint16_t*)0x200000008d02 = 0x300a; *(uint32_t*)0x200000008f70 = 4; *(uint64_t*)0x200000008f74 = 0x200000008d40; *(uint8_t*)0x200000008d40 = 4; *(uint8_t*)0x200000008d41 = 3; *(uint16_t*)0x200000008d42 = 0x423; *(uint32_t*)0x200000008f7c = 0x9f; *(uint64_t*)0x200000008f80 = 0x200000008d80; *(uint8_t*)0x200000008d80 = 0x9f; *(uint8_t*)0x200000008d81 = 3; memcpy((void*)0x200000008d82, "\xd4\x8e\x87\x24\x64\x9a\x28\x41\x92\x3d\x48\xb8\xb2\x35\xfd\xc4\x31\x5e\x0d\xfb\xe1\xb8\xa8\xa0\x83\x53\xaf\x5b\x63\x0b\xeb\x6e\xca\x1d\x6b\xe0\x3d\x88\xd5\x58\x79\x33\xd6\xad\xe1\x22\xb2\xad\x4c\x55\x80\x40\xe7\xf2\x03\xd8\xc7\xaf\x79\x0a\xf8\x5d\xe3\x6e\x84\x1e\xb9\x48\x0a\xfa\x1a\xaf\x9a\x22\x6f\x4d\xe2\x8c\xd4\x44\x15\x57\x41\x1c\x77\x37\xf7\x4d\x7d\x60\x31\x3c\xd3\xd0\x51\x28\x4f\xce\xb5\xb3\x27\x83\x73\xf6\x3c\x72\xa8\x4e\x8d\xe4\xe2\x3b\xf6\x4e\x2a\x69\xc0\x57\x91\x06\xc9\x33\x18\x03\xe2\xef\x32\xfd\x09\x88\x9a\xdc\xe7\xbc\xd7\xeb\x61\x34\xc4\x65\xed\x17\x38\x6d\x3f\x97\xa4\xe8\xa4\xe9\xc4\x19\xf9\xc6\xeb\x2d\x32", 157); *(uint32_t*)0x200000008f88 = 0xa4; *(uint64_t*)0x200000008f8c = 0x200000008e40; *(uint8_t*)0x200000008e40 = 0xa4; *(uint8_t*)0x200000008e41 = 3; memcpy((void*)0x200000008e42, 
"\x81\x10\x3e\x0d\x22\x88\x43\x34\x4b\x9a\x28\x85\x67\x53\x24\xf5\x79\xdf\x27\x8e\x6d\x25\x06\x59\x98\xbd\xbb\x69\xb8\xee\xd0\xe1\xdb\x8d\xf1\x6b\x19\x64\x6d\x92\xc5\xd0\x35\x21\xf7\x73\xc1\x6c\x24\xde\xea\xe5\x56\xbe\x69\xb0\x4e\x1e\x96\x6f\xeb\xfb\xf3\x7f\x3b\xbc\x6d\xd6\x4c\x83\xf4\xc2\xa8\x7d\xaf\x95\xfb\x91\xe1\x0a\x36\xc0\x06\x9f\x4d\x51\x7b\xf3\x96\x21\x11\xd8\xf9\xc8\x45\x32\x3c\x0b\x91\xe6\x8d\xea\x34\xb2\x77\xb4\x10\x72\x0b\xdf\x4a\x58\x64\xfe\x06\x9b\xde\xe8\x4f\xa9\xe4\x46\x55\x49\x71\x3f\xb3\x33\xaa\xed\x85\x5b\xaf\x29\x53\x27\xe1\xfb\x65\x17\x29\xfe\x4a\xcf\x1d\x9e\xbf\x80\xd6\x4c\x29\xfc\xd3\x68\xee\x16\x11\xe5\x50\xd7\xb6\x7a", 162); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x36, /*dev=*/0x200000008980, /*conn_descs=*/0x200000008f00); if (res != -1) r[36] = res; break; case 58: memcpy((void*)0x200000008fc0, "\x18\x15\x12\xf6\x08\x38\x97\xf1\xb9\x4a\xd0\x1c\x9d\x8c\xc9\xeb\x6d\x7c\x14\x9c\x5e\xdf\x5e\xcf\x21\xcf\x4a\x2b\x2a\x9f\xf0\x2e\x0d\x8f\x8a\x4f\x60\xf7\xb3\x1a\xd0\xb2\x55\x2e\x14\x87\x8f\x84\x0f\x51\xa9\x7c\x25\x63\xb6\x19\xb1\x01\xea\x77\x61\x3b\x97\x52\x36\x7f\x0f\x6e\x6a\x62\x37\x81\xa3\x83\xe4\x99\xdc\x26\xfe\xd6\x0a\xfe\x6f\x15\x6d\x32\x6b\xc1\x41\xd6\x61\x5d\x18\xb6\x1a\x5c\x06\xcb\x49\xd9\xe0\x08\xe0\x5f\x65\x37\x6a\xef\xb5\xec\x21\xed\xc4\x68\xb8\x43\x4a\x0c\x9e\x39\xd1\x20\xbc\xd3\x11\x32\xf0\x75\x5c\x1f\xca\xf9\x1f\xec\xb2\x73\x3f\x98\x18\x42\x56\xd2\xf7\x9e\x80\x45\x2d\xc8\x6c\xf3\x19\x85\x08\x2e\x38\x60\x17\xeb\xe8\x21\x25\xc7\x8b\xee\x42\xf9\x49\xca\x67\x98\x67\x34\x33\xfb\x0a\x20\xd9\x16\x1b\x69\x8f\x04\x66\xb0\xea\x53\x58\x7a\x3f\x08\xcc\x34\x35\xbb\x7c\x19\x3f\x4a\xdc\xd2\xe5\xe1\x04\xf3\x3e\x3e\x1c\xdd\x33\xba\x95\x1f\xc9\xf7\x6b\x10\x8a\x40\x74\xc8\x07\x2b\x16\x46\x59\x62\xeb\x28\xe1\x38\xc9\x18\x8c\x3e\x54\xa0\x0a\xfb\x4f\xb1\x71\x0a\x27\x3a\x1f\x1c\x53\x0a\xda\x0d\x50", 251); syz_usb_ep_write(/*fd=*/r[36], /*ep=*/0xf9, /*len=*/0xfb, /*data=*/0x200000008fc0); break; case 59: 
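syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); break; } }

/*
 * Reproducer entry point.
 *
 * The case bodies in execute_call() store through literal addresses in
 * [0x200000000000, 0x200001000000), so that range is mapped RWX at a fixed
 * address before anything else runs, with one PROT_NONE page directly below
 * and one directly above it. The original left the mmap results unchecked;
 * a failed fixed mapping is now reported in the same best-effort style as the
 * setup_*() failures (the run still continues, so a later case body storing
 * into an unmapped range will fault rather than silently do nothing).
 *
 * setup_leak(), setup_fault(), use_temporary_dir() and do_sandbox_none() are
 * defined elsewhere in this file; a non-NULL string from the setup_*() calls
 * is treated as a failure reason.
 *
 * Returns 0; the generated cases report nothing back through the exit status.
 */
int main(void)
{
	static const struct {
		unsigned long addr;
		unsigned long len;
		unsigned long prot;
	} regions[] = {
		{0x1ffffffff000ul, 0x1000ul, /*prot=*/0ul},
		{0x200000000000ul, 0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul},
		{0x200001000000ul, 0x1000ul, /*prot=*/0ul},
	};
	for (size_t i = 0; i < sizeof(regions) / sizeof(regions[0]); i++) {
		/* syscall(2) returns -1 (and sets errno) when the raw mmap fails. */
		if (syscall(__NR_mmap, regions[i].addr, regions[i].len, regions[i].prot,
			    /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul,
			    /*fd=*/(intptr_t)-1, /*offset=*/0ul) == -1)
			printf("the reproducer may not work as expected: fixed mmap at 0x%lx failed\n",
			       regions[i].addr);
	}
	const char* reason;
	(void)reason;
	if ((reason = setup_leak()))
		printf("the reproducer may not work as expected: leak checking setup failed: %s\n", reason);
	if ((reason = setup_fault()))
		printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason);
	use_temporary_dir();
	do_sandbox_none();
	return 0;
}
 : In function 'execute_call': :6067:17: error: '__NR_socketcall' undeclared (first use in this function) :6067:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor3132125498 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/24 (1.14s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false 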
VhciInjection:true Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$IMCTRLREQ(0xffffffffffffffff, 0x80044945, &(0x7f0000000000)={0x4006, 0xd, 0x2, 0x8}) (fail_nth: 1) ioctl$SNDRV_TIMER_IOCTL_GINFO(0xffffffffffffffff, 0xc0f85403, &(0x7f0000000040)={{0x0, 0x1, 0x4, 0x2, 0x5}, 0x81, 0x0, 'id1\x00', 'timer0\x00', 0x0, 0x6, 0x3, 0x70a, 0x9}) (async) r0 = syz_open_dev$ircomm(&(0x7f0000000140), 0x0, 0x0) (rerun: 4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTA3D_RGXCREATERENDERCONTEXT(0xffffffffffffffff, 0xc0206440, &(0x7f0000000340)={0x82, 0x8, &(0x7f0000000280)={0x1, 0x0, 0xc0, &(0x7f0000000180)="5b58ac0ed1d27b217d3fdc6299cdde4d85321f7bbaa064d361519cdde43b225cf00658ddbfbd914cf79eceb348f18692315c3c69ec148e2dd928ac7ee62f5111b9dccaca88524912341955f79b0f2206b80e6e5a7e681a629694a34f9b0e39877eefde60a068cdc44545d6fe45d0000c9961a1ff168747447e346b16460875c691de1183b2d7b032cfae85497d0d8848d4baa9adc6caaccd9af6019ea2ba6f3b4e6018df94cacabeddec7b600230ea7790019399d0beb61f427df8359cc34893", 0x0, 0x0, &(0x7f0000000240), 0x10000, 0x0, 0x0, 0x81, 0xe}, &(0x7f0000000300)={0x0}, 0x44, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXCMP_RGXGETLASTCOMPUTECONTEXTRESETREASON(r0, 0xc0206440, &(0x7f0000000400)={0x81, 0x4, &(0x7f0000000380)={r1}, &(0x7f00000003c0), 0x8, 0xc}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r0, 0xc08c5335, &(0x7f0000000440)={0x3, 0x6, 0x1, 'queue1\x00', 0xdae}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000540), r0) sendmsg$TIPC_NL_BEARER_GET(r0, &(0x7f0000000880)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000840)={&(0x7f0000000580)={0x2b4, r2, 0x400, 0x70bd2d, 0x25dfdbfb, {}, [@TIPC_NLA_PUBL={0x44, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3f}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x2}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x4c00000}, @TIPC_NLA_PUBL_TYPE={0x8, 
0x1, 0x3}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x67c}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x7}]}, @TIPC_NLA_LINK={0x3c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x220a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9c0}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x101}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x6}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}]}, @TIPC_NLA_BEARER={0xb8, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @multicast2}}, {0x14, 0x2, @in={0x2, 0x4e20, @broadcast}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xb}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}, @TIPC_NLA_NET={0x20, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x8}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x80}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK={0x10c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x187}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, 
@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc0fb}, @TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffff2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd0}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK_PROP={0x54, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xe6a9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x81}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x79}]}]}, 0x2b4}, 0x1, 0x0, 0x0, 0x4040811}, 0x0) read$snddsp(r0, &(0x7f00000008c0)=""/29, 0x1d) ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(0xffffffffffffffff, 0x4010801d, &(0x7f0000000980)={0x6, &(0x7f0000000940)=[0x904e, 0x1, 0x9, 0x6, 0xe, 0x5]}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@mgmt_frame=@deauth={{{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x4}, @device_a, @broadcast, @from_mac=@device_b, {0x1, 0x7f}}, 0x1f, @val={0x8c, 0x18, {0x5d9, "8e85144c6433", @long="e023fbed513011c5707e452472e2055d"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@random="3a386465f389380e26b0cb13f98a36e2214f099ee0d0b29b754e31d6efc82c04", 0x20, 0x0) 
syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_path_truncate\x00') r3 = syz_clone(0x4004000, &(0x7f0000000140)="daa4ed40f7cf4da86377e864d8e6c6d4fc5486af4a6f23dea58b3243a291b0180dbaf5c92758af73f9", 0x29, &(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)="40f276856b8191c4f312759d795a22c3c7edc91678794f4eeac45746fcc9930722c8189ba59565f7327cbcd4506164eb9f6ff175f1f08d60247091772c185ac38304e9b5b3") r4 = getpgrp(r3) r5 = syz_clone3(&(0x7f0000000500)={0x800, &(0x7f0000000280)=0xffffffffffffffff, &(0x7f00000002c0)=0x0, &(0x7f0000000300)=0x0, {0x12}, &(0x7f0000000340)=""/102, 0x66, &(0x7f00000003c0)=""/198, &(0x7f00000004c0)=[r3, r3, r3, r4], 0x4}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x101a, &(0x7f00000005c0)={@remote, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @val={@void, {0x8100, 0x7, 0x0, 0x3}}, {@llc_tr={0x11, {@snap={0xab, 0x1fe, "fe", "1622d0", 0x1b, ""}}}}}, 0x0) syz_emit_vhci(&(0x7f0000001600)=@HCI_VENDOR_PKT, 0x2) syz_extract_tcp_res(&(0x7f0000001640), 0x401, 0x8001) r9 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000001680)=0x4) shmctl$auto_SHM_UNLOCK(0x6, 0xc, &(0x7f0000004a80)={{0x80000000, 0xee01, 0xee01, 0x5, 0xfffffff8, 0x1, 0x6bc1}, 0x40, 0xffff, 0x2265, 0xfffffffffffffff8, @inferred=r3, @inferred=r8, 0xfffa, 0x0, 
&(0x7f0000003a40)="8917f96eff001e006491da948f25c3ac3665392d077a2878a0c47186fbb59600e8725c574893c0d645651cd496d4d6c43dd8d9e3ceca2e2a35fd60785cd77ec5c5eed5ea44a853769a52cb3e89d06c0995f77e9b7ecc68fa521ac4b193ee67dccec0a7d13f3c068ee046a9a142011cd4ba8e67f381e16745d81a2b5bf11f4ef0014330c95f0f5bc89d00f16129a9637782e5a6f4d922e0f07457ee515e1bbf5654906d887ba02bee664da72a51b5dcdf4becca2d8067e35753c0312359efb6da86149afc1010d0c6c86cc9c8831ca1276ca968811c87baab121c9d817273196e97ae66f397667e023fc23319c24fa823572226fb748ac54ff528236b0781a20ed52e116927a22b11e0b8aceb36d2cf4a78eb3465fcb9c9493eadd44686766fb26d4d0a54d028273a5c605388534e4937f18ca90532445f946651f3634e9b365bb8ed7242b91231ba06347eab1f320096374fbd8a7a94c2fa7154415c923fd66cd626489e7c79cad39b66b0674b9439b57b79ec7903d35ec314db9d7e415df3c4f75514b1c83e9b6b271dabebd3b793a78ad5baef25393934bc1b4969eb6128d3521490470f25e7a47b13ee0c4772d0473da518441b7bd362bc99b09cf696beb9e5f9d3d5e88e9e960e259e4fe67cfa3b2abde10010f3c6a60d269ad13e59052e8ab951401dde345c4fed4fea6d91b84daeeebf45fa7998ee41da06875e7bc48d9de54de36d9e27495fe7e88e024e7dd3587dcbc71cd433b71a4d972b026559efbf17c2b02b2357b9d913a764c95c5aa7b32fd2c0b62b47f27e4785e76d8562b4e43edc6d610d2b97dd1a1ee65bd1ef89e0110b14c2025b04b8cf16f0c2c1ab89ad30bdbd8b9894278b4be8d08155ec0cd20f544f18a4f26a980decac1ce2942127d8d0350dc4a9a32930af33531822319dd139e27cf769d068879608c2517d59965fbffe9879afd487875ad239586bbecad1b00e1377203abe3fc582faaf4f9e08e57658812209b3a8653bf39e126b79474ced54b74fd477b03a80906e346dfc7f5a86410f6bbc64a7ff88c37aa1d1871331ad2a63fecea9b43d3fad062de70ddd1c773ae62568ff3be804583d3a5a10796813cd4b51f67b09910b427eb92804e7f27adcd8ec9afb24e3151b48a38cc5992799df37e5cf6ad577941ad7e2caf15619236927342e87b5b260473716a9bad70b3951f7265c20c000852667fde0c4b7f27a32b7ee133cbc65ba4dc3910c2375e195ba7654e2d2d45f916e47f107595adc63247840df4ecaeb9640fb661986add0dd02796d5810f51c93fdcf8974da1f1014f2f4adb16f04e733b53ac2e8b4a853e93a935a732028c8e3ec120fc541e5126f2d88dd4bbca06fa610163464cb17f45e7a2be0e51d8e45e37c5091d
762ce5bfdb69353bafb955c25544702dcf7d1394aac7a49a0787ff1687425a375249ca378bc4f4aa24abca24a871fd67425b2f66093b5b9872499ec85faeffbf43f0a4d3efb5ceae705a1a8e1f2bf79f553c1c9f38bd09f93a822beb454744dd1177eea67b7bd6c421e58246202ab902f79e0155f1de2bf226f61bb39bfc2fba3479f25eea7f01f70bc08a98e8874e5d1384283b99607eaa52e895490bdb21c81cb3b3791c1dece0ebce67cc45bcba299bb892c9d1950bf335e954fd303c65e1afec48a3d3e10a404352a1302efcebe1254eb2b25d6f450b26a3f1bd7f577e54c95e5661174d32782fe6b11996542fe1b9751396288d27a47e3c98d1cc3f3ab558ba3e82a6c3ed4840f4e3d79369573c37534073e79adfd2323832b65e7a6c45b72579138e226291d2700dac3a1cc916140f54cb28b3470856189812544366f757c0a294ee2b5bf6c308ad4df230d5a743b8cf7a1f64a3061983f223850262c7574ae480a02f68c043ba7aa822ff645d4e4482c14cbb58c15f65c98d1692f939d0d95585045424abe5e58651477f91d0c1dafb3f33af9e69b794e13eb0c429de9b92bbc5f9282a2e6c9119f6fd8603fe11af2d516c9a7ad38e3337b969c3d9593f0d4ac95c44e7f47e810f6970a1a6f18f209fedc35656dc5c536b0396aedaf83ca46655edcc4088c6fcffa689a878309c1767b2187c9b5fa575efd80e0574a577673b45edac8b1c912ce60cd18290d31025c80eba3d997e4792be23a49c0094ee28548fa33275e6c280bb6e0a0aa8e7904c641cbcb3d994946f0e4c6d6b191d3465364793a697f2c25d130923c799a3a8d7169a37ac29bddfb766d5130b5e4bd43978aad3549052cf6f564768052032346aef8f5844b9704842c0f1fa7d26c697188c0e8641658d6d299a61ff140a4b94f04f6ec06ffca6e574bdd600372ed5d166aeeae4f24e1ec3c212f05aa8537f0ab831e472f32164a0887c6f4e42532565f055a8cd435e9cc9108967e422c6d0e740633c9778471efa8a44ab55a06bdb6b817f8a6cc55d52ace6ec438ad4fbee7c64e00fc65c76a3616c35fb71bb6084f44f8083dff56d771e1d323584b82f105e0a211ceae9afc0f5e61a2649476440cf68d9abffb48decd0e8d2ed10907d35e390daa1eef83dac8ab44e2ac5886f6235f6bd7b69ff3c098b558894908d4cd28247fb6ec4bb5b163f6b2eef386e7ce26de759bd6e24e46aa2b38f0a4e6a4785af14bd6035a326c29af215a4c1c45ae767bd7e6db1bae69be045ef0b1eb3934ac5ebe3a4c1dd59bb96053beeb5561b521c47852d9a2c66cfaf82c2a016e5de729ea0e0ce4f98085792b5e5a802cd7fbac9ef38e203ebb3651f1b30af6ea29fa179f8b192641604be02929daffadd6c97ba4cd56790cc243d
0470eb8c1ae7812da666b0b329fb3f04f78e25ad17b4b39781382ad937e08ad3448b63238185b982242190fd1e4ad8fbba55d6abf96e016e1d98d37d51c2ee1e41f54f8ac7e038e3616f569d024690ea303bec698beb98b9ea49f6b87e3f7104997a6ad7d33db8fb79ada8c5f7f54ee17f7b3d86aa1532b439cd8de90b5fd7fc3325680061d9319d1835e603faf7933bfd60d733965f0f25adf3945092bb99e95346602faf6aabeb33cbca3b219b4f8afafe825c6627c0c7b00c33875b69d01c08b90e6fa64f09b42932e1ccc9b3da36771667d5bb7531a2ac174bc412dffad7c6f8fd4dad330fb415a97e8136cd5c0bb7d00d2b2c956936c9f5f747e3c9a361d79d048cb3f528f187f9bba5d78d7309b1b256fbb349cd52945541a5a57809f2d71a8e80557b23be4fb31caddc59553b6bc0faa165e4ab1f8279ca6e307ce7920c43bdbadec04ef8be70d57af598d1d8a896a0952b23cba464e0e9b3625f993dc12c8f774e87da051eca49bd14e4e2e270cf75dc8343b2ad4b0a2178cb557c6d0eb1a0b23ed92580ce5ada78c2bb10ddd25d4bb147d61a00f5e1d1d5c888d47424c04de7d41384e2c688a57358d05814ad917135a80eccd1d1f147242a5da4dad0838322e9a2fa531fbb6b0832b6700f87279846ce2331679b82f04fe1be1e8ce9f610b63ff30ad0b76977817739a295c9ec9dcf11f81a67619407304c1d594c5196db1bdebfe03f22adaac9253d753967138bc9d2cf4735491d2745c23e5d229c74627dd191bc6c038513914dbdcfacb8bcb2814dc525edad889520999fce64469c60694405961518441c3e84453afa3499e3a8983b57f94593e8664719d5e6598422bb8cbc51620b259413bea16490bbe6c9a72bf21f6b4d499371ad9fc8277dd3f2f7523cc5e6ceebf74fc3944136b2d56daa2040374319a1c83c3bb0c962d321d8039170b98b604c8ed42c596314a01139c9d36ccd6f2cbd3113b2c9d4e19f08694463610a368f8ac74f29794f14560e0a3d481c673410ad9466581aa2a334ff380a100fb049ad8196eb4784ea1bedc139a7054f18a8d44bca0a3d0122f5dc3a1c4d29bde35e332bdf28cb9b98543ad3e33143af87903b5624f62305598de275833208ec8370682ad9f0f9ac64c439044a2de3033468734f49266138859695b60a6fb45d794b871c19cbedf59b764453b78cfead4c501b1f8c0ff827b70297392697adb13ceff2f139bff3ba238798a07fe5f55a0ef5b75ccb498bb8943bab4a671f125fb06f2e59f77fdb02cb23e8687568dc0d5c4860994a37ccab365d7a70803c6a6f48f5b3ff1cbdd51d8961f973c703375d252e6c5a0ff133b59724313f988841bd61ec29767a4608a5bc45b104e4fc98261e4540a10382a495d64dd5f6c039066d9d35
8efb16671178e884f070a07fd02a00b63b7f575f642bf91eec3bb90dba9a21df3179cf12ea9525d0974d6fc44bf69fc54f8a5ff986706678d7ce06cce44df2974b966e67aca314e0b58acc41554a442ef3587abbaf18295eca59ca8a10edd3fbd1fac0b06013de5f7333751c57deb4daef9e4c55e93741ed1d2f7f963cdedc6efdb5d8b14d7d612e2612f30966f4e6760d1a46fbee50dccffc0b2e5177b1c6027adaee09075b655cf85ddbb4e4483d5de7b38a910f996711c058c1b97e6212748c8cc7de8cf7a56af75e291867c2688e999c6553d7aaf3d2f62c2f53bf88cf2044007dbe929856531b0ad6b48a6118bf35cce827e5d0cd2a19b3fc37395e1ced2137f0c726f5cc991333a0f0794da0b6d757374217eaebcbb6d87431f089a57102ca5373b8d730a92026059c6a88094e9c629d81eccf86b4e8f091d325563d1f4016c97972c584bc76d1fb4ed94b721344d00cc6724f5649dfed84dc511583e1a08a43c2409934172ff3f0dfc93996b8479c050dc19309aa998f709eda3b3cf806bec717e1718b8cc10060b335c46f17c522ac0bb696fb4393a9450be5fa755ea0d71b30a8431515c446390154bc2a4951b3f15f419ce20b0302bd90025d83c47a018f6886ab1fbb7577d5c066bab23d84189ccff6340a3ca41df5c6d994b26b8fc34c690dfb229c83760224bdce8e867d1f5a097736d3f19d8229f9143ac037093d4cc32ab104b5828f1cc84495a68d767b7fbd725d434719a3601b5fb23364a5e4151c6f915ce53f7debbb9f15b811cb02bb87394ffb61e8b8ae5749dc7432b516b8a627990537b9cdfd2a09439b7dc043997e0f59036ab3470af1bc7671011e5b472e3f6ad456ba706d550661cbcf6107e9b7ee49a82052d901bb79fb18d82216aeefa2e76390f80943cc856a008c7256b84d8857fa634ad7dd4501386bbabe238a58aecb77a0de5ffaaa563a1968b72b92ba58d1a1ef6f9ed049ff38b7fc34227461631fec653e781f157ec7386362b66778afc8982cdae50e129f4329bfe35cd9da3d5752204fa7275ccbc01abf85c6cf3ab9eabb2ea7a1c779e673d0f9516b185154dc83cc5f69370e314198b7fa83ce5c5c91c2c50e54489b3a670a330a4e49fca517c83a9532cbc7edc840cd010b37ecc7537453016ed1ab445e45fc1238b14e2f8f93166cbf7d38b8528baa0fad3e9e76f4b32eebb60526881620bca5b11ac063dbe2169e5437843f6d2d486855ad5f192b268b2f3eb25deeabd2de89c48ba28f1ee2c84658656c337339b53acf988baf29ac5c9199ec7912b28940934bc02b131d1461354626b690835ba09abafa0ca7f515579e533c4bbfda2bc9f2faedd3538ce8c1e3606ea98395e0ff88492045f47cca85f4af16f950abbf3f2229de58ea2b4569
2d4ba843e70e5aeed29f68807138aaf5c994b30d47311ebb969107677dcf007f64d0b32c3600cd32bd42ca69ee46d786cf0cf9496bc51602c989fc54f76c4d383ce414af45fc948e5b971e3020af447c589b09956c9033d0904d6445d7e9fff7c903939f79c2d4c30b6", &(0x7f0000004a40)="884f381309896a88173889994e74c60694f7baa45be088e59bc3e939728257e8d2db71"}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000004c40)={{{@in, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@remote}}, &(0x7f0000004d40)=0xe8) shmctl$auto(0x5, 0x2, &(0x7f0000004e00)={{0x7, 0xee00, 0xffffffffffffffff, 0x8, 0x80, 0x5, 0xfffc}, 0x1, 0x7, 0x5, 0xbed1, @inferred=r5, @inferred=r7, 0x1, 0x0, &(0x7f0000004d80), &(0x7f0000004dc0)="05c9215687a3ff1747cae5c18cb186ed5c62984337f90f0ab5948e21c63d1686f1da1459a89718a9f84930b892c2ad4de61f714ab8"}) msgctl$auto_IPC_RMID(0x4, 0x0, &(0x7f0000004f00)={{0x7, 0xffffffffffffffff, 0xffffffffffffffff, 0x1, 0x0, 0x98, 0x4}, &(0x7f0000004e80)=0x6, &(0x7f0000004ec0)=0x5, 0xc, 0x1ff800000, 0x8, 0x7f, 0x3, 0x101, 0x8, 0x1000, @inferred=r5, @inferred=r8}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000004f80)={{{@in6=@mcast1, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@multicast2}}, &(0x7f0000005080)=0xe8) shmctl$auto(0x2, 0x5, &(0x7f00000052c0)={{0x8, 0x0, 0x0, 0x7f, 0x5, 0x80000001, 0x43}, 0x7, 0x2, 0x0, 0xffffffffffffffff, @raw=0xf, @inferred=r7, 0x2, 0x0, &(0x7f00000050c0)="bcc4b5d86e91b02b73e16c4665dc3088f7cc9826da7807f9a8300d9d8980de67a1a2a153e95466e76d2c38c41558c08efe37ee81d9904674ced86dda9b2b6cc7c97b199758bef8d92dd20e0e69864d6fcd03a80ca012019cf41e5166475038fcd360338436e7827ef730469187e6a495f5bf018ee7caa71c804a386756c3242b30eca0b841166d7839e94a5639d08fbc06dac1f861494456d8d153de7fc30387d452304e7c3069bbfb424391d04fab12037c6d6ae6025df869fa3a45e03148c2dd052c", &(0x7f00000051c0)="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"}) stat$auto(&(0x7f0000005340)='./file0\x00', 
&(0x7f0000005380)={0x355, 0x100000001, 0x5, 0x7, 0xffffffffffffffff, 0xee01, 0x0, 0x7, 0x2, 0x2, 0x6, 0xfffffffffffffff7, 0x7, 0x4, 0xfff, 0x17b, 0xffffffffffff27a1}) shmctl$auto(0x8001, 0xfffffee8, &(0x7f0000006480)={{0x7, 0xee00, 0x0, 0x0, 0x7, 0x8, 0x3ff}, 0x10, 0x2, 0x8, 0x7fffffff, @inferred=r8, @raw=0xffff, 0xffff, 0x0, &(0x7f0000005440)="", &(0x7f0000006440)="1c3d61efc1467b6b61e9e5f06fa3d1dcc0e70035dcc9c6c3b00df58900"}) r21 = getgid() r22 = geteuid() ioctl$auto_XFS_IOC_SWAPEXT(0xffffffffffffffff, 0xc0c0586d, &(0x7f0000006a80)={0xfff, @raw=0xd, @inferred=r6, 0x7, 0x2, '\x00', {0xf, 0x0, 0x46, 0xffffffffffffffff, 0x0, 0xfffffffd, 0xf7, 0x7f, {0x8, 0x9}, {0x3, 0x200}, {0x4, 0x5}, 0x62, 0x5, 0xff, 0x6cbf, 0x48, 0x0, 0x8001, 0x7f, 0x6, 0x8, '\x00', 0x40, 0xffff, 0xa, 0xb04b}}) syz_fuse_handle_req(r9, &(0x7f00000016c0)="", 0x2000, &(0x7f0000006c80)={&(0x7f00000036c0)={0x50, 0x0, 0x8, {0x7, 0x2d, 0x7, 0x8000008, 0x7, 0xfc00, 0x3ff, 0x59, 0x0, 0x0, 0xe0, 0x10000}}, &(0x7f0000003740)={0x18, 0x0, 0x6, {0x80000001}}, &(0x7f0000003780)={0x18, 0x0, 0x4, {0x2}}, &(0x7f00000037c0)={0x18, 0xffffffffffffffda, 0x37}, &(0x7f0000003800)={0x18, 0x0, 0x1, {0xff}}, &(0x7f0000003840)={0x28, 0x26, 0x7fffffffffffffff, {{0x7a, 0x8}}}, &(0x7f0000003880)={0x60, 0xfffffffffffffff5, 0x1, {{0x81, 0x6, 0x3ff, 0x2, 0x4, 0x4, 0x8, 0x2}}}, &(0x7f0000003900)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000003940)={0x12, 0xf92c178daeab5fde, 0x9, {'^\x00'}}, &(0x7f0000003980)={0x20, 0x0, 0x0, {0x0, 0x2}}, &(0x7f00000039c0)={0x78, 0x0, 0xfffffffffffffff7, {0x3, 0x67, 0x0, {0x3, 0x2, 0x5, 0x2, 0x0, 0x5b, 0x200, 0x6, 0xf0b7, 0x1000, 0x1, 0xffffffffffffffff, 0xffffffffffffffff, 0x4, 0x6}}}, &(0x7f0000004b00)={0x90, 0x0, 0x7, {0x1, 0x3, 0x10000, 0x200, 0x8, 0xa87, {0x4, 0x1, 0x7, 0x1, 0xfffffffffffffffd, 0x4, 0x9, 0xffff, 0x10000000, 0x0, 0xf40, 0x0, r10, 0x8001, 0x9}}}, &(0x7f0000004bc0)={0x48, 0x0, 0x5c, [{0x1, 0x4, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}, {0x1, 0x8, 0x0, 0xb}]}, &(0x7f0000006500)={0x478, 0x0, 
0x2, [{{0x1, 0x1, 0xf, 0x9, 0x7fffffff, 0x3ff, {0x5, 0xb3fc, 0x3, 0xa2d9, 0x3, 0x80000000, 0x4, 0x5, 0x2, 0x6000, 0xfff, 0xffffffffffffffff, 0xee01, 0x5, 0x6}}, {0x5, 0x9, 0x6, 0x6, 'wlan1\x00'}}, {{0x3, 0x1, 0x4, 0xf, 0x1, 0x5, {0x4, 0xffc, 0x2, 0xffffffffffffdbca, 0x35, 0x5fa, 0x8, 0x5, 0x16d, 0x6000, 0x8000, r11, 0xee00, 0x8, 0x2}}, {0x2, 0x3e8, 0x16, 0x5, 'bpf_lsm_path_truncate\x00'}}, {{0x6, 0x3, 0xcff0, 0xfffffffffffffbff, 0x3, 0x3, {0x5, 0x4, 0x8, 0x9, 0x10, 0x5, 0x91, 0xfff, 0xfffffffd, 0xc000, 0x3, r12, 0xee00, 0x80, 0x40}}, {0x0, 0x8, 0x6, 0x80000001, 'wlan1\x00'}}, {{0x3, 0x2, 0x8, 0x9, 0x80000000, 0xd149, {0x3, 0x4, 0x5, 0xe, 0x7a, 0xd52, 0x0, 0x5, 0x6, 0xa000, 0x2, r14, 0x0, 0x7fffffff, 0x5}}, {0x4, 0x7ff, 0x2, 0x78d, '\xc0\''}}, {{0x2, 0x0, 0x6, 0x7fffffff, 0x5, 0x5, {0x2, 0xc, 0xbde5, 0x5, 0x8, 0x10, 0x9, 0x6, 0xe31, 0x2000, 0x5b8, r16, r18, 0x6, 0x8}}, {0x2, 0x80, 0x0, 0xb6}}, {{0x5, 0x2, 0x80000001, 0x2, 0x6, 0xff, {0x3, 0x5, 0x8, 0x3, 0x8001, 0x5, 0x1, 0x7, 0x2, 0x1000, 0x1, 0xee01, r19, 0x10001, 0x6}}, {0x0, 0x6, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x3, 0x1, 0x8000000000000000, 0x2e, 0x5, 0x7, {0x6, 0x5, 0x5, 0xb, 0x0, 0x2, 0xffff, 0x0, 0x8, 0x2000, 0x9, r20, r21, 0x2, 0x7}}, {0x6, 0xfffffffffffffffb, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000006980)={0xa0, 0x0, 0xd05, {{0x5, 0x3, 0x8000000000000001, 0x7, 0x5, 0x2, {0x3, 0x4, 0x5, 0x3, 0x8, 0x1, 0x8001, 0x0, 0xfff, 0x8000, 0x101, r22, 0xee00, 0x7, 0xac}}, {0x0, 0x10}}}, &(0x7f0000006a40)={0x20, 0x0, 0xffffffff, {0x4, 0x0, 0x9, 0xa}}, &(0x7f0000006b40)={0x130, 0x0, 0x1ff, {0x6276287e, 0x7, 0x0, '\x00', {0x800, 0x2, 0x3, 0x1e, 0xffffffffffffffff, r24, 0x4000, '\x00', 0x800, 0x9, 0x8, 0x32f3fcde, {0x6, 0x1}, {0x4, 0xe30}, {0x4d, 0x3}, {0x6, 0x8}, 0x6, 0x2, 0xfb, 0x2}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000006d40), r23) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x28c2, &(0x7f0000006d80)={0x0, 0xd0f0, 0x20, 0x0, 0x1e5}, &(0x7f0000006e00)=0x0, 
&(0x7f0000006e40)) syz_io_uring_complete(r25) r26 = syz_io_uring_setup(0x7c1f, &(0x7f0000006e80)={0x0, 0x979d, 0x4, 0x1, 0x206, 0x0, r9}, &(0x7f0000006f00)=0x0, &(0x7f0000006f40)=0x0) r29 = io_uring_register$IORING_REGISTER_PERSONALITY(r26, 0x9, 0x0, 0x0) syz_io_uring_submit(r27, r28, &(0x7f0000007000)=@IORING_OP_OPENAT2={0x1c, 0x14, 0x0, r23, &(0x7f0000006f80)={0x818480, 0x0, 0x35}, &(0x7f0000006fc0)='./file0\x00', 0x18, 0x0, 0x23456, {0x0, r29}}) r30 = syz_kvm_setup_syzos_vm$x86(r9, &(0x7f0000bfd000/0x400000)=nil) syz_kvm_add_vcpu$x86(r30, &(0x7f0000007400)={0x0, &(0x7f0000007040)=[@wrmsr={0x65, 0x20, {0x92e, 0x8}}, @nested_vmresume={0x130, 0x18, 0x1}, @wr_drn={0x68, 0x20, {0x1}}, @nested_amd_invlpga={0x17d, 0x20, {0xffffffff, 0xbd0d}}, @nested_amd_vmsave={0x183, 0x18, 0x1}, @code={0xa, 0x6a, {"36490fc7aad66197c026660f3880945e008000000f01ba008000008fc9b89b29470fc7ae20000000450f09c4e2d13967c4360f017f0566642e643ed8f1c744240025fd0000c744240254000000c7442406000000000f011424"}}, @nested_amd_inject_event={0x180, 0x38, {0x0, 0xb5, 0x7, 0x5}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x3, @control16=0x4, 0x5, 0x1ff, 0x8}}, @nested_vmresume={0x130, 0x18}, @out_dx={0x6a, 0x28, {0xc636, 0x5, 0x4}}, @enable_nested={0x12c, 0x18}, @nested_vmlaunch={0x12f, 0x18, 0x1}, @wrmsr={0x65, 0x20, {0x8a3, 0x9}}, @wr_drn={0x68, 0x20, {0x4, 0x6}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_create_vm={0x12d, 0x18, 0x2}, @nested_amd_invlpga={0x17d, 0x20, {0x8080000, 0x943e}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x3, @control_area=0x31, 0xc, 0x6, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x36, 0x1, 0x2, 0x3}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_vmresume={0x130, 0x18}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0x72, 0x2, 0x5, 0x2}}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_vmlaunch={0x12f, 0x18, 0x2}], 0x3a2}) r31 = ioctl$KVM_CREATE_VM(r9, 0xae01, 0x5) syz_kvm_setup_cpu$ppc64(r31, r23, 
&(0x7f0000fe5000/0x18000)=nil, &(0x7f0000007680)=[{0x0, &(0x7f0000007440)="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", 0x20c}], 0x1, 0x2, &(0x7f00000076c0)=[@featur2={0x1, 0x6}], 0x1) syz_kvm_setup_syzos_vm$x86(r23, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(0x0, 0x114, &(0x7f0000007700), 0x0, 0x4) syz_mount_image$fuse(&(0x7f0000007740), &(0x7f0000007780)='./file0\x00', 0x40000, &(0x7f00000077c0)={{'fd', 0x3d, r23}, 0x2c, {'rootmode', 0x3d, 0x6000}, 0x2c, {'user_id', 0x3d, r22}, 0x2c, {'group_id', 0x3d, r13}, 0x2c, {[{@max_read={'max_read', 0x3d, 0x3}}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@default_permissions}, {@allow_other}], [{@permit_directio}, {@uid_lt={'uid<', r17}}, {@appraise}, {@smackfshat={'smackfshat', 0x3d, '\xc0\''}}, {@appraise}]}}, 0x1, 0x0, &(0x7f0000007940)="a4b222df2ba10df24f5481e0dc5e93b81b1b82e9a214cabce344800ad54de610fa1eda44b9040526f2dc7c731c5473c8c6dc94192a03484e6d62bb49128612543a9d016ed9a3730e51080f5c860d03a77ed50164bcf99c42d3568a974a927a879de41edc2f5552365886121a31095b97aa08ee2977111f7cc56a77c0f2a16b32b19df50a249cd3058e60a6ae8c96349d5e5c0097594ce01c1fbee5ee94606fef673231e65700bc715f1f0119c84ed27b8af38ed153d394d6b22cca54db55a31bc25b45e81deca7bedb696691ae6b92f09eea3e2b5e8af2f996339dec592edec5897e94eb") syz_open_dev$I2C(&(0x7f0000007a40), 0x7, 0x0) syz_open_procfs(r4, &(0x7f0000007a80)='net/psched\x00') syz_open_pts(r9, 0x292c02) syz_pidfd_open(r15, 0x0) r32 = pkey_alloc(0x0, 0x0) syz_pkey_set(r32, 0x3) syz_socket_connect_nvme_tcp() r33 = syz_usb_connect(0x1, 0x295, &(0x7f0000007ac0)={{0x12, 0x1, 0x250, 0x58, 0x6, 0x54, 0x8, 0x13d3, 0x3348, 0x15b2, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x283, 0x2, 0x9, 0x2, 0x10, 0x8, [{{0x9, 0x4, 0x26, 0xb, 0x5, 0x83, 0x18, 0x74, 0xee, [], [{{0x9, 0x5, 0xb, 0x3, 0x8, 0x4, 0xfb, 0x6a, [@generic={0xbd, 0xc, 
"8b82bd3fc8137d3d259ce7bc140de0823de2222eed4c570edcb84553cd1efd649dd352dd375d81da8da8e6863fb482ecb3a16f122210bff25c59a3afc6542848c06e1b983fbc8dd0de627cfddf9f905f5cb6ed4a25ec5947599b15b538c7bb0b0d65d4a31b319f7383955ce766ef4c66d18bc75d69b2dd7d136c78eaec1e2203eb918dd61609de40f4f693917eeb17fc387bb427341f6416e0b8c46a2445a5c49bd9c86dfe21c598acf17ea98ffece202a21dc93a0b830d29af87c"}, @generic={0xc7, 0x6, "f5459e117800d22a25a486d1442f5cbd4d3d776cd061d2c185f9924eae6a4d7b14c58b599863d321e3ea80a25f6d8be51d5ca70c276ce0e6d9038f88776b9614287db7ee2113f0e7e1f01873b613d763da5f87f86cd1860bd623463fc6d93d9f948d0d4d70d72a8ac1dec1adceb8716729906428d5b6e24b01499bfa6a0aa0482eed8c7751a1c7ec944db19254a74b61142e725a7a290c4142875d347b3e483f4e2db8373ef8fead8118ce07d812332b211da9733d444f7d706a6439c29aeaedd03000a2a8"}]}}, {{0x9, 0x5, 0xa, 0xc, 0x400, 0xc, 0x0, 0xb5, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0xb, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x20, 0x7, 0x5, 0x5, [@generic={0x24, 0x7, "ad98314a82d7aebbfce85178752271b158c05dea1bf5a2459c431df180c1f3b2be3b"}]}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x7, 0xf3, 0x4}}, {{0x9, 0x5, 0x5, 0x0, 0x40, 0x2, 0x3, 0x2, [@generic={0x6a, 0xa, "f7dd67505d353d93b6e1f3ac2d8f9f766012d204e558a7076c6a1dd6648b2928acaf801710c8555067e0715e60772d9a84c714f63d527b9f1532a5ac6511627f9e8400e62ad6bd25ec51ec630afc10e1f0f2fe01c9588e2897ef26d5ea8bcf970e51fc28d84a628c"}]}}]}}, {{0x9, 0x4, 0x48, 0xe, 0x3, 0xca, 0x1e, 0x4a, 0xf5, [], [{{0x9, 0x5, 0xb, 0x4, 0x400, 0x5, 0xf7, 0xf6}}, {{0x9, 0x5, 0xe, 0x10, 0x3ff, 0x1, 0xd, 0x80}}, {{0x9, 0x5, 0x5, 0x10, 0x10, 0x95, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xae, 0x12}]}}]}}]}}]}}, &(0x7f0000007ec0)={0xa, &(0x7f0000007d80)={0xa, 0x6, 0x110, 0x4, 0x1, 0x6, 0x8, 0xe}, 0x3b, &(0x7f0000007dc0)={0x5, 0xf, 0x3b, 0x4, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "fdf4043ae7f59e3e81fe303d4de3ea16"}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x8, 0x6, 0x6}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x7, 0xd, 0x95d7}, @ss_container_id={0x14, 0x10, 0x4, 0x3, 
"bc6a9266bf506e90620d9c900e180143"}]}, 0x1, [{0x98, &(0x7f0000007e00)=@string={0x98, 0x3, "d95f3fcaaa58f9d36d03e3a2d5566a5191f742f723fa49e364e03b0d288a7fcb4579b58c56d824be57f9ad0f8703d3011cac468433fa22c23bfaf15dad541efb0138c46bb8f8869215155c2685d69b75ffe68c0cbd6e71743abd4355e12d9dcb7dff16bb075da553c178139ede2c285a4a2845e8889c234504d968d870b6084a7b4ab0dcdb83d43bb2f4e7a0156b80a68919cbb7da84"}}]}) r34 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007f00)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r35 = syz_usb_connect$uac1(0x3, 0xe5, &(0x7f0000007f80)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd3, 0x3, 0x1, 0x1, 0x80, 0x80, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x0, 0x7c}, [@extension_unit={0xd, 0x24, 0x8, 0x2, 0x8, 0x9, "0cffda3f227b"}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x6, 0x9a, 0x20, "2da5ee78a28e1f1a41"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0xf8, 0x3, 0x69, 0x6d, 'e)', "bf0794"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x5, 0x4, 0x5b, 0x3, 'D', "2618"}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x7b4, 0x8, 0x4}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x0, 0x3, 0x8, 0x8, "aa", "e8e5b4"}]}, {{0x9, 0x5, 0x1, 0x9, 0x40, 0x6, 0x5, 0x0, {0x7, 0x25, 0x1, 0x80, 0x1, 0x4}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@as_header={0x7, 0x24, 0x1, 0x3, 0x1e, 0x4}, @as_header={0x7, 0x24, 0x1, 0x6f, 0x7}, @format_type_ii_discrete={0xa, 0x24, 0x2, 0x2, 0x8, 0x2, 0x8, 'f'}, @format_type_ii_discrete={0x10, 0x24, 0x2, 0x2, 0x9, 0x401, 0x5, "53b11dbc8cd310"}]}, {{0x9, 0x5, 0x82, 0x9, 0x8, 0x0, 0x28, 0x6, {0x7, 0x25, 0x1, 0x80, 0x5, 0xd}}}}}}}]}}, &(0x7f00000081c0)={0xa, &(0x7f0000008080)={0xa, 0x6, 0x110, 0x59, 0xa5, 0x5, 0x10, 0x1}, 0x39, &(0x7f00000080c0)={0x5, 0xf, 0x39, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x3, 
0xb8, 0x9, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0x2, "9d9ab0978e2aace26de66306e6e2963d"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x0, 0x6, 0x4, 0x1, 0x5}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x5, 0x6, 0xfff2}]}, 0x1, [{0x84, &(0x7f0000008100)=@string={0x84, 0x3, "000a6c9f4a15eabc97a92ab665231b2cf9057321eb430c6521f497a8c3ce816268cb337fa48deecfeb28b2305fcf2d2e988cc8b8b980a1332dc406bc34695fa24dc3609f619d7ac284cc3ae7f0afe444d578c951d9aedc4c682e100cfeb6619b98a96b1978d8ede7574e969f8ae8e3dfb835bde5ccd922133e53036ff44eda52a0a9"}}]}) syz_usb_control_io(r35, &(0x7f0000008380)={0x2c, &(0x7f0000008200)={0x40, 0x22, 0x31, {0x31, 0x5, "74e83dcf53dd2d0ecac0aa3467b18dfa71b26cdd403d955c0ffe22817b01fe5795d51cf24a6ae3b8e32f1b7ac5f8ca"}}, &(0x7f0000008240)={0x0, 0x3, 0x1e, @string={0x1e, 0x3, "8957a501d83c69e54f70f62f932a50b65506c388c128239d36229ee2"}}, &(0x7f0000008280)={0x0, 0xf, 0x4f, {0x5, 0xf, 0x4f, 0x6, [@ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x5, 0xf000, 0x409, [0xc000, 0x17f, 0xff3f30, 0xffffaf]}, @ssp_cap={0x10, 0x10, 0xa, 0x9, 0x1, 0x4, 0xff0f, 0xf87, [0xc030]}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x1, 0x4, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0xd2, 0x3, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x1, 0x7, 0x2}, @ptm_cap={0x3}]}}, &(0x7f0000008300)={0x20, 0x29, 0xf, {0xf, 0x29, 0x8, 0x1, 0x7, 0x4, '\b\r$}', "67016dee"}}, &(0x7f0000008340)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x16, 0x80, 0x9, 0x3, 0x3, 0x2, 0xf000}}}, &(0x7f00000087c0)={0x84, &(0x7f00000083c0)={0x0, 0x11, 0x1f, "16d60d7743501452ffd5730424bc4a970cc6490bb9cc85938699edf27a0c7d"}, &(0x7f0000008400)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000008440)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000008480)={0x20, 0x0, 0x4, {0x2f1050d721a8e554, 0x1}}, &(0x7f00000084c0)={0x20, 0x0, 0x4, {0x200, 0x2b}}, &(0x7f0000008500)={0x40, 0x7, 0x2, 0xfd37}, &(0x7f0000008540)={0x40, 0x9, 0x1}, &(0x7f0000008580)={0x40, 0xb, 0x2, 'E\"'}, &(0x7f00000085c0)={0x40, 0xf, 0x2, 0x2}, &(0x7f0000008600)={0x40, 0x13, 0x6, @random="2fa6dde03a0f"}, &(0x7f0000008640)={0x40, 
0x17, 0x6, @random="de1c102b027e"}, &(0x7f0000008680)={0x40, 0x19, 0x2, "0d97"}, &(0x7f00000086c0)={0x40, 0x1a, 0x2, 0x2}, &(0x7f0000008700)={0x40, 0x1c, 0x1, 0xfd}, &(0x7f0000008740)={0x40, 0x1e, 0x1, 0xfd}, &(0x7f0000008780)={0x40, 0x21, 0x1, 0xc9}}) syz_usb_disconnect(r33) syz_usb_ep_read(r34, 0x7, 0xfc, &(0x7f0000008880)=""/252) r36 = syz_usb_connect$printer(0x5, 0x36, &(0x7f0000008980)={{0x12, 0x1, 0x200, 0x7, 0x1, 0x1, 0x20, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xf4, 0x60, 0x4, [{{0x9, 0x4, 0x0, 0x3, 0x2, 0x0, 0x0, 0x0, 0x81, "", {{{0x9, 0x5, 0x1, 0x2, 0x400, 0x0, 0x8, 0x2}}, [{{0x9, 0x5, 0x82, 0x2, 0x3ff, 0x4, 0x48, 0x8}}]}}}]}}]}}, &(0x7f0000008f00)={0xa, &(0x7f00000089c0)={0xa, 0x6, 0x250, 0x7d, 0xdd, 0x3, 0x20, 0xfa}, 0x154, &(0x7f0000008a00)={0x5, 0xf, 0x154, 0x6, [@generic={0xe8, 0x10, 0x1, "d031a9165b9e273ff6ffe555849af6dca66e17a68ee5ac784dca23e4a56d46169ad06ead2b8bcd997eac2ecb8b2a2526aa200db55758d08659469283d6ecfba982c300ae82ccf4a8bf073dbde45376b4f6fc559be519f82e8e5b2cf59c3a3af4f290707e767a4e276851090d90be0ab66f788e7760cd71ab865ea8b6bcc5f35f60538154a099c354a3593417682fc39d2a6a255ef4bb65f8d97af29beb0f8734a68ed84ef08df69e9b35fa2e3fe65e9938ff441dc3e7982a81cccaf9621d5dbc663b80ab448c975cbc19bb6c3901a02c16b32dfaf9f5c220fa21434937b462038105e6d086"}, @generic={0x4b, 0x10, 0x3, "10bed1912f7dc94ac6d87cbc68962c89e777cc51a257d0cad33cdcf336a31ac39b867144c2c96be40fccac19633a547787bc6e4fe91e91fa4759db2a867d859cd5a60c84c1a38e09"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x9, 0x77, 0x9, 0x2cf}, @wireless={0xb, 0x10, 0x1, 0xc, 0x5, 0x8, 0x5, 0x9, 0x16}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0xa, [{0x4, &(0x7f0000008b80)=@lang_id={0x4, 0x3, 0x40e}}, {0x4, &(0x7f0000008bc0)=@lang_id={0x4, 0x3, 0x427}}, {0x4, &(0x7f0000008c00)=@lang_id={0x4, 0x3, 0x415}}, {0x4, &(0x7f0000008c40)=@lang_id={0x4, 0x3, 0x1c0a}}, {0x4, &(0x7f0000008c80)=@lang_id={0x4, 0x3, 0x83e}}, {0x4, &(0x7f0000008cc0)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d00)=@lang_id={0x4, 
0x3, 0x300a}}, {0x4, &(0x7f0000008d40)=@lang_id={0x4, 0x3, 0x423}}, {0x9f, &(0x7f0000008d80)=@string={0x9f, 0x3, "d48e8724649a2841923d48b8b235fdc4315e0dfbe1b8a8a08353af5b630beb6eca1d6be03d88d5587933d6ade122b2ad4c558040e7f203d8c7af790af85de36e841eb9480afa1aaf9a226f4de28cd4441557411c7737f74d7d60313cd3d051284fceb5b3278373f63c72a84e8de4e23bf64e2a69c0579106c9331803e2ef32fd09889adce7bcd7eb6134c465ed17386d3f97a4e8a4e9c419f9c6eb2d32"}}, {0xa4, &(0x7f0000008e40)=@string={0xa4, 0x3, "81103e0d228843344b9a2885675324f579df278e6d25065998bdbb69b8eed0e1db8df16b19646d92c5d03521f773c16c24deeae556be69b04e1e966febfbf37f3bbc6dd64c83f4c2a87daf95fb91e10a36c0069f4d517bf3962111d8f9c845323c0b91e68dea34b277b410720bdf4a5864fe069bdee84fa9e4465549713fb333aaed855baf295327e1fb651729fe4acf1d9ebf80d64c29fcd368ee1611e550d7b67a"}}]}) syz_usb_ep_write(r36, 0xf9, 0xfb, &(0x7f0000008fc0)="181512f6083897f1b94ad01c9d8cc9eb6d7c149c5edf5ecf21cf4a2b2a9ff02e0d8f8a4f60f7b31ad0b2552e14878f840f51a97c2563b619b101ea77613b9752367f0f6e6a623781a383e499dc26fed60afe6f156d326bc141d6615d18b61a5c06cb49d9e008e05f65376aefb5ec21edc468b8434a0c9e39d120bcd31132f0755c1fcaf91fecb2733f98184256d2f79e80452dc86cf31985082e386017ebe82125c78bee42f949ca6798673433fb0a20d9161b698f0466b0ea53587a3f08cc3435bb7c193f4adcd2e5e104f33e3e1cdd33ba951fc9f76b108a4074c8072b16465962eb28e138c9188c3e54a00afb4fb1710a273a1f1c530ada0d50") syz_usbip_server_init(0x2) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef 
__NR_clone3
#define __NR_clone3 435
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434
#endif
#ifndef __NR_pkey_alloc
#define __NR_pkey_alloc 330
#endif

/* Index of this executor process; used further down (e.g. the usbip port
 * allocation) to give each process its own slice of shared kernel resources. */
static unsigned long long procid;

/* Sleep for `ms` milliseconds (ms * 1000 is not checked for overflow). */
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

/* Monotonic time in milliseconds. Exits the process if the clock cannot be
 * read; like most helpers in this file, failures are treated as fatal. */
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/* Create a fresh scratch directory under the cwd and chdir into it.
 * NOTE(review): the directory is made world-writable (0777), presumably so
 * that de-privileged children can still write into it; on a shared host any
 * local user can therefore plant files in the reproducer's working tree. */
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

/* Run fn(arg) on a new thread with a 128 KiB stack, retrying up to 100 times
 * on EAGAIN; any other pthread_create failure exits. The thread handle is
 * discarded (never joined or detached), so the thread cannot be reclaimed. */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

/* Bit-field store helpers used by the generated program to poke packed
 * structs. bf_len must be < 64: `1ull << 64` is undefined behaviour. */
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

/* One-shot event: state goes 0 -> 1 once; waiters block on a private futex. */
typedef struct {
	int state;
} event_t;

static void event_init(event_t* ev)
{
	ev->state = 0;
}

/* Re-arm the event. Plain (non-atomic) store: only safe when nobody waits. */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/* Signal the event and wake every waiter. Setting an already-set event is
 * treated as a logic error and exits. */
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

/* Block until the event is set; spurious futex wake-ups just re-check state. */
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int
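event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

/* Wait up to `timeout` ms for the event. Returns 1 if it was set, 0 on
 * timeout. The futex wait uses a relative timeout recomputed per iteration
 * from the remaining budget. */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

/* printf-style write of one string into `file` (used for sysfs/procfs
 * knobs); output is truncated to 1023 bytes. Returns false if the open or
 * the write fails, with errno preserved from the failing call. */
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

/* A netlink message under construction. `pos` is the write cursor inside
 * `buf`; `nesting`/`nested` track open nested attributes and must be 0 /
 * unused by the time the message is sent. */
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

/* Start a request of type `typ` (NLM_F_REQUEST|NLM_F_ACK are always set)
 * whose fixed header is the `size` bytes at `data`. The header must fit in
 * buf behind the nlmsghdr; an oversized one is a programming error and
 * exits *before* anything is written. (Previously the overflow was only
 * detected in netlink_send_ext, after the buffer had already been overrun.) */
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
	if (size < 0 || (size_t)size > sizeof(nlmsg->buf) - sizeof(struct nlmsghdr))
		exit(1);
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

/* Append one attribute of type `typ` carrying `size` bytes of `data`.
 * Exits if the aligned attribute would not fit in the remaining buffer;
 * because buf is 4 KiB this also rules out wrapping the 16-bit nla_len. */
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	size_t room = (size_t)(nlmsg->buf + sizeof(nlmsg->buf) - nlmsg->pos);
	if (size < 0 || NLMSG_ALIGN(sizeof(struct nlattr) + (size_t)size) > room)
		exit(1);
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

/* Send the message on `sock` and read one reply back into buf.
 * Returns 0 for an NLMSG_DONE reply, or (when reply_len is non-NULL) for a
 * reply of type reply_type, in which case *reply_len is the number of bytes
 * received; returns -errno for an NLMSG_ERROR reply; returns -1 (or exits
 * when dofail) on transport errors and malformed replies.
 * The reply's own nlmsg_len and attribute lengths are NOT validated here;
 * callers walking the reply must bound themselves by *reply_len. */
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			exit(1);
		return -1;
	}
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

/* Resolve a generic-netlink family name to its numeric id with a nlctrl
 * CTRL_CMD_GETFAMILY request. Returns the id (> 0), or -1 with errno set.
 * The attribute walk over the reply is bounded by the received length and
 * stops on a malformed attribute (nla_len shorter than its header or
 * running past the reply) instead of spinning on nla_len == 0 or reading
 * beyond the bytes received. */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		return -1;
	}
	uint16_t id = 0;
	const char* end = nlmsg->buf + n;
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	while ((const char*)attr + sizeof(*attr) <= end) {
		if (attr->nla_len < sizeof(*attr) || (const char*)attr + attr->nla_len > end)
			break;
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			if (attr->nla_len < sizeof(*attr) + sizeof(id))
				break;
			memcpy(&id, attr + 1, sizeof(id));
			break;
		}
		attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len));
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	/* Drain the NLM_F_ACK that follows the reply. */
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

const int kInitNetNsFd = 201;
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00}
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50}
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10}
#define WIFI_DEFAULT_FREQUENCY 2412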
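#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

/* Parameters for NL80211_CMD_JOIN_IBSS. `mac` may be NULL, in which case
 * the NL80211_ATTR_MAC attribute is omitted. */
struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8_t* mac;
	uint8_t* ssid;
	int ssid_len;
};

/* Set (on != 0) or clear IFF_UP on `interface_name` via SIOCGIFFLAGS /
 * SIOCSIFFLAGS. Returns 0 on success, -1 on any failure.
 * A name that does not fit in ifr_name (IFNAMSIZ) is rejected up front
 * instead of being strcpy'd over the end of the struct on the stack. */
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	if (strnlen(interface_name, IFNAMSIZ) >= IFNAMSIZ)
		return -1;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	memcpy(ifr.ifr_name, interface_name, strlen(interface_name) + 1);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

/* NL80211_CMD_SET_INTERFACE: switch `ifindex` to `iftype`.
 * Returns the netlink_send_ext result (0 on ACK, negative on error). */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	return netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
}

/* NL80211_CMD_JOIN_IBSS on `ifindex` with the SSID/frequency (and optional
 * fixed-frequency flag and BSSID) from `props`.
 * Returns the netlink_send_ext result (0 on ACK, negative on error). */
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	return netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
}

/* Fetch IFLA_OPERSTATE for `ifindex` over NETLINK_ROUTE (RTM_GETLINK).
 * Returns the operstate (e.g. IF_OPER_UP), or -1 on error or if the
 * attribute is absent.
 * The attribute walk is bounded by the payload of the RTM_NEWLINK message
 * actually received; the old code passed the total byte count as the
 * attribute length, over-counting by the nlmsghdr + ifinfomsg it had
 * already skipped, so RTA_OK could accept bytes beyond the message.
 * IFLA_OPERSTATE is a one-byte attribute and is read as a u8 here rather
 * than as an int32 that spans into the attribute's alignment padding. */
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return -1;
	}
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail);
	close(sock);
	if (err) {
		return -1;
	}
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	if (n < (int)NLMSG_LENGTH(sizeof(info)) || hdr->nlmsg_len < NLMSG_LENGTH(sizeof(info)) || hdr->nlmsg_len > (uint32_t)n)
		return -1;
	int len = IFLA_PAYLOAD(hdr);
	struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
	for (; RTA_OK(attr, len); attr = RTA_NEXT(attr, len)) {
		if (attr->rta_type == IFLA_OPERSTATE && RTA_PAYLOAD(attr) >= 1)
			return *((uint8_t*)RTA_DATA(attr));
	}
	return -1;
}

/* Poll once per millisecond until `interface` reports `operstate`.
 * Returns 0 once reached, or the negative result of get_ifla_operstate
 * (also -1 if the interface name cannot be resolved).
 * NOTE(review): there is no upper bound on the wait; a link that never
 * reaches the requested state blocks the caller forever. */
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0)
		return -1;
	while (true) {
		usleep(1000);
		int ret = get_ifla_operstate(nlmsg, ifindex, dofail);
		if (ret < 0)
			return ret;
		if (ret == operstate)
			return 0;
	}
}

/* Put `interface` into ad-hoc mode, bring it up and join the IBSS described
 * by `ibss_props`. Returns 0 on success, -1 at the first failing step. */
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0) {
		return -1;
	}
	int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail);
	if (ret < 0) {
		return -1;
	}
	ret = set_interface_state(interface, 1);
	if (ret < 0) {
		return -1;
	}
	ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

/* Fixed io_uring ring layout used by the helpers below instead of the
 * offsets reported by io_uring_setup; they match the classic 64-byte SQE /
 * 16-byte CQE layout, which is why SQE128/CQE32 are masked out at setup. */
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260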
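#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

/* Completion-queue entry as laid out in the mapped CQ ring (16 bytes). */
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

/* Consume one CQE from the ring mapped at a0 and advance the CQ head.
 * Returns cqe.res when the completion carries one of the two user_data tags
 * the generated program submits with (0x12345 / 0x23456), otherwise -1.
 * No head != tail check is made: the head is bumped unconditionally, so a
 * call with no pending completion reads a stale slot and over-advances the
 * head (acceptable for a fuzzing primitive, not for general use).
 * `res` is a uint32_t widened to long, so a negative kernel errno comes
 * back as a large positive value rather than e.g. -14. */
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

/* Local definitions of the io_uring_setup(2) parameter ABI. */
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};
struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};
struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
#define IORING_SETUP_SQE128 (1U << 10)
#define IORING_SETUP_CQE32 (1U << 11)

/* Create an io_uring with `entries` SQ entries and the params at a1, map the
 * SQ/CQ ring and the SQE array, and publish the two mappings through a2/a3.
 * SQE128/CQE32 are masked out because the fixed SIZEOF_* constants assume
 * the classic 64/16-byte entries.
 * Returns the ring fd, or -1 with *a2 = *a3 = NULL if the syscall or either
 * mmap fails. The old code kept the syscall result in a uint32_t, so a
 * failure was returned as 4294967295 (never equal to -1) and then
 * dereferenced MAP_FAILED while filling the SQ index array.
 * The index array is filled as the identity map over all sq_entries slots
 * (the size the kernel actually allocated) rather than the requested
 * `entries`: the mask used by syz_io_uring_submit ranges over sq_entries,
 * and writing `entries` slots can exceed the mapping when the kernel clamps. */
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void** ring_ptr_out = (void**)a2;
	void** sqes_ptr_out = (void**)a3;
	setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);
	int fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	if (fd_io_uring < 0) {
		*ring_ptr_out = NULL;
		*sqes_ptr_out = NULL;
		return -1;
	}
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	void* ring_ptr = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING);
	if (ring_ptr == MAP_FAILED) {
		close(fd_io_uring);
		*ring_ptr_out = NULL;
		*sqes_ptr_out = NULL;
		return -1;
	}
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	void* sqes_ptr = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
	if (sqes_ptr == MAP_FAILED) {
		munmap(ring_ptr, ring_sz);
		close(fd_io_uring);
		*ring_ptr_out = NULL;
		*sqes_ptr_out = NULL;
		return -1;
	}
	*ring_ptr_out = ring_ptr;
	*sqes_ptr_out = sqes_ptr;
	uint32_t* array = (uint32_t*)((uintptr_t)ring_ptr + setup_params->sq_off.array);
	for (uint32_t index = 0; index < setup_params->sq_entries; index++)
		array[index] = index;
	return fd_io_uring;
}

/* Copy the 64-byte SQE at a2 into the SQ slot (tail & mask) of the ring at
 * a0 / SQE array at a1 and publish the new tail with a release store.
 * Assumes the ring has room (no full check) and that the SQ index array is
 * the identity map written by syz_io_uring_setup, so slot k refers to SQE k.
 * Does not call io_uring_enter; that is left to the generated program. */
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

/* Attach a new virtual USB/IP device to vhci_hcd: allocate a port for the
 * requested speed, hand the client end of a socketpair to the kernel through
 * /sys/devices/platform/vhci_hcd.0/attach and return the server end for the
 * program to speak usbip on. Returns -1 on failure.
 * Port numbering: each executor process owns VHCI_PORTS consecutive ports,
 * the first VHCI_HC_PORTS for non-SuperSpeed devices and the next
 * VHCI_HC_PORTS for SuperSpeed, so a valid per-speed index is
 * 0..VHCI_HC_PORTS-1; the old `>` test let index VHCI_HC_PORTS through,
 * which lands on the other speed's port 0.
 * Both socket ends are closed on every error path (they used to leak), and
 * a failed attach now reports -1 instead of returning an orphaned fd. */
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) {
		return -1;
	}
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	if (available_port_num >= VHCI_HC_PORTS) {
		close(client_fd);
		close(server_fd);
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
	/* Pass the text as an argument, not as write_file's format string. */
	if (!write_file("/sys/devices/platform/vhci_hcd.0/attach", "%s", buffer)) {
		close(client_fd);
		close(server_fd);
		return -1;
	}
	return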
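server_fd;
}

#define BTF_MAGIC 0xeB9F

/* Raw BTF blob header (same layout as the kernel's struct btf_header). */
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};

/* The kind occupies 5 bits (24..28) of btf_type.info. The previous 4-bit
 * mask folded kinds >= 16 onto kinds 0-3 and therefore mis-sized their
 * trailing data, desynchronising the type walk below. */
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x1f)
#define BTF_INFO_VLEN(info) ((info) & 0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15
#define BTF_KIND_DECL_TAG 17
#define BTF_KIND_ENUM64 19

/* Per-kind trailing records, as in <linux/btf.h>. Kinds not listed here
 * (PTR, TYPEDEF, FWD, FUNC, FLOAT, TYPE_TAG, ...) carry no extra data. */
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};
struct btf_enum {
	__u32 name_off;
	__s32 val;
};
struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};
struct btf_param {
	__u32 name_off;
	__u32 type;
};
struct btf_var {
	__u32 linkage;
};
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};
struct btf_decl_tag {
	__s32 component_idx;
};
struct btf_enum64 {
	__u32 name_off;
	__u32 val_lo32;
	__u32 val_hi32;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/* Number of valid bytes in the buffer returned by read_btf_vmlinux(). */
static unsigned long btf_vmlinux_size;

/* Read /sys/kernel/btf/vmlinux once into a static 10 MiB buffer and cache
 * it for later calls. Returns NULL if the file is missing, unreadable or
 * does not fit. The fd is closed on every path (it used to leak on both the
 * success and the failure paths). */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) {
			close(fd);
			return NULL;
		}
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	close(fd);
	btf_vmlinux_size = bytes_read;
	is_read = true;
	return buf;
}

/* Return the BTF type id of the type whose name is the C string at a0, by
 * walking the vmlinux type section in order (ids start at 1); -1 if not
 * found or the blob is unusable.
 * The section offsets from the header are validated against the bytes
 * actually read, every type record is required to lie inside the type
 * section, and names are compared only within the string section, so a
 * truncated or malformed blob cannot drive reads outside the buffer. */
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	if (btf_vmlinux_size < sizeof(struct btf_header))
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	uint64_t type_end = (uint64_t)btf_header->hdr_len + btf_header->type_off + btf_header->type_len;
	uint64_t str_end = (uint64_t)btf_header->hdr_len + btf_header->str_off + btf_header->str_len;
	if (type_end > btf_vmlinux_size || str_end > btf_vmlinux_size)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	size_t target_len = strlen(target);
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed + sizeof(struct btf_type) <= btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		if (btf_type->name_off < btf_header->str_len) {
			char* name = btf_str_sec + btf_type->name_off;
			size_t room = btf_header->str_len - btf_type->name_off;
			if (target_len < room && memcmp(name, target, target_len) == 0 && name[target_len] == 0)
				return idx;
		}
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		case BTF_KIND_DECL_TAG:
			skip = sizeof(struct btf_decl_tag);
			break;
		case BTF_KIND_ENUM64:
			skip = sizeof(struct btf_enum64) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}

/* Copy n bytes from src+src_off to dest+dest_off and return dest+dest_off.
 * Raw fuzzing primitive: pointers, offsets and length come straight from
 * the generated program and are deliberately not validated. */
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

/* Identity helper the generated program uses to mint a resource value. */
static long syz_create_resource(volatile long val)
{
	return val;
}

#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

/* Endpoint descriptor copied out of the device blob plus the handle the
 * gadget side assigns to it (filled in elsewhere). */
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

/* One interface of the emulated device and its endpoints. `iface` points
 * into the caller-owned descriptor blob. */
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

/* Parsed view of an emulated USB device. `dev`/`config` point into the
 * caller-owned blob; config_length covers everything after the device
 * descriptor. */
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

/* Table slot: the fd the device was registered under (0 while unused) and
 * its parsed index. */
struct usb_info {
	int fd;
	struct usb_device_index index;
};
static struct usb_info usb_devices[USB_MAX_FDS];

/* Find the parsed index registered for `fd` (see add_usb_index); NULL if
 * none. The acquire load pairs with the release store that publishes a
 * filled slot. */
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if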
(__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}
/* Next free slot in usb_devices; only ever incremented. */
static int usb_devices_num;
/* Builds index from a program-supplied descriptor blob: a device descriptor
 * followed by the configuration descriptor and its interface/endpoint
 * descriptors. Returns false only if the blob is shorter than the two
 * leading descriptors. Each descriptor's bLength is checked against length,
 * but NOTE(review): interface and endpoint descriptors are read at their
 * full struct size without checking bLength >= sizeof(struct), so a short
 * trailing descriptor is read past the end of the blob. */
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	/* Everything after the device descriptor is served as the config. */
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		/* A length of 0..2 could never advance past the header; stop. */
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		/* Endpoints are attached to the most recently seen interface. */
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}
/* Claims the next usb_devices slot and parses dev into it. Returns NULL if
 * all USB_MAX_FDS slots are used or parsing fails. NOTE(review): the slot
 * counter is consumed even on failure, so a failed call burns a slot. The
 * release store on fd publishes the parsed index to lookup_usb_index. */
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
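return &usb_devices[i].index;
}
/* One string descriptor as supplied by the program: len bytes at str. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));
/* Optional responses for the enumeration phase. The whole table may be
 * NULL; qual and bos may also be NULL individually. */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));
/* Fallbacks when the program supplies no string descriptor: "syz" as a
 * 2-byte-per-char string, and a language-id table (0x0409); byte 0 of each
 * is its bLength and doubles as the response length. */
static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 };
static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 };
/* Picks the response to an IN control request during enumeration.
 * On success stores the data pointer and length in *response_data /
 * *response_length and returns true; false means "stall". qual is
 * caller-owned scratch space used when no qualifier descriptor was
 * supplied. Only standard GET_DESCRIPTOR requests are answered. */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* High byte of wValue is the descriptor type, low byte the index. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/* descs is optional (the STRING case above already tolerates
				 * NULL); without it there is no BOS descriptor to serve. */
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				/* Synthesize a qualifier from the device descriptor when the
				 * program supplied none (or no descs table at all). */
				if (!descs || !descs->qual) {
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;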
qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}
/* Callback deciding how an OUT control request is handled during
 * enumeration; returning false stalls, setting *done ends enumeration. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);
/* Generic devices: accept SET_CONFIGURATION and finish enumeration there;
 * every other OUT request is stalled. fd and descs are unused. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}
/* Vendor request codes used by the ath9k firmware download. */
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31
/* ath9k variant: SET_CONFIGURATION is accepted but enumeration continues
 * through the vendor firmware download and finishes on
 * ATH9K_FIRMWARE_DOWNLOAD_COMP. */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}
/* Program-supplied answer to one GET_DESCRIPTOR request, matched on the
 * request type bits and the descriptor type. */
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));
/* len is the byte size of this header plus the descs[] pointer array;
 * generic answers any GET_DESCRIPTOR not matched by descs[]. */
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));
/* Program-supplied answer to any other control request, matched on the
 * request type bits and the request code. */
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));
struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));
/* Finds the program-supplied reply for an IN control request on a
 * connected device; see the continuation below. */
static bool lookup_control_response(const struct
vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	/* Number of pointer slots in each table, derived from the program-supplied
	 * total len. NOTE(review): a len smaller than offsetof(...) wraps the
	 * unsigned subtraction before the conversion to int; neither length is
	 * otherwise validated here. */
	int descs_num = 0;
	int resps_num = 0;
	if (descs)
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps)
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				/* A zero-length entry yields a NULL data pointer; the caller
				 * then sends a zero-filled reply. */
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}
/* Subset of the Linux raw-gadget UAPI used by this harness. */
#define UDC_NAME_LENGTH_MAX 128
struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};
enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};
/* Event header; length is the payload size the caller can accept. */
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};
/* Endpoint transfer header; data[] holds length bytes. */
struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};
#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff
struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso
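: 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};
struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};
struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};
struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};
/* raw-gadget ioctl numbers; the direction/size encoding must match the
 * kernel's definitions for the driver to accept them. */
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)
/* Thin wrappers over the raw-gadget device; each returns the open/ioctl
 * result unchanged. */
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}
/* Binds the gadget to a UDC. driver and device are copied into fixed
 * UDC_NAME_LENGTH_MAX-byte fields: strncpy zero-pads short names but does
 * not terminate an over-long one, so the last byte is forced to NUL before
 * the struct is handed to the kernel. speed is narrowed to __u8. */
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	arg.driver_name[sizeof(arg.driver_name) - 1] = 0;
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.device_name[sizeof(arg.device_name) - 1] = 0;
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd,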
USB_RAW_IOCTL_EP_READ, io);
}
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}
/* power is passed by value as the ioctl argument, not by pointer. */
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}
static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}
/* On success the ioctl result is the endpoint handle that set_interface
 * stores and usb_raw_ep_disable / the EP read+write paths use later. */
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}
/* Finds the ifaces[] slot with the given interface number and alternate
 * setting for the device registered on fd; -1 if fd is unknown or nothing
 * matches. */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}
/* Returns the enable handle of the endpoint with bEndpointAddress on the
 * currently selected interface, or -1 (unknown fd, no interface selected
 * yet, or no such endpoint). */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}
/* Largest control or endpoint payload this harness moves in one ioctl. */
#define USB_MAX_PACKET_SIZE 4096
/* Event header followed by its payload: the setup packet, then up to
 * USB_MAX_PACKET_SIZE bytes of data. */
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};
/* Disables the endpoints of the current interface, enables those of
 * interface n (recording their handles) and makes n current. Out-of-range
 * n leaves the current interface unset. */
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if
(!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
			/* Disable failures are deliberately ignored. */
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			/* NOTE(review): on enable failure the previous handle (0 for a
			 * never-enabled endpoint) is left in place, so lookup_endpoint
			 * can later hand out a stale or zero handle. */
			if (rv < 0) {
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}
/* Completes SET_CONFIGURATION: reports the configuration's bMaxPower,
 * asks the gadget to configure, and selects interface 0. Returns 0, or
 * the failing ioctl's result. */
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}
/* Emulates plugging in a USB device: opens raw-gadget, registers the
 * descriptor blob, binds to this process's dummy UDC and serves control
 * requests until lookup_connect_response_out reports done. Returns the
 * raw-gadget fd on success, otherwise -1 or a failing ioctl's result.
 * NOTE(review): every error return after usb_raw_open() leaves fd open
 * and, once add_usb_index succeeded, leaves a usb_devices slot bound to
 * that fd number. */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	/* Descriptor numbers at or above MAX_FDS are refused. */
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	/* "dummy_udc." plus at most 20 decimal digits and the NUL fits in 32. */
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		/* During enumeration only the setup packet is fetched. */
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			/* Unanswerable IN requests are stalled; enumeration continues. */
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if
(!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			/* OUT requests are completed by reading wLength bytes of data. */
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		/* Apply the configuration before completing the status stage. */
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		/* An oversize reply becomes an empty one; otherwise it is cut to
		 * what the host asked for. */
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		/* response_data points into program memory whose real size is not
		 * known here; the program-supplied length is trusted up to the cap. */
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	/* Presumably gives the host side time to finish processing the
	 * new device before the program continues. */
	sleep_ms(200);
	return fd;
}
/* a0: speed, a1: descriptor blob length, a2: blob, a3: optional connect
 * descriptors. Generic enumeration, finishing at SET_CONFIGURATION. */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}
/* Same arguments as syz_usb_connect, but enumeration also walks the ath9k
 * vendor firmware-download requests before finishing. */
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}
/* Serves one control request on an already connected device: a0 is the
 * raw-gadget fd, a1/a2 the optional descriptor and response tables. */
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct
usb_raw_control_event event;
	event.inner.type = 0;
	/* Unlike enumeration, the data stage is fetched too; ctrl plus data[]
	 * provide sizeof(ctrl) + USB_MAX_PACKET_SIZE bytes after inner. */
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		/* IN with data: answer from the program-supplied tables or stall. */
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		/* NOTE(review): the `||` makes this branch run for every standard
		 * OUT request, not only SET_INTERFACE, so e.g. SET_CONFIGURATION's
		 * wIndex/wValue are tried as interface/alt-setting; `&&` looks like
		 * the intent, confirm before changing. A non-matching interface is
		 * silently ignored. */
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	/* Zero-length IN requests are completed through the read path below
	 * with a full-size buffer. */
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
/* Writes up to USB_MAX_PACKET_SIZE bytes from a3 (length a2) to the
 * endpoint with address a1 on device a0. Returns -1 if the endpoint is not
 * enabled on the current interface, the ioctl result on failure, else 0. */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len >
sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
/* Reads up to USB_MAX_PACKET_SIZE bytes (length a2) from endpoint a1 of
 * device a0 into the buffer at a3. Returns -1 for an unknown endpoint, the
 * ioctl result on failure, else 0. NOTE(review): the copy-out uses
 * io_data.inner.length, i.e. the requested len, rather than rv; if the
 * kernel reports a short transfer only through rv, the tail of the copy
 * is uninitialised stack data — confirm raw-gadget's EP_READ contract. */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}
/* Unplugs the device by closing the raw-gadget fd; the usb_devices slot
 * keeps pointing at that fd number. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}
/* Opens a device node. a0 == 0xc or 0xb: /dev/char/MAJ:MIN or
 * /dev/block/MAJ:MIN with major a1 and minor a2 (both narrowed to 8 bits).
 * Otherwise a0 is a path template whose '#' characters are replaced, left
 * to right, by the decimal digits of a1 starting with the least
 * significant, and a2 holds the open flags with O_CREAT masked out. */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ?
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { unsigned long nb = a1; char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(nb % 10); nb /= 10; } return open(buf, a2 & ~O_CREAT, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } #define BTPROTO_HCI 1 #define ACL_LINK 1 #define SCAN_PAGE 
2
/* Minimal Bluetooth HCI definitions needed to drive the virtual
 * controller (/dev/vhci) below. All wire structs are packed. */
typedef struct {
	uint8_t b[6];
} __attribute__((packed)) bdaddr_t;
/* Packet type indicator that prefixes every vhci read/write. */
#define HCI_COMMAND_PKT 1
#define HCI_EVENT_PKT 4
#define HCI_VENDOR_PKT 0xff
struct hci_command_hdr {
	uint16_t opcode;
	uint8_t plen;
} __attribute__((packed));
struct hci_event_hdr {
	uint8_t evt;
	uint8_t plen;
} __attribute__((packed));
#define HCI_EV_CONN_COMPLETE 0x03
struct hci_ev_conn_complete {
	uint8_t status;
	uint16_t handle;
	bdaddr_t bdaddr;
	uint8_t link_type;
	uint8_t encr_mode;
} __attribute__((packed));
#define HCI_EV_CONN_REQUEST 0x04
struct hci_ev_conn_request {
	bdaddr_t bdaddr;
	uint8_t dev_class[3];
	uint8_t link_type;
} __attribute__((packed));
#define HCI_EV_REMOTE_FEATURES 0x0b
struct hci_ev_remote_features {
	uint8_t status;
	uint16_t handle;
	uint8_t features[8];
} __attribute__((packed));
#define HCI_EV_CMD_COMPLETE 0x0e
struct hci_ev_cmd_complete {
	uint8_t ncmd;
	uint16_t opcode;
} __attribute__((packed));
/* Command opcodes the fake controller answers explicitly. */
#define HCI_OP_WRITE_SCAN_ENABLE 0x0c1a
#define HCI_OP_READ_BUFFER_SIZE 0x1005
struct hci_rp_read_buffer_size {
	uint8_t status;
	uint16_t acl_mtu;
	uint8_t sco_mtu;
	uint16_t acl_max_pkt;
	uint16_t sco_max_pkt;
} __attribute__((packed));
#define HCI_OP_READ_BD_ADDR 0x1009
struct hci_rp_read_bd_addr {
	uint8_t status;
	bdaddr_t bdaddr;
} __attribute__((packed));
#define HCI_EV_LE_META 0x3e
struct hci_ev_le_meta {
	uint8_t subevent;
} __attribute__((packed));
#define HCI_EV_LE_CONN_COMPLETE 0x01
struct hci_ev_le_conn_complete {
	uint8_t status;
	uint16_t handle;
	uint8_t role;
	uint8_t bdaddr_type;
	bdaddr_t bdaddr;
	uint16_t interval;
	uint16_t latency;
	uint16_t supervision_timeout;
	uint8_t clk_accurancy;
} __attribute__((packed));
/* Argument of the HCISETSCAN ioctl. */
struct hci_dev_req {
	uint16_t dev_id;
	uint32_t dev_opt;
};
/* Request written to vhci to create a controller, and the packet read
 * back: either a vendor packet carrying the new device id, or a regular
 * command (initialize_vhci handles an early Reset). */
struct vhci_vendor_pkt_request {
	uint8_t type;
	uint8_t opcode;
} __attribute__((packed));
struct vhci_pkt {
	uint8_t type;
	union {
		struct {
			uint8_t opcode;
			uint16_t id;
		} __attribute__((packed)) vendor_pkt;
		struct hci_command_hdr command_hdr;
	};
} __attribute__((packed));
#define HCIDEVUP _IOW('H', 201, int)
#define HCISETSCAN _IOW('H', 221, int)
/* Descriptor of the virtual controller; -1 until initialize_vhci ran. */
static int vhci_fd = -1;
/* Lifts the soft block on every rfkill switch; any failure is fatal. */
static void rfkill_unblock_all()
{
	int fd = open("/dev/rfkill", O_WRONLY);
	if (fd < 0)
		exit(1);
	struct rfkill_event event = {0};
	event.idx = 0;
	event.type = RFKILL_TYPE_ALL;
	event.op = RFKILL_OP_CHANGE_ALL;
	event.soft = 0;
	event.hard = 0;
	if (write(fd, &event, sizeof(event)) < 0)
		exit(1);
	close(fd);
}
/* Injects an HCI event (type byte, event header, payload) into the
 * controller with one writev; exits on write failure. plen is a uint8_t,
 * so data_len is silently truncated above 255. */
static void hci_send_event_packet(int fd, uint8_t evt, void* data, size_t data_len)
{
	struct iovec iv[3];
	struct hci_event_hdr hdr;
	hdr.evt = evt;
	hdr.plen = data_len;
	uint8_t type = HCI_EVENT_PKT;
	iv[0].iov_base = &type;
	iv[0].iov_len = sizeof(type);
	iv[1].iov_base = &hdr;
	iv[1].iov_len = sizeof(hdr);
	iv[2].iov_base = data;
	iv[2].iov_len = data_len;
	if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0)
		exit(1);
}
/* Injects a Command Complete event for opcode with data as the return
 * parameters; ncmd is hard-wired to 1. Same plen truncation as above,
 * with the 3-byte cmd-complete header counted in. */
static void hci_send_event_cmd_complete(int fd, uint16_t opcode, void* data, size_t data_len)
{
	struct iovec iv[4];
	struct hci_event_hdr hdr;
	hdr.evt = HCI_EV_CMD_COMPLETE;
	hdr.plen = sizeof(struct hci_ev_cmd_complete) + data_len;
	struct hci_ev_cmd_complete evt_hdr;
	evt_hdr.ncmd = 1;
	evt_hdr.opcode = opcode;
	uint8_t type = HCI_EVENT_PKT;
	iv[0].iov_base = &type;
	iv[0].iov_len = sizeof(type);
	iv[1].iov_base = &hdr;
	iv[1].iov_len = sizeof(hdr);
	iv[2].iov_base = &evt_hdr;
	iv[2].iov_len = sizeof(evt_hdr);
	iv[3].iov_base = data;
	iv[3].iov_len = data_len;
	if (writev(fd, iv, sizeof(iv) / sizeof(struct iovec)) < 0)
		exit(1);
}
/* Answers one HCI command read from the vhci; buf starts at the command
 * header (the packet type byte is already stripped). Exits if the header
 * length does not match buf_size. Returns true once WRITE_SCAN_ENABLE has
 * been answered, which event_thread uses as its stop condition; every
 * other command gets a canned or zero-filled Command Complete. */
static bool process_command_pkt(int fd, char* buf, ssize_t buf_size)
{
	struct hci_command_hdr* hdr = (struct hci_command_hdr*)buf;
	if (buf_size < (ssize_t)sizeof(struct hci_command_hdr) || hdr->plen != buf_size - sizeof(struct hci_command_hdr))
		exit(1);
	switch (hdr->opcode) {
	case HCI_OP_WRITE_SCAN_ENABLE: {
		uint8_t status = 0;
		hci_send_event_cmd_complete(fd, hdr->opcode, &status, sizeof(status));
		return true;
	}
	case HCI_OP_READ_BD_ADDR: {
		/* Fixed controller address: all six bytes 0xaa. */
		struct hci_rp_read_bd_addr rp = {0};
		rp.status = 0;
		memset(&rp.bdaddr, 0xaa, 6);
		hci_send_event_cmd_complete(fd, hdr->opcode, &rp,
sizeof(rp));
		return false;
	}
	case HCI_OP_READ_BUFFER_SIZE: {
		struct hci_rp_read_buffer_size rp = {0};
		rp.status = 0;
		rp.acl_mtu = 1021;
		rp.sco_mtu = 96;
		rp.acl_max_pkt = 4;
		rp.sco_max_pkt = 6;
		hci_send_event_cmd_complete(fd, hdr->opcode, &rp, sizeof(rp));
		return false;
	}
	}
	/* Any other command: a zero-filled reply. 0xf9 plus the 3-byte
	 * cmd-complete header keeps plen within a uint8_t. */
	char dummy[0xf9] = {0};
	hci_send_event_cmd_complete(fd, hdr->opcode, dummy, sizeof(dummy));
	return false;
}
/* Pumps commands from the controller until process_command_pkt signals
 * completion; a read error is fatal, non-command packets are dropped. */
static void* event_thread(void* arg)
{
	while (1) {
		char buf[1024] = {0};
		ssize_t buf_size = read(vhci_fd, buf, sizeof(buf));
		if (buf_size < 0)
			exit(1);
		if (buf_size > 0 && buf[0] == HCI_COMMAND_PKT) {
			if (process_command_pkt(vhci_fd, buf + 1, buf_size - 1))
				break;
		}
	}
	return NULL;
}
#define HCI_HANDLE_1 200
#define HCI_HANDLE_2 201
#define HCI_PRIMARY 0
#define HCI_OP_RESET 0x0c03
/* Brings up a virtual HCI controller and fakes an already connected remote
 * (one ACL and one LE connection) so Bluetooth syscalls have something to
 * talk to. Every failure exits the process. */
static void initialize_vhci()
{
	int hci_sock = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);
	if (hci_sock < 0)
		exit(1);
	vhci_fd = open("/dev/vhci", O_RDWR);
	if (vhci_fd == -1)
		exit(1);
	/* Pin the controller to a fixed descriptor number. */
	const int kVhciFd = 202;
	if (dup2(vhci_fd, kVhciFd) < 0)
		exit(1);
	close(vhci_fd);
	vhci_fd = kVhciFd;
	/* Ask vhci for a primary controller; it answers with a vendor packet
	 * carrying the new device id. */
	struct vhci_vendor_pkt_request vendor_pkt_req = {HCI_VENDOR_PKT, HCI_PRIMARY};
	if (write(vhci_fd, &vendor_pkt_req, sizeof(vendor_pkt_req)) != sizeof(vendor_pkt_req))
		exit(1);
	struct vhci_pkt vhci_pkt;
	if (read(vhci_fd, &vhci_pkt, sizeof(vhci_pkt)) != sizeof(vhci_pkt))
		exit(1);
	/* A Reset command may arrive before the vendor reply; answer it and
	 * read again. */
	if (vhci_pkt.type == HCI_COMMAND_PKT && vhci_pkt.command_hdr.opcode == HCI_OP_RESET) {
		char response[1] = {0};
		hci_send_event_cmd_complete(vhci_fd, HCI_OP_RESET, response, sizeof(response));
		if (read(vhci_fd, &vhci_pkt, sizeof(vhci_pkt)) != sizeof(vhci_pkt))
			exit(1);
	}
	if (vhci_pkt.type != HCI_VENDOR_PKT)
		exit(1);
	int dev_id = vhci_pkt.vendor_pkt.id;
	/* The command responder runs on its own thread so the ioctls below,
	 * which presumably wait for command replies, cannot deadlock. */
	pthread_t th;
	if (pthread_create(&th, NULL, event_thread, NULL))
		exit(1);
	int ret = ioctl(hci_sock, HCIDEVUP, dev_id);
	if (ret) {
		/* rfkill may block the new controller; unblock and retry once. */
		if (errno == ERFKILL) {
			rfkill_unblock_all();
			ret = ioctl(hci_sock, HCIDEVUP, dev_id);
		}
		if (ret && errno != EALREADY)
			exit(1);
	}
	struct hci_dev_req dr = {0};
	dr.dev_id = dev_id;
dr.dev_opt = SCAN_PAGE;
	if (ioctl(hci_sock, HCISETSCAN, &dr))
		exit(1);
	/* Fake an incoming ACL connection from address aa..aa with b[5] = 0x10
	 * and report it complete on HCI_HANDLE_1. */
	struct hci_ev_conn_request request;
	memset(&request, 0, sizeof(request));
	memset(&request.bdaddr, 0xaa, 6);
	*(uint8_t*)&request.bdaddr.b[5] = 0x10;
	request.link_type = ACL_LINK;
	hci_send_event_packet(vhci_fd, HCI_EV_CONN_REQUEST, &request, sizeof(request));
	struct hci_ev_conn_complete complete;
	memset(&complete, 0, sizeof(complete));
	complete.status = 0;
	complete.handle = HCI_HANDLE_1;
	memset(&complete.bdaddr, 0xaa, 6);
	*(uint8_t*)&complete.bdaddr.b[5] = 0x10;
	complete.link_type = ACL_LINK;
	complete.encr_mode = 0;
	hci_send_event_packet(vhci_fd, HCI_EV_CONN_COMPLETE, &complete, sizeof(complete));
	/* All-zero remote features for that handle. */
	struct hci_ev_remote_features features;
	memset(&features, 0, sizeof(features));
	features.status = 0;
	features.handle = HCI_HANDLE_1;
	hci_send_event_packet(vhci_fd, HCI_EV_REMOTE_FEATURES, &features, sizeof(features));
	/* And an LE connection on HCI_HANDLE_2 from aa..aa with b[5] = 0x11,
	 * role 1; the meta header and subevent body are sent as one payload. */
	struct {
		struct hci_ev_le_meta le_meta;
		struct hci_ev_le_conn_complete le_conn;
	} le_conn;
	memset(&le_conn, 0, sizeof(le_conn));
	le_conn.le_meta.subevent = HCI_EV_LE_CONN_COMPLETE;
	memset(&le_conn.le_conn.bdaddr, 0xaa, 6);
	*(uint8_t*)&le_conn.le_conn.bdaddr.b[5] = 0x11;
	le_conn.le_conn.role = 1;
	le_conn.le_conn.handle = HCI_HANDLE_2;
	hci_send_event_packet(vhci_fd, HCI_EV_LE_META, &le_conn, sizeof(le_conn));
	/* event_thread exits after answering WRITE_SCAN_ENABLE, which the
	 * HCISETSCAN above causes the stack to issue. */
	pthread_join(th, NULL);
	close(hci_sock);
}
/* Writes a raw packet (length a1 at a0) to the virtual controller;
 * returns -1 if initialize_vhci has not run. */
static long syz_emit_vhci(volatile long a0, volatile long a1)
{
	if (vhci_fd < 0)
		return (uintptr_t)-1;
	char* data = (char*)a0;
	uint32_t length = a1;
	return write(vhci_fd, data, length);
}
/* Resolves a generic netlink family name (string at name) to its id using
 * sock_arg, or a temporary NETLINK_GENERIC socket when sock_arg < 0 (closed
 * again before returning). Returns the id or -1. struct nlmsg and
 * netlink_query_family_id are defined elsewhere in this file. */
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}
//% This code is derived from puff.{c,h}, found in the zlib development.
//% The original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
// Minimal DEFLATE decoder (zlib's "puff") used to unpack the embedded
// filesystem images. Error-code convention, kept from puff.c: positive
// values mean a buffer ran out (1 = output full, 2 = input exhausted),
// negative values mean malformed input. Unlike stock puff, zero bytes are
// never written to the output, so the output buffer must start zero-filled.
#define MAXBITS 15 // longest Huffman code length
#define MAXLCODES 286 // number of literal/length symbols
#define MAXDCODES 30 // number of distance symbols
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288 // literal/length symbols in the fixed-code tables

// Decoder state shared by the puff_* routines.
struct puff_state {
	unsigned char* out; // output buffer, expected to be zero-filled on entry
	unsigned long outlen; // capacity of out
	unsigned long outcnt; // bytes produced so far
	const unsigned char* in; // compressed input
	unsigned long inlen; // bytes available in in
	unsigned long incnt; // bytes consumed so far
	int bitbuf; // bit accumulator (LSB first)
	int bitcnt; // number of valid bits in bitbuf
	jmp_buf env; // longjmp target taken when the input runs out mid-read
};

// Returns the next `need` bits of input, least-significant bit first,
// refilling the accumulator a byte at a time. Callers in this file ask for
// at most 13 bits (the largest dext entry), so `val` cannot overflow.
// Running out of input longjmps to s->env; puff() reports that as 2.
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}
	// Keep the unconsumed high bits, hand back only the low `need` bits.
	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;
	return (int)(val & ((1L << need) - 1));
}

// Copies a stored (type 0) block: LEN, NLEN (= ~LEN), then LEN raw bytes.
// Returns 2 if the input ends early, -2 if NLEN does not match LEN, 1 if
// the output buffer is full, 0 on success.
static int puff_stored(struct puff_state* s)
{
	// A stored block starts on a byte boundary: drop any partial byte.
	s->bitbuf = 0;
	s->bitcnt = 0;
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	// Zero bytes are skipped: the output is assumed to be zero already.
	for (; len--; s->outcnt++, s->incnt++) {
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}
	return 0;
}

// Canonical Huffman code: count[len] = number of codes of length len
// (index 0 = unused symbols), symbol[] = symbols ordered by code.
struct puff_huffman {
	short* count;
	short* symbol;
};

// Decodes one symbol with code h, one bit at a time (the simple, slow form
// from puff.c). Returns the symbol, or -10 if no code of length <= MAXBITS
// matched (an incomplete code hit an unused bit pattern). Bits come from
// s->bitbuf first, then from the input; running out of input longjmps.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0; // first code of the current length
	int index = 0; // index in h->symbol of the first symbol of that length
	int bitbuf = s->bitbuf;
	int left = s->bitcnt; // bits still available in bitbuf
	int code = first = index = 0; // code bits read so far
	int len = 1; // current code length
	short* next = h->count + 1; // count of codes of length len
	while (1) {
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				s->bitbuf = bitbuf;
				// At most one partial byte stays buffered, hence & 7.
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code - first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}

// Builds h->count/h->symbol for a canonical code from the n code lengths in
// length[] (0 = symbol unused; callers only pass lengths <= MAXBITS).
// Returns 0 for a complete code (or one with no codes at all), a positive
// value if the code is incomplete (unused bit patterns remain), a negative
// value if it is over-subscribed. h->count needs MAXBITS + 1 entries and
// h->symbol needs n.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;
	// Check that the lengths do not over-subscribe the code.
	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}
	// Offset of the first symbol of each length within symbol[].
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];
	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;
	return left;
}

// Decodes the data of a compressed block (literals and length/distance
// pairs) with the given codes until the end-of-block symbol 256.
// Returns 0 at end of block, 1 if the output fills up, -10 for an invalid
// length symbol, -11 for a distance reaching before the start of the
// output, or the negative value from puff_decode. Zero bytes, literal or
// copied, are skipped on the assumption that the output is pre-zeroed.
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
	// Base lengths for length symbols 257..285 and their extra-bit counts.
	static const short lens[29] = {
	    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
	    35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = {
	    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
	    3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	// Base distances for distance symbols 0..29 and their extra-bit counts.
	static const short dists[30] = {
	    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
	    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
	    8193, 12289, 16385, 24577};
	static const short dext[30] = {
	    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
	    7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			// Literal byte.
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			// Length/distance pair: copy from earlier output.
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);
			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			if (dist > s->outcnt)
				return -11;
			if (s->outcnt + len > s->outlen)
				return 1;
			// Byte by byte so that an overlapping copy (dist < len) repeats.
			while (len--) {
				if (dist <= s->outcnt && s->out[s->outcnt - dist])
					s->out[s->outcnt] = s->out[s->outcnt - dist];
				s->outcnt++;
			}
		}
	} while (symbol != 256);
	return 0;
}

// Decodes a block that uses the fixed Huffman codes (type 1). The tables are
// built on first use and kept in static storage. NOTE(review): the `virgin`
// flag has no synchronization, so this assumes the decoder is not entered
// from several threads at once.
static int puff_fixed(struct puff_state* s)
{
	static int virgin = 1;
	static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
	static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	static struct puff_huffman lencode, distcode;
	if (virgin) {
		lencode.count = lencnt;
		lencode.symbol = lensym;
		distcode.count = distcnt;
		distcode.symbol = distsym;
		// Fixed literal/length code lengths: 8, 9, 7, 8 for the four ranges.
		short lengths[FIXLCODES];
		int symbol;
		for (symbol = 0; symbol < 144; symbol++)
			lengths[symbol] = 8;
		for (; symbol < 256; symbol++)
			lengths[symbol] = 9;
		for (; symbol < 280; symbol++)
			lengths[symbol] = 7;
		for (; symbol < FIXLCODES; symbol++)
			lengths[symbol] = 8;
		puff_construct(&lencode, lengths, FIXLCODES);
		// All fixed distance codes are 5 bits long.
		for (symbol = 0; symbol < MAXDCODES; symbol++)
			lengths[symbol] = 5;
		puff_construct(&distcode, lengths, MAXDCODES);
		virgin = 0;
	}
	return puff_codes(s, &lencode, &distcode);
}

// Decodes a block with dynamic Huffman codes (type 2): reads the code-length
// code, uses it to decode the literal/length and distance code lengths
// (with the repeat symbols 16/17/18), builds both codes and decodes the
// data. Returns the puff_codes result, or -3 (too many codes), -4 (bad
// code-length code), -5 (repeat with no previous length), -6 (repeat runs
// past the end), -7/-8 (bad literal/length or distance code), -9 (no
// end-of-block code).
static int puff_dynamic(struct puff_state* s)
{
	// Order in which the code-length code lengths are transmitted.
	static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	int ncode = puff_bits(s, 4) + 4;
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3;
	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;
	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4;
	// Decode nlen + ndist code lengths; lencode is rebuilt below as the
	// actual literal/length code.
	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;
		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			len = 0;
			if (symbol == 16) {
				if (index == 0)
					return -5;
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			} else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			if (index + symbol > nlen + ndist)
				return -6;
			while (symbol--)
				lengths[index++] = len;
		}
	}
	if (lengths[256] == 0)
		return -9;
	// An incomplete code is accepted only if every code it has is one bit
	// long (the single-code case).
	err = puff_construct(&lencode, lengths, nlen);
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;
	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;
	return puff_codes(s, &lencode, &distcode);
}

// Inflates sourcelen bytes of raw DEFLATE data from source into dest. On
// entry *destlen is the capacity of dest; on return it holds the number of
// bytes produced, also on error. Returns 0 on success, 1 if dest filled up,
// 2 if the input ran out (via the longjmp in puff_bits/puff_decode), -1 for
// an invalid block type, or a negative code from the block decoders.
// NOTE(review): s is modified after setjmp() and read after longjmp()
// without being volatile; its address is taken, which keeps it in memory in
// practice, but the C standard leaves the value indeterminate.
static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen)
{
	struct puff_state s = {
	    .out = dest,
	    .outlen = *destlen,
	    .outcnt = 0,
	    .in = source,
	    .inlen = sourcelen,
	    .incnt = 0,
	    .bitbuf = 0,
	    .bitcnt = 0,
	};
	int err;
	if (setjmp(s.env) != 0)
		err = 2;
	else {
		int last;
		do {
			last = puff_bits(&s, 1); // BFINAL
			int type = puff_bits(&s, 2); // BTYPE
			err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1));
			if (err != 0)
				break;
		} while (!last);
	}
	*destlen = s.outcnt;
	return err;
}
//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

// Inflates a zlib-wrapped image and writes the result to dest_fd. The two
// zlib header bytes are skipped without validation and nothing after the
// final DEFLATE block (such as the zlib checksum) is examined. The output
// goes into a fresh 132 MiB anonymous mapping, which both caps how far a
// crafted image can expand and provides the zero-filled buffer the puff_*
// routines require. Returns 0 on success or when the input is shorter than
// the header (nothing is written), -1 otherwise.
// NOTE(review): a puff() failure is reported as errno = -err, so the
// positive codes 1 and 2 leave errno negative.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;
	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;
	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		errno = -err;
		return -1;
	}
	if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
		munmap(dest, max_destlen);
		return -1;
	}
	return munmap(dest, max_destlen);
}

// Inflates `data` into a new memfd and attaches it to the loop device
// `loopname`. On success stores the open loop fd in *loopfd_p and returns 0;
// the memfd is closed at that point, which relies on the loop device holding
// its own reference to the backing file. On failure returns -1 with errno
// set to the first error seen. A busy loop device is detached and the
// attach retried once after 1 ms.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (puff_zlib_to_file(data, size, memfd)) {
		err = errno;
		goto error_close_memfd;
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// Presumably a leftover attachment from an earlier run: clear it
		// and retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	close(memfd);
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Best-effort detach of the backing file from `loopname`; failures of
// open() and LOOP_CLR_FD are ignored.
static void reset_loop_device(const char* loopname)
{
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		return;
	}
	if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
	}
	close(loopfd);
}

// Mounts a filesystem for the fuzzer. If size is non-zero, `image` points to
// a zlib-compressed image that is inflated onto /dev/loop<procid> and used
// as the mount source; otherwise the mount has no backing device. The mount
// options are copied into a bounded buffer (224 bytes, leaving 32 bytes of
// headroom for the suffixes appended below) and rewritten per filesystem:
// iso9660 is forced read-only, ext* gets ",errors=continue" unless
// errors=remount-ro is present as a whole option and errors=panic is not,
// xfs gets ",nouuid", gfs2 with errors=panic or debug gets ",errors=withdraw".
// Returns the fd of the mounted directory (or -1 with errno set); when
// change_dir is set the return value is chdir()'s result instead and that
// directory fd is leaked. The loop device is detached before returning on
// every path after the mount attempt; the mount itself is left in place.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		// Only the attachment is needed from here on; the fd itself is not.
		close(loopfd);
		source = loopname;
	}
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// Over-long options are truncated (the empty branch does nothing); the
	// zeroed buffer keeps the strncpy result NUL-terminated.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// errors=remount-ro only counts when it is a whole option, i.e.
		// delimited by the buffer ends or commas.
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
			has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
		}
		// Appended last, presumably so it overrides an earlier errors= setting.
		if (strstr(opts, "errors=panic") || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	} else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
		strcat(opts, ",errors=withdraw");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		res = chdir(target);
		if (res == -1) {
			err = errno;
		}
	}
error_clear_loop:
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}

#define noinline __attribute__((noinline))
// Empty on this build; placeholders in the GUEST_CODE attribute list.
#define __no_stack_protector
#define __addrspace_guest
#define __optnone
// Functions marked GUEST_CODE are placed in the "guest" section, whose
// bounds the linker exposes as __start_guest/__stop_guest (see
// executor_fn_guest_addr for how host addresses map into the guest).
#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest
extern char *__start_guest, *__stop_guest;
// Fixed addresses in the guest address-space layout used by the KVM setup.
#define X86_ADDR_TEXT 0x0000
#define X86_ADDR_PD_IOAPIC 0x0000
#define X86_ADDR_GDT 0x1000
#define X86_ADDR_LDT 0x1800
#define X86_ADDR_PML4 0x2000
#define X86_ADDR_PDP 0x3000
#define X86_ADDR_PD 0x4000
#define X86_ADDR_STACK0 0x0f80
#define X86_ADDR_VAR_HLT 0x2800
#define X86_ADDR_VAR_SYSRET 0x2808
#define X86_ADDR_VAR_SYSEXIT 0x2810
#define X86_ADDR_VAR_IDT 0x3800
#define X86_ADDR_VAR_TSS64 0x3a00
#define X86_ADDR_VAR_TSS64_CPL3 0x3c00
#define X86_ADDR_VAR_TSS16 0x3d00
#define X86_ADDR_VAR_TSS16_2 0x3e00
#define X86_ADDR_VAR_TSS16_CPL3 0x3f00
#define X86_ADDR_VAR_TSS32 0x4800
#define X86_ADDR_VAR_TSS32_2 0x4a00
#define X86_ADDR_VAR_TSS32_CPL3 0x4c00
#define X86_ADDR_VAR_TSS32_VM86 0x4e00
#define X86_ADDR_VAR_VMXON_PTR 0x5f00
#define X86_ADDR_VAR_VMCS_PTR 0x5f08
#define X86_ADDR_VAR_VMEXIT_PTR 0x5f10
#define X86_ADDR_VAR_VMWRITE_FLD 0x5f18
#define X86_ADDR_VAR_VMWRITE_VAL 0x5f20
#define X86_ADDR_VAR_VMXON 0x6000
#define X86_ADDR_VAR_VMCS 0x7000
#define
X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_PT_POOL 0x5000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x70000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x200000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define 
X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 8) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define 
X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define 
X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define 
VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 
0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define 
VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) 
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
// Segment attribute words for a 64-bit code segment and a 64-bit data/stack
// segment in an AMD VMCB (the SVM counterparts of VMX_AR_64BIT_CODE and
// VMX_AR_64BIT_DATA_STACK defined earlier).
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)
// AT&T-syntax immediate (note the leading $); presumably only meaningful
// when spliced into inline asm text.
#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d
#define KVM_MAX_VCPU 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) // 4 MiB
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
// 64-bit mask with bits l..h (inclusive) set; requires l <= h <= 63.
#define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))
// Declared a second time here (the earlier declaration also names
// __stop_guest); both say char*.
extern char* __start_guest;

// Translates the host address of a GUEST_CODE function into its address
// inside the guest, assuming the "guest" section is loaded there at
// SYZOS_ADDR_EXECUTOR_CODE: guest = fn - &__start_guest + base. The two
// volatile temporaries presumably keep the compiler from folding the
// arithmetic against the link-time symbol.
static inline uintptr_t executor_fn_guest_addr(void* fn)
{
	volatile uintptr_t start = (uintptr_t)&__start_guest;
	volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
	return (uintptr_t)fn - start + offset;
}

// Command ids understood by guest_main's dispatcher. Grouped by value:
// 0/10 basic (exit, raw code), 100s instruction wrappers (by name: cpuid,
// msr, control/debug registers, port I/O), 200 interrupt handler setup,
// 300s nested virtualization with 340+ Intel- and 380+ AMD-specific ops.
// SYZOS_API_STOP is one past the last valid id; guest_main returns on any
// call >= it.
typedef enum {
	SYZOS_API_UEXIT = 0,
	SYZOS_API_CODE = 10,
	SYZOS_API_CPUID = 100,
	SYZOS_API_WRMSR = 101,
	SYZOS_API_RDMSR = 102,
	SYZOS_API_WR_CRN = 103,
	SYZOS_API_WR_DRN = 104,
	SYZOS_API_IN_DX = 105,
	SYZOS_API_OUT_DX = 106,
	SYZOS_API_SET_IRQ_HANDLER = 200,
	SYZOS_API_ENABLE_NESTED = 300,
	SYZOS_API_NESTED_CREATE_VM = 301,
	SYZOS_API_NESTED_LOAD_CODE = 302,
	SYZOS_API_NESTED_VMLAUNCH = 303,
	SYZOS_API_NESTED_VMRESUME = 304,
	SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
	SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
	SYZOS_API_NESTED_AMD_INVLPGA = 381,
	SYZOS_API_NESTED_AMD_STGI = 382,
	SYZOS_API_NESTED_AMD_CLGI = 383,
	SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
	SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385,
	SYZOS_API_NESTED_AMD_VMLOAD = 386,
	SYZOS_API_NESTED_AMD_VMSAVE = 387,
	SYZOS_API_STOP,
} syzos_api_id;

// Common prefix of every command in the guest's command buffer. `size` is
// the total command length including this header (guest_main subtracts the
// header size to get the payload length) and guest_main rejects a command
// whose size exceeds the bytes remaining in the buffer.
struct api_call_header {
	uint64_t call; // a syzos_api_id
	uint64_t size; // total length, header included
};
// SYZOS_API_UEXIT: leave the guest reporting exit_code.
struct api_call_uexit {
	struct api_call_header header;
	uint64_t exit_code;
};
// SYZOS_API_CODE: raw instruction bytes; their length is size - header.
struct api_call_code {
	struct api_call_header header;
	uint8_t insns[];
};
// SYZOS_API_NESTED_LOAD_CODE: instruction bytes for nested VM vm_id.
struct api_call_nested_load_code {
	struct api_call_header header;
	uint64_t vm_id;
	uint8_t insns[];
};
// SYZOS_API_CPUID: leaf (eax) and subleaf (ecx) to query.
struct api_call_cpuid {
	struct api_call_header header;
	uint32_t eax;
	uint32_t ecx;
};
// Fixed-arity argument blocks shared by the remaining commands; which
// handler reads which layout is decided by the dispatcher in guest_main.
struct api_call_1 {
	struct api_call_header header;
	uint64_t arg;
};
struct api_call_2 {
	struct api_call_header header;
	uint64_t args[2];
};
struct api_call_3 {
	struct api_call_header header;
	uint64_t args[3];
};
struct api_call_5 {
	struct api_call_header header;
	uint64_t args[5];
};
// General-purpose registers of an L2 (nested) guest, handed to the Intel
// VM-exit handler.
struct l2_guest_regs {
	uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp;
	uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
};

// Forward declarations of the guest-side handlers dispatched by guest_main;
// all live in the "guest" section. The nested-virtualization handlers take
// the vCPU id so they can locate that CPU's per-vCPU region.
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE
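static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_stgi();
GUEST_CODE static void guest_handle_nested_amd_clgi();
GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id);

/* Exit codes the guest hands to the host through guest_uexit(). */
typedef enum {
	UEXIT_END = (uint64_t)-1, /* command stream fully consumed */
	UEXIT_IRQ = (uint64_t)-2, /* raised by uexit_irq_handler */
	UEXIT_ASSERT = (uint64_t)-3, /* internal consistency failure */
} uexit_code;

typedef enum {
	CPU_VENDOR_INTEL,
	CPU_VENDOR_AMD,
} cpu_vendor_id;

/* Interrupt gate target that just returns from the interrupt. */
__attribute__((naked)) GUEST_CODE static void dummy_null_handler()
{
	asm("iretq");
}

/* Interrupt gate target that reports UEXIT_IRQ (-2) to the host and returns. */
__attribute__((naked)) GUEST_CODE static void uexit_irq_handler()
{
	asm volatile(
	    "movq $-2, %rdi\n\t"
	    "call guest_uexit\n\t"
	    "iretq");
}

/*
 * Smallest command size (header included) that the handler for `call`
 * is allowed to dereference. Unknown/variable-size calls get the header
 * size. Written as an if-chain rather than a table: the guest code in
 * this file appears to avoid data references (see the volatile dispatch
 * in guest_main) — keep it that way.
 */
GUEST_CODE static uint64_t api_call_min_size(uint64_t call)
{
	if (call == SYZOS_API_UEXIT)
		return sizeof(struct api_call_uexit);
	if (call == SYZOS_API_CPUID)
		return sizeof(struct api_call_cpuid);
	if (call == SYZOS_API_WRMSR || call == SYZOS_API_WR_CRN ||
	    call == SYZOS_API_WR_DRN || call == SYZOS_API_IN_DX ||
	    call == SYZOS_API_SET_IRQ_HANDLER ||
	    call == SYZOS_API_NESTED_AMD_INVLPGA)
		return sizeof(struct api_call_2);
	if (call == SYZOS_API_OUT_DX)
		return sizeof(struct api_call_3);
	if (call == SYZOS_API_RDMSR || call == SYZOS_API_ENABLE_NESTED ||
	    call == SYZOS_API_NESTED_CREATE_VM ||
	    call == SYZOS_API_NESTED_VMLAUNCH ||
	    call == SYZOS_API_NESTED_VMRESUME ||
	    call == SYZOS_API_NESTED_AMD_VMLOAD ||
	    call == SYZOS_API_NESTED_AMD_VMSAVE)
		return sizeof(struct api_call_1);
	if (call == SYZOS_API_NESTED_LOAD_CODE)
		return sizeof(struct api_call_nested_load_code);
	if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK ||
	    call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK ||
	    call == SYZOS_API_NESTED_AMD_INJECT_EVENT ||
	    call == SYZOS_API_NESTED_AMD_SET_INTERCEPT)
		return sizeof(struct api_call_5);
	/* SYZOS_API_CODE and anything else: header plus an arbitrary payload. */
	return sizeof(struct api_call_header);
}

/*
 * Guest entry point: walks the command stream that the host placed at
 * X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE and dispatches each
 * api_call_header to its handler. `size` is the number of bytes in the
 * stream. Stops silently on a malformed command (unknown call id, size
 * larger than what is left, or size too small for the handler's struct);
 * reports UEXIT_END once the stream is exhausted.
 *
 * The extra minimum-size check matters: without it a command with
 * size == 0 never advances `addr`/`size` and the loop spins forever,
 * and a command shorter than its struct lets the handler read past it.
 *
 * The volatile copy of the call id and the if-chain (instead of a switch)
 * presumably keep the compiler from emitting a jump table that the guest
 * image would not carry — confirm before restructuring.
 */
__attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu)
{
	uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;

	while (size >= sizeof(struct api_call_header)) {
		struct api_call_header* cmd = (struct api_call_header*)addr;
		if (cmd->call >= SYZOS_API_STOP)
			return;
		if (cmd->size > size)
			return;
		if (cmd->size < api_call_min_size(cmd->call))
			return;

		volatile uint64_t call = cmd->call;
		if (call == SYZOS_API_UEXIT) {
			guest_uexit(((struct api_call_uexit*)cmd)->exit_code);
		} else if (call == SYZOS_API_CODE) {
			struct api_call_code* ccmd = (struct api_call_code*)cmd;
			guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
		} else if (call == SYZOS_API_CPUID) {
			struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
			guest_handle_cpuid(ccmd->eax, ccmd->ecx);
		} else if (call == SYZOS_API_WRMSR) {
			struct api_call_2* ccmd = (struct api_call_2*)cmd;
			guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]);
		} else if (call == SYZOS_API_RDMSR) {
			guest_handle_rdmsr(((struct api_call_1*)cmd)->arg);
		} else if (call == SYZOS_API_WR_CRN) {
			guest_handle_wr_crn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_WR_DRN) {
			guest_handle_wr_drn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_IN_DX) {
			guest_handle_in_dx((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_OUT_DX) {
			guest_handle_out_dx((struct api_call_3*)cmd);
		} else if (call == SYZOS_API_SET_IRQ_HANDLER) {
			guest_handle_set_irq_handler((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_ENABLE_NESTED) {
			guest_handle_enable_nested((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_CREATE_VM) {
			guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_LOAD_CODE) {
			guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMLAUNCH) {
			guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMRESUME) {
			guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) {
			guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) {
			guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_INVLPGA) {
			guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_STGI) {
			guest_handle_nested_amd_stgi();
		} else if (call == SYZOS_API_NESTED_AMD_CLGI) {
			guest_handle_nested_amd_clgi();
		} else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) {
			guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) {
			guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMLOAD) {
			guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMSAVE) {
			guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu);
		}

		addr += cmd->size;
		size -= cmd->size;
	}
	guest_uexit(UEXIT_END);
}

/* Jumps into host-supplied machine code; `size` is accepted but not used. */
GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size)
{
	(void)size;
	void (*volatile fn)(void) = (void (*)(void))insns;
	fn();
}

/* Writes `exit_code` to the X86_SYZOS_ADDR_UEXIT mailbox read by the host. */
__attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code)
{
	volatile uint64_t* mailbox = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT;
	*mailbox = exit_code;
}

/* Executes CPUID for the given leaf/subleaf; results are discarded. */
GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx)
{
	asm volatile("cpuid\n"
		     :
		     : "a"(eax), "c"(ecx)
		     : "rbx", "rdx");
}

GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val)
{
	uint32_t lo = (uint32_t)val;
	uint32_t hi = (uint32_t)(val >> 32);
	asm volatile("wrmsr" : : "c"(reg), "a"(lo), "d"(hi) : "memory");
}

GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val)
{
	wrmsr(reg, val);
}

GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id)
{
	uint32_t lo = 0, hi = 0;
	asm volatile("rdmsr" : "=a"(lo), "=d"(hi) : "c"(msr_id));
	return ((uint64_t)hi << 32) | lo;
}

/* Reads the MSR for its side effects (e.g. #GP on an invalid MSR); value dropped. */
GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg)
{
	(void)rdmsr(reg);
}

#define GUEST_WRITE_CR(n, value) asm volatile("movq %0, %%cr" #n ::"r"(value) : "memory")

/* args[0] = control register number (0, 2, 3, 4 or 8), args[1] = value. Other numbers are ignored. */
GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		GUEST_WRITE_CR(0, value);
	} else if (reg == 2) {
		GUEST_WRITE_CR(2, value);
	} else if (reg == 3) {
		GUEST_WRITE_CR(3, value);
	} else if (reg == 4) {
		GUEST_WRITE_CR(4, value);
	} else if (reg == 8) {
		GUEST_WRITE_CR(8, value);
	}
}
#undef GUEST_WRITE_CR

#define GUEST_WRITE_DR(n, value) asm volatile("movq %0, %%dr" #n ::"r"(value) : "memory")

/* args[0] = debug register number (0..7), args[1] = value. Other numbers are ignored. */
GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		GUEST_WRITE_DR(0, value);
	} else if (reg == 1) {
		GUEST_WRITE_DR(1, value);
	} else if (reg == 2) {
		GUEST_WRITE_DR(2, value);
	} else if (reg == 3) {
		GUEST_WRITE_DR(3, value);
	} else if (reg == 4) {
		GUEST_WRITE_DR(4, value);
	} else if (reg == 5) {
		GUEST_WRITE_DR(5, value);
	} else if (reg == 6) {
		GUEST_WRITE_DR(6, value);
	} else if (reg == 7) {
		GUEST_WRITE_DR(7, value);
	}
}
#undef GUEST_WRITE_DR

/* args[0] = I/O port, args[1] = access width in bytes (1, 2 or 4); the value read is discarded. */
GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int width = cmd->args[1];
	if (width == 1) {
		uint8_t v;
		asm volatile("inb %1, %0" : "=a"(v) : "d"(port));
	} else if (width == 2) {
		uint16_t v;
		asm volatile("inw %1, %0" : "=a"(v) : "d"(port));
	} else if (width == 4) {
		uint32_t v;
		asm volatile("inl %1, %0" : "=a"(v) : "d"(port));
	}
}

/* args[0] = I/O port, args[1] = access width in bytes (1, 2 or 4), args[2] = value (low 32 bits used). */
GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int width = cmd->args[1];
	uint32_t data = (uint32_t)cmd->args[2];
	if (width == 1) {
		asm volatile("outb %b0, %w1" ::"a"(data), "d"(port));
	} else if (width == 2) {
		asm volatile("outw %w0, %w1" ::"a"(data), "d"(port));
	} else if (width == 4) {
		asm volatile("outl %k0, %w1" ::"a"(data), "d"(port));
	}
}

/* 64-bit IDT gate descriptor (16 bytes). */
struct idt_entry_64 {
	uint16_t offset_low;
	uint16_t selector;
	uint8_t ist;
	uint8_t type_attr;
	uint16_t offset_mid;
	uint32_t offset_high;
	uint32_t reserved;
} __attribute__((packed));

/* Installs `handler` as the gate for `vector` in the IDT at X86_SYZOS_ADDR_VAR_IDT. */
GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler)
{
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
	volatile struct idt_entry_64* idt_entry = &idt[vector];
	idt_entry->offset_low = (uint16_t)handler;
	idt_entry->offset_mid = (uint16_t)(handler >> 16);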
idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) 
guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static 
noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_pdpt_addr = l2_pml4_addr + KVM_PAGE_SIZE; uint64_t l2_pd_addr = l2_pml4_addr + 2 * KVM_PAGE_SIZE; uint64_t l2_pt_addr = l2_pml4_addr + 3 * KVM_PAGE_SIZE; volatile uint64_t* pml4 = (volatile uint64_t*)l2_pml4_addr; volatile uint64_t* pdpt = (volatile uint64_t*)l2_pdpt_addr; volatile uint64_t* pd = (volatile uint64_t*)l2_pd_addr; volatile uint64_t* pt = (volatile uint64_t*)l2_pt_addr; guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pdpt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pd_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id), 0, KVM_PAGE_SIZE); uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; pml4[0] = l2_pdpt_addr | flags; pdpt[0] = l2_pd_addr | flags; pd[0] = l2_pt_addr | flags; uint64_t pt_flags = flags; if (vendor == CPU_VENDOR_INTEL) { pt_flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { pt_flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } for (int i = 0; i < 512; i++) pt[i] = (i * KVM_PAGE_SIZE) | pt_flags; } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= 
CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason 
map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { uint64_t basic_reason = exit_reason & 0xFFFF; syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%rax push %%rbx push %%rcx push %%rdx push %%rsi push %%rdi push %%rbp push %%r8 push %%r9 push %%r10 push %%r11 push %%r12 push %%r13 push %%r14 push %%r15 mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[stack_cleanup_size], %%rsp jmp after_vmentry_label )" : : [stack_cleanup_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) 
{ volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t basic_reason = exit_reason & 0xFFFF; syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, 0); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); uint64_t tmpreg = 0; asm volatile("mov %%rsp, %0" : "=r"(tmpreg)); 
vmwrite(VMCS_HOST_RSP, tmpreg); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, 
vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, 
VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, VMX_AR_TSS_AVAILABLE); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_DEBUGCTL, 0); vmcb_write64(vmcb_addr, VMCB_GUEST_DR6, 0x0); vmcb_write64(vmcb_addr, VMCB_GUEST_DR7, 0x0); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, efer & ~X86_EFER_SCE); vmcb_write64(vmcb_addr, VMCB_GUEST_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt 
%0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_addr, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); } else { 
vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline __optnone void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { uint64_t vmx_error_code = 0; uint8_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); if (is_launch) { asm volatile(R"( vmlaunch setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory"); } else { asm volatile(R"( vmresume setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory"); } asm volatile(".globl after_vmentry_label\nafter_vmentry_label:"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile uint8_t* vmcb_ptr = (volatile uint8_t*)vmcb_addr; uint8_t fail_flag = 0; asm volatile( "mov %1, %%rax\n\t" "vmrun\n\t" "setc %0\n\t" : "=q"(fail_flag) : "m"(vmcb_addr) : "rax", "cc", "memory"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } uint64_t exit_reason = vmcb_read64(vmcb_ptr, VMCB_EXIT_CODE); nested_vm_exit_handler_amd(exit_reason, cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void 
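guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	/* args: [0] vm_id, [1] VMCS field encoding, [2] bits to set, [3] bits to clear, [4] bits to flip.
	 * A bad field encoding is caught by vmwrite(), which reports UEXIT_ASSERT. */
	if (get_cpu_vendor() != CPU_VENDOR_INTEL)
		return;
	uint64_t vm_id = cmd->args[0];
	nested_vmptrld(cpu_id, vm_id);
	uint64_t field = cmd->args[1];
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t value = vmread(field);
	value = ((value & ~unset_mask) | set_mask) ^ flip_mask;
	vmwrite(field, value);
}

/*
 * True when a `width`-byte access at `offset` stays inside the one-page
 * VMCB. The VMCB offset arrives as a 64-bit value from the host but the
 * vmcb_* accessors take a uint16_t, so without this check an offset past
 * 4 KiB would be silently truncated or would land on whatever guest
 * memory follows the VMCB.
 */
GUEST_CODE static bool vmcb_access_in_page(uint64_t offset, uint64_t width)
{
	return offset <= KVM_PAGE_SIZE - width;
}

GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	/* args: [0] vm_id, [1] byte offset of a 64-bit VMCB field, [2] set mask, [3] clear mask, [4] flip mask. */
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t offset = cmd->args[1];
	if (!vmcb_access_in_page(offset, sizeof(uint64_t)))
		return;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t value = vmcb_read64((volatile uint8_t*)vmcb_addr, (uint16_t)offset);
	value = ((value & ~unset_mask) | set_mask) ^ flip_mask;
	vmcb_write64(vmcb_addr, (uint16_t)offset, value);
}

/* args: [0] linear address, [1] ASID (low 32 bits). */
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t linear_addr = cmd->args[0];
	uint32_t asid = (uint32_t)cmd->args[1];
	asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("stgi" ::: "memory");
}

GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("clgi" ::: "memory");
}

/*
 * Builds an event-injection word and stores it at VMCB offset 0x60
 * (presumably the EVENTINJ control field — confirm against the VMCB layout).
 * args: [0] vm_id, [1] vector (8 bits), [2] type (3 bits), [3] error code (32 bits),
 * [4] flags: bit0 -> word bit 31, bit1 -> word bit 11.
 */
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t vector = cmd->args[1] & 0xFF;
	uint64_t type = cmd->args[2] & 0x7;
	uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
	uint64_t flags = cmd->args[4];

	uint64_t event_inj = vector | (type << 8) | (error_code << 32);
	if (flags & 2)
		event_inj |= (1ULL << 11);
	if (flags & 1)
		event_inj |= (1ULL << 31);
	vmcb_write64(vmcb_addr, 0x60, event_inj);
}

/* args: [0] vm_id, [1] byte offset of a 32-bit intercept word, [2] bit mask, [3] action (1 = set, else clear). */
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t offset = cmd->args[1];
	if (!vmcb_access_in_page(offset, sizeof(uint32_t)))
		return;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint32_t bits = (uint32_t)cmd->args[2];
	uint64_t action = cmd->args[3];
	uint32_t word = vmcb_read32(vmcb_addr, (uint16_t)offset);
	word = (action == 1) ? (word | bits) : (word & ~bits);
	vmcb_write32(vmcb_addr, (uint16_t)offset, word);
}

/* VMLOAD from the VMCB of `cmd->arg` (vm_id) on this CPU. */
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, cmd->arg);
	asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory");
}

/* VMSAVE into the VMCB of `cmd->arg` (vm_id) on this CPU. */
GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, cmd->arg);
	asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory");
}

/* Pre-assembled x86 snippets loaded into a vCPU by the host-side KVM setup. */
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb";
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm32_paged_vm86[] =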
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\
xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\
xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\
x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t 
sp1;
	uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

// 64-bit TSS image, 104 bytes: rsp[0..2] at byte offset 4, ist[0..6] at offset 36,
// I/O bitmap base at offset 102. Packed so offsetof() matches the hardware layout.
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint16_t reserved3;
	uint16_t io_bitmap;
} __attribute__((packed));

// Pack `seg` into an 8-byte x86 descriptor and store it at index selector>>3 in
// BOTH tables, dt (GDT) and lt (LDT). With g set the limit is taken in pages
// (limit >> 12). Gate descriptors reuse this packer with seg->base carrying the
// target selector and seg->limit the handler offset (see setup_32bit_idt); only
// the low 20 bits of `limit` are encoded, so larger offsets are silently truncated.
// No bounds check on `index`: callers pass fixed X86_SEL_* constants that must stay
// within the tables they sized (256 entries for GDT/LDT, 64 for the 0x1ff IDT).
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
	dt[index] = sd;
	lt[index] = sd;
}

// 16-byte (long-mode system) descriptor: the low qword is packed as above and the
// high qword (base/offset bits 63:32 on hardware) is zeroed. Used for the 64-bit
// TSS, the 64-bit IDT gates and the 64-bit call gate, so only bases/offsets below
// 4 GiB are representable.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

// Program the SYSENTER/SYSCALL MSRs of vCPU `cpufd` so both fast-syscall flavours
// land on the fixed guest stubs:
//   SYSENTER_CS = sel_cs, SYSENTER_ESP = X86_ADDR_STACK0, SYSENTER_EIP = X86_ADDR_VAR_SYSEXIT,
//   STAR[47:32] = sel_cs (SYSCALL CS), STAR[63:48] = sel_cs_cpl3 (SYSRET CS base),
//   LSTAR = X86_ADDR_VAR_SYSRET.
// kvm_msrs carries a trailing `entries` array, hence the oversized char buffer.
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = X86_MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
	entries[1].data = X86_ADDR_STACK0;
	entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
	entries[2].data = X86_ADDR_VAR_SYSEXIT;
	entries[3].index = X86_MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
entries[4].index = X86_MSR_IA32_LSTAR;
	entries[4].data = X86_ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs); // result not checked
}

// Build a 32-bit IDT at guest X86_ADDR_VAR_IDT. The limit 0x1ff covers 64 8-byte
// slots; only vectors 0..31 are written, the rest is left as found. Gate flavours
// cycle with i % 6:
//   0: type 6  (16-bit interrupt gate) -> X86_SEL_CS16
//   1: type 7  (16-bit trap gate)      -> X86_SEL_CS16
//   2: type 3                          -> X86_SEL_TGATE16
//   3: type 14 (32-bit interrupt gate) -> X86_SEL_CS32
//   4: type 15 (32-bit trap gate)      -> X86_SEL_CS32
//   5: type 11                         -> X86_SEL_TGATE32
// Types 3 and 11 are busy-TSS descriptor types rather than gate types; presumably
// intentional for fuzzing, since the selector field points at the task-gate selectors.
// Each gate is described as a kvm_segment and packed by fill_segment_descriptor():
// gate.base carries the target selector, gate.limit the handler offset. `gate` is not
// zeroed, but every field that packer reads is assigned below. The same table is
// passed as both dt and lt.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = X86_SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = X86_SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = X86_SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = X86_SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = X86_SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = X86_SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}

// 64-bit IDT at the same guest address: 32 16-byte gates (selector index 2*i, upper
// qword zeroed by fill_segment_descriptor_dword), odd vectors are interrupt gates
// (type 14), even vectors trap gates (type 15), all targeting X86_SEL_CS64 at offset
// guest_mem + X86_ADDR_VAR_USER_CODE2.
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ?
14 : 15; // odd vectors: interrupt gate (14), even vectors: trap gate (15)
		gate.base = X86_SEL_CS64;
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

// Flags for syzos_mem_regions[] (bit 4 is unused here).
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)

// One guest-physical region: start address, length in 4 KiB pages, MEM_REGION_FLAG_* bits.
struct mem_region {
	uint64_t gpa;
	int pages;
	uint32_t flags;
};

// Static physical layout of the SYZOS guest. The user-code region has one page per
// vCPU and is READONLY (install_user_code() writes it through the host mapping, not
// from the guest); the executor code is READONLY too; the EXIT page has no host
// backing (NO_HOST_MEM — accesses presumably trap to userspace; see the mapping
// code); DIRTY_PAGES has dirty logging enabled.
static const struct mem_region syzos_mem_regions[] = {
    {X86_SYZOS_ADDR_ZERO, 48, MEM_REGION_FLAG_GPA0},
    {X86_SYZOS_ADDR_SMRAM, 10, 0},
    {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM},
    {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG},
    {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE},
    {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE},
    {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0},
    {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0},
    {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0},
    {X86_SYZOS_ADDR_IOAPIC, 1, 0},
};

// Host-side handle for one SYZOS VM.
struct kvm_syz_vm {
	int vmfd;
	int next_cpu_id;
	void* host_mem; // host mapping that guest-physical table addresses are offset from
	size_t total_pages; // page budget consumed by setup_pg_table()
	void* user_text; // base of the per-vCPU user-code pages (install_user_code indexes by cpu_id)
	void* gpa0_mem; // host view of GPA 0; the page tables are built through it
};

#define X86_NUM_IDT_ENTRIES 256

// Fill all 256 IDT slots with the same 64-bit interrupt gate (type_attr 0x8E: present,
// DPL 0, IST 0, interrupt gate) targeting dummy_null_handler via X86_SYZOS_SEL_CODE,
// and point sregs->idt at the table (guest address X86_SYZOS_ADDR_VAR_IDT).
static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs)
{
	sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT;
	sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1;
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)((uint64_t)vm->host_mem + sregs->idt.base);
	uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler);
	for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) {
		idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF);
		idt[i].selector = X86_SYZOS_SEL_CODE;
		idt[i].ist = 0;
		idt[i].type_attr = 0x8E;
		idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF);
		idt[i].offset_high =
(uint32_t)((handler_addr >> 32) & 0xFFFFFFFF);
		idt[i].reserved = 0;
	}
}

// One payload for syz_kvm_setup_cpu(): `typ` is the code mode (8, 16 or 32; anything
// else is treated as 64-bit), `text`/`size` the raw machine code.
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

// One tunable for syz_kvm_setup_cpu(): typ % 9 selects what `val` mutates.
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

// Physical-address field (bits 51:12) of a 64-bit paging entry.
// NOTE(review): may shadow a PAGE_MASK from an earlier header — verify no conflicting
// definition is in scope.
#define PAGE_MASK GENMASK_ULL(51, 12)

// Bump allocator over a fixed pool of page-table pages (guest-physical addresses).
typedef struct {
	uint64_t next_page;
	uint64_t last_page;
} page_alloc_t;

// Take the next 4 KiB page from the pool; terminates the process when the pool is
// exhausted (32 pages, see setup_pg_table()).
static uint64_t pg_alloc(page_alloc_t* alloc)
{
	if (alloc->next_page >= alloc->last_page)
		exit(1);
	uint64_t page = alloc->next_page;
	alloc->next_page += KVM_PAGE_SIZE;
	return page;
}

// Identity-map (GVA == GPA) one 4 KiB page in the 4-level table rooted at
// X86_SYZOS_ADDR_PML4, allocating missing intermediate tables from `alloc`.
// Every entry is PRESENT|RW, supervisor-only (no USER bit) and executable (no NX bit).
// `host_mem` is the host address of GPA 0: tables are dereferenced as host_mem + gpa,
// so the PML4 and the pool must lie inside that mapping. Only an all-zero entry counts
// as missing; the PML4 page itself is assumed to be already zeroed.
static void map_4k_page(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa)
{
	uint64_t* pml4 = (uint64_t*)(host_mem + X86_SYZOS_ADDR_PML4);
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (pml4[pml4_idx] == 0)
		pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pdpt = (uint64_t*)(host_mem + (pml4[pml4_idx] & PAGE_MASK));
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (pdpt[pdpt_idx] == 0)
		pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pd = (uint64_t*)(host_mem + (pdpt[pdpt_idx] & PAGE_MASK));
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (pd[pd_idx] == 0)
		pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pt = (uint64_t*)(host_mem + (pd[pd_idx] & PAGE_MASK));
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW;
}

// Map `num_pages` consecutive pages starting at gpa_start; returns num_pages so the
// caller can keep a running budget. A non-positive count maps nothing.
static int map_4k_region(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa_start, int num_pages)
{
	for (int i = 0; i < num_pages; i++)
		map_4k_page(host_mem, alloc, gpa_start + (i * KVM_PAGE_SIZE));
	return num_pages;
}

// Build the guest page tables: zero the 32-page table pool at X86_SYZOS_ADDR_PT_POOL,
// identity-map every syzos_mem_regions[] entry, then map whatever remains of
// vm->total_pages contiguously at X86_SYZOS_ADDR_UNUSED. `total` is narrowed to int;
// if the static regions already exceed the budget it goes negative and the final
// map_4k_region() call simply maps nothing.
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	int total = vm->total_pages;
	uint64_t host_mem = (uint64_t)vm->gpa0_mem;
	page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + 32 * KVM_PAGE_SIZE};
	for (uint64_t i = 0; i < (alloc.last_page - alloc.next_page); i += KVM_PAGE_SIZE)
		memset((void*)(host_mem + alloc.next_page + i), 0, KVM_PAGE_SIZE);
	for (size_t i = 0; i < sizeof(syzos_mem_regions) /
sizeof(syzos_mem_regions[0]); i++)
		total -= map_4k_region(host_mem, &alloc, syzos_mem_regions[i].gpa, syzos_mem_regions[i].pages);
	map_4k_region(host_mem, &alloc, X86_SYZOS_ADDR_UNUSED, total);
}

// Raw 8-byte GDT entry layout.
struct gdt_entry {
	uint16_t limit_low;
	uint16_t base_low;
	uint8_t base_mid;
	uint8_t access;
	uint8_t limit_high_and_flags;
	uint8_t base_high;
} __attribute__((packed));

// Fill the SYZOS long-mode GDT: null, 64-bit code (access 0x9A / flags 0xAF: present,
// DPL 0, execute/read, L=1, G=1), data (0x92 / 0xCF: present, DPL 0, read/write, D=1,
// G=1) and an available 64-bit TSS (0x89, limit 0x67).
// NOTE(review): the DATA descriptor's base is X86_SYZOS_ADDR_VAR_TSS while the TSS
// descriptor's base is 0 — the opposite of the cached state loaded in
// setup_gdt_ldt_pg() (ds.base = 0, tr.base = X86_SYZOS_ADDR_VAR_TSS). The two bases
// look swapped; verify before relying on a guest-side reload of DS or TR.
// Only the low 8 bytes of the 16-byte long-mode TSS descriptor are written; the slot
// after it is left as found (the caller's 5-entry limit presumably reserves it).
static void setup_gdt_64(struct gdt_entry* gdt)
{
	gdt[0] = (struct gdt_entry){0};
	gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0};
	gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)};
	gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){
	    .limit_low = 0x67, .base_low = 0, .base_mid = 0, .access = 0x89, .limit_high_and_flags = 0x00, .base_high = 0};
}

// Put vCPU `cpufd` into 64-bit long mode with paging for SYZOS: flat 64-bit code/data
// segments and a TSS (RSP0 = X86_SYZOS_ADDR_STACK0), then GDT, IDT and page tables,
// then CR0/CR4/EFER/CR3. The KVM_GET_SREGS result is not checked; on failure the
// cr4/efer `|=` updates operate on an uninitialized struct.
static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd)
{
	struct kvm_sregs sregs;
	ioctl(cpufd, KVM_GET_SREGS, &sregs);
	sregs.gdt.base = X86_SYZOS_ADDR_GDT;
	sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1;
	struct gdt_entry* gdt = (struct gdt_entry*)((uint64_t)vm->host_mem + sregs.gdt.base);
	// CS: flat 64-bit code, type 11 (execute/read, accessed), L=1, G=1, base 0.
	struct kvm_segment seg_cs64;
	memset(&seg_cs64, 0, sizeof(seg_cs64));
	seg_cs64.selector = X86_SYZOS_SEL_CODE;
	seg_cs64.type = 11;
	seg_cs64.base = 0;
	seg_cs64.limit = 0xFFFFFFFFu;
	seg_cs64.present = 1;
	seg_cs64.s = 1;
	seg_cs64.g = 1;
	seg_cs64.l = 1;
	sregs.cs = seg_cs64;
	// DS/ES/FS/GS/SS: flat data, type 3 (read/write, accessed), D=1, G=1, base 0.
	struct kvm_segment seg_ds64;
	memset(&seg_ds64, 0, sizeof(struct kvm_segment));
	seg_ds64.selector = X86_SYZOS_SEL_DATA;
	seg_ds64.type = 3;
	seg_ds64.limit = 0xFFFFFFFFu;
	seg_ds64.present = 1;
	seg_ds64.s = 1;
	seg_ds64.g = 1;
	seg_ds64.db = 1;
	sregs.ds = seg_ds64;
	sregs.es = seg_ds64;
	sregs.fs = seg_ds64;
	sregs.gs = seg_ds64;
	sregs.ss = seg_ds64;
	struct
kvm_segment seg_tr;
	memset(&seg_tr, 0, sizeof(seg_tr));
	// TR: type 11 (busy 64-bit TSS), base X86_SYZOS_ADDR_VAR_TSS, limit 0x67.
	seg_tr.selector = X86_SYZOS_SEL_TSS64;
	seg_tr.type = 11;
	seg_tr.base = X86_SYZOS_ADDR_VAR_TSS;
	seg_tr.limit = 0x67;
	seg_tr.present = 1;
	seg_tr.s = 0;
	sregs.tr = seg_tr;
	// 104-byte TSS image: all zero except RSP0 at byte offset 4 (cf. struct tss64).
	volatile uint8_t* l1_tss = (volatile uint8_t*)((uint64_t)vm->host_mem + X86_SYZOS_ADDR_VAR_TSS);
	memset((void*)l1_tss, 0, 104);
	*(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0;
	setup_gdt_64(gdt);
	syzos_setup_idt(vm, &sregs);
	setup_pg_table(vm);
	// CR0 is assigned, not OR-ed: exactly PE|NE|PG. Long mode (LME|LMA) with PAE,
	// SSE state enabled (OSFXSR) and NX enabled (NXE).
	sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG;
	sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR;
	sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE);
	// NOTE(review): setup_pg_table() builds the tables at X86_SYZOS_ADDR_PML4 but CR3
	// is loaded with X86_ADDR_PML4 — confirm the two macros name the same address.
	sregs.cr3 = X86_ADDR_PML4;
	ioctl(cpufd, KVM_SET_SREGS, &sregs); // result not checked
}

// Copy KVM's supported CPUID table (up to 128 leaves) into vCPU `cpufd`. open() and
// both ioctl()s are unchecked: if /dev/kvm cannot be opened, the zeroed 128-entry
// table is pushed as-is.
static void setup_cpuid(int cpufd)
{
	int kvmfd = open("/dev/kvm", O_RDWR);
	char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	memset(buf, 0, sizeof(buf));
	struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
	cpuid->nent = 128;
	ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
	ioctl(cpufd, KVM_SET_CPUID2, cpuid);
	close(kvmfd);
}

// Flag bits of the `flags` argument of syz_kvm_setup_cpu().
// (KVM_SETUP_PAE is defined but not consulted by syz_kvm_setup_cpu.)
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

// Pseudo-syscall: load one code snippet into a KVM vCPU and set up the requested
// execution mode around it. Arguments (all passed as long):
//   a0 vmfd, a1 cpufd, a2 host_mem (host mapping of guest memory),
//   a3 kvm_text array, a4 its count (ignored: only [0] is used, so the caller must
//   supply at least one entry), a5 KVM_SETUP_* flags, a6 kvm_opt array, a7 its count
//   (clamped to 2 later).
// Returns 0 on success, -1 if KVM_GET_SREGS, KVM_SET_SREGS or KVM_SET_REGS fails.
// Guest memory is 24 4 KiB pages at GPA 0; page `ioapic_page` (10) is relocated to
// the IOAPIC address.
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	const int vmfd = a0;
	const int cpufd = a1;
	char* const host_mem = (char*)a2;
	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
	const uintptr_t text_count = a4;
	const uintptr_t flags = a5;
	const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
	uintptr_t opt_count = a7;
	const uintptr_t page_size = 4 << 10;
	const uintptr_t ioapic_page = 10;
	const uintptr_t guest_mem_size = 24 * page_size;
	const uintptr_t guest_mem = 0;
	(void)text_count;
	int text_type = text_array_ptr[0].typ;
	const void* text =
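text_array_ptr[0].text;
	uintptr_t text_size = text_array_ptr[0].size;
	// One 4 KiB memslot per guest page, backed by consecutive host pages. Slot
	// `ioapic_page` (10) is placed at 0xfec00000 (the IOAPIC MMIO window) instead of
	// GPA 0xa000, which therefore stays unbacked. ioctl results are not checked.
	for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
		struct kvm_userspace_memory_region memreg;
		memreg.slot = i;
		memreg.flags = 0;
		memreg.guest_phys_addr = guest_mem + i * page_size;
		if (i == ioapic_page)
			memreg.guest_phys_addr = 0xfec00000;
		memreg.memory_size = page_size;
		memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
		ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	}
	// A 64 KiB slot in KVM address space 1 (slot bits 31:16) at GPA 0x30000 —
	// presumably the SMM view at the default SMBASE — backed by the SAME host pages as
	// GPA 0, so the SMM entry code written at host_mem + 0x8000 (KVM_SETUP_SMM paths)
	// aliases the normal guest page at 0x8000.
	struct kvm_userspace_memory_region memreg;
	memreg.slot = 1 + (1 << 16);
	memreg.flags = 0;
	memreg.guest_phys_addr = 0x30000;
	memreg.memory_size = 64 << 10;
	memreg.userspace_addr = (uintptr_t)host_mem;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	struct kvm_sregs sregs;
	if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
		return -1;
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	regs.rip = guest_mem + X86_ADDR_TEXT;
	regs.rsp = X86_ADDR_STACK0;
	// 256-entry GDT and LDT in guest memory; fill_segment_descriptor() writes every
	// descriptor into both tables.
	sregs.gdt.base = guest_mem + X86_ADDR_GDT;
	sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
	uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);
	// LDT descriptor (system type 2) covering 256 entries at X86_ADDR_LDT.
	struct kvm_segment seg_ldt;
	memset(&seg_ldt, 0, sizeof(seg_ldt));
	seg_ldt.selector = X86_SEL_LDT;
	seg_ldt.type = 2;
	seg_ldt.base = guest_mem + X86_ADDR_LDT;
	seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
	seg_ldt.present = 1;
	seg_ldt.dpl = 0;
	seg_ldt.s = 0;
	seg_ldt.g = 0;
	seg_ldt.db = 1;
	seg_ldt.l = 0;
	sregs.ldt = seg_ldt;
	uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);
	// 16-bit code (type 11: execute/read, accessed) and data (type 3: read/write,
	// accessed): base 0, 1 MiB limit with byte granularity, DPL 0. The *_cpl3 variants
	// are copies at DPL 3 with their own selectors.
	struct kvm_segment seg_cs16;
	memset(&seg_cs16, 0, sizeof(seg_cs16));
	seg_cs16.selector = X86_SEL_CS16;
	seg_cs16.type = 11;
	seg_cs16.base = 0;
	seg_cs16.limit = 0xfffff;
	seg_cs16.present = 1;
	seg_cs16.dpl = 0;
	seg_cs16.s = 1;
	seg_cs16.g = 0;
	seg_cs16.db = 0;
	seg_cs16.l = 0;
	struct kvm_segment seg_ds16 = seg_cs16;
	seg_ds16.selector = X86_SEL_DS16;
	seg_ds16.type = 3;
	struct kvm_segment seg_cs16_cpl3 = seg_cs16;
	seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3;
	seg_cs16_cpl3.dpl = 3;
	struct kvm_segment seg_ds16_cpl3 = seg_ds16;
	seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3;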
seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct 
kvm_segment seg_tss64 = seg_tss32;
	seg_tss64.selector = X86_SEL_TSS64;
	seg_tss64.base = X86_ADDR_VAR_TSS64;
	seg_tss64.limit = 0x1ff;
	struct kvm_segment seg_tss64_cpl3 = seg_tss64;
	seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3;
	seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3;
	seg_tss64_cpl3.dpl = 3;
	// Gates are expressed as kvm_segments for fill_segment_descriptor(): `base` carries
	// the target selector (descriptor bits 16..31) plus, via `2 << 16`, the byte that
	// lands in bits 32..39 — presumably the call-gate parameter count; `limit` carries
	// the entry offset.
	struct kvm_segment seg_cgate16;
	memset(&seg_cgate16, 0, sizeof(seg_cgate16));
	seg_cgate16.selector = X86_SEL_CGATE16;
	seg_cgate16.type = 4;
	seg_cgate16.base = X86_SEL_CS16 | (2 << 16);
	seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2;
	seg_cgate16.present = 1;
	seg_cgate16.dpl = 0;
	seg_cgate16.s = 0;
	seg_cgate16.g = 0;
	seg_cgate16.db = 0;
	seg_cgate16.l = 0;
	seg_cgate16.avl = 0;
	struct kvm_segment seg_tgate16 = seg_cgate16;
	seg_tgate16.selector = X86_SEL_TGATE16;
	seg_tgate16.type = 3;
	// NOTE(review): this assigns seg_cgate16.base, not seg_tgate16.base. As written the
	// 16-bit call gate ends up targeting X86_SEL_TSS16_2 (the 2 << 16 byte dropped)
	// while the task gate keeps X86_SEL_CS16 | (2 << 16) from the copy above;
	// seg_cgate32/seg_cgate64 below copy this too but override base themselves. Looks
	// like a copy-paste slip for `seg_tgate16.base = X86_SEL_TSS16_2;` — left as is so
	// the reproducer's descriptor bytes stay as generated; confirm intent before changing.
	seg_cgate16.base = X86_SEL_TSS16_2;
	seg_tgate16.limit = 0;
	struct kvm_segment seg_cgate32 = seg_cgate16;
	seg_cgate32.selector = X86_SEL_CGATE32;
	seg_cgate32.type = 12;
	seg_cgate32.base = X86_SEL_CS32 | (2 << 16);
	struct kvm_segment seg_tgate32 = seg_cgate32;
	seg_tgate32.selector = X86_SEL_TGATE32;
	seg_tgate32.type = 11;
	seg_tgate32.base = X86_SEL_TSS32_2;
	seg_tgate32.limit = 0;
	struct kvm_segment seg_cgate64 = seg_cgate16;
	seg_cgate64.selector = X86_SEL_CGATE64;
	seg_cgate64.type = 12;
	seg_cgate64.base = X86_SEL_CS64;
	// Same sequence as setup_cpuid(); open()/ioctl() results are not checked.
	int kvmfd = open("/dev/kvm", O_RDWR);
	char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	memset(buf, 0, sizeof(buf));
	struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
	cpuid->nent = 128;
	ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
	ioctl(cpufd, KVM_SET_CPUID2, cpuid);
	close(kvmfd);
	// `text_prefix` is the mode-switch stub prepended to the payload; `host_text` is the
	// host address the payload is written to (relocated to host_mem + 0x8000 on the
	// SMM paths).
	const char* text_prefix = 0;
	int text_prefix_size = 0;
	char* host_text = host_mem + X86_ADDR_TEXT;
	if (text_type == 8) {
		if (flags & KVM_SETUP_SMM) {
			if (flags & KVM_SETUP_PROTECTED) {
				sregs.cs = seg_cs16;
				sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
				sregs.cr0 |= X86_CR0_PE;
			} else {
				sregs.cs.selector = 0;
				sregs.cs.base = 0;
			}
			// HLT at the normal entry point; the payload itself goes to the SMM entry
			// and is triggered with KVM_SMI (next statements).
			*(host_mem + X86_ADDR_TEXT) = 0xf4;
host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags 
& KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = 
X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; 
tss64.rsp[2] = X86_ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base);
	memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64));
	// Payload capped at 1000 bytes, presumably so prefix + payload + trailing HLT fit
	// the text area.
	if (text_size > 1000)
		text_size = 1000;
	if (text_prefix) {
		memcpy(host_text, text_prefix, text_prefix_size);
		// The prefixes contain a far jump with the 32-bit placeholder 0x0badc0de (bytes
		// de c0 ad 0b); patch it to the guest address just past the 6-byte jump target
		// (4-byte offset + 2-byte selector), i.e. the next instruction.
		void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4);
		if (patch)
			*((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6;
		// Second placeholder: a 16-bit X86_PREFIX_SIZE marker replaced by the guest
		// address where the payload starts. memmem() patches the first match only, so a
		// prefix byte pair that happens to equal the marker would be mis-patched.
		uint16_t magic = X86_PREFIX_SIZE;
		patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic));
		if (patch)
			*((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size;
	}
	// Payload after the prefix, terminated by HLT; a second HLT-terminated copy at
	// X86_ADDR_VAR_USER_CODE (the entry point used by the TSS images, see tss32.ip).
	memcpy((void*)(host_text + text_prefix_size), text, text_size);
	*(host_text + text_prefix_size + text_size) = 0xf4;
	memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size);
	*(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4;
	// Fixed stubs: HLT; SYSRET (0f 07) + HLT; SYSEXIT (0f 35) + HLT.
	*(host_mem + X86_ADDR_VAR_HLT) = 0xf4;
	memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3);
	memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3);
	*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0;
	*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0;
	// At most two options; each XORs (toggles) a masked set of bits, so the same
	// option given twice cancels itself.
	if (opt_count > 2)
		opt_count = 2;
	for (uintptr_t i = 0; i < opt_count; i++) {
		uint64_t typ = opt_array_ptr[i].typ;
		uint64_t val = opt_array_ptr[i].val;
		switch (typ % 9) {
		case 0: // toggle CR0 bits; PE and PG are excluded from the mask
			sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD);
			break;
		case 1: // toggle CR4 bits; PAE and PSE are excluded from the mask
			sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE);
			break;
		case 2: // toggle EFER bits; LME and LMA are excluded from the mask
			sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE);
			break;
		case 3: // toggle selected RFLAGS bits in regs and in every TSS image (continued below)
			val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13)
| (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, 
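&seg_tgate16);
	fill_segment_descriptor(gdt, ldt, &seg_cgate32);
	fill_segment_descriptor(gdt, ldt, &seg_tgate32);
	fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
	/* Push the prepared special and general registers into the vCPU. */
	if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
		return -1;
	if (ioctl(cpufd, KVM_SET_REGS, &regs))
		return -1;
	return 0;
}

/* RFLAGS bit 1 is architecturally fixed to 1; bit 9 is IF (interrupts enabled). */
#define RFLAGS_1_BIT (1ULL << 1)
#define RFLAGS_IF_BIT (1ULL << 9)

/*
 * Reset the general-purpose registers of vCPU `cpufd` so that it enters the
 * guest executor at guest_main with interrupts enabled. text_size and cpu_id
 * are passed in rdi and rsi (the first two SysV integer argument registers).
 * The KVM_SET_REGS result is not checked.
 */
static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size)
{
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
	regs.rip = executor_fn_guest_addr(guest_main);
	regs.rsp = X86_SYZOS_ADDR_STACK0;
	regs.rdi = text_size;
	regs.rsi = cpu_id;
	ioctl(cpufd, KVM_SET_REGS, &regs);
}

/*
 * Copy at most one page of program-supplied guest code into the per-vCPU
 * page of the user-code region and prepare the vCPU to run it. Out-of-range
 * cpu ids are ignored; oversized text is truncated to KVM_PAGE_SIZE so the
 * copy cannot spill into the next vCPU's page.
 */
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size)
{
	if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU))
		return;
	if (text_size > KVM_PAGE_SIZE)
		text_size = KVM_PAGE_SIZE;
	void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
	memcpy(target, text, text_size);
	setup_gdt_ldt_pg(vm, cpufd);
	setup_cpuid(cpufd);
	reset_cpu_regs(cpufd, cpu_id, text_size);
}

/* A contiguous host-memory range [addr, addr + size). */
struct addr_size {
	void* addr;
	size_t size;
};

/*
 * Bump-allocate `size` bytes from the front of `free`.
 * Returns the carved range, or {NULL, 0} when `free` is too small. On
 * success `free` is advanced past the allocation; on failure it is untouched.
 */
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size)
{
	struct addr_size ret = {.addr = NULL, .size = 0};
	if (free->size < size)
		return ret;
	ret.addr = free->addr;
	ret.size = size;
	free->addr = (void*)((char*)free->addr + size);
	free->size -= size;
	return ret;
}

/*
 * Map `memory_size` bytes of host memory at `userspace_addr` into guest
 * physical address `guest_phys_addr` (KVM_SET_USER_MEMORY_REGION). Every
 * field of the request is assigned explicitly; the ioctl result is not checked.
 */
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr)
{
	struct kvm_userspace_memory_region memreg;
	memreg.slot = slot;
	memreg.flags = flags;
	memreg.guest_phys_addr = guest_phys_addr;
	memreg.memory_size = memory_size;
	memreg.userspace_addr = userspace_addr;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}

/*
 * Copy the guest executor image (the __start_guest..__stop_guest section)
 * into `host_mem`. Exits if the image does not fit into mem_size bytes.
 */
static void install_syzos_code(void* host_mem, size_t mem_size)
{
	size_t size = (char*)&__stop_guest - (char*)&__start_guest;
	if (size > mem_size)
		exit(1);
	memcpy(host_mem, &__start_guest, size);
}

/*
 * Lay out guest physical memory. For every entry of syzos_mem_regions that
 * needs host backing, carve it from the VM's host buffer, translate the
 * region flags into KVM memslot flags, remember the user-code and GPA-0
 * regions in `vm`, load the executor image into the executor-code region,
 * and register the slot with KVM. A region that no longer fits gets
 * {NULL, 0} from the allocator and is registered as an empty slot. Whatever
 * host memory remains is mapped as one final slot at X86_SYZOS_ADDR_UNUSED.
 */
static void setup_vm(int vmfd, struct kvm_syz_vm* vm)
{
	struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE};
	int slot = 0;
	for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) {
		const struct mem_region* r = &syzos_mem_regions[i];
		if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM)
			continue;
		struct addr_size next = alloc_guest_mem(&allocator, r->pages * KVM_PAGE_SIZE);
		uint32_t flags = 0;
		if (r->flags & MEM_REGION_FLAG_DIRTY_LOG)
			flags |= KVM_MEM_LOG_DIRTY_PAGES;
		if (r->flags & MEM_REGION_FLAG_READONLY)
			flags |= KVM_MEM_READONLY;
		if (r->flags & MEM_REGION_FLAG_USER_CODE)
			vm->user_text = next.addr;
		if (r->flags & MEM_REGION_FLAG_GPA0)
			vm->gpa0_mem = next.addr;
		if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE)
			install_syzos_code(next.addr, next.size);
		vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr);
	}
	struct addr_size next = alloc_guest_mem(&allocator, allocator.size);
	vm_set_user_memory_region(vmfd, slot++, 0, X86_SYZOS_ADDR_UNUSED, next.size, (uintptr_t)next.addr);
}

/*
 * Pseudo-syscall: initialise a syzos VM. a0 is the KVM VM fd, a1 the host
 * buffer that backs the guest. The first page of that buffer holds the
 * struct kvm_syz_vm bookkeeping itself; the remaining KVM_GUEST_PAGES - 1
 * pages become guest memory. Returns the kvm_syz_vm pointer, which is the
 * handle later passed to syz_kvm_add_vcpu.
 */
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1)
{
	const int vmfd = a0;
	void* host_mem = (void*)a1;
	struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem;
	ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE);
	ret->total_pages = KVM_GUEST_PAGES - 1;
	setup_vm(vmfd, ret);
	ret->vmfd = vmfd;
	ret->next_cpu_id = 0;
	return (long)ret;
}

/*
 * Pseudo-syscall: create the next vCPU of VM `a0` and install the user code
 * described by the struct kvm_text at `a1`.
 * Returns the vCPU fd, or -1 with errno set: EINVAL for a NULL vm or text
 * descriptor, ENOMEM once KVM_MAX_VCPU vCPUs exist, otherwise whatever
 * KVM_CREATE_VCPU left. The text descriptor is dereferenced only after the
 * NULL check so a missing argument fails cleanly instead of faulting.
 */
static long syz_kvm_add_vcpu(volatile long a0, volatile long a1)
{
	struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0;
	struct kvm_text* utext = (struct kvm_text*)a1;
	if (!vm || !utext) {
		errno = EINVAL;
		return -1;
	}
	const void* text = utext->text;
	size_t text_size = utext->size;
	if (vm->next_cpu_id == KVM_MAX_VCPU) {
		errno = ENOMEM;
		return -1;
	}
	int cpu_id = vm->next_cpu_id;
	int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id);
	if (cpufd == -1)
		return -1;
	vm->next_cpu_id++;
	install_user_code(vm, cpufd, cpu_id, text, text_size);
	return cpufd;
}

static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();

/*
 * Build a private root for the fuzzing process: a fresh tmpfs under
 * ./syz-tmp with bind mounts of the host's /dev and /sys, a new proc
 * instance, and a few pseudo-filesystems that may or may not exist; then
 * pivot_root into it (or merely chdir if pivot_root fails) and chroot into
 * ./newroot. Mandatory steps exit on failure; optional mounts tolerate ENOENT.
 * /syz-inputs is bound read-only so the program cannot alter its own inputs.
 */
static void sandbox_common_mount_tmpfs(void)
{
	/* Raise the per-namespace mount limit (fs.mount-max) ahead of the mounts below. */
	write_file("/proc/sys/fs/mount-max", "100000");
	if (mkdir("./syz-tmp", 0777))
		exit(1);
	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot", 0777))
		exit(1);
	if (mkdir("./syz-tmp/newroot/dev", 0700))
		exit(1);
	/* MS_PRIVATE keeps mount events inside the new tree from propagating back. */
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/proc", 0700))
		exit(1);
	if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/selinux", 0700))
		exit(1);
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	/* selinuxfs may be at /selinux or at /sys/fs/selinux; try both, neither is required. */
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			exit(1);
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			exit(1);
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		exit(1);
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		exit(1);
	if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
		exit(1);
	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/pivot", 0777))
		exit(1);
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		/* Fallback when pivot_root fails: chdir + chroot below, old root is not detached. */
		if (chdir("./syz-tmp"))
			exit(1);
	} else {
		if (chdir("/"))
			exit(1);
		/* Lazily detach the old root so the original tree is unreachable from here on. */
		if (umount2("./pivot", MNT_DETACH))
			exit(1);
	}
	if (chroot("./newroot"))
		exit(1);
	if (chdir("/"))
		exit(1);
	setup_gadgetfs();
	setup_binderfs();
	setup_fusectl();
}

/* Best effort: create and mount gadgetfs at /dev/gadgetfs; failures are ignored. */
static void setup_gadgetfs()
{
	if (mkdir("/dev/gadgetfs", 0777)) {
	}
	if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
	}
}

/* Best effort: mount fusectl at /sys/fs/fuse/connections (used by kill_and_wait). */
static void setup_fusectl()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

/* Best effort: create and mount binderfs at /dev/binderfs; failures are ignored. */
static void setup_binderfs()
{
	if (mkdir("/dev/binderfs", 0777)) {
	}
	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
	}
}

static void loop();

/*
 * Common hardening of the sandbox child:
 *  - be killed together with the parent (PR_SET_PDEATHSIG) and bail out if
 *    already reparented to init;
 *  - keep a handle to the initial network namespace at kInitNetNsFd;
 *  - cap address space, locked memory, file size, stack, core and fd count;
 *  - move into new mount (made recursively private), IPC, cgroup, UTS and
 *    SysV-semaphore namespaces, ignoring failures on kernels without support;
 *  - pin the SysV IPC limits (shm, msg, sem) to fixed values.
 */
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	/* ppid 1 means the parent is already gone; don't run orphaned. */
	if (getppid() == 1)
		exit(1);
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is CLONE_NEWCGROUP (presumably a literal so older headers still build). */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Wait for the sandbox child `pid` and return its exit status. Any other
 * children reaped along the way are ignored. Exits if the fork failed.
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/*
 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from this process's effective,
 * permitted and inheritable sets via the raw capget/capset syscalls
 * (v3 header, two data words). Both bits fall into cap_data[0], the low
 * word, so only that element is modified. Exits if either syscall fails.
 */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * The "none" sandbox. Enter a new PID namespace (if permitted) and fork: the
 * parent only waits for the child's status. The child initialises vhci,
 * applies the common hardening, drops capabilities, enters a fresh network
 * namespace, allows unprivileged ICMP sockets for all groups
 * (ping_group_range), builds the private root and runs loop() forever; the
 * trailing exit(1) is reached only if loop() ever returns.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	initialize_vhci();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	sandbox_common_mount_tmpfs();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir` after a test run, coping with the state a program
 * may leave behind: anything mounted on the directory or its entries is
 * unmounted first (forced, without following symlinks); an EPERM on
 * unlink/rmdir is answered by clearing the inode flags (immutable/append-only)
 * through FS_IOC_SETFLAGS and retrying; EBUSY is retried after another
 * unmount; EROFS is given up on quietly; and ENOTEMPTY from rmdir restarts
 * the whole scan (at most 100 times) because entries reappeared. Every retry
 * loop is bounded; any other failure exits the process. errno is saved right
 * after the failing call because open()/ioctl() in the EPERM path clobber it.
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL)
		exit(1);
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, umount_flags) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		for (int i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			/* A persistent EPERM would otherwise retry without bound. */
			if (i > 100)
				exit(1);
			int err = errno;
			if (err == EPERM) {
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (err == EROFS) {
				break;
			}
			if (err != EBUSY)
				exit(1);
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		int err = errno;
		if (i < 100) {
			if (err == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (err == EROFS) {
				break;
			}
			if (err == EBUSY) {
				if (umount2(dir, umount_flags))
					exit(1);
				continue;
			}
			if (err == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/*
 * Arm kernel fault injection so that the nth allocation/fault point of this
 * thread fails, by writing `nth` to /proc/thread-self/fail-nth. Returns the
 * open fd (ownership passes to the caller); exits if the file cannot be
 * opened or the write is short.
 */
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	snprintf(buf, sizeof(buf), "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

/*
 * Kill the test child `pid` and its process group and reap it into *status.
 * If it has not exited after ~100 ms it may be stuck in a FUSE request, so
 * every connection under /sys/fs/fuse/connections is aborted (writing any
 * byte to <id>/abort does it; the first byte of the path is used), after
 * which the wait blocks until the child is reaped. Other children reaped on
 * the way are ignored.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* Detach whatever backing file the previous run attached to this process's /dev/loop<procid>. */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/*
 * Per-test-child setup: die with the parent, become a process-group leader
 * (so kill_and_wait can kill the whole group), make this process the
 * preferred OOM victim, and expose binderfs at ./binderfs (best effort).
 */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

/*
 * Check that the kernel supports systematic fault injection and configure
 * the debugfs knobs the executor relies on. Returns NULL on success or a
 * static string describing why fault injection is unavailable; only the
 * failslab knob is mandatory, the others are optional.
 */
static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				return "failed to write fault injection file";
		}
	}
	return NULL;
}

/* Smallest buffer the /dev/fuse read path accepts; see syz_fuse_handle_req. */
#define FUSE_MIN_READ_BUFFER 8192

/* FUSE request opcodes (mirrors the kernel's uapi fuse_opcode). */
enum fuse_opcode {
	FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13,
	FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26,
	FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32,
	FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38,
	FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50,
	FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header of every request read from /dev/fuse; `len` covers the whole request. */
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

/* Header of every reply written to /dev/fuse; `unique` must echo the request. */
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

/*
 * Program-prepared replies, one per reply shape; an entry may be NULL, in
 * which case a request needing it is answered with -1 instead of a reply.
 */
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
	struct fuse_out_header* statx;
};

/*
 * Stamp `out_hdr` with the request's unique id and write out_hdr->len bytes
 * of it to the /dev/fuse fd. Returns 0 on success, -1 when there is no reply
 * to send or write() fails; a short write is not detected.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/*
 * Pseudo-syscall: serve one FUSE request. Read a request from fd a0 into the
 * buffer at a1 (a2 bytes, rejected below FUSE_MIN_READ_BUFFER), pick the
 * reply slot matching its opcode from the syz_fuse_req_out table at a3 and
 * send it with the request's unique id. A request shorter than its header,
 * or whose header claims more bytes than were read, is rejected. FORGET and
 * BATCH_FORGET expect no reply; the opcodes grouped with FUSE_DESTROY get a
 * bare header (len forced to sizeof(fuse_out_header)) built on the init
 * slot. Returns 0 on success, -1 on any failure or unknown opcode.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	/* The header's own length must not exceed what actually arrived. */
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/* Header-only acknowledgement reusing the init slot. */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	case FUSE_STATX:
		out_hdr = req_out->statx;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

/* mac80211_hwsim generic-netlink attribute ids used below. */
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
/* Upper bound on an injected frame, enforced by syz_80211_inject_frame. */
#define WIFI_MAX_INJECT_LEN 2048

/*
 * Register `sock` with mac80211_hwsim (HWSIM_CMD_REGISTER) so it may inject
 * frames. Returns the netlink_send_ext result (negative on failure).
 */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

/*
 * Send one HWSIM_CMD_FRAME carrying `len` bytes of `data` to the virtual
 * radio whose address is the ETH_ALEN bytes at `mac_addr`, with default
 * rate and signal attributes. Returns the netlink_send_ext result.
 */
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

/*
 * Pseudo-syscall: inject an 802.11 frame (a1, a2 bytes) addressed to the
 * hwsim radio a0 through a fresh generic-netlink socket. The length is
 * range-checked against WIFI_MAX_INJECT_LEN before anything is sent; the
 * socket is closed on every path. Returns 0 on success, -1 on failure.
 */
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
	if (hwsim_family_id < 0) {
		close(sock);
		return -1;
	}
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32
/* Join modes accepted as a3 by syz_80211_join_ibss. */
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

/*
 * Pseudo-syscall: join interface a0 to an IBSS with SSID a1 (a2 bytes, at
 * most WIFI_MAX_SSID_LEN) on the default frequency and fixed BSSID
 * WIFI_IBSS_BSSID. The frequency is pinned for the *_NO_SCAN modes; in
 * WIFI_JOIN_IBSS_NO_SCAN mode the call additionally waits for the interface
 * to report IF_OPER_UP. The netlink socket is closed on every path.
 * Returns 0 on success, -1 on bad arguments or any failure.
 */
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
	if (nl80211_family_id < 0) {
		close(sock);
		return -1;
	}
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}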
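/* How long a cloned child lingers before exiting (microseconds). */
#define USLEEP_FORKED_CHILD (3 * 50 *1000)

/*
 * Common tail of syz_clone/syz_clone3. In the parent (ret != 0: a pid or
 * -1) the value is returned unchanged. In the child (ret == 0) sleep for
 * USLEEP_FORKED_CHILD so the parent can observe it, then terminate through
 * the raw exit syscall rather than exit(3), which would run atexit handlers
 * and flush stdio in the child. The final loop only guards against the
 * syscall returning.
 */
static long handle_clone_ret(long ret)
{
	if (ret != 0) {
		return ret;
	}
	usleep(USLEEP_FORKED_CHILD);
	syscall(__NR_exit, 0);
	while (1) {
	}
}

/*
 * Pseudo-syscall wrapper for clone(2). CLONE_VM is always stripped so the
 * child never shares the executor's address space, and the child's stack
 * pointer is the 16-byte-aligned top of [stack, stack + stack_len).
 * Returns the clone result in the parent; the child exits via handle_clone_ret.
 */
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls)
{
	long sp = (stack + stack_len) & ~15;
	long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}

/* Largest struct clone_args the wrapper accepts. */
#define MAX_CLONE_ARGS_BYTES 256

/*
 * Pseudo-syscall wrapper for clone3(2). The program-supplied clone_args at
 * a0 (a1 bytes: at least the leading 64-bit flags word, at most
 * MAX_CLONE_ARGS_BYTES) are copied into a local uint64_t-aligned buffer so
 * the flags word can be read without a misaligned access, CLONE_VM is
 * cleared, and clone3 is invoked on the copy. Returns -1 for a bad size,
 * otherwise as handle_clone_ret.
 */
static long syz_clone3(volatile long a0, volatile long a1)
{
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	uint64_t clone_args[MAX_CLONE_ARGS_BYTES / sizeof(uint64_t)];
	memcpy(clone_args, (void*)a0, copy_size);
	clone_args[0] &= ~CLONE_VM;
	return handle_clone_ret((long)syscall(__NR_clone3, clone_args, copy_size));
}

/* Protection key kept off-limits to the program (presumably for the executor's own use). */
#define RESERVED_PKEY 15

/*
 * Pseudo-syscall: set the two PKRU bits of protection key `pkey` to `val & 3`
 * using rdpkru/wrpkru. The key is first folded into 0..15, so an alias such
 * as 31 cannot bypass the RESERVED_PKEY check, and the resulting shift count
 * is a small unsigned value: the original `3 << ((pkey % 16) * 2)` was
 * undefined for negative pkey (negative shift count) and for key 15
 * (3 << 30 overflows a signed int). Returns 0, or -1 with errno = EINVAL
 * for the reserved key.
 */
static long syz_pkey_set(volatile long pkey, volatile long val)
{
	const unsigned key = (unsigned)((unsigned long)pkey % 16);
	if (key == RESERVED_PKEY) {
		errno = EINVAL;
		return -1;
	}
	const unsigned shift = key * 2;
	uint32_t eax = 0;
	uint32_t ecx = 0;
	asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx");
	eax &= ~(3u << shift);
	eax |= ((uint32_t)val & 3) << shift;
	uint32_t edx = 0;
	asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
	return 0;
}

/*
 * Pseudo-syscall wrapper for pidfd_open(2). pid 1 is remapped to 0, which
 * pidfd_open rejects; presumably this keeps the program from obtaining a
 * handle to the sandbox's init process.
 */
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	if (pid == 1) {
		pid = 0;
	}
	return syscall(__NR_pidfd_open, pid, flags);
}

/* One worker thread: `call` is the program call it should run next. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing in worker threads. */
static int running;

/*
 * Worker thread body: wait for `ready`, run the assigned call, decrement
 * `running` and signal `done`; repeat forever. The return is unreachable.
 */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * Run the program once: each of the 61 calls is handed to the first idle
 * worker thread (threads are created lazily). Call 1 is dispatched without
 * waiting; every other call is waited for up to 50 ms plus a per-call
 * extension, after which execution moves on even if it is still running.
 * At the end, poll for up to ~100 ms for in-flight calls to drain.
 */
static void execute_one(void)
{
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0; call < 61; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (call == 1)
				break;
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 52 ? 3000 : 0) + (call == 53 ? 3000 : 0) + (call == 54 ? 3000 : 0) + (call == 55 ? 300 : 0) + (call == 56 ? 300 : 0) + (call == 57 ? 300 : 0) + (call == 58 ? 3000 : 0) + (call == 59 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

/*
 * Main reproduction loop. Each iteration creates ./<iter>, detaches the
 * process's loop device, and forks a child that moves into the directory,
 * applies setup_test and runs execute_one. The parent polls every 10 ms for
 * up to 5 s, then kills and reaps the child, and finally removes the
 * directory tree the run left behind.
 */
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		snprintf(cwdbuf, sizeof(cwdbuf), "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/*
 * Resources (fds, ids) produced by earlier calls and consumed by later ones;
 * 0xffffffffffffffff marks a slot whose producing call has not succeeded yet.
 */
uint64_t r[37] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/* Execute call number `call` of the program; each case writes its arguments into the fixed data area and issues the syscall. */
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		*(uint32_t*)0x200000000000 = 0x4006;
		*(uint32_t*)0x200000000004 = 0xd;
		*(uint32_t*)0x200000000008 = 2;
		*(uint32_t*)0x20000000000c = 8;
		inject_fault(1);
		syscall(__NR_ioctl,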
/*fd=*/(intptr_t)-1, /*cmd=*/0x80044945, /*arg=*/0x200000000000ul); break; case 1: *(uint32_t*)0x200000000040 = 0; *(uint32_t*)0x200000000044 = 1; *(uint32_t*)0x200000000048 = 4; *(uint32_t*)0x20000000004c = 2; *(uint32_t*)0x200000000050 = 5; *(uint32_t*)0x200000000054 = 0x81; *(uint32_t*)0x200000000058 = 0; memcpy((void*)0x20000000005c, "id1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); memcpy((void*)0x20000000009c, "timer0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 80); *(uint64_t*)0x2000000000f0 = 0; *(uint64_t*)0x2000000000f8 = 6; *(uint64_t*)0x200000000100 = 3; *(uint64_t*)0x200000000108 = 0x70a; *(uint32_t*)0x200000000110 = 9; memset((void*)0x200000000114, 0, 32); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0f85403, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000140, "/dev/ircomm#\000", 13); res = -1; res = syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); for (int i = 0; i < 4; i++) { syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); } if (res != -1) r[0] = res; break; case 3: *(uint32_t*)0x200000000340 = 0x82; *(uint32_t*)0x200000000344 = 8; *(uint64_t*)0x200000000348 = 0x200000000280; *(uint32_t*)0x200000000280 = 1; *(uint64_t*)0x200000000284 = 0; *(uint32_t*)0x20000000028c = 0xc0; *(uint64_t*)0x200000000290 = 0x200000000180; memcpy((void*)0x200000000180, 
"\x5b\x58\xac\x0e\xd1\xd2\x7b\x21\x7d\x3f\xdc\x62\x99\xcd\xde\x4d\x85\x32\x1f\x7b\xba\xa0\x64\xd3\x61\x51\x9c\xdd\xe4\x3b\x22\x5c\xf0\x06\x58\xdd\xbf\xbd\x91\x4c\xf7\x9e\xce\xb3\x48\xf1\x86\x92\x31\x5c\x3c\x69\xec\x14\x8e\x2d\xd9\x28\xac\x7e\xe6\x2f\x51\x11\xb9\xdc\xca\xca\x88\x52\x49\x12\x34\x19\x55\xf7\x9b\x0f\x22\x06\xb8\x0e\x6e\x5a\x7e\x68\x1a\x62\x96\x94\xa3\x4f\x9b\x0e\x39\x87\x7e\xef\xde\x60\xa0\x68\xcd\xc4\x45\x45\xd6\xfe\x45\xd0\x00\x0c\x99\x61\xa1\xff\x16\x87\x47\x44\x7e\x34\x6b\x16\x46\x08\x75\xc6\x91\xde\x11\x83\xb2\xd7\xb0\x32\xcf\xae\x85\x49\x7d\x0d\x88\x48\xd4\xba\xa9\xad\xc6\xca\xac\xcd\x9a\xf6\x01\x9e\xa2\xba\x6f\x3b\x4e\x60\x18\xdf\x94\xca\xca\xbe\xdd\xec\x7b\x60\x02\x30\xea\x77\x90\x01\x93\x99\xd0\xbe\xb6\x1f\x42\x7d\xf8\x35\x9c\xc3\x48\x93", 192); *(uint64_t*)0x200000000298 = 0; *(uint32_t*)0x2000000002a0 = 0; *(uint64_t*)0x2000000002a4 = 0x200000000240; *(uint32_t*)0x2000000002ac = 0x10000; *(uint32_t*)0x2000000002b0 = 0; *(uint64_t*)0x2000000002b4 = 0; *(uint32_t*)0x2000000002bc = 0x81; *(uint32_t*)0x2000000002c0 = 0xe; *(uint64_t*)0x200000000350 = 0x200000000300; *(uint32_t*)0x200000000358 = 0x44; *(uint32_t*)0x20000000035c = 0xc; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0206440, /*arg=*/0x200000000340ul); if (res != -1) r[1] = *(uint64_t*)0x200000000300; break; case 4: *(uint32_t*)0x200000000400 = 0x81; *(uint32_t*)0x200000000404 = 4; *(uint64_t*)0x200000000408 = 0x200000000380; *(uint64_t*)0x200000000380 = r[1]; *(uint64_t*)0x200000000410 = 0x2000000003c0; *(uint32_t*)0x200000000418 = 8; *(uint32_t*)0x20000000041c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000400ul); break; case 5: *(uint32_t*)0x200000000440 = 3; *(uint32_t*)0x200000000444 = 6; STORE_BY_BITMASK(uint32_t, , 0x200000000448, 1, 0, 1); memcpy((void*)0x200000000449, 
"queue1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); *(uint32_t*)0x20000000048c = 0xdae; memset((void*)0x200000000490, 0, 60); syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc08c5335, /*arg=*/0x200000000440ul); break; case 6: memcpy((void*)0x200000000540, "TIPCv2\000", 7); res = -1; res = syz_genetlink_get_family_id(/*name=*/0x200000000540, /*fd=*/r[0]); if (res != -1) r[2] = res; break; case 7: *(uint64_t*)0x200000000880 = 0x200000000500; *(uint16_t*)0x200000000500 = 0x10; *(uint16_t*)0x200000000502 = 0; *(uint32_t*)0x200000000504 = 0; *(uint32_t*)0x200000000508 = 0x1000000; *(uint32_t*)0x200000000888 = 0xc; *(uint64_t*)0x200000000890 = 0x200000000840; *(uint64_t*)0x200000000840 = 0x200000000580; *(uint32_t*)0x200000000580 = 0x2b4; *(uint16_t*)0x200000000584 = r[2]; *(uint16_t*)0x200000000586 = 0x400; *(uint32_t*)0x200000000588 = 0x70bd2d; *(uint32_t*)0x20000000058c = 0x25dfdbfb; *(uint8_t*)0x200000000590 = 4; *(uint8_t*)0x200000000591 = 0; *(uint16_t*)0x200000000592 = 0; *(uint16_t*)0x200000000594 = 0x44; STORE_BY_BITMASK(uint16_t, , 0x200000000596, 3, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 1, 7, 1); *(uint16_t*)0x200000000598 = 8; *(uint16_t*)0x20000000059a = 1; *(uint32_t*)0x20000000059c = 6; *(uint16_t*)0x2000000005a0 = 8; *(uint16_t*)0x2000000005a2 = 1; *(uint32_t*)0x2000000005a4 = 0x3f; *(uint16_t*)0x2000000005a8 = 8; *(uint16_t*)0x2000000005aa = 1; *(uint32_t*)0x2000000005ac = 2; *(uint16_t*)0x2000000005b0 = 8; *(uint16_t*)0x2000000005b2 = 1; *(uint32_t*)0x2000000005b4 = 0x4c00000; *(uint16_t*)0x2000000005b8 = 8; *(uint16_t*)0x2000000005ba = 1; *(uint32_t*)0x2000000005bc = 3; *(uint16_t*)0x2000000005c0 = 8; *(uint16_t*)0x2000000005c2 = 1; *(uint32_t*)0x2000000005c4 = 6; *(uint16_t*)0x2000000005c8 = 8; 
*(uint16_t*)0x2000000005ca = 3; *(uint32_t*)0x2000000005cc = 0x67c; *(uint16_t*)0x2000000005d0 = 8; *(uint16_t*)0x2000000005d2 = 1; *(uint32_t*)0x2000000005d4 = 7; *(uint16_t*)0x2000000005d8 = 0x3c; STORE_BY_BITMASK(uint16_t, , 0x2000000005da, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 1, 7, 1); *(uint16_t*)0x2000000005dc = 9; *(uint16_t*)0x2000000005de = 1; memcpy((void*)0x2000000005e0, "syz1\000", 5); *(uint16_t*)0x2000000005e8 = 0x2c; STORE_BY_BITMASK(uint16_t, , 0x2000000005ea, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 1, 7, 1); *(uint16_t*)0x2000000005ec = 8; *(uint16_t*)0x2000000005ee = 3; *(uint32_t*)0x2000000005f0 = 0x220a; *(uint16_t*)0x2000000005f4 = 8; *(uint16_t*)0x2000000005f6 = 4; *(uint32_t*)0x2000000005f8 = 0x9c0; *(uint16_t*)0x2000000005fc = 8; *(uint16_t*)0x2000000005fe = 2; *(uint32_t*)0x200000000600 = 0x101; *(uint16_t*)0x200000000604 = 8; *(uint16_t*)0x200000000606 = 4; *(uint32_t*)0x200000000608 = 3; *(uint16_t*)0x20000000060c = 8; *(uint16_t*)0x20000000060e = 1; *(uint32_t*)0x200000000610 = 8; *(uint16_t*)0x200000000614 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000616, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 1, 7, 1); *(uint16_t*)0x200000000618 = 8; *(uint16_t*)0x20000000061a = 2; *(uint32_t*)0x20000000061c = 6; *(uint16_t*)0x200000000620 = 8; *(uint16_t*)0x200000000622 = 1; *(uint32_t*)0x200000000624 = 1; *(uint16_t*)0x200000000628 = 0xb8; STORE_BY_BITMASK(uint16_t, , 0x20000000062a, 1, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 1, 7, 1); *(uint16_t*)0x20000000062c = 0x24; STORE_BY_BITMASK(uint16_t, , 0x20000000062e, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 1, 7, 1); *(uint16_t*)0x200000000630 = 8; 
*(uint16_t*)0x200000000632 = 2; *(uint32_t*)0x200000000634 = 9; *(uint16_t*)0x200000000638 = 8; *(uint16_t*)0x20000000063a = 4; *(uint32_t*)0x20000000063c = 7; *(uint16_t*)0x200000000640 = 8; *(uint16_t*)0x200000000642 = 2; *(uint32_t*)0x200000000644 = 5; *(uint16_t*)0x200000000648 = 8; *(uint16_t*)0x20000000064a = 2; *(uint32_t*)0x20000000064c = 2; *(uint16_t*)0x200000000650 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000652, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 1, 7, 1); *(uint16_t*)0x200000000654 = 8; *(uint16_t*)0x200000000656 = 3; *(uint32_t*)0x200000000658 = 6; *(uint16_t*)0x20000000065c = 8; *(uint16_t*)0x20000000065e = 4; *(uint32_t*)0x200000000660 = 0; *(uint16_t*)0x200000000664 = 0xd; *(uint16_t*)0x200000000666 = 1; memcpy((void*)0x200000000668, "udp:syz2\000", 9); *(uint16_t*)0x200000000674 = 0xc; STORE_BY_BITMASK(uint16_t, , 0x200000000676, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 1, 7, 1); *(uint16_t*)0x200000000678 = 8; *(uint16_t*)0x20000000067a = 4; *(uint32_t*)0x20000000067c = 7; *(uint16_t*)0x200000000680 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000682, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 1, 7, 1); *(uint16_t*)0x200000000684 = 8; *(uint16_t*)0x200000000686 = 1; *(uint32_t*)0x200000000688 = 0x17; *(uint16_t*)0x20000000068c = 8; *(uint16_t*)0x20000000068e = 1; *(uint32_t*)0x200000000690 = 0x17; *(uint16_t*)0x200000000694 = 8; *(uint16_t*)0x200000000696 = 1; *(uint32_t*)0x200000000698 = 0x12; *(uint16_t*)0x20000000069c = 0x2c; *(uint16_t*)0x20000000069e = 4; *(uint16_t*)0x2000000006a0 = 0x14; *(uint16_t*)0x2000000006a2 = 1; *(uint16_t*)0x2000000006a4 = 2; *(uint16_t*)0x2000000006a6 = htobe16(0x4e21); *(uint32_t*)0x2000000006a8 = htobe32(0xe0000002); *(uint16_t*)0x2000000006b4 = 0x14; *(uint16_t*)0x2000000006b6 = 2; 
*(uint16_t*)0x2000000006b8 = 2; *(uint16_t*)0x2000000006ba = htobe16(0x4e20); *(uint32_t*)0x2000000006bc = htobe32(-1); *(uint16_t*)0x2000000006c8 = 8; *(uint16_t*)0x2000000006ca = 3; *(uint32_t*)0x2000000006cc = 0xb; *(uint16_t*)0x2000000006d0 = 0xd; *(uint16_t*)0x2000000006d2 = 1; memcpy((void*)0x2000000006d4, "udp:syz1\000", 9); *(uint16_t*)0x2000000006e0 = 0x20; STORE_BY_BITMASK(uint16_t, , 0x2000000006e2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 1, 7, 1); *(uint16_t*)0x2000000006e4 = 8; *(uint16_t*)0x2000000006e6 = 1; *(uint32_t*)0x2000000006e8 = 8; *(uint16_t*)0x2000000006ec = 0xc; *(uint16_t*)0x2000000006ee = 3; *(uint64_t*)0x2000000006f0 = 6; *(uint16_t*)0x2000000006f8 = 8; *(uint16_t*)0x2000000006fa = 1; *(uint32_t*)0x2000000006fc = 0x80; *(uint16_t*)0x200000000700 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000702, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 1, 7, 1); *(uint16_t*)0x200000000704 = 8; *(uint16_t*)0x200000000706 = 1; *(uint32_t*)0x200000000708 = 2; *(uint16_t*)0x20000000070c = 8; *(uint16_t*)0x20000000070e = 1; *(uint32_t*)0x200000000710 = 9; *(uint16_t*)0x200000000714 = 0x10c; STORE_BY_BITMASK(uint16_t, , 0x200000000716, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 1, 7, 1); *(uint16_t*)0x200000000718 = 9; *(uint16_t*)0x20000000071a = 1; memcpy((void*)0x20000000071c, "syz1\000", 5); *(uint16_t*)0x200000000724 = 0x13; *(uint16_t*)0x200000000726 = 1; memcpy((void*)0x200000000728, "broadcast-link\000", 15); *(uint16_t*)0x200000000738 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000073a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 1, 7, 1); *(uint16_t*)0x20000000073c = 8; *(uint16_t*)0x20000000073e = 2; *(uint32_t*)0x200000000740 = 0x187; *(uint16_t*)0x200000000744 = 8; 
*(uint16_t*)0x200000000746 = 4; *(uint32_t*)0x200000000748 = 0x40; *(uint16_t*)0x20000000074c = 8; *(uint16_t*)0x20000000074e = 1; *(uint32_t*)0x200000000750 = 0x10; *(uint16_t*)0x200000000754 = 0x24; STORE_BY_BITMASK(uint16_t, , 0x200000000756, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 1, 7, 1); *(uint16_t*)0x200000000758 = 8; *(uint16_t*)0x20000000075a = 2; *(uint32_t*)0x20000000075c = 0xc0fb; *(uint16_t*)0x200000000760 = 8; *(uint16_t*)0x200000000762 = 2; *(uint32_t*)0x200000000764 = 0; *(uint16_t*)0x200000000768 = 8; *(uint16_t*)0x20000000076a = 2; *(uint32_t*)0x20000000076c = 3; *(uint16_t*)0x200000000770 = 8; *(uint16_t*)0x200000000772 = 4; *(uint32_t*)0x200000000774 = 6; *(uint16_t*)0x200000000778 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000077a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 1, 7, 1); *(uint16_t*)0x20000000077c = 8; *(uint16_t*)0x20000000077e = 1; *(uint32_t*)0x200000000780 = 0x18; *(uint16_t*)0x200000000784 = 8; *(uint16_t*)0x200000000786 = 2; *(uint32_t*)0x200000000788 = 0x80000000; *(uint16_t*)0x20000000078c = 8; *(uint16_t*)0x20000000078e = 2; *(uint32_t*)0x200000000790 = 2; *(uint16_t*)0x200000000794 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000796, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 1, 7, 1); *(uint16_t*)0x200000000798 = 8; *(uint16_t*)0x20000000079a = 4; *(uint32_t*)0x20000000079c = 0xfffffff2; *(uint16_t*)0x2000000007a0 = 8; *(uint16_t*)0x2000000007a2 = 3; *(uint32_t*)0x2000000007a4 = 7; *(uint16_t*)0x2000000007a8 = 8; *(uint16_t*)0x2000000007aa = 3; *(uint32_t*)0x2000000007ac = 0xd0; *(uint16_t*)0x2000000007b0 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x2000000007b2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 1, 7, 1); *(uint16_t*)0x2000000007b4 = 8; 
*(uint16_t*)0x2000000007b6 = 1; *(uint32_t*)0x2000000007b8 = 0xf; *(uint16_t*)0x2000000007bc = 8; *(uint16_t*)0x2000000007be = 4; *(uint32_t*)0x2000000007c0 = 0x401; *(uint16_t*)0x2000000007c4 = 8; *(uint16_t*)0x2000000007c6 = 1; *(uint32_t*)0x2000000007c8 = 9; *(uint16_t*)0x2000000007cc = 0x54; STORE_BY_BITMASK(uint16_t, , 0x2000000007ce, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 1, 7, 1); *(uint16_t*)0x2000000007d0 = 8; *(uint16_t*)0x2000000007d2 = 3; *(uint32_t*)0x2000000007d4 = 0xe6a9; *(uint16_t*)0x2000000007d8 = 8; *(uint16_t*)0x2000000007da = 4; *(uint32_t*)0x2000000007dc = 7; *(uint16_t*)0x2000000007e0 = 8; *(uint16_t*)0x2000000007e2 = 3; *(uint32_t*)0x2000000007e4 = 0x10000; *(uint16_t*)0x2000000007e8 = 8; *(uint16_t*)0x2000000007ea = 3; *(uint32_t*)0x2000000007ec = 0x2000; *(uint16_t*)0x2000000007f0 = 8; *(uint16_t*)0x2000000007f2 = 2; *(uint32_t*)0x2000000007f4 = 9; *(uint16_t*)0x2000000007f8 = 8; *(uint16_t*)0x2000000007fa = 3; *(uint32_t*)0x2000000007fc = 6; *(uint16_t*)0x200000000800 = 8; *(uint16_t*)0x200000000802 = 4; *(uint32_t*)0x200000000804 = 0x81; *(uint16_t*)0x200000000808 = 8; *(uint16_t*)0x20000000080a = 3; *(uint32_t*)0x20000000080c = 0x3ff; *(uint16_t*)0x200000000810 = 8; *(uint16_t*)0x200000000812 = 1; *(uint32_t*)0x200000000814 = 0x19; *(uint16_t*)0x200000000818 = 8; *(uint16_t*)0x20000000081a = 1; *(uint32_t*)0x20000000081c = 0x1a; *(uint16_t*)0x200000000820 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000822, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 1, 7, 1); *(uint16_t*)0x200000000824 = 8; *(uint16_t*)0x200000000826 = 1; *(uint32_t*)0x200000000828 = 1; *(uint16_t*)0x20000000082c = 8; *(uint16_t*)0x20000000082e = 2; *(uint32_t*)0x200000000830 = 0x79; *(uint64_t*)0x200000000848 = 0x2b4; *(uint64_t*)0x200000000898 = 1; *(uint64_t*)0x2000000008a0 = 0; *(uint64_t*)0x2000000008a8 = 0; 
*(uint32_t*)0x2000000008b0 = 0x4040811; syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000880ul, /*f=*/0ul); break; case 8: syscall(__NR_read, /*fd=*/r[0], /*data=*/0x2000000008c0ul, /*len=*/0x1dul); break; case 9: *(uint64_t*)0x200000000980 = 6; *(uint64_t*)0x200000000988 = 0x200000000940; *(uint64_t*)0x200000000940 = 0x904e; *(uint64_t*)0x200000000948 = 1; *(uint64_t*)0x200000000950 = 9; *(uint64_t*)0x200000000958 = 6; *(uint64_t*)0x200000000960 = 0xe; *(uint64_t*)0x200000000968 = 5; syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x4010801d, /*arg=*/0x200000000980ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 4, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; memset((void*)0x20000000004a, 255, 6); *(uint8_t*)0x200000000050 = 8; *(uint8_t*)0x200000000051 = 2; *(uint8_t*)0x200000000052 = 0x11; *(uint8_t*)0x200000000053 = 0; *(uint8_t*)0x200000000054 = 0; *(uint8_t*)0x200000000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x200000000056, 1, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0x7f, 4, 12); *(uint16_t*)0x200000000058 = 0x1f; *(uint8_t*)0x20000000005a = 0x8c; *(uint8_t*)0x20000000005b = 0x18; 
*(uint16_t*)0x20000000005c = 0x5d9; memcpy((void*)0x20000000005e, "\x8e\x85\x14\x4c\x64\x33", 6); memcpy((void*)0x200000000064, "\xe0\x23\xfb\xed\x51\x30\x11\xc5\x70\x7e\x45\x24\x72\xe2\x05\x5d", 16); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x34); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memcpy((void*)0x2000000000c0, "\x3a\x38\x64\x65\xf3\x89\x38\x0e\x26\xb0\xcb\x13\xf9\x8a\x36\xe2\x21\x4f\x09\x9e\xe0\xd0\xb2\x9b\x75\x4e\x31\xd6\xef\xc8\x2c\x04", 32); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/0x20, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_path_truncate\000", 22); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xda\xa4\xed\x40\xf7\xcf\x4d\xa8\x63\x77\xe8\x64\xd8\xe6\xc6\xd4\xfc\x54\x86\xaf\x4a\x6f\x23\xde\xa5\x8b\x32\x43\xa2\x91\xb0\x18\x0d\xba\xf5\xc9\x27\x58\xaf\x73\xf9", 41); memcpy((void*)0x200000000200, "\x40\xf2\x76\x85\x6b\x81\x91\xc4\xf3\x12\x75\x9d\x79\x5a\x22\xc3\xc7\xed\xc9\x16\x78\x79\x4f\x4e\xea\xc4\x57\x46\xfc\xc9\x93\x07\x22\xc8\x18\x9b\xa5\x95\x65\xf7\x32\x7c\xbc\xd4\x50\x61\x64\xeb\x9f\x6f\xf1\x75\xf1\xf0\x8d\x60\x24\x70\x91\x77\x2c\x18\x5a\xc3\x83\x04\xe9\xb5\xb3", 69); res = -1; res = syz_clone(/*flags=CLONE_NEWUTS|CLONE_VFORK*/0x4004000, /*stack=*/0x200000000140, /*stack_len=*/0x29, /*parentid=*/0x200000000180, /*childtid=*/0x2000000001c0, /*tls=*/0x200000000200); if (res != -1) r[3] = res; break; case 14: res = syscall(__NR_getpgrp, /*pid=*/r[3]); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x800; *(uint64_t*)0x200000000508 = 0x200000000280; *(uint64_t*)0x200000000510 = 0x2000000002c0; *(uint64_t*)0x200000000518 = 0x200000000300; *(uint32_t*)0x200000000520 = 0x12; *(uint64_t*)0x200000000528 = 0x200000000340; *(uint64_t*)0x200000000530 = 0x66; *(uint64_t*)0x200000000538 = 0x2000000003c0; *(uint64_t*)0x200000000540 = 
0x2000000004c0; *(uint32_t*)0x2000000004c0 = r[3]; *(uint32_t*)0x2000000004c4 = r[3]; *(uint32_t*)0x2000000004c8 = r[3]; *(uint32_t*)0x2000000004cc = r[4]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = -1; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000280; r[7] = *(uint32_t*)0x2000000002c0; r[8] = *(uint32_t*)0x200000000300; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint8_t*)0x200000001600 = -1; *(uint8_t*)0x200000001601 = 0; syz_emit_vhci(/*data=*/0x200000001600, /*size=*/2); break; case 18: *(uint64_t*)0x200000001680 = 4; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000001680ul); if (res != -1) r[9] = res; break; case 19: *(uint32_t*)0x200000004a80 = 0x80000000; *(uint32_t*)0x200000004a84 = 0xee01; *(uint32_t*)0x200000004a88 = 0xee01; *(uint32_t*)0x200000004a8c = 5; *(uint32_t*)0x200000004a90 = 0xfffffff8; *(uint32_t*)0x200000004a94 = 1; *(uint16_t*)0x200000004a98 = 0x6bc1; *(uint32_t*)0x200000004a9c = 0x40; *(uint64_t*)0x200000004aa0 = 0xffff; *(uint64_t*)0x200000004aa8 = 0x2265; *(uint64_t*)0x200000004ab0 = 0xfffffffffffffff8; *(uint32_t*)0x200000004ab8 = r[3]; *(uint32_t*)0x200000004abc = r[8]; *(uint16_t*)0x200000004ac0 = 0xfffa; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000003a40; memcpy((void*)0x200000003a40, 
"\x89\x17\xf9\x6e\xff\x00\x1e\x00\x64\x91\xda\x94\x8f\x25\xc3\xac\x36\x65\x39\x2d\x07\x7a\x28\x78\xa0\xc4\x71\x86\xfb\xb5\x96\x00\xe8\x72\x5c\x57\x48\x93\xc0\xd6\x45\x65\x1c\xd4\x96\xd4\xd6\xc4\x3d\xd8\xd9\xe3\xce\xca\x2e\x2a\x35\xfd\x60\x78\x5c\xd7\x7e\xc5\xc5\xee\xd5\xea\x44\xa8\x53\x76\x9a\x52\xcb\x3e\x89\xd0\x6c\x09\x95\xf7\x7e\x9b\x7e\xcc\x68\xfa\x52\x1a\xc4\xb1\x93\xee\x67\xdc\xce\xc0\xa7\xd1\x3f\x3c\x06\x8e\xe0\x46\xa9\xa1\x42\x01\x1c\xd4\xba\x8e\x67\xf3\x81\xe1\x67\x45\xd8\x1a\x2b\x5b\xf1\x1f\x4e\xf0\x01\x43\x30\xc9\x5f\x0f\x5b\xc8\x9d\x00\xf1\x61\x29\xa9\x63\x77\x82\xe5\xa6\xf4\xd9\x22\xe0\xf0\x74\x57\xee\x51\x5e\x1b\xbf\x56\x54\x90\x6d\x88\x7b\xa0\x2b\xee\x66\x4d\xa7\x2a\x51\xb5\xdc\xdf\x4b\xec\xca\x2d\x80\x67\xe3\x57\x53\xc0\x31\x23\x59\xef\xb6\xda\x86\x14\x9a\xfc\x10\x10\xd0\xc6\xc8\x6c\xc9\xc8\x83\x1c\xa1\x27\x6c\xa9\x68\x81\x1c\x87\xba\xab\x12\x1c\x9d\x81\x72\x73\x19\x6e\x97\xae\x66\xf3\x97\x66\x7e\x02\x3f\xc2\x33\x19\xc2\x4f\xa8\x23\x57\x22\x26\xfb\x74\x8a\xc5\x4f\xf5\x28\x23\x6b\x07\x81\xa2\x0e\xd5\x2e\x11\x69\x27\xa2\x2b\x11\xe0\xb8\xac\xeb\x36\xd2\xcf\x4a\x78\xeb\x34\x65\xfc\xb9\xc9\x49\x3e\xad\xd4\x46\x86\x76\x6f\xb2\x6d\x4d\x0a\x54\xd0\x28\x27\x3a\x5c\x60\x53\x88\x53\x4e\x49\x37\xf1\x8c\xa9\x05\x32\x44\x5f\x94\x66\x51\xf3\x63\x4e\x9b\x36\x5b\xb8\xed\x72\x42\xb9\x12\x31\xba\x06\x34\x7e\xab\x1f\x32\x00\x96\x37\x4f\xbd\x8a\x7a\x94\xc2\xfa\x71\x54\x41\x5c\x92\x3f\xd6\x6c\xd6\x26\x48\x9e\x7c\x79\xca\xd3\x9b\x66\xb0\x67\x4b\x94\x39\xb5\x7b\x79\xec\x79\x03\xd3\x5e\xc3\x14\xdb\x9d\x7e\x41\x5d\xf3\xc4\xf7\x55\x14\xb1\xc8\x3e\x9b\x6b\x27\x1d\xab\xeb\xd3\xb7\x93\xa7\x8a\xd5\xba\xef\x25\x39\x39\x34\xbc\x1b\x49\x69\xeb\x61\x28\xd3\x52\x14\x90\x47\x0f\x25\xe7\xa4\x7b\x13\xee\x0c\x47\x72\xd0\x47\x3d\xa5\x18\x44\x1b\x7b\xd3\x62\xbc\x99\xb0\x9c\xf6\x96\xbe\xb9\xe5\xf9\xd3\xd5\xe8\x8e\x9e\x96\x0e\x25\x9e\x4f\xe6\x7c\xfa\x3b\x2a\xbd\xe1\x00\x10\xf3\xc6\xa6\x0d\x26\x9a\xd1\x3e\x59\x05\x2e\x8a\xb9\x51\x40\x1d\xde\x34\x5c\x4f\xed\x4f\xea\x6d\x91\xb8\x4d\xae\xee\xbf\x4
5\xfa\x79\x98\xee\x41\xda\x06\x87\x5e\x7b\xc4\x8d\x9d\xe5\x4d\xe3\x6d\x9e\x27\x49\x5f\xe7\xe8\x8e\x02\x4e\x7d\xd3\x58\x7d\xcb\xc7\x1c\xd4\x33\xb7\x1a\x4d\x97\x2b\x02\x65\x59\xef\xbf\x17\xc2\xb0\x2b\x23\x57\xb9\xd9\x13\xa7\x64\xc9\x5c\x5a\xa7\xb3\x2f\xd2\xc0\xb6\x2b\x47\xf2\x7e\x47\x85\xe7\x6d\x85\x62\xb4\xe4\x3e\xdc\x6d\x61\x0d\x2b\x97\xdd\x1a\x1e\xe6\x5b\xd1\xef\x89\xe0\x11\x0b\x14\xc2\x02\x5b\x04\xb8\xcf\x16\xf0\xc2\xc1\xab\x89\xad\x30\xbd\xbd\x8b\x98\x94\x27\x8b\x4b\xe8\xd0\x81\x55\xec\x0c\xd2\x0f\x54\x4f\x18\xa4\xf2\x6a\x98\x0d\xec\xac\x1c\xe2\x94\x21\x27\xd8\xd0\x35\x0d\xc4\xa9\xa3\x29\x30\xaf\x33\x53\x18\x22\x31\x9d\xd1\x39\xe2\x7c\xf7\x69\xd0\x68\x87\x96\x08\xc2\x51\x7d\x59\x96\x5f\xbf\xfe\x98\x79\xaf\xd4\x87\x87\x5a\xd2\x39\x58\x6b\xbe\xca\xd1\xb0\x0e\x13\x77\x20\x3a\xbe\x3f\xc5\x82\xfa\xaf\x4f\x9e\x08\xe5\x76\x58\x81\x22\x09\xb3\xa8\x65\x3b\xf3\x9e\x12\x6b\x79\x47\x4c\xed\x54\xb7\x4f\xd4\x77\xb0\x3a\x80\x90\x6e\x34\x6d\xfc\x7f\x5a\x86\x41\x0f\x6b\xbc\x64\xa7\xff\x88\xc3\x7a\xa1\xd1\x87\x13\x31\xad\x2a\x63\xfe\xce\xa9\xb4\x3d\x3f\xad\x06\x2d\xe7\x0d\xdd\x1c\x77\x3a\xe6\x25\x68\xff\x3b\xe8\x04\x58\x3d\x3a\x5a\x10\x79\x68\x13\xcd\x4b\x51\xf6\x7b\x09\x91\x0b\x42\x7e\xb9\x28\x04\xe7\xf2\x7a\xdc\xd8\xec\x9a\xfb\x24\xe3\x15\x1b\x48\xa3\x8c\xc5\x99\x27\x99\xdf\x37\xe5\xcf\x6a\xd5\x77\x94\x1a\xd7\xe2\xca\xf1\x56\x19\x23\x69\x27\x34\x2e\x87\xb5\xb2\x60\x47\x37\x16\xa9\xba\xd7\x0b\x39\x51\xf7\x26\x5c\x20\xc0\x00\x85\x26\x67\xfd\xe0\xc4\xb7\xf2\x7a\x32\xb7\xee\x13\x3c\xbc\x65\xba\x4d\xc3\x91\x0c\x23\x75\xe1\x95\xba\x76\x54\xe2\xd2\xd4\x5f\x91\x6e\x47\xf1\x07\x59\x5a\xdc\x63\x24\x78\x40\xdf\x4e\xca\xeb\x96\x40\xfb\x66\x19\x86\xad\xd0\xdd\x02\x79\x6d\x58\x10\xf5\x1c\x93\xfd\xcf\x89\x74\xda\x1f\x10\x14\xf2\xf4\xad\xb1\x6f\x04\xe7\x33\xb5\x3a\xc2\xe8\xb4\xa8\x53\xe9\x3a\x93\x5a\x73\x20\x28\xc8\xe3\xec\x12\x0f\xc5\x41\xe5\x12\x6f\x2d\x88\xdd\x4b\xbc\xa0\x6f\xa6\x10\x16\x34\x64\xcb\x17\xf4\x5e\x7a\x2b\xe0\xe5\x1d\x8e\x45\xe3\x7c\x50\x91\xd7\x62\xce\x5b\xfd\xb6\x93\x53\xba\xf
b\x95\x5c\x25\x54\x47\x02\xdc\xf7\xd1\x39\x4a\xac\x7a\x49\xa0\x78\x7f\xf1\x68\x74\x25\xa3\x75\x24\x9c\xa3\x78\xbc\x4f\x4a\xa2\x4a\xbc\xa2\x4a\x87\x1f\xd6\x74\x25\xb2\xf6\x60\x93\xb5\xb9\x87\x24\x99\xec\x85\xfa\xef\xfb\xf4\x3f\x0a\x4d\x3e\xfb\x5c\xea\xe7\x05\xa1\xa8\xe1\xf2\xbf\x79\xf5\x53\xc1\xc9\xf3\x8b\xd0\x9f\x93\xa8\x22\xbe\xb4\x54\x74\x4d\xd1\x17\x7e\xea\x67\xb7\xbd\x6c\x42\x1e\x58\x24\x62\x02\xab\x90\x2f\x79\xe0\x15\x5f\x1d\xe2\xbf\x22\x6f\x61\xbb\x39\xbf\xc2\xfb\xa3\x47\x9f\x25\xee\xa7\xf0\x1f\x70\xbc\x08\xa9\x8e\x88\x74\xe5\xd1\x38\x42\x83\xb9\x96\x07\xea\xa5\x2e\x89\x54\x90\xbd\xb2\x1c\x81\xcb\x3b\x37\x91\xc1\xde\xce\x0e\xbc\xe6\x7c\xc4\x5b\xcb\xa2\x99\xbb\x89\x2c\x9d\x19\x50\xbf\x33\x5e\x95\x4f\xd3\x03\xc6\x5e\x1a\xfe\xc4\x8a\x3d\x3e\x10\xa4\x04\x35\x2a\x13\x02\xef\xce\xbe\x12\x54\xeb\x2b\x25\xd6\xf4\x50\xb2\x6a\x3f\x1b\xd7\xf5\x77\xe5\x4c\x95\xe5\x66\x11\x74\xd3\x27\x82\xfe\x6b\x11\x99\x65\x42\xfe\x1b\x97\x51\x39\x62\x88\xd2\x7a\x47\xe3\xc9\x8d\x1c\xc3\xf3\xab\x55\x8b\xa3\xe8\x2a\x6c\x3e\xd4\x84\x0f\x4e\x3d\x79\x36\x95\x73\xc3\x75\x34\x07\x3e\x79\xad\xfd\x23\x23\x83\x2b\x65\xe7\xa6\xc4\x5b\x72\x57\x91\x38\xe2\x26\x29\x1d\x27\x00\xda\xc3\xa1\xcc\x91\x61\x40\xf5\x4c\xb2\x8b\x34\x70\x85\x61\x89\x81\x25\x44\x36\x6f\x75\x7c\x0a\x29\x4e\xe2\xb5\xbf\x6c\x30\x8a\xd4\xdf\x23\x0d\x5a\x74\x3b\x8c\xf7\xa1\xf6\x4a\x30\x61\x98\x3f\x22\x38\x50\x26\x2c\x75\x74\xae\x48\x0a\x02\xf6\x8c\x04\x3b\xa7\xaa\x82\x2f\xf6\x45\xd4\xe4\x48\x2c\x14\xcb\xb5\x8c\x15\xf6\x5c\x98\xd1\x69\x2f\x93\x9d\x0d\x95\x58\x50\x45\x42\x4a\xbe\x5e\x58\x65\x14\x77\xf9\x1d\x0c\x1d\xaf\xb3\xf3\x3a\xf9\xe6\x9b\x79\x4e\x13\xeb\x0c\x42\x9d\xe9\xb9\x2b\xbc\x5f\x92\x82\xa2\xe6\xc9\x11\x9f\x6f\xd8\x60\x3f\xe1\x1a\xf2\xd5\x16\xc9\xa7\xad\x38\xe3\x33\x7b\x96\x9c\x3d\x95\x93\xf0\xd4\xac\x95\xc4\x4e\x7f\x47\xe8\x10\xf6\x97\x0a\x1a\x6f\x18\xf2\x09\xfe\xdc\x35\x65\x6d\xc5\xc5\x36\xb0\x39\x6a\xed\xaf\x83\xca\x46\x65\x5e\xdc\xc4\x08\x8c\x6f\xcf\xfa\x68\x9a\x87\x83\x09\xc1\x76\x7b\x21\x87\xc9\xb5\xfa\x57\x5e\xfd\x80\xe
0\x57\x4a\x57\x76\x73\xb4\x5e\xda\xc8\xb1\xc9\x12\xce\x60\xcd\x18\x29\x0d\x31\x02\x5c\x80\xeb\xa3\xd9\x97\xe4\x79\x2b\xe2\x3a\x49\xc0\x09\x4e\xe2\x85\x48\xfa\x33\x27\x5e\x6c\x28\x0b\xb6\xe0\xa0\xaa\x8e\x79\x04\xc6\x41\xcb\xcb\x3d\x99\x49\x46\xf0\xe4\xc6\xd6\xb1\x91\xd3\x46\x53\x64\x79\x3a\x69\x7f\x2c\x25\xd1\x30\x92\x3c\x79\x9a\x3a\x8d\x71\x69\xa3\x7a\xc2\x9b\xdd\xfb\x76\x6d\x51\x30\xb5\xe4\xbd\x43\x97\x8a\xad\x35\x49\x05\x2c\xf6\xf5\x64\x76\x80\x52\x03\x23\x46\xae\xf8\xf5\x84\x4b\x97\x04\x84\x2c\x0f\x1f\xa7\xd2\x6c\x69\x71\x88\xc0\xe8\x64\x16\x58\xd6\xd2\x99\xa6\x1f\xf1\x40\xa4\xb9\x4f\x04\xf6\xec\x06\xff\xca\x6e\x57\x4b\xdd\x60\x03\x72\xed\x5d\x16\x6a\xee\xae\x4f\x24\xe1\xec\x3c\x21\x2f\x05\xaa\x85\x37\xf0\xab\x83\x1e\x47\x2f\x32\x16\x4a\x08\x87\xc6\xf4\xe4\x25\x32\x56\x5f\x05\x5a\x8c\xd4\x35\xe9\xcc\x91\x08\x96\x7e\x42\x2c\x6d\x0e\x74\x06\x33\xc9\x77\x84\x71\xef\xa8\xa4\x4a\xb5\x5a\x06\xbd\xb6\xb8\x17\xf8\xa6\xcc\x55\xd5\x2a\xce\x6e\xc4\x38\xad\x4f\xbe\xe7\xc6\x4e\x00\xfc\x65\xc7\x6a\x36\x16\xc3\x5f\xb7\x1b\xb6\x08\x4f\x44\xf8\x08\x3d\xff\x56\xd7\x71\xe1\xd3\x23\x58\x4b\x82\xf1\x05\xe0\xa2\x11\xce\xae\x9a\xfc\x0f\x5e\x61\xa2\x64\x94\x76\x44\x0c\xf6\x8d\x9a\xbf\xfb\x48\xde\xcd\x0e\x8d\x2e\xd1\x09\x07\xd3\x5e\x39\x0d\xaa\x1e\xef\x83\xda\xc8\xab\x44\xe2\xac\x58\x86\xf6\x23\x5f\x6b\xd7\xb6\x9f\xf3\xc0\x98\xb5\x58\x89\x49\x08\xd4\xcd\x28\x24\x7f\xb6\xec\x4b\xb5\xb1\x63\xf6\xb2\xee\xf3\x86\xe7\xce\x26\xde\x75\x9b\xd6\xe2\x4e\x46\xaa\x2b\x38\xf0\xa4\xe6\xa4\x78\x5a\xf1\x4b\xd6\x03\x5a\x32\x6c\x29\xaf\x21\x5a\x4c\x1c\x45\xae\x76\x7b\xd7\xe6\xdb\x1b\xae\x69\xbe\x04\x5e\xf0\xb1\xeb\x39\x34\xac\x5e\xbe\x3a\x4c\x1d\xd5\x9b\xb9\x60\x53\xbe\xeb\x55\x61\xb5\x21\xc4\x78\x52\xd9\xa2\xc6\x6c\xfa\xf8\x2c\x2a\x01\x6e\x5d\xe7\x29\xea\x0e\x0c\xe4\xf9\x80\x85\x79\x2b\x5e\x5a\x80\x2c\xd7\xfb\xac\x9e\xf3\x8e\x20\x3e\xbb\x36\x51\xf1\xb3\x0a\xf6\xea\x29\xfa\x17\x9f\x8b\x19\x26\x41\x60\x4b\xe0\x29\x29\xda\xff\xad\xd6\xc9\x7b\xa4\xcd\x56\x79\x0c\xc2\x43\xd0\x47\x0e\xb8\xc1\xae\x78\x12\xda\x6
6\x6b\x0b\x32\x9f\xb3\xf0\x4f\x78\xe2\x5a\xd1\x7b\x4b\x39\x78\x13\x82\xad\x93\x7e\x08\xad\x34\x48\xb6\x32\x38\x18\x5b\x98\x22\x42\x19\x0f\xd1\xe4\xad\x8f\xbb\xa5\x5d\x6a\xbf\x96\xe0\x16\xe1\xd9\x8d\x37\xd5\x1c\x2e\xe1\xe4\x1f\x54\xf8\xac\x7e\x03\x8e\x36\x16\xf5\x69\xd0\x24\x69\x0e\xa3\x03\xbe\xc6\x98\xbe\xb9\x8b\x9e\xa4\x9f\x6b\x87\xe3\xf7\x10\x49\x97\xa6\xad\x7d\x33\xdb\x8f\xb7\x9a\xda\x8c\x5f\x7f\x54\xee\x17\xf7\xb3\xd8\x6a\xa1\x53\x2b\x43\x9c\xd8\xde\x90\xb5\xfd\x7f\xc3\x32\x56\x80\x06\x1d\x93\x19\xd1\x83\x5e\x60\x3f\xaf\x79\x33\xbf\xd6\x0d\x73\x39\x65\xf0\xf2\x5a\xdf\x39\x45\x09\x2b\xb9\x9e\x95\x34\x66\x02\xfa\xf6\xaa\xbe\xb3\x3c\xbc\xa3\xb2\x19\xb4\xf8\xaf\xaf\xe8\x25\xc6\x62\x7c\x0c\x7b\x00\xc3\x38\x75\xb6\x9d\x01\xc0\x8b\x90\xe6\xfa\x64\xf0\x9b\x42\x93\x2e\x1c\xcc\x9b\x3d\xa3\x67\x71\x66\x7d\x5b\xb7\x53\x1a\x2a\xc1\x74\xbc\x41\x2d\xff\xad\x7c\x6f\x8f\xd4\xda\xd3\x30\xfb\x41\x5a\x97\xe8\x13\x6c\xd5\xc0\xbb\x7d\x00\xd2\xb2\xc9\x56\x93\x6c\x9f\x5f\x74\x7e\x3c\x9a\x36\x1d\x79\xd0\x48\xcb\x3f\x52\x8f\x18\x7f\x9b\xba\x5d\x78\xd7\x30\x9b\x1b\x25\x6f\xbb\x34\x9c\xd5\x29\x45\x54\x1a\x5a\x57\x80\x9f\x2d\x71\xa8\xe8\x05\x57\xb2\x3b\xe4\xfb\x31\xca\xdd\xc5\x95\x53\xb6\xbc\x0f\xaa\x16\x5e\x4a\xb1\xf8\x27\x9c\xa6\xe3\x07\xce\x79\x20\xc4\x3b\xdb\xad\xec\x04\xef\x8b\xe7\x0d\x57\xaf\x59\x8d\x1d\x8a\x89\x6a\x09\x52\xb2\x3c\xba\x46\x4e\x0e\x9b\x36\x25\xf9\x93\xdc\x12\xc8\xf7\x74\xe8\x7d\xa0\x51\xec\xa4\x9b\xd1\x4e\x4e\x2e\x27\x0c\xf7\x5d\xc8\x34\x3b\x2a\xd4\xb0\xa2\x17\x8c\xb5\x57\xc6\xd0\xeb\x1a\x0b\x23\xed\x92\x58\x0c\xe5\xad\xa7\x8c\x2b\xb1\x0d\xdd\x25\xd4\xbb\x14\x7d\x61\xa0\x0f\x5e\x1d\x1d\x5c\x88\x8d\x47\x42\x4c\x04\xde\x7d\x41\x38\x4e\x2c\x68\x8a\x57\x35\x8d\x05\x81\x4a\xd9\x17\x13\x5a\x80\xec\xcd\x1d\x1f\x14\x72\x42\xa5\xda\x4d\xad\x08\x38\x32\x2e\x9a\x2f\xa5\x31\xfb\xb6\xb0\x83\x2b\x67\x00\xf8\x72\x79\x84\x6c\xe2\x33\x16\x79\xb8\x2f\x04\xfe\x1b\xe1\xe8\xce\x9f\x61\x0b\x63\xff\x30\xad\x0b\x76\x97\x78\x17\x73\x9a\x29\x5c\x9e\xc9\xdc\xf1\x1f\x81\xa6\x76\x19\x40\x73\x04\xc
1\xd5\x94\xc5\x19\x6d\xb1\xbd\xeb\xfe\x03\xf2\x2a\xda\xac\x92\x53\xd7\x53\x96\x71\x38\xbc\x9d\x2c\xf4\x73\x54\x91\xd2\x74\x5c\x23\xe5\xd2\x29\xc7\x46\x27\xdd\x19\x1b\xc6\xc0\x38\x51\x39\x14\xdb\xdc\xfa\xcb\x8b\xcb\x28\x14\xdc\x52\x5e\xda\xd8\x89\x52\x09\x99\xfc\xe6\x44\x69\xc6\x06\x94\x40\x59\x61\x51\x84\x41\xc3\xe8\x44\x53\xaf\xa3\x49\x9e\x3a\x89\x83\xb5\x7f\x94\x59\x3e\x86\x64\x71\x9d\x5e\x65\x98\x42\x2b\xb8\xcb\xc5\x16\x20\xb2\x59\x41\x3b\xea\x16\x49\x0b\xbe\x6c\x9a\x72\xbf\x21\xf6\xb4\xd4\x99\x37\x1a\xd9\xfc\x82\x77\xdd\x3f\x2f\x75\x23\xcc\x5e\x6c\xee\xbf\x74\xfc\x39\x44\x13\x6b\x2d\x56\xda\xa2\x04\x03\x74\x31\x9a\x1c\x83\xc3\xbb\x0c\x96\x2d\x32\x1d\x80\x39\x17\x0b\x98\xb6\x04\xc8\xed\x42\xc5\x96\x31\x4a\x01\x13\x9c\x9d\x36\xcc\xd6\xf2\xcb\xd3\x11\x3b\x2c\x9d\x4e\x19\xf0\x86\x94\x46\x36\x10\xa3\x68\xf8\xac\x74\xf2\x97\x94\xf1\x45\x60\xe0\xa3\xd4\x81\xc6\x73\x41\x0a\xd9\x46\x65\x81\xaa\x2a\x33\x4f\xf3\x80\xa1\x00\xfb\x04\x9a\xd8\x19\x6e\xb4\x78\x4e\xa1\xbe\xdc\x13\x9a\x70\x54\xf1\x8a\x8d\x44\xbc\xa0\xa3\xd0\x12\x2f\x5d\xc3\xa1\xc4\xd2\x9b\xde\x35\xe3\x32\xbd\xf2\x8c\xb9\xb9\x85\x43\xad\x3e\x33\x14\x3a\xf8\x79\x03\xb5\x62\x4f\x62\x30\x55\x98\xde\x27\x58\x33\x20\x8e\xc8\x37\x06\x82\xad\x9f\x0f\x9a\xc6\x4c\x43\x90\x44\xa2\xde\x30\x33\x46\x87\x34\xf4\x92\x66\x13\x88\x59\x69\x5b\x60\xa6\xfb\x45\xd7\x94\xb8\x71\xc1\x9c\xbe\xdf\x59\xb7\x64\x45\x3b\x78\xcf\xea\xd4\xc5\x01\xb1\xf8\xc0\xff\x82\x7b\x70\x29\x73\x92\x69\x7a\xdb\x13\xce\xff\x2f\x13\x9b\xff\x3b\xa2\x38\x79\x8a\x07\xfe\x5f\x55\xa0\xef\x5b\x75\xcc\xb4\x98\xbb\x89\x43\xba\xb4\xa6\x71\xf1\x25\xfb\x06\xf2\xe5\x9f\x77\xfd\xb0\x2c\xb2\x3e\x86\x87\x56\x8d\xc0\xd5\xc4\x86\x09\x94\xa3\x7c\xca\xb3\x65\xd7\xa7\x08\x03\xc6\xa6\xf4\x8f\x5b\x3f\xf1\xcb\xdd\x51\xd8\x96\x1f\x97\x3c\x70\x33\x75\xd2\x52\xe6\xc5\xa0\xff\x13\x3b\x59\x72\x43\x13\xf9\x88\x84\x1b\xd6\x1e\xc2\x97\x67\xa4\x60\x8a\x5b\xc4\x5b\x10\x4e\x4f\xc9\x82\x61\xe4\x54\x0a\x10\x38\x2a\x49\x5d\x64\xdd\x5f\x6c\x03\x90\x66\xd9\xd3\x58\xef\xb1\x66\x71\x17\x8e\x88\x4f\x0
7\x0a\x07\xfd\x02\xa0\x0b\x63\xb7\xf5\x75\xf6\x42\xbf\x91\xee\xc3\xbb\x90\xdb\xa9\xa2\x1d\xf3\x17\x9c\xf1\x2e\xa9\x52\x5d\x09\x74\xd6\xfc\x44\xbf\x69\xfc\x54\xf8\xa5\xff\x98\x67\x06\x67\x8d\x7c\xe0\x6c\xce\x44\xdf\x29\x74\xb9\x66\xe6\x7a\xca\x31\x4e\x0b\x58\xac\xc4\x15\x54\xa4\x42\xef\x35\x87\xab\xba\xf1\x82\x95\xec\xa5\x9c\xa8\xa1\x0e\xdd\x3f\xbd\x1f\xac\x0b\x06\x01\x3d\xe5\xf7\x33\x37\x51\xc5\x7d\xeb\x4d\xae\xf9\xe4\xc5\x5e\x93\x74\x1e\xd1\xd2\xf7\xf9\x63\xcd\xed\xc6\xef\xdb\x5d\x8b\x14\xd7\xd6\x12\xe2\x61\x2f\x30\x96\x6f\x4e\x67\x60\xd1\xa4\x6f\xbe\xe5\x0d\xcc\xff\xc0\xb2\xe5\x17\x7b\x1c\x60\x27\xad\xae\xe0\x90\x75\xb6\x55\xcf\x85\xdd\xbb\x4e\x44\x83\xd5\xde\x7b\x38\xa9\x10\xf9\x96\x71\x1c\x05\x8c\x1b\x97\xe6\x21\x27\x48\xc8\xcc\x7d\xe8\xcf\x7a\x56\xaf\x75\xe2\x91\x86\x7c\x26\x88\xe9\x99\xc6\x55\x3d\x7a\xaf\x3d\x2f\x62\xc2\xf5\x3b\xf8\x8c\xf2\x04\x40\x07\xdb\xe9\x29\x85\x65\x31\xb0\xad\x6b\x48\xa6\x11\x8b\xf3\x5c\xce\x82\x7e\x5d\x0c\xd2\xa1\x9b\x3f\xc3\x73\x95\xe1\xce\xd2\x13\x7f\x0c\x72\x6f\x5c\xc9\x91\x33\x3a\x0f\x07\x94\xda\x0b\x6d\x75\x73\x74\x21\x7e\xae\xbc\xbb\x6d\x87\x43\x1f\x08\x9a\x57\x10\x2c\xa5\x37\x3b\x8d\x73\x0a\x92\x02\x60\x59\xc6\xa8\x80\x94\xe9\xc6\x29\xd8\x1e\xcc\xf8\x6b\x4e\x8f\x09\x1d\x32\x55\x63\xd1\xf4\x01\x6c\x97\x97\x2c\x58\x4b\xc7\x6d\x1f\xb4\xed\x94\xb7\x21\x34\x4d\x00\xcc\x67\x24\xf5\x64\x9d\xfe\xd8\x4d\xc5\x11\x58\x3e\x1a\x08\xa4\x3c\x24\x09\x93\x41\x72\xff\x3f\x0d\xfc\x93\x99\x6b\x84\x79\xc0\x50\xdc\x19\x30\x9a\xa9\x98\xf7\x09\xed\xa3\xb3\xcf\x80\x6b\xec\x71\x7e\x17\x18\xb8\xcc\x10\x06\x0b\x33\x5c\x46\xf1\x7c\x52\x2a\xc0\xbb\x69\x6f\xb4\x39\x3a\x94\x50\xbe\x5f\xa7\x55\xea\x0d\x71\xb3\x0a\x84\x31\x51\x5c\x44\x63\x90\x15\x4b\xc2\xa4\x95\x1b\x3f\x15\xf4\x19\xce\x20\xb0\x30\x2b\xd9\x00\x25\xd8\x3c\x47\xa0\x18\xf6\x88\x6a\xb1\xfb\xb7\x57\x7d\x5c\x06\x6b\xab\x23\xd8\x41\x89\xcc\xff\x63\x40\xa3\xca\x41\xdf\x5c\x6d\x99\x4b\x26\xb8\xfc\x34\xc6\x90\xdf\xb2\x29\xc8\x37\x60\x22\x4b\xdc\xe8\xe8\x67\xd1\xf5\xa0\x97\x73\x6d\x3f\x19\xd8\x22\x9f\x91\x4
3\xac\x03\x70\x93\xd4\xcc\x32\xab\x10\x4b\x58\x28\xf1\xcc\x84\x49\x5a\x68\xd7\x67\xb7\xfb\xd7\x25\xd4\x34\x71\x9a\x36\x01\xb5\xfb\x23\x36\x4a\x5e\x41\x51\xc6\xf9\x15\xce\x53\xf7\xde\xbb\xb9\xf1\x5b\x81\x1c\xb0\x2b\xb8\x73\x94\xff\xb6\x1e\x8b\x8a\xe5\x74\x9d\xc7\x43\x2b\x51\x6b\x8a\x62\x79\x90\x53\x7b\x9c\xdf\xd2\xa0\x94\x39\xb7\xdc\x04\x39\x97\xe0\xf5\x90\x36\xab\x34\x70\xaf\x1b\xc7\x67\x10\x11\xe5\xb4\x72\xe3\xf6\xad\x45\x6b\xa7\x06\xd5\x50\x66\x1c\xbc\xf6\x10\x7e\x9b\x7e\xe4\x9a\x82\x05\x2d\x90\x1b\xb7\x9f\xb1\x8d\x82\x21\x6a\xee\xfa\x2e\x76\x39\x0f\x80\x94\x3c\xc8\x56\xa0\x08\xc7\x25\x6b\x84\xd8\x85\x7f\xa6\x34\xad\x7d\xd4\x50\x13\x86\xbb\xab\xe2\x38\xa5\x8a\xec\xb7\x7a\x0d\xe5\xff\xaa\xa5\x63\xa1\x96\x8b\x72\xb9\x2b\xa5\x8d\x1a\x1e\xf6\xf9\xed\x04\x9f\xf3\x8b\x7f\xc3\x42\x27\x46\x16\x31\xfe\xc6\x53\xe7\x81\xf1\x57\xec\x73\x86\x36\x2b\x66\x77\x8a\xfc\x89\x82\xcd\xae\x50\xe1\x29\xf4\x32\x9b\xfe\x35\xcd\x9d\xa3\xd5\x75\x22\x04\xfa\x72\x75\xcc\xbc\x01\xab\xf8\x5c\x6c\xf3\xab\x9e\xab\xb2\xea\x7a\x1c\x77\x9e\x67\x3d\x0f\x95\x16\xb1\x85\x15\x4d\xc8\x3c\xc5\xf6\x93\x70\xe3\x14\x19\x8b\x7f\xa8\x3c\xe5\xc5\xc9\x1c\x2c\x50\xe5\x44\x89\xb3\xa6\x70\xa3\x30\xa4\xe4\x9f\xca\x51\x7c\x83\xa9\x53\x2c\xbc\x7e\xdc\x84\x0c\xd0\x10\xb3\x7e\xcc\x75\x37\x45\x30\x16\xed\x1a\xb4\x45\xe4\x5f\xc1\x23\x8b\x14\xe2\xf8\xf9\x31\x66\xcb\xf7\xd3\x8b\x85\x28\xba\xa0\xfa\xd3\xe9\xe7\x6f\x4b\x32\xee\xbb\x60\x52\x68\x81\x62\x0b\xca\x5b\x11\xac\x06\x3d\xbe\x21\x69\xe5\x43\x78\x43\xf6\xd2\xd4\x86\x85\x5a\xd5\xf1\x92\xb2\x68\xb2\xf3\xeb\x25\xde\xea\xbd\x2d\xe8\x9c\x48\xba\x28\xf1\xee\x2c\x84\x65\x86\x56\xc3\x37\x33\x9b\x53\xac\xf9\x88\xba\xf2\x9a\xc5\xc9\x19\x9e\xc7\x91\x2b\x28\x94\x09\x34\xbc\x02\xb1\x31\xd1\x46\x13\x54\x62\x6b\x69\x08\x35\xba\x09\xab\xaf\xa0\xca\x7f\x51\x55\x79\xe5\x33\xc4\xbb\xfd\xa2\xbc\x9f\x2f\xae\xdd\x35\x38\xce\x8c\x1e\x36\x06\xea\x98\x39\x5e\x0f\xf8\x84\x92\x04\x5f\x47\xcc\xa8\x5f\x4a\xf1\x6f\x95\x0a\xbb\xf3\xf2\x22\x9d\xe5\x8e\xa2\xb4\x56\x92\xd4\xba\x84\x3e\x70\xe5\xae\xed\x2
9\xf6\x88\x07\x13\x8a\xaf\x5c\x99\x4b\x30\xd4\x73\x11\xeb\xb9\x69\x10\x76\x77\xdc\xf0\x07\xf6\x4d\x0b\x32\xc3\x60\x0c\xd3\x2b\xd4\x2c\xa6\x9e\xe4\x6d\x78\x6c\xf0\xcf\x94\x96\xbc\x51\x60\x2c\x98\x9f\xc5\x4f\x76\xc4\xd3\x83\xce\x41\x4a\xf4\x5f\xc9\x48\xe5\xb9\x71\xe3\x02\x0a\xf4\x47\xc5\x89\xb0\x99\x56\xc9\x03\x3d\x09\x04\xd6\x44\x5d\x7e\x9f\xff\x7c\x90\x39\x39\xf7\x9c\x2d\x4c\x30\xb6", 4096); *(uint64_t*)0x200000004ad0 = 0x200000004a40; memcpy((void*)0x200000004a40, "\x88\x4f\x38\x13\x09\x89\x6a\x88\x17\x38\x89\x99\x4e\x74\xc6\x06\x94\xf7\xba\xa4\x5b\xe0\x88\xe5\x9b\xc3\xe9\x39\x72\x82\x57\xe8\xd2\xdb\x71", 35); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[10] = *(uint32_t*)0x200000004a88; break; case 20: *(uint32_t*)0x200000004d40 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000004c40ul, /*optlen=*/0x200000004d40ul); if (res != -1) r[11] = *(uint32_t*)0x200000004c74; break; case 21: *(uint32_t*)0x200000004e00 = 7; *(uint32_t*)0x200000004e04 = 0xee00; *(uint32_t*)0x200000004e08 = -1; *(uint32_t*)0x200000004e0c = 8; *(uint32_t*)0x200000004e10 = 0x80; *(uint32_t*)0x200000004e14 = 5; *(uint16_t*)0x200000004e18 = 0xfffc; *(uint32_t*)0x200000004e1c = 1; *(uint64_t*)0x200000004e20 = 7; *(uint64_t*)0x200000004e28 = 5; *(uint64_t*)0x200000004e30 = 0xbed1; *(uint32_t*)0x200000004e38 = r[5]; *(uint32_t*)0x200000004e3c = r[7]; *(uint16_t*)0x200000004e40 = 1; *(uint16_t*)0x200000004e42 = 0; *(uint64_t*)0x200000004e48 = 0x200000004d80; *(uint64_t*)0x200000004e50 = 0x200000004dc0; memcpy((void*)0x200000004dc0, "\x05\xc9\x21\x56\x87\xa3\xff\x17\x47\xca\xe5\xc1\x8c\xb1\x86\xed\x5c\x62\x98\x43\x37\xf9\x0f\x0a\xb5\x94\x8e\x21\xc6\x3d\x16\x86\xf1\xda\x14\x59\xa8\x97\x18\xa9\xf8\x49\x30\xb8\x92\xc2\xad\x4d\xe6\x1f\x71\x4a\xb8", 53); res = syscall(__NR_shmctl, /*shmid=*/5, /*cmd=*/2, /*buf=*/0x200000004e00ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004e04; r[13] = 
*(uint32_t*)0x200000004e08; } break; case 22: *(uint32_t*)0x200000004f00 = 7; *(uint32_t*)0x200000004f04 = -1; *(uint32_t*)0x200000004f08 = -1; *(uint32_t*)0x200000004f0c = 1; *(uint32_t*)0x200000004f10 = 0; *(uint32_t*)0x200000004f14 = 0x98; *(uint16_t*)0x200000004f18 = 4; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 6; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 5; *(uint64_t*)0x200000004f30 = 0xc; *(uint64_t*)0x200000004f38 = 0x1ff800000; *(uint64_t*)0x200000004f40 = 8; *(uint64_t*)0x200000004f48 = 0x7f; *(uint64_t*)0x200000004f50 = 3; *(uint16_t*)0x200000004f58 = 0x101; *(uint16_t*)0x200000004f5a = 8; *(uint16_t*)0x200000004f5c = 0x1000; *(uint32_t*)0x200000004f60 = r[5]; *(uint32_t*)0x200000004f64 = r[8]; res = syscall(__NR_msgctl, /*msqid=*/4, /*cmd=*/0ul, /*buf=*/0x200000004f00ul); if (res != -1) { r[14] = *(uint32_t*)0x200000004f04; r[15] = *(uint32_t*)0x200000004f60; } break; case 23: *(uint32_t*)0x200000005080 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000004f80ul, /*optlen=*/0x200000005080ul); if (res != -1) r[16] = *(uint32_t*)0x200000004fb4; break; case 24: *(uint32_t*)0x2000000052c0 = 8; *(uint32_t*)0x2000000052c4 = 0; *(uint32_t*)0x2000000052c8 = 0; *(uint32_t*)0x2000000052cc = 0x7f; *(uint32_t*)0x2000000052d0 = 5; *(uint32_t*)0x2000000052d4 = 0x80000001; *(uint16_t*)0x2000000052d8 = 0x43; *(uint32_t*)0x2000000052dc = 7; *(uint64_t*)0x2000000052e0 = 2; *(uint64_t*)0x2000000052e8 = 0; *(uint64_t*)0x2000000052f0 = -1; *(uint32_t*)0x2000000052f8 = 0xf; *(uint32_t*)0x2000000052fc = r[7]; *(uint16_t*)0x200000005300 = 2; *(uint16_t*)0x200000005302 = 0; *(uint64_t*)0x200000005308 = 0x2000000050c0; memcpy((void*)0x2000000050c0, 
"\xbc\xc4\xb5\xd8\x6e\x91\xb0\x2b\x73\xe1\x6c\x46\x65\xdc\x30\x88\xf7\xcc\x98\x26\xda\x78\x07\xf9\xa8\x30\x0d\x9d\x89\x80\xde\x67\xa1\xa2\xa1\x53\xe9\x54\x66\xe7\x6d\x2c\x38\xc4\x15\x58\xc0\x8e\xfe\x37\xee\x81\xd9\x90\x46\x74\xce\xd8\x6d\xda\x9b\x2b\x6c\xc7\xc9\x7b\x19\x97\x58\xbe\xf8\xd9\x2d\xd2\x0e\x0e\x69\x86\x4d\x6f\xcd\x03\xa8\x0c\xa0\x12\x01\x9c\xf4\x1e\x51\x66\x47\x50\x38\xfc\xd3\x60\x33\x84\x36\xe7\x82\x7e\xf7\x30\x46\x91\x87\xe6\xa4\x95\xf5\xbf\x01\x8e\xe7\xca\xa7\x1c\x80\x4a\x38\x67\x56\xc3\x24\x2b\x30\xec\xa0\xb8\x41\x16\x6d\x78\x39\xe9\x4a\x56\x39\xd0\x8f\xbc\x06\xda\xc1\xf8\x61\x49\x44\x56\xd8\xd1\x53\xde\x7f\xc3\x03\x87\xd4\x52\x30\x4e\x7c\x30\x69\xbb\xfb\x42\x43\x91\xd0\x4f\xab\x12\x03\x7c\x6d\x6a\xe6\x02\x5d\xf8\x69\xfa\x3a\x45\xe0\x31\x48\xc2\xdd\x05\x2c", 195); *(uint64_t*)0x200000005310 = 0x2000000051c0; memcpy((void*)0x2000000051c0, "\x0b\x7d\x67\x85\x2a\x6f\x3d\x89\x68\xf4\x76\xad\xad\x16\x72\xe6\xdc\xfc\xeb\xe8\xe6\x24\x9d\x8c\xc7\x2d\x1a\x05\xc2\x8a\xcd\x3d\xed\xa6\x43\x14\x81\xc8\x8e\xe1\xc2\xc0\x99\x44\xee\x73\x33\xd9\xd1\x6b\x3f\x9b\xd1\x86\xbe\x36\x21\x0e\x7e\x52\xfd\xac\x24\x09\x97\x73\xc0\x7a\xf6\xf1\xa9\x40\xe4\xba\xec\x3a\xda\x47\x66\xe3\x80\x14\xad\x52\x7a\x5d\xf7\x7c\x90\x61\xc5\xa4\xca\xcc\xc4\x8b\xcf\x15\x62\x20\x7f\x8d\xb0\x4d\x60\x8a\x82\x3c\x71\x97\x9b\xda\xf7\x02\xb9\xa6\xec\x8f\x62\xf2\x3d\x31\x6b\x69\xa8\xe4\x0f\x1c\xd7\x92\x58\x5f\x34\xd8\xff\x6c\x70\x56\x41\xdb\xc0\x9a\x02\x45\xef\xad\x32\x6c\xa8\x4d\x8c\xa3\x9d\x29\xcc\x33\xa4\xa3\xfb\xe7\x6c\x24\x0d\x05\x5e\x26\x1e\x16\xd6\xbb\x5d\x9c\x23\x1f\xe3\xc9\xe8\x4f\xe5\x95\x65\xbe\xfc\x53\xfe\x9d\x11\x9e\xb5\x0c\xe0\x4e\x6e\x3c\x1d\xf2\x16\xae\x69\xc3\x13\xd8\x0b\xb6\xa7\x7e\x21\x9b\x94\x51\x65\x72\xee\xaa\x39\x8b\xfe\xa6\x49\x33\x5a\xe8\x11\x4c\xb0\x57\x42\x36\xf4\x61\x31\x67\xd9\x75\x8b\x53\xb6\x6c\xb6\xba\x75\xd7\x5a\xf9\x2f\x3c\x6e\x63\x8b\x82", 250); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/5, /*buf=*/0x2000000052c0ul); if (res != -1) { r[17] = 
*(uint32_t*)0x2000000052c4; r[18] = *(uint32_t*)0x2000000052c8; } break; case 25: memcpy((void*)0x200000005340, "./file0\000", 8); *(uint64_t*)0x200000005380 = 0x355; *(uint64_t*)0x200000005388 = 0x100000001; *(uint64_t*)0x200000005390 = 5; *(uint32_t*)0x200000005398 = 7; *(uint32_t*)0x20000000539c = -1; *(uint32_t*)0x2000000053a0 = 0xee01; *(uint32_t*)0x2000000053a4 = 0; *(uint64_t*)0x2000000053a8 = 7; *(uint64_t*)0x2000000053b0 = 2; *(uint64_t*)0x2000000053b8 = 2; *(uint64_t*)0x2000000053c0 = 6; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000053d0 = 7; *(uint64_t*)0x2000000053d8 = 4; *(uint64_t*)0x2000000053e0 = 0xfff; *(uint64_t*)0x2000000053e8 = 0x17b; *(uint64_t*)0x2000000053f0 = 0xffffffffffff27a1; memset((void*)0x2000000053f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000005340ul, /*statbuf=*/0x200000005380ul); if (res != -1) r[19] = *(uint32_t*)0x2000000053a0; break; case 26: *(uint32_t*)0x200000006480 = 7; *(uint32_t*)0x200000006484 = 0xee00; *(uint32_t*)0x200000006488 = 0; *(uint32_t*)0x20000000648c = 0; *(uint32_t*)0x200000006490 = 7; *(uint32_t*)0x200000006494 = 8; *(uint16_t*)0x200000006498 = 0x3ff; *(uint32_t*)0x20000000649c = 0x10; *(uint64_t*)0x2000000064a0 = 2; *(uint64_t*)0x2000000064a8 = 8; *(uint64_t*)0x2000000064b0 = 0x7fffffff; *(uint32_t*)0x2000000064b8 = r[8]; *(uint32_t*)0x2000000064bc = 0xffff; *(uint16_t*)0x2000000064c0 = -1; *(uint16_t*)0x2000000064c2 = 0; *(uint64_t*)0x2000000064c8 = 0x200000005440; memcpy((void*)0x200000005440, 
"\x4c\xf7\x7c\x89\xa8\xa3\x6d\x9b\x71\xd1\x6c\x43\xca\x99\xca\xec\x65\x90\x56\x4d\x89\x51\x86\x4c\xcc\xc3\x48\x10\x2a\x77\x79\xcd\x97\xd9\x51\x00\x3a\xe8\x76\xa9\xa0\x30\x1c\x11\x86\x7f\xf6\x43\x2c\x9c\x54\xbd\x04\xee\x43\x3f\xce\x5f\x5d\xb9\xeb\x71\xb7\x62\x21\xd2\x84\xc7\x8d\xc7\xdb\x27\x84\x0c\xa0\xb1\xe9\xa5\xa1\x19\xf0\xd7\x4f\xf6\x48\x5b\x52\xa9\x86\xa6\x71\x7f\x3c\xfd\x72\x6d\x0a\x6a\x03\x8b\xed\x21\x89\x34\x4a\x3d\x14\xc2\xf1\x19\xbf\x2e\x54\x3f\xe4\xe7\x16\xbc\x4c\x5b\xec\x83\x76\x7d\xa2\xf9\x7d\x1c\xce\x4b\x26\x96\xbc\x5f\x99\x89\xfd\x42\xdc\x97\xa0\xc1\x6c\xdc\x2f\xa9\x67\xad\xaa\xa2\xba\xc7\x30\xe2\xcb\xda\x74\x4d\xc3\x12\x1e\x3f\x01\x5b\x66\xea\xe8\x91\x56\xb2\x62\x63\x9f\x95\xbb\x01\x4a\xba\x78\xbf\x2a\x48\x01\x49\x9b\xf3\x82\x68\xd7\x7d\x99\x49\x4a\xef\x48\x6b\x9b\x38\x8a\x1e\xba\xcb\x4b\x77\x1a\x52\xbf\xa2\x99\x90\xe9\x36\x18\xaf\x03\x76\x2f\x95\x3e\x34\x80\xfe\x01\xdd\xe9\x2c\xa7\x83\x5c\xcd\x5e\x88\x64\xdb\xc9\x10\x0d\x25\xc4\xfa\x63\x2c\x9f\xeb\xdd\xfd\xb1\xe7\x7f\x1b\xcd\x76\x79\xea\x46\x89\xd2\xc8\x50\x4e\x50\xaf\x69\x52\xc8\x89\xd3\x28\xc1\x2c\x66\xc9\x0d\x8e\xad\x36\x92\x70\xd9\x4e\x5a\xa3\x42\xfb\x23\x87\xdc\x7c\xfe\x6e\xde\x70\x54\x64\x98\x5f\x30\x1f\xeb\x34\xb0\x02\xcc\xef\xb8\x0f\xde\x10\xd9\xfc\x1c\xb3\x9b\x5f\x87\x75\x24\x98\x6d\xd1\x24\x47\xa7\xc9\x6f\x63\x50\x7c\xb4\xd8\x80\x68\xed\xfd\x77\x48\xfb\x2b\x66\x7a\xe1\xae\xdb\xb4\x16\x37\x75\x74\xd7\x0a\x3f\x6d\xe4\x6e\x4a\x3e\x5c\x14\x9a\x64\xa4\x36\x46\x66\xbd\x99\xfd\xb0\xe4\x13\xa1\x33\x5b\xa9\x32\x57\x5d\x1e\x92\x28\x50\x8d\x61\x4b\x66\x3a\xb1\x7a\xcb\x21\xb2\xac\x4d\x36\x18\xa6\x59\x43\x80\x4d\x5b\xa5\x2c\xbb\x04\x3a\x96\x19\x86\x12\x02\xb5\x05\x14\x0e\x48\x44\xb8\xce\xb6\xfa\xf5\x02\x42\x23\xd9\x63\x6c\xb0\xbe\x38\x4a\x4c\xc1\xdd\x3d\x4f\x35\x76\x29\x52\x1a\x07\x69\x84\x18\xdd\x1a\x97\xc3\x94\x17\x19\x6f\x86\x1a\xfb\x05\xbd\x70\x2f\x4c\xcd\xc3\xd4\x4b\x5a\x41\x93\x37\x8b\x93\x6f\x53\xc5\xc4\xb0\x9c\x98\x58\xbe\x95\xe3\x49\xba\xeb\x7e\xb4\xda\x30\x94\x00\xa4\xdb\xb0\x8a\x24\xd0\xbb\x3
7\x72\xbe\xe7\xa3\x87\x3c\xf8\xd7\x6e\x06\xdf\x6f\x7c\xe5\x91\xf4\x0b\xdc\x84\x9e\xa0\x4c\xad\xe8\x86\xf0\x75\xe1\x45\x8f\x02\x1f\x1b\x73\x0b\x0c\xb5\xc3\x28\xb9\x11\x41\x2a\xee\x96\x16\xab\x5f\xdc\x83\x1e\x34\xce\xa6\x9d\xe1\xa4\x08\x06\xaa\xfd\x4e\x64\xd3\xcd\x70\xc1\xa6\xc6\xf6\x36\xd3\xbb\x94\xc9\x95\x97\x7c\x59\x4f\x0f\x4e\x90\xd7\xae\xc4\x3f\xec\x4c\x8a\xa7\x07\xd0\x0d\xfa\x26\xff\x9d\xb8\xa4\x5e\x6a\xc6\x5b\x5e\x5c\xea\xc4\x3f\x78\xb5\x0f\x1e\x4f\x49\x4c\x85\x82\x7b\x3f\x0e\xa1\xf7\xa4\xfe\x3b\xbb\xd3\x90\xe3\x61\x66\x28\xed\x47\x70\xdd\x36\x66\x94\x89\x35\x13\xdc\x1c\xd2\x52\xd3\x88\x7a\x2f\x19\xa8\x46\xd1\x8e\xe7\xba\xf8\xb5\x68\x0e\x61\x80\x0b\xaa\xf0\x04\x18\x10\xa5\xa2\x1f\xe0\x6c\xba\x83\xe0\x62\x1b\x26\x26\xc3\xec\x5b\xa6\x2d\xfe\x1f\x94\xae\x16\x11\x4c\x9f\x89\xe8\x94\x58\xa0\x69\x22\x2b\x43\xb4\x50\x4d\xca\x5f\xd9\x69\xc0\x66\x66\xdc\xf9\x82\x43\x46\x31\x59\x7b\xab\xaa\xd4\x65\xcb\x73\x9e\x72\x83\x5f\x69\xad\x69\x9b\x0e\xfb\xe2\x16\xa1\x2c\xc1\x88\xd5\x4b\xeb\x66\x86\x1c\x78\xc8\x02\x25\x43\x8d\xeb\x75\xb3\xaf\x96\xa6\x0a\x08\x4e\x68\xed\xce\xca\x25\x2c\x22\x22\x5b\x4f\x3e\x56\xe9\x9f\x97\x6c\x2a\x08\x2a\x29\xf4\xa5\xbc\x3d\x0c\x25\x1f\x91\x22\xb5\x84\x66\x1f\x39\xbf\xd1\x8d\xfb\x9d\x57\xa5\x91\xc6\xd7\x01\x3b\x42\x0b\xd1\xe4\xc4\x7e\x80\x4c\xc4\x0e\xdf\xfa\x4d\xc9\x0c\xda\x1d\xe0\xa6\xe5\xf0\xd7\xa4\xd1\xc0\xa0\x2b\xf9\x25\x82\x90\x06\x43\xf9\x7f\x8f\x2c\xc1\x37\x68\x37\x4c\xc1\x36\x10\xf2\x7c\x3a\xb9\xd6\x93\x14\x79\xd0\x21\x5c\x4a\xd6\x69\xef\x80\x2e\x32\x92\x87\x88\xc5\x25\xf7\x52\xed\xae\x47\x7f\xf8\x9e\xa3\xf0\xc8\x7d\x9e\xc7\xeb\x1e\xf5\x12\xdc\xab\x10\x37\x28\x42\x91\x86\x13\x22\xf8\x72\xaa\x26\x1f\xa4\x67\x46\xed\xd8\x39\x85\xee\x32\x0f\xef\x53\xb1\x15\x18\xf5\xd5\x8f\x84\x68\x19\xb8\x8b\x16\x58\x8c\x13\xdd\x01\x90\x58\xa1\xce\x86\x5b\x4e\x68\x5e\x94\x78\x53\x9b\x9b\x9a\xf6\x9a\x13\x12\x6d\x6a\xd3\x0b\x2b\xac\xb1\x44\xc0\x2f\xfb\x15\x39\x66\xd2\x0f\x56\x56\x84\xa8\x74\x91\x31\xc7\xde\xf8\x8f\x2c\x87\xe4\x8e\xac\x6c\x0a\xf5\x76\xcc\x86\x11\x1
8\xa9\xb7\x18\xdc\xa2\xea\xfb\xc5\x41\x3b\xb6\xe7\x51\x37\x46\x47\x9b\xd8\x01\xf0\x7b\x94\x65\xbd\x80\xd0\xdc\x3d\x83\xee\xb7\xd6\x88\xf9\x13\xbb\xc7\x87\xb2\x3a\x90\xa8\x63\x7c\x57\x98\x84\xa1\x58\x5d\x53\x23\xb0\x4a\x44\x9f\xee\xbd\x0c\xbe\x2b\xc3\x27\x21\x24\x4e\x92\xe5\xd0\x33\xe2\x0d\x0b\x2c\xcf\x8e\xd5\xe2\x39\x00\x19\x9d\xc5\xec\xde\xa4\x29\xa2\x59\x61\xc9\x07\xaf\x8d\x93\xd5\x7d\x5d\x0d\x7f\xf9\x90\x31\x0a\xc0\x92\xdc\x44\x7e\x88\xcf\x81\x61\x7b\x67\x75\x4a\xd8\xee\x0b\x12\x53\x2c\x73\x13\xd1\x5f\xd6\x5c\x9f\x65\xc0\xa9\x4b\x75\x5a\x09\xd2\x40\x78\xbd\xe2\x75\xa4\x44\x57\xec\xa4\xc8\xb2\xb3\xbc\x0d\xfd\x4c\x8a\xcb\x9d\x2c\x6c\x4a\x8d\xaa\x22\xa6\xcd\x96\x1b\x44\x76\xb0\x78\x80\xf8\xcf\x09\x88\xbc\xe7\xdd\x8d\x3c\x3f\xbd\x9c\xfd\xb6\x56\x3b\x68\x10\x34\xb2\x72\xfb\x3c\xde\x59\x1d\xe8\x03\xd0\xb6\x84\x05\xd2\x5d\xea\x80\x1e\xe8\x71\x3a\xeb\x54\x98\x19\x83\x95\x79\x9d\xb2\xab\x19\xfb\xce\xdb\xaa\x3c\xed\x3e\x12\x4d\x29\x3d\x63\xee\x8c\x12\xd9\x31\x07\x9f\xd9\x4c\xa0\xfb\x5c\x45\x69\x32\xa0\x7a\xc6\x65\xb9\x41\x0d\x12\x37\x73\x58\x72\x76\x67\x64\xc0\x5e\x85\x2e\x06\x1d\xc3\x99\xbb\x31\xed\x48\x8d\x1b\xa5\xae\xf5\x3a\xc7\xb4\x53\x6c\x6e\x5f\xc4\x5c\x96\xa9\x93\x85\x51\x2f\xe6\xee\x8a\x22\x78\xa0\x6b\xe1\x9a\x7c\xdd\xf3\xca\x67\x8b\xdd\x73\xc2\x55\xc1\x59\xea\x07\x35\x57\xd6\x66\xf6\x7b\x9d\x1b\x99\x68\xe0\x23\xf6\x36\xc6\x93\xa8\xad\xfc\x92\x3a\xcf\xf1\x08\xed\x43\x70\xbb\x96\x6b\x0f\x4c\x05\x03\x4b\x08\x57\x6c\x2b\xc8\x9c\xee\xb5\x7c\x63\x3d\x2a\x7c\x87\x66\x5b\xe7\xe7\x5f\xfb\x30\xed\xb5\xfe\x9f\xcd\xc7\x25\x6a\x01\x12\xd4\x9f\x52\x03\x18\x00\xb7\x0f\x69\x80\x38\xf0\xf1\xf8\x12\x23\xcb\xe0\xe3\x0b\x47\xe8\x05\x70\x97\x1d\x4f\xa8\x4d\xa5\x80\x99\xf8\x75\xac\x76\x32\x3c\x5a\xc2\x5b\x69\xc5\xea\xf6\x78\x25\xab\x8a\xc9\x8c\xbd\x6d\xc0\x16\x37\x51\xa4\x7a\x1e\x52\x99\x8e\x00\xe0\x5c\x1c\x69\x01\xf5\x04\x34\x03\x18\x72\x79\x02\xb1\xed\x2b\xd2\xcf\xf2\xd2\xed\x09\x60\x1a\x8c\xed\xf4\x52\x8c\x1c\x13\xa6\x70\x37\x5f\xe3\xa6\x85\xc7\xcb\x14\x72\x3b\x55\x9c\xe2\x78\x6c\xa
2\x95\x5a\xe3\x51\xef\xf8\x39\x75\x8c\x31\x1e\x99\xed\x53\xff\x12\x83\x72\xbf\x9f\xc3\x8c\x57\x0b\xd9\x00\xb4\x97\xc9\x31\x61\xc3\x4d\x8b\x4e\x48\x06\xeb\xcc\xda\x16\x11\x44\x5e\xa9\xd6\x76\xbd\xc1\x46\xea\x5b\xa1\x00\xfc\x5d\x99\x5b\x2c\xa6\x07\x09\xfa\xbb\xf6\xaa\xbb\x01\xef\x24\x3a\x12\x9a\x3c\x67\x38\xcf\x66\xf6\xd3\xe3\xb0\x03\x20\xbe\x0f\x85\xe7\x54\x87\x89\x37\xe3\x97\x62\xde\xbb\xf5\xa3\xe7\xa8\x11\x10\x35\x66\x34\x0f\xdf\x7d\xac\x84\x50\xe6\x8e\xff\x10\x2c\xbf\xd4\x95\xa8\x01\xde\x06\xe7\x4d\xf5\x7f\xe0\x6e\x15\xed\xfb\xa4\xda\x71\xa4\x33\x39\xc5\x24\x8f\x42\x2e\xe2\x9a\x22\xef\xa4\x93\x69\x0d\x97\x24\x6e\x20\x83\xbe\x24\xc2\x1e\xe4\xf2\xf1\xd6\x0d\x75\x3b\x2d\xa7\x5a\x15\x40\x8a\xf7\xf4\xff\xc3\xf1\x16\x73\xb8\x93\x45\x79\x57\x50\xc2\xea\x6b\x6c\x78\x9c\x9e\x4e\xd0\x93\x05\x61\x71\xe9\xfd\x9a\x67\x54\x86\xa4\xa5\x1a\xfa\x96\x7e\x00\x9c\x5a\xb5\xda\x74\xfb\x7f\xcd\x00\x04\x4a\xb9\x4b\x28\x7b\x54\x21\x78\x48\xd4\x78\x48\xd6\xa1\x16\xae\xd4\x1d\x45\x4c\xdc\xbf\x4a\xd8\xd8\x6e\x62\x99\x97\xe3\x08\xb8\x6e\x23\xea\x1b\xf1\xa4\xd2\x52\x96\xb1\x9f\xa7\x9f\x2a\x8c\x9b\x13\x70\x2b\x76\x28\xc8\x9f\x71\xba\x6d\x5c\x3a\xa6\x56\xd4\x31\x8c\x4e\xc3\x30\x5b\x9d\x7a\xe2\x93\x74\xe9\x35\x67\x09\xc4\x6d\x40\x1c\x6b\x74\x51\x18\xbc\x70\xd1\xac\x74\xfb\xc5\x7d\x92\x48\xb1\xa9\x15\xde\x03\xdf\x36\x7a\x9a\x10\x44\x75\x27\x75\xe3\xb3\x36\xa9\x35\xbc\x08\x2a\x2c\x88\x29\x9f\xad\x16\x99\x3f\x6e\x3f\x43\x73\xde\x0c\x48\x8a\xf1\xaf\x00\xad\xb9\x40\xcb\x45\xf5\xcf\xd5\x37\x2d\x6c\x0a\x4c\x69\x6f\x96\x63\x6d\x52\xd2\x79\x39\xde\x72\x99\x74\xa9\xa5\xbe\x21\xf9\x9b\x49\xfc\x6d\x4c\x65\xac\xa9\x8c\x28\x74\xf3\x67\x1d\xe2\x92\x64\x94\x1c\xd4\xa4\xa6\xbe\x0b\x20\x21\xac\x02\xad\xcd\x17\x56\xbf\xcf\xf1\x0e\x76\x55\xdb\x95\x8b\xb9\x99\x81\x0d\x8b\x3f\xee\x98\x32\x64\x6d\xed\xbe\xee\x86\x89\x2e\xce\xb4\xfa\x04\xb7\x28\x4f\xdc\xe5\x66\x9d\xc7\xee\xb7\x75\xd0\x09\xca\x17\x6d\x82\xbb\xdd\xd4\x26\x27\x16\xef\xbb\xe1\x8c\x8c\x79\xf6\xc7\x6c\xb5\x9b\xfa\x82\xa1\x9a\x66\x81\xe0\xd5\xa4\x9d\xbd\x64\x2
9\x33\x64\x8a\xf8\x81\xc5\x69\x40\xe8\xc5\xe1\x8f\xb8\x28\x8c\x35\xe1\x30\xe1\xf6\x28\x17\xaf\x3f\x18\x7d\x00\x2d\x1b\x9a\x1d\x58\x4b\x66\x2e\xbc\x5c\x9c\x95\x20\xc4\xd5\x16\x64\x9f\x2d\x99\x36\x3e\xff\xf1\x16\x34\x8c\xae\xd4\x35\x56\xb5\x8e\xa9\xb7\xc4\x25\x5f\xd2\x7e\xfb\x05\xed\xec\xe7\x55\x35\x96\x3d\x32\xef\x59\x7e\xb1\x33\x49\x5d\xc6\xff\x01\x17\xd9\x23\x02\x7f\x10\x8d\xbc\x64\xcb\xaa\x4b\xed\xd5\x65\xe0\x57\xa0\xe2\x86\x49\x90\x8d\x87\xab\x01\x64\xa1\x15\x5a\xbe\x46\x03\xec\x3f\x81\xc3\xb5\x32\x7e\xd0\xd5\xe1\xfc\x89\x01\x62\x51\x0a\xfc\xa7\xb9\x1d\x61\x85\x75\x73\xf6\x18\x43\x86\xa7\xa7\xcb\xfb\xa8\xef\xf7\x9f\xb8\x83\xd0\x4a\xa6\xbb\x7f\x93\xf7\x76\xa3\x75\x56\x5f\x67\xa0\x37\xe4\x75\xe2\x8b\x57\xf4\x2c\xa0\xfc\x54\xa3\x0b\x9d\x91\xee\xd1\x24\xcd\xc1\xbc\x53\xfe\xaa\x47\x58\x28\xf2\x0d\xb8\xba\x50\x81\x5c\x81\x2a\x1e\x9c\x74\x54\xcd\x41\x44\xeb\x9a\x42\x3e\x6d\x17\x2e\xde\xe0\xba\xd9\x4c\xd1\x50\xbb\xeb\x4d\xea\xbc\x6e\x98\xe3\xe5\xf7\xc6\xbb\x47\xf3\x5f\x11\x0e\xec\x4b\xa6\x32\xe9\xc4\x26\xaf\x69\x9a\x5b\xd6\xc2\x33\x1e\xf0\xc1\x1d\x24\xa5\xa3\xf3\x88\x8f\xae\x3a\x36\xa8\x9f\xb8\xa0\xdb\xdb\xa9\xca\xdf\xb9\xe0\x52\xa9\x3f\x00\xed\x75\x75\x5b\x4d\x78\xd9\x9a\xaa\x84\xf6\x9d\xcc\x6a\x6a\xb0\x5e\xad\xd8\x17\xb9\xf7\x04\xe9\xa7\x69\x7a\x31\x5f\x36\xac\x99\xd2\x99\xb5\xcb\x8a\x2f\x0c\x7c\xd5\x3a\xa1\x6f\xda\xd2\x33\x19\x47\xd8\x1a\x52\x73\x4d\xc3\x8e\xfd\x03\x09\xb4\x83\x7f\xcc\x18\xc8\x8a\x0c\xb8\xbf\x5f\x96\xe4\x20\x91\x92\x26\x6a\x2c\x7f\x60\x37\x1d\x41\xfc\x8c\x7d\x05\x0a\xe4\x3b\xf5\xf6\x74\x07\xb5\x4f\x4b\x73\x1e\x0f\x71\x95\x65\x9c\xd7\x1e\xcc\xcf\x87\xe6\x8e\x1b\x4b\xb8\x74\x70\x73\x36\xca\x5b\xce\x6a\xe7\xd5\x88\xd6\xd6\x8e\x2f\x66\xea\xf0\xfa\xa2\x6d\x48\x8e\xf0\xa1\xa0\xb5\x96\x86\xaf\x81\x20\x55\x8f\xd7\x6c\x9d\x19\x59\x0a\x96\x11\xd5\xf3\xec\xa0\x0e\x14\x81\x94\xd9\xb6\x95\x94\x12\x4b\xe0\x05\xcd\xde\x6d\x57\xb2\x6c\x53\xac\x64\x88\x23\x6d\xe7\xdc\x8e\xf1\x7e\xee\x67\xcd\x94\x8e\x32\xd8\xc1\x1f\x14\xbd\x24\x78\xb5\xd7\xe2\xc1\xd3\x9d\x02\xb4\x75\x9
5\xce\xbe\x08\x51\xf9\x94\x48\x96\x0d\xd6\x4c\x14\xa8\x4d\xac\x88\x7c\xe5\xb3\x93\x09\xb1\x53\x0b\x71\x29\x5c\x36\xb1\xb1\x95\x92\x24\x2d\x66\x17\xf9\xba\x31\x5c\x8d\x0a\x9d\x39\x79\x25\x41\xd1\x1c\x0e\xc9\x99\x97\x51\x69\xe8\xaf\x06\xa4\x44\xb7\x16\xc4\x52\x40\xb3\x15\xa0\x89\x61\xfa\xc6\xa6\x96\x81\xd8\x32\x19\x8a\xad\x3d\xe1\x0e\xf3\xa4\x88\xf5\x07\xab\x56\xfd\x19\x4f\x6d\x94\x37\x6d\x24\x96\x8d\x5c\xaa\xdf\x3f\x2c\x3e\xfb\x66\x7d\xd1\xd1\x9b\x18\xdc\x8d\xab\x53\xdf\x92\xc2\xdc\x0f\xb4\xad\x49\xaa\x80\x34\xcf\x6f\x9e\xae\x62\x20\xbe\xae\xc0\x87\x84\xca\xc7\x65\xda\x9e\x98\x21\x9e\xca\xe0\xfb\xa0\x94\x24\x0d\x3d\xf3\x4f\x3c\x89\x53\x9b\x20\x6a\x9a\xf3\x8d\xac\x75\x87\x4b\x0b\xee\xed\xc9\xb3\x79\x5d\x5f\x1d\x1f\x90\x65\xa8\x1a\xc5\xe1\x55\x88\xc1\x79\xc4\xb0\xef\xfc\xba\x46\x6b\x91\x70\xb1\x2e\x72\xfb\x52\x5a\xcc\x0e\x2b\xf5\xb8\xc4\x3e\xfb\xdf\x53\x27\x9e\x5c\x9f\xee\x04\xb0\x29\xdb\x52\x20\xba\x82\xd4\x93\x0e\x96\x37\x4b\xaf\x43\x38\xae\xf5\x55\x0f\xb5\x92\x20\x15\xa1\xf9\xf0\x76\xf3\x61\x5e\xe6\xd8\x14\xda\x80\x8d\x1b\xbc\xad\x1b\x17\x6d\x5b\xb2\x0b\x79\x58\x82\x47\x6c\x0c\x72\x34\x5e\xb1\x61\x34\x80\x7a\x82\xb9\xd8\x6c\x9d\x7a\x4d\x84\xd1\x89\xbe\x30\x9b\xa0\x25\x30\x3e\xea\x18\x89\xb0\x5c\xdc\xea\x4c\x20\x73\xcf\xb3\x0b\xb3\xb9\x0f\x35\xbc\xd6\xee\x79\x0f\x13\x60\xf9\x63\xdc\xd6\xbe\x81\x16\x8d\xe7\x5e\x1d\x04\xe8\x15\x0d\x2c\x00\x00\x5d\xf7\xfa\xde\xac\x9e\x5c\x3d\x20\x26\x79\x9c\xbb\x2a\x2d\xb4\x26\x8e\x4d\x1c\xb6\x14\xf1\x58\xef\x12\xa0\xb2\x28\x2e\x42\xba\x33\xff\x9d\x67\xce\xda\x79\x32\x0f\x1d\x89\x72\x77\xf4\x86\x58\x8a\x0d\xc0\xe4\x6c\x1c\x0f\xa2\x23\xbe\x06\xcd\xac\xa9\x09\x48\x33\x58\xbe\x8b\x18\x2b\x37\xe3\x78\x9f\x7c\x93\x95\x9c\x0b\x45\x33\x5b\x2c\x00\xca\xd1\xa7\x0f\x8d\x04\x08\x13\x83\xa7\x9c\x3f\xd5\x95\xfc\x86\x47\xbb\x65\x52\xc6\x08\x1c\x26\xc7\x20\xed\x1b\x22\x9a\x19\x2b\x9a\x91\xfa\x1e\x12\xcd\x31\x84\x0f\x86\xe0\xda\xd7\xfe\xb7\xda\xde\xad\xd2\x32\x70\x9b\xc9\x9a\xa8\xfb\xc3\xa8\x7a\xf0\xd5\xc8\x2e\x53\xac\xeb\x61\x22\xbf\x9b\x71\xb7\xbc\x9
2\xa0\xa0\x63\x95\x7c\xc6\x66\xfa\xfb\xad\x1f\x68\x8b\xd9\x11\x60\x8b\xfc\x76\x81\xc6\x4d\x81\x91\xc5\xd0\xc8\x0f\x7d\xed\xd5\xa9\xad\x4e\xbc\xcd\x04\xe2\x61\x8d\x9a\xad\x12\x1f\xd9\xaa\x8b\x8d\x68\x48\x72\x0a\x73\x67\x22\xc7\xec\xed\x31\x54\x04\x19\x65\x9c\x09\x11\xa0\x6e\x03\x9e\x95\x9c\x84\xdd\x5c\xc1\x64\x0e\xba\x08\x50\x5e\xa4\x89\xa1\x21\xdd\xca\x4a\x09\xc6\x3b\x2e\x27\x1d\x1e\xdb\x91\xae\xa0\x42\xe9\x2b\xea\x12\x93\x9a\xb6\xd4\x15\x7e\xfa\x94\xa6\x8d\x07\xb5\xf9\xb2\x05\x8b\xcc\xae\xf5\x82\x6e\xbd\x37\x65\x7a\x99\xbe\x45\x13\x4a\xa3\x0a\x84\xa4\xc4\xe0\x8e\x46\x3b\x75\x64\x5c\x2b\x72\x6c\x14\xf3\x57\x50\xef\xa6\x80\x40\x8d\x1e\xa9\xf3\xf5\x6f\xeb\x10\x60\xc7\xb8\xe8\x11\x46\x81\xc2\x49\x92\xaa\x2e\x1e\x65\x21\x9a\x03\x6a\xfc\x03\x4d\xba\x75\xa3\x90\xaf\xce\x29\x63\xd7\x56\xc7\xea\xf6\x7d\x21\x3c\x75\x37\x19\x35\xf9\xea\xb4\xd4\x28\xc5\x43\x22\xe3\x24\x98\xa4\x34\x02\x54\xcc\x41\xfb\xb5\x5c\xf6\x3b\x4f\x3f\x43\xc8\x93\x01\x01\xf3\xae\x35\x42\xfb\x96\xac\x77\x62\x63\x78\x9a\x98\x4a\x3a\x62\xbb\x46\xc5\xa4\xa4\x1b\x85\xf9\xd6\x6b\x47\xfb\x28\xea\x76\x5b\xbc\xdb\x52\xb0\x1f\x4c\x15\xeb\xe1\x88\xb4\x54\xc3\xae\x27\x7d\xc8\xa9\xf8\xa1\xc6\x34\x16\x3c\x63\x1b\xd5\x43\x0a\x8a\x80\xb8\x0b\x37\x33\x41\x3a\x1e\x00\xeb\x3f\xff\x34\xbc\x5a\xa8\xd9\x07\xd7\x9d\xe8\x86\x6c\xbc\x6f\x10\x66\x13\x56\x27\x77\x16\xc8\x84\x74\xbe\x9b\x39\x30\x18\xa7\xd8\xb9\xb3\xe1\xce\x4b\x7a\x32\x6b\x77\xf6\x2f\xcf\xa9\x49\x4e\x1b\x7c\x02\x80\xc3\xa2\x5e\xe3\x46\xc9\x4a\xe4\xcb\x3a\xf3\xfe\x09\x53\x4e\x63\x83\x6d\x5a\x00\xa6\x28\x08\x74\x2f\x5c\xc9\x26\x08\x8a\x6e\xd1\x1e\xa2\x05\x1a\x33\xc6\x0b\x2d\xed\xd2\x06\x9f\xc9\xfc\x2f\x2c\xd4\x53\x66\x61\x8e\x11\x00\x02\x16\xef\x80\x17\x16\x3a\xa8\x28\xea\xe1\xd1\x5f\x02\x06\x7a\xa4\x6a\xf4\x67\x75\x0c\xfd\xd3\x6f\x7e\xcb\xa0\xfd\x1f\x73\x82\xc2\xa7\x8a\xa4\x0c\xcb\x03\x7e\xd7\x24\x90\x75\x9f\x08\xe4\xa2\x57\xb7\x3e\x1b\x45\x19\xec\x47\x20\xd9\x08\x1d\xd4\x64\xa4\x7a\xd4\x68\xf8\x88\x1c\xa3\x02\x3e\x75\x31\x00\xae\x0a\x1b\x29\x89\xac\x57\x4e\xbb\x9a\xc
9\x13\x4b\xf1\x62\x02\xce\x61\xae\xaa\xfd\xf7\x68\x9b\xb9\x21\xc4\xa3\x9a\x46\xf0\x3a\x14\xde\xcf\xfe\xc7\x8c\xf9\xff\xd0\x1b\x4f\xca\x7d\x7b\xd4\x00\x30\xfe\xfa\x02\x59\x1a\x28\x45\x1b\xd3\x5d\xa7\x46\xdb\x7b\x5c\xdf\xd5\xee\x9e\xb6\xc5\x1b\x3b\xe0\x5f\xb0\xcd\x5d\x39\xe8\x10\x3b\x0e\x90\x3e\xec\x11\x0b\x3f\xf1\xf9\xdf\x98\x12\x32\xa5\x58\x23\x42\x81\x03\x9b\x46\x63\x76\x41\x84\x9d\x64\x12\xfe\xb7\x4a\x37\xb1\x39\x3c\x31\x51\x3c\xd9\x94\xad\x23\x9e\x20\xad\xdc\x7b\x6b\xe2\xbe\x44\x88\x57\xba\xcb\x20\xcb\x14\x69\xfe\x94\x46\x94\x6b\x6d\x60\x34\x9f\xf3\x92\x19\xf7\xc0\x02\xec\xb4\xdb\xfd\x31\x7f\x79\xd9\x50\xb3\x95\xdd\x77\xcf\xd4\x9a\x6f\xad\x36\xbe\x0b\xd4\x59\x1e\x4d\x2c\xa8\x37\xfe\x73\x74\xa3\x67\x92\xcc\xb0\xb2\xb0\x27\xc6\x9d\xcb\x08\x52\x74\x93\x09\xb9\x37\x17\x72\x72\xf4\xa8\x0d\x8e\x2a\x24\x99\x7f\xfc\xa2\x08\xb7\xf5\x28\xbe\x82\x11\x65\x56\xd2\x35\xf1\x7d\x57\x4d\x17\xac\xc1\xc4\xb5\x83\x63\xf0\x3f\x6b\x21\x77\xa2\xd9\xbd\x31\xd7\xda\x8b\x2d\x37\xea\x2a\x5e\xac\xe2\xb4\xf3\xea\xb5\x49\xcc\x55\xb3\x8e\x0f\x17\x31\xcc\x82\xef\x54\x8a\x5c\xb6\xa7\x56\x4b\x44\x2a\x86\xda\x73\x12\xa9\x4a\x13\x15\xe2\x70\xf3\x90\xa1\x97\xb9\x1e\x43\x5f\xa7\x04\x43\xf3\x87\xcf\x53\x73\x8f\x77\x5a\x23\x62\xa8\x72\x17\xb5\x74\xf8\xf6\x3c\xa6\x36\x13\x37\x52\x05\xdc\x19\x44\x98\xa0\xc9\x29\xff\x13\x00\x14\xd7\x42\x6a\xf7\xc0\xd0\x98\xd6\x9a\xff\x0d\xa1\x02\x7b\x12\x3c\x02\x3e\x73\x2e\x0c\xa1\xeb\x69\x5b\x42\x10\xad\xca\xef\x92\x85\xfe\xc8\xc8\x3f\xea\x7e\xfb\x3b\x5a\x09\xab\x0e\x26\xa2\xc0\x92\x6e\x15\x8e\xe1\x70\x89\xef\x7f\x8e\xab\x53\x75\x71\x8b\xa2\xe8\xab\x68\x3d\x2a\x1e\xef\xe2\x5c\x2e\x30\x3f\x41\x9e\xd0\x14\x23\x79\x98\x67\xe0\x2e\xb0\x1a\xe2\x00\x02\x20\x71\x36\xa6\x0a\x87\x50\x77\x39\x3a\x01\x9a\xe7\xdf\x3a\xad\xc5\xd4\xae\xd4\xd4\x59\xce\xdd\xe9\x66\xd8\x4f\xa6\x4c\x2e\x56\x48\x60\x17\x2b\xe4\x1b\x9f\xbd\xcc\x9b\xb2\x9c\xc2\xaf\x86\xbc\xb8\xda\x14\xd1\xd7\xef\xd6\xd9\x0f\xef\xd4\x73\xfb\xac\x5b\x05\x59\xac\x2b\xdc\x11\x0c\x7f\xda\xa9\x21\xd9\x20\x73\x1f\x36\x2f\x95\xd4\x2
6\x68\x0b\x73\x31\x2d\xa5\x8f\xac\xc4\xd0\xa1\xd7\xba\x59\x0b\x3e\x91\xc0\x3b\xf3\xb5\xf5\x00\xa5\xca\xe4\x6b\xed\x37\x37\x02\x12\x9e\xe2\xf2\x5b\x05\x00\x21\x9b\xbe\xc0\x50\x28\x59\x49\xf2\xde\x49\x48\x32\x89\x64\x32\x9b\x1a\x46\xa3\x84\x21\xc1\x37\xcb\x95\xb9\x92\x90\xb4\xf6\xcb\x46\xb5\x76\x69\x7c\x95\xb9\x37\x8e\x7c\x15\xca\xa0\x4a\xb0\xe8\xa0\x4b\x8d\xf8\xbc\x46\xd6\x15\xfa\x29", 4096); *(uint64_t*)0x2000000064d0 = 0x200000006440; memcpy((void*)0x200000006440, "\x1c\x3d\x61\xef\xc1\x46\x7b\x6b\x61\xe9\xe5\xf0\x6f\xa3\xd1\xdc\xc0\xe7\x00\x35\xdc\xc9\xc6\xc3\xb0\x0d\xf5\x89\x00", 29); res = syscall(__NR_shmctl, /*shmid=*/0x8001, /*cmd=*/0xfffffee8, /*buf=*/0x200000006480ul); if (res != -1) r[20] = *(uint32_t*)0x200000006484; break; case 27: res = syscall(__NR_getgid); if (res != -1) r[21] = res; break; case 28: res = syscall(__NR_geteuid); if (res != -1) r[22] = res; break; case 29: *(uint64_t*)0x200000006a80 = 0xfff; *(uint64_t*)0x200000006a88 = 0xd; *(uint32_t*)0x200000006a90 = r[6]; *(uint64_t*)0x200000006a98 = 7; *(uint64_t*)0x200000006aa0 = 2; memset((void*)0x200000006aa8, 0, 16); *(uint64_t*)0x200000006ab8 = 0xf; *(uint16_t*)0x200000006ac0 = 0; *(uint16_t*)0x200000006ac2 = 0x46; *(uint32_t*)0x200000006ac4 = -1; *(uint32_t*)0x200000006ac8 = 0; *(uint32_t*)0x200000006acc = 0xfffffffd; *(uint32_t*)0x200000006ad0 = 0xf7; *(uint64_t*)0x200000006ad8 = 0x7f; *(uint64_t*)0x200000006ae0 = 8; *(uint32_t*)0x200000006ae8 = 9; *(uint64_t*)0x200000006af0 = 3; *(uint32_t*)0x200000006af8 = 0x200; *(uint64_t*)0x200000006b00 = 4; *(uint32_t*)0x200000006b08 = 5; *(uint64_t*)0x200000006b10 = 0x62; *(uint32_t*)0x200000006b18 = 5; *(uint32_t*)0x200000006b1c = 0xff; *(uint32_t*)0x200000006b20 = 0x6cbf; *(uint32_t*)0x200000006b24 = 0x48; *(uint16_t*)0x200000006b28 = 0; *(uint16_t*)0x200000006b2a = 0x8001; *(uint16_t*)0x200000006b2c = 0x7f; *(uint16_t*)0x200000006b2e = 6; *(uint16_t*)0x200000006b30 = 8; memset((void*)0x200000006b32, 0, 2); *(uint32_t*)0x200000006b34 = 0x40; 
*(uint32_t*)0x200000006b38 = 0xffff; *(uint16_t*)0x200000006b3c = 0xa; *(uint16_t*)0x200000006b3e = 0xb04b; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0c0586d, /*arg=*/0x200000006a80ul); if (res != -1) { r[23] = *(uint32_t*)0x200000006a90; r[24] = *(uint32_t*)0x200000006ac8; } break; case 30: memcpy((void*)0x2000000016c0, "\x27\xfe\x2f\xfe\x47\x40\x4c\x4a\xc0\xa1\xec\xab\x30\xbb\xcb\x86\x4e\xad\x78\xfe\xd0\xc0\xe1\x75\xac\x99\x94\xf2\x2c\x05\xa4\x71\x88\x98\x8b\x3f\xf7\xcd\xde\xc1\xf6\xf3\x9e\x60\x61\x60\xf4\xf1\x99\xd3\x74\x5e\x26\xe2\x74\x8d\x68\xe3\x5a\x99\xf1\xbc\x4a\xc3\x20\x84\x63\x4f\x2c\x0b\xa5\xd1\xe0\x00\x0e\x2d\x5b\xee\x77\x7a\x2a\xb5\x09\xe7\xc9\x4c\x43\xf2\x97\xb8\x25\x93\x43\x78\xff\xa3\xbb\x79\x42\x25\x6f\xc5\x2a\x69\xe2\x38\x20\xcd\x52\x0e\x75\x59\xed\x9a\x31\xa9\x54\xdf\x95\x5d\xe5\xbc\x7c\x18\x55\xd9\x74\xb9\x5f\xf0\x0a\x84\xdc\x2d\x9a\xd6\x79\x64\x33\x44\x34\xd5\x28\xbc\xe5\x93\x48\x08\xb4\x8f\x8e\x25\x1a\x17\x9e\xb4\x7d\xee\x2a\x10\x8b\x50\x09\x2f\x55\x98\x16\x13\x6c\xff\xe9\xbd\x6e\x0a\x34\x00\x4e\x62\xd5\x0f\x73\xc1\x4b\x23\xce\x17\x51\x8f\x95\x4c\x4b\xc6\x1e\x61\x75\x75\x6c\x12\x04\xe2\xf2\x7c\x18\x2b\x9e\x3a\x7e\x3b\x82\x3d\xc2\xd2\x10\xe5\x23\x2c\x7a\xd0\xe8\xd8\xe0\x49\xf0\xe9\x20\x60\xb6\x20\x49\x9b\x0b\x8f\x4b\x4b\x97\x1d\x29\xa9\x7a\xe9\x4c\xe3\xce\xa6\xfb\x4e\x42\x96\xf7\x2e\x3d\xea\xbf\xf5\x62\xe7\x92\x43\x93\x3c\xfc\x53\x00\xe3\xc4\x1c\x6a\xb9\xc0\x55\x9a\xe2\x4b\x21\xce\x45\xbc\x69\xb7\xa1\xeb\x56\xc0\x8b\x82\x2b\xa1\x0f\xbc\xb0\xbd\x23\x8f\x6f\xcd\x60\xed\x24\x09\x2b\x3f\x47\xf1\x90\x0e\x3d\x33\x73\x37\x96\x49\xda\xa3\x95\x9b\xcb\x31\x9d\x7a\x74\xab\x3e\x62\xbb\x5f\xbd\xfa\x42\xf9\xd3\xb3\xe7\x34\x0e\xfd\x12\xd9\xdb\x73\x8b\x9a\x7a\x58\x1d\x91\x4f\x4d\xeb\x34\x00\x5a\xac\xae\xe8\x65\xdd\x59\x5a\xd5\xf0\x07\xc4\x8b\x51\x68\xe6\x99\xe5\x2d\xec\xc6\x66\x50\x9f\x0b\xac\x51\x6d\x5d\x8b\x1e\xcc\x1c\x99\xe6\x01\xb8\xf8\x5a\xf1\xc6\x76\x23\xfd\x2c\xff\x7b\x88\x38\x41\xae\xcd\xdf\x3a\x85\x23\x99\x80\xd3\xea\x2a\xe6\x37\x8d\x59
\xcc\x24\x2b\x2a\xbc\xda\x91\xe9\x18\x48\x7c\xfe\xa0\x37\x83\x90\x17\xee\xfb\xed\x85\xe0\xde\x24\x14\x8b\x3c\x67\xec\xad\xc8\xbb\xe5\x1f\xfd\xd0\x69\x6a\x55\xd8\xff\x21\x52\x31\x78\xa6\x82\x9e\xc4\xd3\xf2\x59\x77\x43\x3b\x85\xe9\x23\x8f\xe5\xd8\xb1\x43\x7c\x54\xa9\x33\x82\xfa\x15\x25\x49\xcf\xca\x4e\x47\x00\x70\x5f\x3c\xe5\xa2\x60\xa4\xb9\x43\xdd\x3e\x53\x2c\xc1\x96\xc8\x12\x95\x18\x22\x55\x66\xe9\x3e\x29\xa8\xc6\xf0\x2f\x05\x4a\x94\xee\x5f\xe2\x1e\x5a\xd5\xbf\x55\xdd\x7f\xde\x9a\xc6\x41\xf3\x47\xa9\x92\xe8\x19\x7f\xe5\xfc\x4b\x9c\x65\xef\x4d\x68\x79\x21\xdf\xf0\xf6\xcb\x82\xa3\xa9\x6f\x6d\xf1\xcf\xae\xdf\xfc\xed\x7c\xb0\x6b\x21\xde\x9b\x83\xcd\xe5\xf9\x6b\xda\xd6\xee\x4c\x61\x7b\x9d\xa7\x66\xcc\x44\x37\x12\xf8\x4e\xf7\xc3\x87\x08\x07\x0b\xd1\x9d\xb9\x0a\xbe\x25\x10\x09\xd9\xbb\xcc\xe7\xc4\x19\xbf\x7e\xfa\x7e\xa7\x00\x86\xa9\x5a\x27\xe7\x35\x9d\x3b\xcf\x81\x89\x9b\xb6\xb7\x56\x0c\x58\x22\x7d\xb9\x2b\xbe\x34\x2e\x60\x01\x9f\xf0\xcd\xbe\xec\x13\xbd\xb5\x6c\x5b\x5f\xdf\xdb\xce\x7e\x2f\x5a\x7d\x97\x1d\xbb\xc6\x4c\x59\xc5\x11\x1d\x0b\x45\x2a\xf5\x79\x80\xe2\x17\x85\xd5\xaf\x08\x84\x82\x2d\x12\xf4\x08\x1e\x83\x81\xd1\x6e\x0f\x41\x19\x36\x27\x4b\x90\x30\x21\x5c\x4b\x0b\x47\x07\x4d\xab\x09\xb9\xfa\x23\x22\xa8\x80\x50\xa6\x24\x48\xff\xb2\xbd\xbb\x9d\x6b\x87\x52\x1b\x3b\xfe\xb5\xde\x77\x36\xa4\xde\x11\xff\x4e\x56\xd4\x1a\xae\xd9\x00\x61\xe8\xf1\x3c\x37\x89\xa4\x4a\x63\xe7\x69\x02\xc4\xee\x9b\x6f\xc7\x35\xab\x8f\xf9\x52\x5a\xf0\xab\x52\x16\x7e\x04\xd3\x47\x96\x67\x85\x2b\x75\x5d\x00\x74\xcc\x95\x07\x80\x94\xdf\xe0\x39\x26\x00\x7f\xcf\x4b\x2b\x68\xe2\x62\xd1\x17\xdf\x6c\x91\x81\x27\xcd\x6a\x56\x42\xb8\x0c\x30\xbf\x91\x6a\x1e\x51\x52\x02\x29\xe1\xe0\xec\xe3\x5a\xc9\xb9\x09\xfd\x5f\xf9\x2b\x93\x0a\xa5\x5a\xe6\x0a\x2a\x7f\x52\x74\xe0\x47\xae\x70\xcd\x1d\x89\x4c\x3a\x93\x09\x4d\x5e\x88\xca\x4f\xf4\xa1\xf7\xa7\x4c\x25\x72\xc5\x91\xf2\x54\xec\x09\x46\xde\x4f\x96\x24\x83\x88\xb0\x6f\x7f\x0a\x7d\xaa\x49\x0f\x43\x59\x18\x4a\x76\xa5\x6a\x9b\xbc\xa5\x93\xc6\xf6\xfe\x47\x9c\x67\x5f\xb0\x2c
\x63\x54\x7d\x08\x04\x96\x3b\xbb\xfe\x5c\x66\x87\x69\xf3\xcf\x16\xbe\x9c\xd5\x11\x78\x03\x0d\x64\xcc\x2b\xb9\xd8\x26\x34\x39\x9d\xb8\x85\x9e\x48\x87\xc8\xce\xce\x4c\x85\x2f\x5c\xb7\x6c\xe7\x0a\x6c\x4e\xdd\x0e\x8a\x46\x5c\xbf\x78\x27\xb2\x1b\x55\x38\x57\x97\x71\xfb\x56\xb7\x99\x74\xaa\x36\x28\x85\x16\xbd\x08\xa9\x39\x49\x00\x16\x0f\x75\xd6\xbb\xe8\x9d\xe7\x0f\x8b\x5c\xea\xcc\x94\x19\xfc\x5a\x3d\x5e\xe5\xea\x78\x3d\x0c\xa8\x08\xa6\x24\x8c\x13\xad\x17\xc8\x73\xbc\x93\xe0\xe5\x0a\x39\x48\x7f\xb2\x5e\xc3\x23\x30\x70\xd7\x77\x6e\x7c\xe8\xba\x02\x2c\xcd\x8e\x2d\xb5\x64\x55\x94\xe0\xb2\xd8\x74\xed\xe7\x39\xf9\x3b\x61\x7f\xfe\xfa\xf3\xd8\x46\x8e\x66\xee\xcc\x85\x61\xfd\xb8\x1d\xd4\xfe\x7c\x77\x9d\xd9\x3c\xce\x31\x7a\x8f\x5c\xb8\x65\x51\xc2\x61\x66\xc7\x82\x4c\x87\x14\x0d\x96\x47\x50\x8c\xbb\xc1\x5c\x1d\x3b\x72\x08\x60\x91\x68\x90\x9e\x89\x0e\x9e\x9f\xd2\x67\x1d\x3a\x9a\x75\x27\xa7\x34\x47\x1f\x2c\x74\x80\x92\x6d\x8d\x18\xba\x6e\x24\xda\x6d\x6c\xee\x42\x2a\xeb\xfb\x14\xd1\xf1\x2a\x91\x5f\xfb\x73\x75\xcc\xb3\xec\xc9\x86\x3c\x45\x53\x4a\x97\xa9\x22\x43\x32\x17\xdd\xe2\x20\x35\x45\xaa\x98\x3e\x2a\x6c\x54\x65\x11\xd8\x62\x64\x28\xaa\xbe\x7c\xec\x1d\x0e\x81\x24\xde\x19\x83\xd5\xab\x1e\xd6\xe9\xde\xe8\x2f\x0d\xf4\x69\x9f\x4a\xb7\x07\x06\xc3\x4c\x75\x4d\x0c\xd8\xb6\xde\x54\x1c\xa8\xa7\x1d\x5f\x98\x25\xfc\x13\x15\x84\x80\xd5\x98\x0e\x64\x15\xcc\xa0\x5c\x57\x57\x89\x41\x69\x22\x3b\x43\xcc\x29\x63\x09\x18\x24\xcf\x95\x3f\xcf\x54\x53\x05\x58\xad\x5c\xe4\x22\xfc\xe9\x9f\x5f\x26\x50\xb7\xde\xc7\x02\xfe\x12\xbb\xb0\x8c\x28\x51\x9f\x08\xb6\x35\x4c\xf5\x8d\x01\xf0\x27\x23\x70\x70\xcb\x43\x8f\xe4\x80\x7b\x7b\x1f\x7e\xbc\x27\xf2\x74\xfd\x50\xef\x37\xad\x06\x0a\x7a\xdc\xdf\x65\x96\x2f\x8a\x52\xc0\x4b\x56\x9d\x7d\xb3\xd8\x6a\x0f\xeb\x6c\x78\xed\x1a\xdb\x36\x18\x66\xf7\xd5\x60\x65\x69\xd9\x10\xc6\x72\x7c\xdd\x76\xc6\xbb\x2a\x40\x5e\xd1\x2d\xfc\x2e\xdc\x81\x66\x67\x87\xf3\xa3\xa2\x39\xc6\x2f\x65\xd2\xd9\x8d\x8b\x07\xc5\x91\x13\x55\xa3\xa6\x20\x66\x46\xfe\x74\xc0\x75\xa6\x77\x80\x72\x87\x0f\xd6\x52
\xaa\x4d\xf9\xaa\x3b\x96\xf1\x45\xc3\xaf\xa7\x4f\x5a\xaa\x8d\x7f\xf0\x42\x7c\x93\x89\xdd\x54\x62\xaf\x0e\xb6\x82\x8f\x3a\xa5\x4c\x75\x2b\xb4\xc8\x9d\x18\x21\x07\x61\x72\xa9\x25\xf1\x46\xae\xf7\x89\xde\xb1\x4c\x6b\x6c\xb2\x87\x33\x88\xcb\xe0\xbe\x06\x28\x71\x04\x8c\x49\x67\x9d\x72\xc3\xf3\x25\xc7\x7e\xa3\x19\xed\x28\xfa\x27\x86\x10\x40\xf6\xbe\x5d\x4f\x32\xcf\x29\xca\xc1\x12\x43\xda\x04\x2b\xec\xf2\x12\x5d\x21\xe7\x35\x49\x3a\xc7\x69\x4a\xa9\x61\xee\x92\x44\x3f\xc5\x88\xc2\xad\xc0\xf9\x7a\xc7\xb5\xfa\xe1\x0d\x43\xdd\xb8\x1f\x31\x12\x85\x82\x18\x5b\x9a\xa1\x24\xfe\x6e\xd7\x80\xac\x95\x4f\x84\x42\x17\x67\xf9\x0f\x5c\x0b\x56\x94\x43\xd6\x3b\xea\xc0\x68\x4e\xd6\x8b\xc5\x03\x9a\x27\x56\x7b\xd2\x33\xb8\xf2\x67\x5e\x1a\xfa\x14\x0d\xf8\xe1\xe6\x4f\x0a\x90\xec\x55\x3b\x52\x17\x27\x39\xd0\xd6\xb3\x88\x49\x47\xf2\x66\x69\x29\xcb\x5d\xd7\x93\x19\x42\xc0\x6e\x9d\xf9\xec\x79\x17\xf1\xd9\x3a\x2f\x0f\xbe\x5c\xd0\xf5\x73\xc0\x10\x2f\xf0\x20\x5e\x4d\x59\xdd\xd6\x03\xdb\x5d\xa5\x66\x94\xbd\x92\x87\x3e\xe2\x1f\xe7\x78\x6a\x87\x42\x8b\xdf\x19\xa1\xa8\x7d\x72\xba\x69\x7f\xbe\x0e\xd9\x75\xdb\x5b\xb3\xa7\x05\x17\x7f\x3a\x13\x69\xe2\x9d\xec\x75\x81\xd4\x3a\xea\x38\x55\x94\x3f\xf4\xef\xa4\xd7\xaf\x36\x22\xc3\x19\xd7\x8b\x31\x08\x37\x88\xd2\x03\x10\x20\x82\x99\xca\x03\x47\xaf\xff\xe5\x4e\xca\xf1\xfb\xec\xe6\xe0\x93\x5a\xbc\x7a\xa8\xf8\x55\x3f\x99\x96\xff\x1d\x46\xb8\x8b\x78\xdf\x2f\xe2\x67\xf1\x69\x9f\x2e\xbf\x19\x25\xb8\xe5\x0c\xb4\x6c\x8a\x10\x3c\xfb\x55\x65\x10\x15\x5d\xdb\x84\x27\x6e\x1e\x0a\xef\x3f\x41\x1c\x7a\xf3\xd2\x05\x93\xb6\xfe\xc7\x00\x6a\xa7\xa4\xee\x33\x80\x2a\xad\x16\x89\x49\xda\xd9\xfa\x91\x18\x88\xd7\xf6\x1b\xf1\x6d\xb2\x26\x50\x03\x41\x6f\xb5\x76\xde\x44\xf8\x0b\x9c\x90\x1a\xce\x45\x4d\x2b\x04\xb3\x74\xf3\xdc\xfc\x38\xfd\xd6\xed\xcf\xab\x24\xd3\x67\xaf\xf3\xf6\xd8\x29\x8a\x41\x33\xd0\x81\x56\x3d\xe1\x36\x5b\xea\xff\x74\xda\x25\x2b\x24\x8f\xa6\x1d\x80\xe7\x2c\xbb\xd5\x85\x33\xe7\x51\x8d\xba\xe1\xa9\x25\xd9\x91\x2b\xfe\x70\xfb\xc6\x4b\x8c\x81\xce\x26\x25\x30\xbd\x11\xae\x83\xf3
\x66\xe3\x8c\x53\xbf\xd5\xa0\xda\xc9\x78\x5b\x92\x2b\xcd\xd1\xa3\xb6\x83\xf4\x3f\x8d\x48\x5d\xfc\xc6\xdd\x00\xb6\xcd\xde\xa0\x64\xf8\x46\xfb\x26\x93\xd4\x8f\xa9\x7b\x52\x63\xf5\x37\xea\xbf\x6c\x0e\x54\x9a\x78\xd2\xbc\xad\xb2\xe8\xfd\xb2\xb1\xb0\xf4\x7f\xd4\x9d\xc6\x1c\xa1\x05\x8b\xb8\x88\x2a\xa1\xca\x2e\xd3\x41\xfe\xb7\x37\xd5\xea\xae\x0e\xa0\x8f\x94\x5a\x04\xa3\x8b\x6e\x31\x37\xf9\x61\xa7\x56\x3a\xd1\x3c\xec\x30\x07\x2b\x91\x43\xe4\xf9\xc7\x82\x4e\x7c\xbd\xa2\xdf\x89\xb7\x4c\x14\x2d\xad\xaf\x5c\xa2\x4b\x6f\xe9\x09\xce\x3a\x1f\xf3\x7e\xe5\xa0\xb6\x61\xd3\x07\x39\xef\x0c\x37\x2c\xf7\xa1\xb4\xc6\xa0\xe5\x19\xb4\x8b\x40\xdc\x79\x4c\xd6\x13\x56\x75\x66\x09\xf6\x8d\xd5\x8f\x72\x4b\xdd\x86\xdb\x7f\x26\x49\xb9\x0e\x16\x35\x30\xca\x69\xf0\x69\x6a\xdd\xfc\xef\x84\xef\xc9\xf9\xe0\x4d\x9d\x6e\x18\xed\x17\xf7\x4f\xf8\x07\xe9\x2b\x0f\x33\x0f\xb6\xe0\x6e\x0e\x2f\x19\x3e\xa0\x3a\x18\x1c\x86\x73\x95\x0a\x19\xeb\xa2\x2f\xd6\xb1\xb5\x6e\xbb\x33\x6e\x02\x48\xc6\x4f\x93\x6c\xaf\xd3\x31\x1f\xd5\x0c\x50\xfc\x91\x61\x56\xbb\x28\x15\x6d\x15\xd7\xf4\xd5\xa7\x98\xd8\x62\x6a\xfc\x6b\xa7\xd2\x17\xd2\xc9\xf1\xa9\x8f\xed\xe6\x2b\x1b\xac\xfc\x31\x4d\xfa\x89\xe8\xcb\xb8\xc3\x7b\xd5\x26\xdd\x53\xed\xe8\x1b\x19\x53\xce\xf5\x17\x70\x3b\xab\xce\x44\x6e\x86\x3b\xf9\xd2\x46\xb0\x3b\x88\x50\x2c\x7f\xdb\xac\x4d\x87\xf1\xea\xad\x86\xed\x17\x0d\x71\x0d\x81\xea\xf3\x95\xae\xf6\x0d\xc1\x64\xd9\x11\x66\x01\xa5\xa5\x8c\x79\xa8\x92\x75\xc9\x5d\x28\x91\x2e\x87\x08\xfe\xe2\x47\x2e\x6b\x87\xd2\xe0\x77\xd3\x62\xc0\xba\x8f\x4b\xc6\xa5\xe3\x87\x45\xea\xe9\x10\x46\xbc\x61\xe6\xa0\x40\xcb\xfe\x38\x20\x4f\x17\xe6\x04\xf0\xe1\x40\x5e\x8e\xe0\x7d\x71\x41\xb6\x98\xbc\x2b\xe7\x69\x0a\x8f\x0b\xf3\x1d\x58\xae\x90\x6c\xb7\x0e\x4f\xe5\xfe\x03\x56\x31\xd7\x65\x33\xb7\xa7\xb0\x32\xe1\xb1\xee\xe2\x14\x28\x08\x4a\xfb\xcc\x93\x0a\x9f\x28\xe9\xf1\x7e\x26\x9a\x69\x97\xaf\x83\x8f\x95\xe2\xfb\x39\x5b\x54\x0a\x1d\x49\xf3\xd4\x29\x02\x74\xd2\xd3\x1f\x76\x08\x35\xff\x73\x51\xd2\x5b\x62\xe1\x35\xad\xf5\x9e\x01\x18\x87\x2d\x17\x84\x3d\x99\x15
\x4f\x46\x60\xfa\x8f\x48\xb6\xc4\x86\x8b\x1f\xbc\x6b\x84\xda\x61\xf9\x81\x23\x16\x7b\x06\x73\x70\xa5\x4f\xc6\xc5\xa6\x88\xe3\x1d\x42\x01\xac\x4c\x4d\x56\x46\xf9\xa4\xa4\xa8\x04\xa1\x75\x16\x7c\xf7\x9d\xda\x22\xf4\xd6\x86\x72\x81\xcb\x0b\x3e\x09\x99\xfa\xd7\xbf\x26\x51\x2d\x13\x14\x40\xa8\xf9\xec\x75\xfe\x9d\xf6\x80\x54\x78\x55\xd8\xc9\xb3\xb3\xf0\xd5\x14\x19\x7c\x2a\xf0\xd6\x72\x99\x13\x73\xb8\xd4\xac\x1d\xd5\x1e\x1f\x90\x74\x50\xd6\x21\x01\xb5\xe2\x61\x3e\xa2\x89\xc1\x94\xd0\x73\x5e\x1c\x5e\x16\x69\x09\xeb\x71\xee\x2a\x4e\xe5\xff\x99\x14\x0c\x0b\xec\xca\x26\x72\xfa\xf6\x94\x49\x38\xc6\x18\x09\xd8\xbf\x2f\xaa\x56\x1f\x9b\x56\xda\xb8\x5d\xed\x7e\xe7\x35\xd3\x00\xc8\xda\x84\xc5\x7f\x06\x7b\x2f\xe5\x09\x29\xca\xe1\x39\x87\x5a\xbb\xab\x08\x47\x42\xc9\x07\x06\xbc\x31\xfc\x4c\x68\x53\x88\x89\x71\x87\x69\xd1\xc6\xda\x0e\xe1\x82\x6e\xcd\xe1\xf6\x0e\xa6\x6c\xed\x44\xc2\x4f\xe2\x87\x5d\xcb\xc8\x7a\x35\x72\xaf\x96\x45\x5e\xdf\x31\xe0\x51\xe5\x42\x2a\x8e\x29\x10\xc7\xd9\x75\xdf\x64\x48\xda\x0c\x0f\x83\x3f\x61\xf7\x15\x05\x98\xfb\x47\xfa\xe9\x38\x35\x7a\x7b\x64\x5e\x40\x6d\xf9\xa4\xa3\x0c\xdd\x1c\xef\x6d\xdb\x26\x3c\x9f\x06\xb2\x68\x76\x7a\x9a\x0f\x92\xc4\xea\x13\x80\xe5\xe3\x6f\x5f\x2a\x3e\x90\xbf\x87\xd6\x81\x8c\x5a\xef\xc3\x43\x9c\x4f\x4d\xe2\xcf\xb4\xdb\x14\x57\x56\x84\x8b\x27\xb6\x18\xc2\x2f\xee\xa3\xf9\xf4\x60\x15\x57\xf5\x3c\x2a\xae\x71\xdb\xc0\xe9\x46\x82\x43\xf1\xbf\x3b\x08\x6b\x4d\xca\xb2\x73\x4d\x61\x28\xc5\x44\x15\x46\x90\x3d\x2f\xea\x40\xc7\xca\x48\x40\xac\x4b\x1b\x3e\xa8\x89\x7c\xf0\x37\x62\x3e\x42\x7f\xb1\xef\x9c\x0e\x7d\xeb\x9e\xba\x0f\x8e\x5a\x5b\x29\xd4\x22\x92\x3f\x2f\xc8\xc5\xdc\x13\x69\xfe\x52\x67\x09\x24\x7c\x27\x76\xf5\xb7\x68\x7c\xcf\x42\x0b\x0d\xc8\x44\x61\x10\x5c\x2a\x31\xcc\xe9\xde\xcc\xa3\x0b\x74\x6b\xfe\x43\x44\x0d\x49\xc4\x77\x5a\x2d\xfc\x88\xf0\x49\xe2\x3a\x30\xe2\xde\x2c\xe6\x34\x54\x9b\xbc\x0c\x26\x30\x97\xeb\xb8\x04\x4b\x4b\x9b\xb6\xf5\xf9\x5a\x4a\x49\x9a\x3d\xce\x9c\x11\xb9\x94\x87\xd9\x96\xeb\x57\xd6\x54\x09\x0b\x43\x6d\xfe\x0b\x94\x79\x6e\x93
\xfe\xae\x2b\x63\xd0\x13\x20\xaf\x73\x23\xa8\x00\x6b\xc7\x5f\x95\xa0\xc6\xce\x53\x69\x18\x02\xa0\x97\x10\x88\x81\xbd\xa6\x4a\x2c\xf8\xed\x8f\x67\x52\xe1\x98\x15\xe7\x1e\x2b\x85\x54\xfa\xc0\x30\x18\x75\x26\x21\x09\x33\x11\x51\x91\x5f\x6b\x19\x36\x2c\x2d\x82\xc3\x04\x74\x78\x52\x5a\x64\x9a\xe4\xc9\xa4\x1f\x75\x60\x83\xf1\x38\x15\x6f\x6e\xc4\xea\x04\xb4\x4f\x65\x2a\xb1\xe6\x6c\x5c\x63\x0e\x61\x30\x06\x2a\x26\x0b\xe5\x53\xf1\x0b\x8b\x70\x0e\x6c\x6b\x08\x9f\x0b\x09\xce\x11\x7c\xa7\x8d\x45\xae\xc4\x33\x97\x64\xdc\x2e\x39\xb5\xbb\x95\x56\x02\xd5\x73\x23\xe4\x0d\x49\xec\xf8\x98\x71\x84\xa1\x2d\x21\x99\x3c\x03\xb4\x58\xfc\xa9\x8c\x77\x30\x71\xc2\x24\x2d\x90\x59\x65\x99\x33\x6e\x1c\x69\xff\x55\x1a\xf3\xef\x27\xaa\xa7\x4c\x54\x7f\x23\x1a\x1e\xf6\x4a\x2f\xbe\x54\x98\xf5\xbf\xfd\x9e\x59\x7b\x8d\x87\x1a\x07\x3e\x82\xf1\x3f\x5b\xdf\x21\x89\xd3\x61\x64\x9d\xbe\x14\x4e\x7c\x2f\xb2\x6a\x51\x88\x84\xc4\xf2\x76\xaf\xa0\x44\x50\xb3\xb1\x26\x15\x11\xa1\x86\x15\x07\xe9\x4b\xe4\xb0\xc3\x01\xe6\x24\x71\xbb\x95\x33\x63\xe5\x4a\x80\xac\x90\xb2\x55\x1b\x01\x2d\x74\xa5\x62\x1e\x26\x5b\xf9\x12\x60\xa4\x67\xfe\x76\x06\xe7\x95\x92\x27\x2a\xa2\x08\xb1\x29\x35\xa8\x99\x1d\xfb\x81\x7a\x5c\xb0\x5a\xcb\xa7\x9d\xcc\xb9\x7d\x0a\x0f\x9e\xb5\x82\x5e\x16\xd1\x24\xa7\x72\x24\xc9\xa0\x9a\x53\x35\xf1\xce\xd7\x85\x63\x6a\xe3\x58\x15\x98\xaf\x5c\x28\xe5\x4e\xa8\xdc\xc4\xc7\x22\xe4\xa6\x58\xa3\x3f\xa7\xc4\x73\xf3\xb5\xe7\x4e\xd5\x62\x56\x80\xf0\x7c\x7d\x47\x29\x66\xab\x64\x6a\xc3\xac\x2d\x67\x46\x9c\x43\xdb\xab\x6b\x88\x67\x79\xde\xf7\x94\x17\x69\x8c\xfe\xd9\x47\x2f\xdc\xab\x0f\x80\x79\xf2\x21\x28\x54\x41\x88\x1e\xaa\xe4\xc2\x11\xa8\x14\xe6\xd4\xe6\xc2\x5d\x49\xa5\x70\x67\x38\xb0\x3b\x35\xc0\xd2\x84\xfc\xd6\x75\x50\x5b\x0a\xdc\x88\xd0\x43\x90\xf3\xa1\xb0\xc8\x27\x85\xba\x7b\xf0\x29\xaa\x46\x18\x71\x31\xdb\xdc\x36\xaa\xed\x98\x0b\x90\x88\x8e\x67\xe8\xa8\xbe\x7c\x1f\x7c\x5e\x3a\xd4\x44\x2e\x97\xaa\x77\xc7\xe1\xd2\x86\xc2\x9d\x8b\x76\x1e\xc9\x12\x50\x52\x9b\xff\xfc\x56\xce\x2d\x1f\x4e\x79\xcf\x74\x23\x7f\x02\x05\x0a
\xfb\x6e\x25\xd5\x43\x65\x45\xda\x66\x62\x29\x70\xe8\x9e\x4c\xb9\xe7\x7e\x0e\x9a\x66\x72\xfe\xb0\x33\x28\x56\x8d\x75\xd5\x14\x65\x77\x2b\x5e\x40\x8e\x40\xeb\xc9\x67\x6e\x7e\x5e\xe7\xab\x0c\xbf\xca\x5f\xf0\xc0\x23\xb3\x93\x52\x94\x64\x66\x8b\x77\x4a\xe1\xb5\xce\xf7\x6d\x67\xf1\xd7\x35\xb8\x72\x81\x55\x5b\x39\x6c\x78\x58\x70\x1c\x6d\x42\xb0\xf3\x65\xb2\x53\xe7\xbc\xcb\x64\xc2\xdc\x39\xbf\xed\x64\x59\x06\xae\x68\xbc\x5e\xbc\x3c\xda\x73\xf3\x86\xb4\xb9\x79\x53\xb3\xca\x6c\x73\x5f\x7c\x47\xe4\x76\x29\x25\xd3\x59\x94\x80\xe7\xc1\x76\x33\xe5\x27\x6a\xf7\x5a\x60\x33\x2b\xab\x2d\x8c\x03\x9e\x4f\x98\x0a\x7d\xe8\x12\x29\xbd\x17\x4f\x6e\x50\xe5\xde\x20\xd2\x0b\x51\x8c\x41\x8b\x6e\xb6\xa0\x6e\xe9\x37\x89\xfb\x6f\x4a\x6e\xcb\x8b\x01\x69\x1a\xd1\xeb\x2a\xe9\x51\xa4\x2f\x97\x6e\x01\x8a\xc4\xb5\x85\xbb\xc3\xf4\x2d\xa7\x9e\x55\xd1\xb7\xf2\x4e\x90\x9f\xce\xe2\x34\x36\xb7\x27\xdd\x9c\xe4\x7b\x41\xb3\xbc\xaa\x88\x37\x15\xd3\x16\xac\xdc\x55\xe0\xfc\xab\x97\xef\x90\xda\x85\x9a\x80\xeb\xeb\xc6\xdf\xd0\xaf\x95\x24\xe8\xa3\x6b\x3f\x71\xeb\xd7\x03\xb0\xaf\xcb\xd7\xac\xc6\xaa\x41\x36\x48\xad\x93\x5e\x70\x94\xa2\x93\xf1\xad\x65\x9b\xf5\x59\x51\x51\x1b\x8f\xea\xa0\x39\x0b\x98\x2c\x91\xb1\xa1\xbc\x04\xcb\x1e\x15\x8b\x13\x2e\x8f\xf2\xfe\x46\x66\x7f\x10\x31\x2a\x25\x46\x8f\x07\x32\x48\x10\xa9\x7d\xdf\xad\x6d\xf0\xd6\x1e\xe5\xdb\x19\x29\x58\x02\x27\xea\x26\x06\x82\xa8\x93\x7d\x03\x79\xbb\xcd\x79\x6a\xa1\x3f\xe9\x2f\x79\x3e\x95\x8d\x28\xd8\xe4\x56\x4b\xfd\xd4\x94\x4d\x7e\xba\xdd\xdd\x67\x33\x92\xc6\x77\x2d\x09\x61\xce\xbe\x60\xa3\xd9\xe9\xf9\x6e\x4a\x4c\xa0\x7e\x55\xd3\x1e\x9d\x94\x25\xe0\x01\x71\xab\xa0\x2f\x0a\xef\x4b\x8f\x5e\x43\xec\x62\x32\x7a\x95\x0f\xe2\x92\x42\x7d\x51\x34\x76\xc3\x18\x39\xa5\xd1\x1e\x03\xf7\x94\x9c\xb2\xd8\x34\x3e\xf4\xb9\x82\x68\x79\x71\x90\x34\x4a\x7a\x68\x91\xcd\xdd\xe2\x9f\xae\xf1\x33\x3f\x7f\xb7\x50\x69\xa7\x4e\x80\x6a\x41\x21\xad\xdf\x98\x68\x35\x28\x1f\x48\x68\xf1\x5c\x73\x43\xe1\x30\x7d\x23\x7b\xb5\x0a\x7e\xc6\x76\x4b\x9f\x43\x25\xb6\xe4\x13\x57\xed\xc3\x3d\x24\x7a\x58
\x3e\x28\x57\x35\xfa\xff\xc5\xbe\xbc\x40\x04\x76\xaf\x6c\x5c\xdd\x34\x91\x37\x47\x08\x60\xd1\x59\xa9\x76\xef\x3c\x47\x61\x28\x5e\xbb\x8c\x53\xa7\xef\x56\x9e\xe2\xe7\x10\xd4\x18\x19\xeb\x85\xcb\x3e\x38\xc6\xd6\xcc\xd0\x35\x87\xfb\x08\x28\xf6\x31\xc1\x99\x00\x15\x3a\x6f\x1e\xdb\x81\x2a\x58\xea\xd0\x41\xc6\x3a\x6a\xc6\x28\x38\x06\xd3\xcf\xb6\x9b\x65\x59\x1a\x82\x9b\xab\xa9\x7a\x36\x7c\x9b\x0f\x24\x97\xb4\x4f\x3c\xa8\x5a\x07\x31\xe5\x94\x2b\x57\xec\xf9\xc2\xde\xe0\x1e\xf7\xea\x53\x3f\x8b\xa3\x17\xf7\x4c\x30\xf4\x9b\xd6\x94\x89\x73\x53\x61\x09\x22\x92\x20\x55\x09\xc5\x74\x20\x06\x63\xf7\x71\xcf\x4d\x1d\x48\x4f\xe5\xa9\xc4\xcd\x3b\x0c\xc4\x32\xe9\x25\xb3\x02\xfa\xb0\x57\x4b\x53\x60\x6f\x27\x77\x56\x3d\x67\x94\xfb\x5f\xe4\x87\xd5\xce\x7b\x5b\xea\xb3\x99\xbf\x77\x27\xb6\x7e\xeb\xf9\xb9\xda\xcf\x5c\x56\x78\xec\x98\x21\xa3\x4d\xc0\x30\xd0\x36\xd0\x4d\x70\x25\xed\x5b\x17\x82\x96\x5c\xf2\x62\xbb\xa0\xb3\xde\x34\x97\x4d\x1e\x77\xa6\x3e\x9b\xb5\x2d\xc6\x59\xde\x69\x0e\x47\xb3\x5f\x4b\xbc\xa6\x6f\x8d\x5e\x0a\x27\x1a\x04\xa2\x89\x43\x5f\x5d\xc9\x01\x3c\x06\x52\x63\x3d\xcc\xe4\x10\x2f\xcb\xe4\x7f\xb4\xc5\xeb\x9a\x6e\xaf\xf5\x46\x3c\x73\xc1\x1e\x37\xe8\xdf\x9d\xab\x09\x32\x33\x49\x22\xfe\xd8\x0d\x5e\x3e\xd1\x25\xdd\xe3\x76\x4f\x48\xd4\x96\xf4\xf3\xb4\x9f\x03\x22\xa9\xb9\xb9\x68\xff\x75\xef\xed\xb3\x69\xb4\xb1\xc9\xaf\xc5\xd2\x7e\x68\xd7\x6d\x17\xc2\x16\xc4\xfe\xd8\x2d\xc2\x48\x7a\xab\xc6\x60\xbb\x55\xb2\xee\x17\xd6\x83\x65\xda\x84\x08\xc4\x5a\xf3\x87\x83\xac\x2b\xe5\x47\x72\xbb\xea\x41\xf5\x86\x84\x56\xee\x66\xa2\x7a\x36\xbe\x49\x9a\x5e\x5d\xd3\x39\x6f\x48\x05\xe2\x2a\x2c\xdc\x22\x90\x79\xc2\xa5\x3c\x92\x99\x55\x92\x69\xed\x1c\x51\x22\x13\x54\x4f\x2b\xf3\x31\x38\x8e\x1c\xb8\x5e\x55\x50\x91\x5f\x8f\x27\xa4\x7b\xa9\xfc\x9a\x50\xce\x01\xcd\x2b\x53\xb3\x7f\x35\x79\x66\xf1\xd0\x0b\xd3\x40\xe0\x50\xc9\xd8\x4f\x29\x14\xb8\xab\xd4\x29\x48\x26\xe7\x50\x0b\x0d\xca\xe9\xcd\x4d\x28\x4d\x17\x34\x56\x53\xcc\xb4\x69\xc5\xee\x3a\x31\x05\x8e\xae\x14\xfe\xd7\x55\x85\xcd\xe2\xfd\x71\xb8\x8e\xbf\x51\x73
\x59\x77\x4e\x90\x23\x46\x6e\xa5\xa4\x79\x56\xb8\x22\x56\x71\x79\x2d\xf4\x5b\x9f\x38\xb1\x0a\xb0\x3f\x9e\xde\x1d\xdb\x2e\x15\x7d\x61\xc0\x95\xd9\xb8\x2b\x97\x7c\xc0\x9d\x92\x97\x45\x56\x0f\xe8\x10\x65\x03\xff\x7d\xd2\x28\xdb\x22\xb2\x51\x77\x68\x97\xee\x15\xb1\x80\xb4\xb4\x63\x1f\x85\xec\xf6\xa6\x07\x4e\xfd\x2c\xdf\x40\xa4\x48\xda\xd6\x23\x31\xc2\x7e\xd8\xb3\x37\x7f\xde\x4b\x15\x33\x12\x6a\x4d\xc7\x08\xb7\x72\x02\xf6\xf8\xc0\x15\x96\x6e\xf7\x11\xc4\xc4\x96\xe9\x03\x4c\xf1\x5a\x33\xbc\x99\x8a\x43\x26\x5e\xdf\xe4\x36\x34\x2d\x7e\xb4\x97\x3b\xe8\xab\x0a\xe6\x71\x9a\x1a\xaa\x41\xe0\xd7\x6d\x95\x2b\x06\x80\x8d\xff\x02\xfd\x81\x60\x34\x29\xa3\x6f\xf7\x44\x0e\x0b\x21\x5d\x9e\xbc\x90\x8e\xfc\x14\x5b\x6e\x1b\x7f\xeb\x53\xbd\x5e\x17\x5c\x7d\x1a\x77\x64\xf9\x04\x07\x44\xb8\x1d\xb8\x6f\xd2\x2c\x0a\x38\xa2\xda\xf7\x44\x0b\xbf\xe8\x83\x50\x09\xd4\xae\xbb\xb1\x1a\x0e\x91\x48\xbc\x04\x95\x1f\xc0\x6e\xc1\xc2\xa2\x68\xa0\x5c\xc2\xcc\x76\x79\x1b\x82\x26\x9f\x96\x3d\x3d\x2f\x56\x4a\xe0\x37\x89\x60\x19\x40\xd5\x6f\x28\xe5\xab\x01\x52\xac\xf6\x63\xe4\x81\x19\x52\x09\xef\xc1\xa3\xa1\xb4\x72\x53\x6e\x0a\xcf\x9a\xe3\x83\xb5\x95\x1d\xfb\xb6\xbd\x4d\x1e\xb5\x55\x01\x02\xc3\xd7\xfa\x23\x65\xa3\x6f\xb7\xc5\x94\x9c\xc7\x27\xce\x57\x31\x1d\xec\x52\xa4\xc3\xb9\x1f\x0d\x5e\xc3\x67\x7c\x26\x5d\x58\x35\x53\x5f\x16\x00\x69\x85\xce\x84\x6e\xf1\x2a\x46\xcb\x86\x62\xcf\xf8\x5a\xf2\xff\xd4\xb3\xb3\x50\x85\x70\x5d\x45\xdf\x3e\x8c\x60\xee\x49\x63\x82\x3c\xea\x99\xdd\x55\xc0\xc3\x3d\xa9\xde\x35\x4f\x70\x9f\x2a\x45\x83\x56\x13\x25\xc4\xa5\x95\x4a\x34\xe2\xab\x32\x73\x8c\x2f\x3f\xbf\xb2\x78\x6a\xa5\x78\x28\xef\x30\x91\x12\x2e\x59\x32\x05\x8c\x12\xd5\x0d\x0e\x89\xee\x5d\xc1\xe3\xee\x41\x35\xd3\x8c\x0c\x98\x4d\xaf\x39\x47\x67\x02\x72\x71\x4d\xe8\x93\x57\x20\xc1\xf3\xd3\xdd\x9f\xc5\x75\x29\xa7\x50\x13\xd8\x59\x46\x48\x42\x33\xce\x69\x25\x77\x18\xd3\xcd\x66\x7c\xd0\x88\x6d\x1f\x3c\x25\x7c\xca\xc6\xb4\x8e\xe5\xcd\xc0\x3e\xb6\xc6\xaa\x2a\x78\xd6\x8e\x2a\x9c\x22\x53\x95\x44\x50\x91\x57\x62\xf3\xf2\xfa\xde\x0a\xc7\x85
\x93\xcc\x38\xe5\x5c\xef\x3b\xc0\xbf\xb9\x38\xeb\xd0\xa6\x1c\x73\x9c\x02\x4a\xdd\xaf\x44\x34\x06\xa7\xb6\x02\x63\x60\xa7\xfc\x87\xc2\x74\xa9\xbd\xcd\xb2\xeb\x5c\xf4\x70\xb5\x3f\x7f\xc1\xbd\x4e\xd0\x5c\xea\xa6\x65\x28\xce\xf7\x9e\x9d\xe7\x8d\xa4\x2b\x16\x7c\x82\xcf\x4d\xad\xca\x57\x07\xd0\xa1\x66\xb0\xf4\x1b\x7f\x7e\x34\x21\xa8\xf8\x8f\x6d\x88\xd2\x4c\xfd\x99\x81\xb5\x0b\x6c\x34\x2b\xb4\x9c\xce\x4b\x82\x3f\x3c\xfd\xb1\x7b\xba\x24\xfd\xb1\x60\x1b\xa0\x60\xa4\x79\x2c\x09\x09\xa7\xc7\xce\xbf\x0c\x33\xe8\xff\x27\xfb\x6e\x32\x7c\x88\x77\xfb\x31\xef\xd8\xbb\x0b\x9f\xca\x28\x29\xca\xc2\xc1\x43\xf4\xa5\xbd\x0a\xfb\xa4\x32\x45\x48\xaf\x32\xf0\x5f\x58\x1a\xe2\x64\xc9\xe2\x0d\x0f\x16\x04\xe1\x12\xc6\xe2\xbc\x51\x8b\x78\x09\x7c\x14\x5d\x87\x1a\x3c\x02\x87\x37\x1b\x0c\xf6\xbd\xcf\x17\x26\x63\x71\xc7\x46\x4d\x87\xa5\x5f\x52\xe0\x1e\x29\x78\x66\xd6\xd4\x98\x86\x8a\xc0\x16\x48\x24\x9c\x1e\xdd\x31\x45\x80\xbf\xc3\x58\x34\xb1\x5d\x10\x8d\xdb\xaf\x6c\xa3\x53\x6a\xa4\x31\x61\x01\x9c\x3a\xf0\xb3\x31\xd9\xd0\x71\xeb\x0a\x50\x44\x23\x55\xa2\xa2\xe1\x95\x47\x4e\x13\xb7\x97\x1d\x95\x6a\xd5\x4e\xd5\x90\xb4\x29\xd6\xa1\xec\x7e\x38\xd4\x1a\x27\x53\x6b\xbb\xfa\xda\xd1\xb3\x5f\xc8\xf8\x27\xa9\x2e\x0b\xaf\xfa\xbb\x81\x18\x16\xcf\xb4\xcd\xac\x4b\x98\xc5\xf6\xf7\x1c\xdc\xf3\x06\x49\x53\x6f\x78\x00\xeb\x6b\x7c\xee\x22\x2d\x64\x16\x5e\x0c\xa9\x50\x46\x93\xb6\xd8\x45\x9b\xc3\x27\xe5\xda\x2e\x6f\x38\xa4\xee\x24\x72\xca\x5e\x6c\xaa\x08\x11\xd0\x42\xf8\xfb\x32\xa9\x9b\xd3\x61\x01\xcf\x19\xac\xce\xee\xd7\x3b\x44\xe3\xde\xb2\x23\xcf\x28\x2e\xcd\x4c\x43\x9f\x55\xf5\xc2\x74\xe2\xc7\x56\xc6\x7c\x23\xc0\x0e\xf7\xbf\xfa\x4b\x60\x12\xa1\x33\x4d\x0c\x97\xf8\x16\xa6\x12\x3c\xbc\xb7\x7a\xce\x8e\x7b\xe0\x51\x52\x69\x24\x86\x22\x02\x8b\x7a\x9c\x0e\x49\xf1\xc8\xdd\xe8\x66\xd3\xbb\x0c\x53\xdb\x9c\x67\xb1\x0b\x20\xd4\xbb\x26\x3f\x2c\x5a\x01\x85\xba\xcc\xfa\x7b\x8f\xe8\x25\x65\x70\x78\xfa\xba\xb0\x03\xb9\x31\x8a\x84\xf7\x65\xda\xaf\xc3\x7f\x49\x6e\xfb\xbc\xe9\xfa\x5d\x2c\x1f\x0a\x4b\x2a\xd0\xcf\x92\x69\x61\x84\x40\x71\x3b
\xc3\xd9\x29\x85\xff\xbd\x6c\xc1\x9a\xfc\x86\x70\x30\x44\x37\x0e\xab\xc4\xde\x11\xf3\xbc\xbf\xb2\x21\xdd\xdc\x51\xbb\xa3\x52\xdc\x28\xfd\x49\xc0\x84\x04\x7f\xb0\xed\x8b\x97\x42\xa9\x6e\x53\xef\x4c\xcb\x94\xce\x4c\xad\x74\x6e\x9c\xae\xee\xc8\x43\xf7\x2b\x77\x9c\xc5\x8d\x25\xfe\x93\x1c\x1a\xf8\xa7\x95\xe1\x95\x68\x5c\x92\x18\x58\x03\xad\xbe\xc6\x06\x6c\xdd\xd8\x7e\x0b\x9a\x53\x80\xaf\xcd\x80\x79\x8f\x58\x08\x59\xea\xb3\x17\xcb\x27\x83\x11\x2a\xf7\xb3\x62\xa5\x9a\xe7\xa8\x24\x74\x94\x40\xe6\x66\x61\xb7\x88\xb8\x56\x05\x49\xa0\xb1\x35\x0d\xfb\x7a\x5e\x88\x92\x8d\x55\x8c\xbc\x8a\x26\xa0\xd7\x4e\x67\x63\x4e\xe9\xec\x1c\x1c\xa0\x8a\xfc\x5b\xeb\x43\xda\x65\xf4\xae\x0a\xc7\xeb\x25\x74\x42\xc9\x99\x0e\xdc\xf9\x3b\x1d\xad\xfe\xa9\x0b\xc2\x92\xbb\xf1\xd8\x23\xc6\x1e\xe9\x69\x24\x9f\x67\xbe\x07\xd7\x0d\xf8\xaf\xc7\xc3\xe5\xbf\x14\x5f\x28\xa2\xd0\x6c\x88\x0e\xff\x9a\x18\x11\x27\xc1\x34\x60\xa0\x6b\x36\x64\xa9\x4c\x88\x8b\x07\xaf\x77\xe8\x4d\x60\xde\xab\x76\x42\x28\xff\xea\x21\x63\x3f\x02\x04\xa5\xd7\xec\x4a\x0b\x30\x3f\xb0\x8f\xb7\x67\x28\xc4\x3d\x90\x73\x80\x01\x83\xc8\xb9\x9e\x22\xd6\x05\xa5\xe6\x39\x9c\x04\x9f\x7f\x88\x7c\xb9\xd7\xfb\xa9\x4d\xb3\x23\x08\x4b\xf9\x4d\xf5\x44\xf6\xce\x2d\xd4\x9a\x21\xd2\xca\xb5\x4d\xf0\x43\x97\x48\x2a\x64\xd2\x90\x0b\xb4\x0f\xa8\x7f\x42\xec\x75\xd6\x8b\xab\x17\x71\x4a\x93\x4b\xcd\xf3\x6f\x87\x07\x4f\x60\x28\xf9\xd6\x1a\x00\xad\xff\xc0\x6d\x62\x4b\xc6\x42\x97\x05\x96\x82\xcc\x8a\xdc\x7e\x2f\xb2\x10\xbd\x22\xfb\xd4\xad\x3d\x35\x15\xf7\x1b\x93\x31\x26\x75\x9e\xc4\xc0\x01\xed\x5c\xdb\xac\xe7\xcc\xe4\x31\x9b\x7a\xb5\x0f\xfc\x8f\x2f\x8f\x1b\xb8\x1a\xc0\x7f\x81\xdf\xff\x33\x54\x50\xac\xf0\x8e\x13\x91\x2d\x3c\x5f\x3a\xa1\x25\x81\x81\x1e\xbd\xb4\x41\x6e\xad\xa2\x59\x65\x1c\x07\x0b\x06\xea\x7e\x18\xa8\xf0\xc4\x00\x57\x5a\x0e\x7f\xdc\x4c\x88\x64\x5d\x35\xc2\xd3\x6a\x8c\xe6\xa2\x97\x2f\x35\x5d\x1a\x5d\x83\x2c\xd7\xef\x2c\x61\x1f\xd1\x10\x59\xda\x39\x0e\xc8\xc8\x74\x91\xd4\x96\x4f\xa4\x0b\x80\x83\x90\x57\x36\x2e\x67\x64\x55\xc7\x17\x2a\x23\x15\x4e\xfe\xba\x6f
\xc9\xab\x4c\x15\xa7\x37\xe2\x99\xc1\xf1\x4d\xaa\x8f\x34\x97\xe3\x37\x0a\x52\x3e\xc1\x5c\x52\xba\xd9\x87\x10\x90\x03\xf8\xdc\xee\x4a\xc6\xc9\x0b\x0f\x8e\x4b\x74\x91\x97\x87\x88\xa9\xc1\xb2\x3a\x14\x39\x6b\x50\x8a\xa9\x51\x75\xfe\x3b\xd6\xa8\xb4\xa9\xc2\x17\xf4\xc9\x84\x2c\x1c\x33\x9d\x4d\x95\xdb\x83\xce\x6e\x7e\x7a\xc8\x8e\xae\x04\x13\x96\x10\x55\x22\x0b\x65\x69\x3d\x49\xa2\xf6\x96\xf6\x41\x42\x19\x25\xb4\x2f\x77\xb0\xf9\x43\x12\x39\x52\x7f\xd6\xd8\x6d\x6f\x9a\xbd\xf3\xd2\x7c\x0a\x79\xa6\xb0\x5a\x61\xdd\x7d\x99\x3d\xe2\xd4\xee\x99\x73\xb7\x78\xff\x19\x5d\x12\x40\xdb\x18\x36\xa5\x25\x8b\x4f\x57\x44\x97\xca\x2f\x9b\x34\x97\x78\x00\xe7\x28\x29\x7d\x98\x3e\x1e\x58\x5f\xaf\x45\x38\x1b\x47\x6d\x25\x31\xe8\x6c\xc6\xe8\x35\xa9\x72\xc3\xa5\xbb\xcc\xba\x7d\x85\x2e\xdc\x83\xbb\xad\x4c\x85\x20\x64\x00\x70\x87\xbb\xd3\x6b\xf8\xa8\x00\xf9\x1e\xea\x0a\x72\xd9\xa7\x5f\x5d\xb3\x5b\x10\x98\x68\x6d\x51\x34\x0a\x17\x2c\x70\x1b\xc4\x7b\x14\x0c\xe5\x2e\xf4\x75\x02\xd0\x07\x1e\x54\x55\x97\x97\x5a\x55\xca\x1e\x91\x21\x76\x45\xe3\xcf\xeb\xf4\xa6\x20\x1a\x84\x81\xf6\x51\x13\x86\x0f\x59\x28\x63\xaf\x1d\xd4\x73\x38\x3b\x1b\x79\xab\x32\xcf\xcd\x46\xe6\xac\xe2\x95\x8d\x42\xcc\xe5\xf9\xb2\x34\x76\x81\xf7\x70\x7a\xb4\xa3\x5f\x9a\xf5\x21\xd4\xc1\xba\xd7\x51\x30\x33\xa5\xf7\xaf\x2b\x7a\x2d\x3a\x49\x14\xd3\x84\x62\xb1\x6b\x85\xd6\x9f\xa6\x0c\x0c\x5e\xf5\x4b\xa2\xfb\x78\xfb\x15\x6a\x94\x7c\xf8\x0b\x1d\xac\xcd\x58\x9f\xdd\x07\x91\xb3\xa9\xeb\x83\x5b\x61\x53\x4a\x16\xf8\xf4\xb1\xca\xbb\xd3\x86\xb4\xc2\x1b\xa9\x7d\xe9\x16\xd2\xcf\x48\xb7\x20\x8c\x1b\xda\x77\xec\xf8\x16\x77\xcb\xce\x25\x58\x2c\xca\xb9\xa6\x5a\x2b\x73\xdd\x34\xb0\x02\xc2\x34\x94\x8a\x42\xb5\x66\x4d\x56\xd8\x24\x42\x9a\x78\xb6\x97\x03\x67\xec\x17\x0d\x1b\x11\x0b\x22\x23\x17\x58\x72\xbd\xc8\x66\x31\x8d\xe0\x66\xfe\xa5\x60\x15\x1d\x88\x25\xde\xe8\x2d\x34\x4b\x81\x6f\xb5\x5a\xaa\x52\x4e\x86\x08\x62\xac\x0c\x36\xcb\x6b\x6e\x81\xf4\x12\x3d\xa5\x9c\xb3\xef\xfe\x29\xce\x76\x98\xe2\xaa\x0c\x60\x36\x82\x0c\x45\x7f\x40\x42\x33\xe3\x22\x61\x31\x9a\x46
\xbc\x8b\xd3\xde\x3c\x94\x8d\xc5\x2e\x27\xca\x52\x7d\xf7\xad\x68\xe6\xc4\xd4\xba\x8f\x6b\x43\x13\xa2\x94\x02\x98\x10\x59\xa1\x48\x79\x7f\xa0\x88\x02\x57\xfe\x04\x27\x01\x19\x28\xaf\x75\x2f\x81\xb8\x18\x68\x02\x10\x8f\x05\x90\x19\x50\x39\xc8\x38\x25\x72\x02\x42\x14\x10\xb8\xa3\x59\xe6\x9d\xdc\xd4\x74\x70\xf4\xd0\x5a\xe2\x89\x83\x4b\xe3\x04\xca\xf4\x9b\xbb\xac\xfd\xbe\x92\x7f\x42\x3b\xe9\xb8\x78\x82\xb0\xfa\xb4\xf5\x0b\xc7\xcd\xbf\xf6\xef\x10\x1f\x33\xf7\x03\x55\x6d\x45\xb6\xac\xe1\x64\x3c\xd7\xe7\x5a\xcf\x74\x06\x3e\x3e\x34\xe9\x63\xdb\x19\xf0\xd1\x9f\x14\x82\x9c\x91\xc4\x50\x66\x1d\x0e\x80\x9d\x5b\x79\x09\x69\x5b\xa1\x54\x46\xc8\x76\xa1\x67\xec\xca\x09\xfc\x00\xe1\x73\x7c\xbd\x4e\xf4\xf7\x0a\x50\xe3\xa0\x0f\xc9\x6f\x0e\x10\x23\xe5\xc8\x1e\x67\xd2\x47\xae\x0e\xc7\xec\x26\x72\x52\x80\x4a\x65\xb3\x01\xb9\x1a\x59\x9b\x8c\xe3\x7d\x95\xa9\x3d\xd9\xa9\x11\xdf\xb3\x95\xf3\x61\x92\x4e\x82\xea\x28\x1e\xfd\x7a\x2e\x01\x5a\xad\xaf\x64\x85\xfc\xea\xee\x0a\xb9\x05\xe1\x39\x6c\x12\x56\x03\xaf\xf4\xca\x16\x5f\x74\x9c\x23\x31\x02\x50\xf8\x00\xb2\xa8\x79\x17\xb9\x42\x1b\x0b\x4c\xde\xc9\xd8\x64\x14\xeb\x82\x23\x74\xb0\xd4\x32\x53\x58\xb2\xbf\x43\xe0\xe3\x12\x58\x88\x79\x76\x5c\x25\xc0\x98\xd1\x71\x86\x53\xbe\xa5\x27\x68\xdd\x7f\x10\x0f\xbd\x2b\x6a\xfc\xcf\x02\x13\x46\x9a\x7f\xa2\x5b\x5f\x77\xc6\xb5\x6c\xa0\x9d\xf8\x86\xa1\x6e\xd2\x4f\x51\xe2\x1d\x07\x8f\x25\xc4\x88\x87\xda\x12\xde\xa5\x7c\x8f\x48\x25\xf2\x7a\xe3\xd9\x16\x01\x96\xeb\x6b\xe0\x9f\x7b\xe8\xb2\x39\xa0\x5d\xbf\x6a\xae\xca\x96\x37\x09\x0d\x1e\x6f\x76\xeb\x93\x69\x27\x4c\x3a\xad\xa3\x36\x24\x3b\x8b\x9c\x59\xc3\xf9\xc9\x1a\xb4\x3f\xc9\x27\x3b\xb5\xbf\x2b\x59\xde\x8f\xbc\x50\x6c\x94\x36\x56\x5e\x4c\x9b\xa2\x96\x50\xb3\x78\x4d\x87\xf3\x37\xa4\xa4\xb5\x28\xca\x2a\x28\x0c\xed\xc3\x69\xb0\x09\x0c\x3f\x69\xc7\x60\x4a\x6d\xf3\x1f\xba\x78\x1c\x07\xd5\x8d\xba\xdd\x7c\x85\xa6\x26\xf8\x85\xf0\x9a\x91\x22\x4e\x79\xbd\x68\x79\x3f\x16\x7e\xbd\x8d\xa1\x0e\x5d\xa7\x8c\xfa\x7e\xbf\x10\xa8\xf2\xc9\x00\x3f\xb1\xcd\xd8\x7e\x46\x98\x61\xf3\xed\x23
\xd2\x5b\xcb\x14\x53\x0a\x8f\xf8\xd9\x1e\x9e\x0c\x7c\x39\x76\xc3\xaf\xc7\xbd\x50\x05\xcc\xef\x59\xfa\xec\x52\xba\x35\x69\x3d\x0f\x0d\xce\xba\x84\x3a\xdd\x5a\x74\x7e\x0a\xa7\x2f\x09\xf2\xf4\x52\x81\xc9\xd4\xc6\xf1\xbb\x78\x37\x9a\xec\x78\x2c\x64\x81\x0d\xe3\x23\xc8\xab\xac\xc9\xfb\x7e\x7d\xbc\x1e\x29\x13\xa8\x5d\xf0\xbd\xb6\xac\x70\x1a\x68\x26\x9e\x79\xab\x28\x45\x8c\x02\x91\xe1\x84\x0b\x34\xac\xe2\xd0\xdc\xa9\x02\x9f\x6d\x95\x0e\x6e\xf1\xe5\xcb\xb9\x52\x4d\xb5\x01\xdc\x30\x22\x73\x3c\xb1\x0b\xb7\x4e\x9e\x69\x82\x45\xa9\x8d\xff\xe2\x37\x8c\x42\x54\x81\x19\xdd\x60\xf2\xb0\x21\x95\x3b\x30\x0f\x38\x97\x26\x61\xc3\xeb\xdf\x64\xa3\xaf\xb3\xc6\x29\xcc\xa5\xec\x93\x8c\x31\xee\x8c\xb6\x82\xdd\x38\xf3\x58\x18\x12\xf7\xba\x64\x31\xc1\x60\x65\x90\x39\xe7\xcf\xe7\x85\x9b\x1a\xa8\x13\x08\x33\xf1\xf6\x37\x24\xf8\x63\xb3\xe2\xa1\x8f\x9e\xbd\x1e\xa6\x14\xd3\x0d\x28\xbd\x4f\x5b\x8c\x26\x17\xbe\xcd\x8a\x4d\x8b\x3a\x9b\x42\xb8\x5d\x8e\x80\xc8\xfa\xf7\xd9\xcf\x56\x37\xdd\x98\x82\x6a\x10\xb6\x92\x40\x29\x33\xd2\xae\x0e\xa9\x08\xff\x5d\x6c\x22\xfc\x33\x5b\xe0\x06\x14\xa0\xf5\xe7\x00\x4e\xbe\xf7\x1f\xd2\x3d\x3f\x90\x11\x59\x84\xf0\xe4\x6e\x82\xac\x8b\x03\xe5\xd2\xbf\xea\xa2\x19\x23\x33\xc1\xa0\xa9\xfb\x19\xa7\x5b\xdc\x8f\x90\x58\x33\x6e\x86\xf3\xf7\xb3\x0f\x0b\xed\x24\xc4\xb2\x30\xcd\xfc\x92\xa9\x88\x5b\xe5\x1c\x0b\x85\x1c\xd7\xa0\x4a\x62\xfb\x3c\xe4\x7e\x76\x5a\x11\x4e\xf7\x68\x6b\xc7\xd8\x2e\xf5\xe1\xca\x02\x14\xb9\x5b\x64\xe5\x7f\x85\x12\x15\xce\x5a\x47\xdd\xfb\x91\x93\x2c\x85\x4c\x65\x25\xeb\xe7\xf6\xe1\x68\x45\xfa\x22\x5a\x74\x09\x3f\x6a\x26\x80\x08\x5a\x8f\xef\x66\x54\x1f\xc3\x64\x3f\xc8\x14\xc5\xa8\x06\x41\x5f\x70\x68\x8a\x4b\xe7\x7b\xea\xf7\x5d\x71\x02\x6e\x4d\xff\x38\x00\x12\x4b\xde\xc0\xe0\x65\x46\x3e\xdc\x69\x64\x1f\x67\xc7\xc4\x2b\x8e\x02\x5f\x81\x40\x6f\xd4\x89\x6d\x5d\xb8\xe1\x9f\xec\x09\x98\x09\xad\x50\xa9\x8a\x83\xb3\xca\xa8\xfd\x87\x31\x05\x14\xf4\xa7\xaf\xd9\xa9\x70\xc4\x56\x23\x1d\x91\x6b\x26\xd5\xc6\x2b\xc4\x83\x4a\xf9\xbc\x27\x77\xa7\xc7\xd3\xbb\xf5\xf2\xc6\xd8\x28\x93
\x5f\x3b\x82\x77\x43\xc0\x92\x22\x32\x8e\x8e\x82\x91\xbb\x28\x3e\xba\x7d\x4b\xc8\x97\x87\x7f\x6e\x50\xa5\xfa\xbc\x77\xab\xf3\x15\x34\xd7\x00\x96\x2e\xde\xcb\x1d\xf4\xee\x12\x28\xa7\x29\xdf\x7d\xa8\x57\x71\xa3\xf1\xe3\x04\x29\xfa\xc9\x93\xd9\x73\x8d\x9d\x67\x28\xbf\x49\x2b\x47\x91\x43\x8c\x3c\xf6\xd5\x9a\xf8\x09\x97\x4a\xec\x44\x80\x98\xc2\x6c\xb3\x79\x1e\x43\x72\x40\x76\xef\x5c\xa9\xc7\x0c\xb3\xf5\x8a\xcc\xb5\x39\x94\x37\x86\xce\x98\xb0\x92\xc9\x65\xa1\x47\xd1\x87\x0a\xd4\x54\x68\x6b\xa5\x79\xc9\xd1\x0a\x61\x31\xd4\xd9\x80\xff\x68\x89\x8f\xb1\x1a\x0a\x9f\x61\xe6\x0a\x86\x42\x7f\x60\x66\x00\x88\x98\x4e\xed\x16\xac\xf6\xd3\x14\x30\x18\x3b\x81\x91\x2a\xdc\xde\x80\x84\x45\x71\x22\xec\xdd\x70\x54\xcf\x3d\xdd\xee\x25\xa9\x75\xfb\x24\x48\xe7\x1a\x27\xae\xdf\x68\x68\x5e\x9e\x8b\xf6\x07\x05\x6d\x68\xd7\x20\x60\x75\x99\xcb\x49\x97\xa1\xd5\x91\xa1\xcc\x17\x4e\xdd\xc6\x6f\x39\x16\x0a\x2e\x55\xee\xe6\xc8\x2b\x21\x8c\x5b\x96\x3a\x02\x68\x11\x7f\xcc\xda\x93\x14\xd7\xde\x3b\x1b\xfd\xf1\xde\x33\x83\x10\x41\x8d\xbb\x11\xf7\x3b\xfc\x1a\x70\x5a\x7f\x12\x56\x0c\x6a\x83\x6e\xbc\x1c\x92\x7d\x14\x27\xeb\x6d\x71\x04\xf9\x42\x70\x5a\x25\xe7\xa7\x94\x88\x76\x8c\x70\x7c\xdd\xb0\x59\xd0\x6f\x4f\x55\xd6\x41\x14\x65\x8b\xb3\x27\x07\x2a\x0f\x24\x8f\x91\x91\xae\xbf\x83\x8c\xcf\x46\x4e\x3d\xb3\x8b\xd0\x15\xc1\xfe\x7e\x0a\x1c\xe8\xc8\x54\xe0\x64\xad\x28\xdf\x20\x85\x4e\xca\xf4\x42\x88\x1d\x5b\x92\x2d\xb3\x32\x7a\x73\xa8\x00\x7f\x84\xaa\xcb\x94\x1b\xc1\x23\x27\x42\xd0\xad\x98\xeb\x8f\x05\xa8\x12\xc7\x95\x7f\xb4\xb6\x88\x52\x2e\xa6\xa1\xd5\xef\x22\xda\xbf\x25\x37\xb5\xf6\x8d\x81\xe0\x6b\x51\x78\x39\xb4\x74\x23\x85\x64\x96\x79\x29\xfa\x82\x31\xeb\x8e\xaa\x9b\xf7\x95\x54\x91\x79\x39\x33\x6f\x71\xed\xad\x5c\x01\x1d\xe4\xa9\x88\x7c\x9d\x8b\xfe\x58\x8c\x17\x47\xb4\x7e\xca\xe6\x41\xae\x07\x6a\x53\xcb\x66\x1d\x34\x46\x59\xed\x82\xa4\xf1\x06\x12\xea\x2e\xe0\x0a\x44\x4d\xe7\xe4\xb1\xa0\xc5\x61\x4d\x4a\x63\x69\xb4\x8c\xfa\xe5\x31\x6e\x83\x89\xcb\x72\x0a\x11\x11\x71\x38\x3a\x78\x79\x80\x31\xaf\x5e\x49\x76\xb8\x91
\x75\xac\x1e\xfa\x79\xca\x7d\xd7\x28\xd2\x1c\xf2\x85\x3f\x69\x87\x03\x79\xdc\xd6\x91\xf4\x12\xb0\xda\xbb\x49\xf7\x4d\x48\xf9\x31\x3b\xe4\x58\x95\xe8\xd4\xe7\x8e\x23\xe3\x57\xa9\xa2\x29\x4b\xef\xb1\x73\xce\xcc\xdd\xb7\xde\xc8\x47\x81\x92\x0e\x95\x1e\xcc\x86\x3b\xdc\x84\x3a\xf7\x53\x5e\x72\x1a\x7a\x7f\x5b\xd6\xe0\xd3\x7f\xe9\xe5\xb5\xaf\x3f\x2a\xaa\x62\x96\x71\x12\xc0\xfe\x84\x8d\x3c\x38\xa6\x46\xde\xd7\xde\xba\x1a\xb9\x8d\x40\x88\x1b\xa2\xfc\x91\x8a\x86\x64\xbb\xab\xea\x14\xbe\x6f\x5b\xb9\x2e\x25\x4c\x47\x1b\x32\x4a\x02\x6c\x66\x1d\xe4\xb9\x7b\xa0\xae\x1f\x67\x06\x3f\x41\xa5\x61\x9d\xa8\xa4\x9a\x7a\xd6\xcf\x81\x53\x97\x7a\x4c\x63\x17\x1b\xba\x20\x88\x4b\x73\x44\xc4\x05\xd6\x1b\x9c\xe3\xce\x90\xdd\x0b\x6d\x86\xbe\x27\xc0\x28\xa2\xa4\x8f\xe0\x40\xd6\xf9\xd2\xf5\xdc\x24\x66\xcb\x9f\x74\x5e\x5a\x98\xe5\x26\x64\x98\xb1\x4d\x16\xe3\xfc\xee\x12\x02\x6c\x0f\x46\xb7\xfd\x1d\x30\x07\x65\x05\xcd\x64\xc1\xd6\x0c\x5c\xac\x8c\xb4\x00\xea\x6b\x75\x22\xc1\x65\xb0\x09\x4f\xf0\xff\x65\x6d\x08\x16\x73\x05\x6b\x73\xee\xe3\xef\xcb\xfb\xa2\x60\xff\x87\xe4\x30\x4c\x8e\xb1\x4a\xea\xdf\xda\xa0\x95\x70\xf6\x30\x64\x6c", 8192); *(uint64_t*)0x200000006c80 = 0x2000000036c0; *(uint32_t*)0x2000000036c0 = 0x50; *(uint32_t*)0x2000000036c4 = 0; *(uint64_t*)0x2000000036c8 = 8; *(uint32_t*)0x2000000036d0 = 7; *(uint32_t*)0x2000000036d4 = 0x2d; *(uint32_t*)0x2000000036d8 = 7; *(uint32_t*)0x2000000036dc = 0x8000008; *(uint16_t*)0x2000000036e0 = 7; *(uint16_t*)0x2000000036e2 = 0xfc00; *(uint32_t*)0x2000000036e4 = 0x3ff; *(uint32_t*)0x2000000036e8 = 0x59; *(uint16_t*)0x2000000036ec = 0; *(uint16_t*)0x2000000036ee = 0; *(uint32_t*)0x2000000036f0 = 0xe0; *(uint32_t*)0x2000000036f4 = 0x10000; memset((void*)0x2000000036f8, 0, 24); *(uint64_t*)0x200000006c88 = 0x200000003740; *(uint32_t*)0x200000003740 = 0x18; *(uint32_t*)0x200000003744 = 0; *(uint64_t*)0x200000003748 = 6; *(uint64_t*)0x200000003750 = 0x80000001; *(uint64_t*)0x200000006c90 = 0x200000003780; *(uint32_t*)0x200000003780 = 0x18; 
*(uint32_t*)0x200000003784 = 0; *(uint64_t*)0x200000003788 = 4; *(uint64_t*)0x200000003790 = 2; *(uint64_t*)0x200000006c98 = 0x2000000037c0; *(uint32_t*)0x2000000037c0 = 0x18; *(uint32_t*)0x2000000037c4 = 0xffffffda; *(uint64_t*)0x2000000037c8 = 0x37; *(uint32_t*)0x2000000037d0 = 0; *(uint32_t*)0x2000000037d4 = 0; *(uint64_t*)0x200000006ca0 = 0x200000003800; *(uint32_t*)0x200000003800 = 0x18; *(uint32_t*)0x200000003804 = 0; *(uint64_t*)0x200000003808 = 1; *(uint32_t*)0x200000003810 = 0xff; *(uint32_t*)0x200000003814 = 0; *(uint64_t*)0x200000006ca8 = 0x200000003840; *(uint32_t*)0x200000003840 = 0x28; *(uint32_t*)0x200000003844 = 0x26; *(uint64_t*)0x200000003848 = 0x7fffffffffffffff; *(uint64_t*)0x200000003850 = 0x7a; *(uint64_t*)0x200000003858 = 8; *(uint32_t*)0x200000003860 = 0; *(uint32_t*)0x200000003864 = 0; *(uint64_t*)0x200000006cb0 = 0x200000003880; *(uint32_t*)0x200000003880 = 0x60; *(uint32_t*)0x200000003884 = 0xfffffff5; *(uint64_t*)0x200000003888 = 1; *(uint64_t*)0x200000003890 = 0x81; *(uint64_t*)0x200000003898 = 6; *(uint64_t*)0x2000000038a0 = 0x3ff; *(uint64_t*)0x2000000038a8 = 2; *(uint64_t*)0x2000000038b0 = 4; *(uint32_t*)0x2000000038b8 = 4; *(uint32_t*)0x2000000038bc = 8; *(uint32_t*)0x2000000038c0 = 2; *(uint32_t*)0x2000000038c4 = 0; memset((void*)0x2000000038c8, 0, 24); *(uint64_t*)0x200000006cb8 = 0x200000003900; *(uint32_t*)0x200000003900 = 0x18; *(uint32_t*)0x200000003904 = 0; *(uint64_t*)0x200000003908 = 0; *(uint32_t*)0x200000003910 = 0xb; *(uint32_t*)0x200000003914 = 0; *(uint64_t*)0x200000006cc0 = 0x200000003940; *(uint32_t*)0x200000003940 = 0x12; *(uint32_t*)0x200000003944 = 0xaeab5fde; *(uint64_t*)0x200000003948 = 9; memcpy((void*)0x200000003950, "^\000", 2); *(uint64_t*)0x200000006cc8 = 0x200000003980; *(uint32_t*)0x200000003980 = 0x20; *(uint32_t*)0x200000003984 = 0; *(uint64_t*)0x200000003988 = 0; *(uint64_t*)0x200000003990 = 0; *(uint32_t*)0x200000003998 = 2; *(uint32_t*)0x20000000399c = 0; *(uint64_t*)0x200000006cd0 = 0x2000000039c0; 
*(uint32_t*)0x2000000039c0 = 0x78; *(uint32_t*)0x2000000039c4 = 0; *(uint64_t*)0x2000000039c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000039d0 = 3; *(uint32_t*)0x2000000039d8 = 0x67; *(uint32_t*)0x2000000039dc = 0; *(uint64_t*)0x2000000039e0 = 3; *(uint64_t*)0x2000000039e8 = 2; *(uint64_t*)0x2000000039f0 = 5; *(uint64_t*)0x2000000039f8 = 2; *(uint64_t*)0x200000003a00 = 0; *(uint64_t*)0x200000003a08 = 0x5b; *(uint32_t*)0x200000003a10 = 0x200; *(uint32_t*)0x200000003a14 = 6; *(uint32_t*)0x200000003a18 = 0xf0b7; *(uint32_t*)0x200000003a1c = 0x1000; *(uint32_t*)0x200000003a20 = 1; *(uint32_t*)0x200000003a24 = -1; *(uint32_t*)0x200000003a28 = -1; *(uint32_t*)0x200000003a2c = 4; *(uint32_t*)0x200000003a30 = 6; *(uint32_t*)0x200000003a34 = 0; *(uint64_t*)0x200000006cd8 = 0x200000004b00; *(uint32_t*)0x200000004b00 = 0x90; *(uint32_t*)0x200000004b04 = 0; *(uint64_t*)0x200000004b08 = 7; *(uint64_t*)0x200000004b10 = 1; *(uint64_t*)0x200000004b18 = 3; *(uint64_t*)0x200000004b20 = 0x10000; *(uint64_t*)0x200000004b28 = 0x200; *(uint32_t*)0x200000004b30 = 8; *(uint32_t*)0x200000004b34 = 0xa87; *(uint64_t*)0x200000004b38 = 4; *(uint64_t*)0x200000004b40 = 1; *(uint64_t*)0x200000004b48 = 7; *(uint64_t*)0x200000004b50 = 1; *(uint64_t*)0x200000004b58 = 0xfffffffffffffffd; *(uint64_t*)0x200000004b60 = 4; *(uint32_t*)0x200000004b68 = 9; *(uint32_t*)0x200000004b6c = 0xffff; *(uint32_t*)0x200000004b70 = 0x10000000; *(uint32_t*)0x200000004b74 = 0; *(uint32_t*)0x200000004b78 = 0xf40; *(uint32_t*)0x200000004b7c = 0; *(uint32_t*)0x200000004b80 = r[10]; *(uint32_t*)0x200000004b84 = 0x8001; *(uint32_t*)0x200000004b88 = 9; *(uint32_t*)0x200000004b8c = 0; *(uint64_t*)0x200000006ce0 = 0x200000004bc0; *(uint32_t*)0x200000004bc0 = 0x48; *(uint32_t*)0x200000004bc4 = 0; *(uint64_t*)0x200000004bc8 = 0x5c; *(uint64_t*)0x200000004bd0 = 1; *(uint64_t*)0x200000004bd8 = 4; *(uint32_t*)0x200000004be0 = 6; *(uint32_t*)0x200000004be4 = 8; memset((void*)0x200000004be8, 255, 6); *(uint64_t*)0x200000004bf0 = 1; 
*(uint64_t*)0x200000004bf8 = 8; *(uint32_t*)0x200000004c00 = 0; *(uint32_t*)0x200000004c04 = 0xb; *(uint64_t*)0x200000006ce8 = 0x200000006500; *(uint32_t*)0x200000006500 = 0x478; *(uint32_t*)0x200000006504 = 0; *(uint64_t*)0x200000006508 = 2; *(uint64_t*)0x200000006510 = 1; *(uint64_t*)0x200000006518 = 1; *(uint64_t*)0x200000006520 = 0xf; *(uint64_t*)0x200000006528 = 9; *(uint32_t*)0x200000006530 = 0x7fffffff; *(uint32_t*)0x200000006534 = 0x3ff; *(uint64_t*)0x200000006538 = 5; *(uint64_t*)0x200000006540 = 0xb3fc; *(uint64_t*)0x200000006548 = 3; *(uint64_t*)0x200000006550 = 0xa2d9; *(uint64_t*)0x200000006558 = 3; *(uint64_t*)0x200000006560 = 0x80000000; *(uint32_t*)0x200000006568 = 4; *(uint32_t*)0x20000000656c = 5; *(uint32_t*)0x200000006570 = 2; *(uint32_t*)0x200000006574 = 0x6000; *(uint32_t*)0x200000006578 = 0xfff; *(uint32_t*)0x20000000657c = -1; *(uint32_t*)0x200000006580 = 0xee01; *(uint32_t*)0x200000006584 = 5; *(uint32_t*)0x200000006588 = 6; *(uint32_t*)0x20000000658c = 0; *(uint64_t*)0x200000006590 = 5; *(uint64_t*)0x200000006598 = 9; *(uint32_t*)0x2000000065a0 = 6; *(uint32_t*)0x2000000065a4 = 6; memcpy((void*)0x2000000065a8, "wlan1\000", 6); *(uint64_t*)0x2000000065b0 = 3; *(uint64_t*)0x2000000065b8 = 1; *(uint64_t*)0x2000000065c0 = 4; *(uint64_t*)0x2000000065c8 = 0xf; *(uint32_t*)0x2000000065d0 = 1; *(uint32_t*)0x2000000065d4 = 5; *(uint64_t*)0x2000000065d8 = 4; *(uint64_t*)0x2000000065e0 = 0xffc; *(uint64_t*)0x2000000065e8 = 2; *(uint64_t*)0x2000000065f0 = 0xffffffffffffdbca; *(uint64_t*)0x2000000065f8 = 0x35; *(uint64_t*)0x200000006600 = 0x5fa; *(uint32_t*)0x200000006608 = 8; *(uint32_t*)0x20000000660c = 5; *(uint32_t*)0x200000006610 = 0x16d; *(uint32_t*)0x200000006614 = 0x6000; *(uint32_t*)0x200000006618 = 0x8000; *(uint32_t*)0x20000000661c = r[11]; *(uint32_t*)0x200000006620 = 0xee00; *(uint32_t*)0x200000006624 = 8; *(uint32_t*)0x200000006628 = 2; *(uint32_t*)0x20000000662c = 0; *(uint64_t*)0x200000006630 = 2; *(uint64_t*)0x200000006638 = 0x3e8; 
*(uint32_t*)0x200000006640 = 0x16; *(uint32_t*)0x200000006644 = 5; memcpy((void*)0x200000006648, "bpf_lsm_path_truncate\000", 22); *(uint64_t*)0x200000006660 = 6; *(uint64_t*)0x200000006668 = 3; *(uint64_t*)0x200000006670 = 0xcff0; *(uint64_t*)0x200000006678 = 0xfffffffffffffbff; *(uint32_t*)0x200000006680 = 3; *(uint32_t*)0x200000006684 = 3; *(uint64_t*)0x200000006688 = 5; *(uint64_t*)0x200000006690 = 4; *(uint64_t*)0x200000006698 = 8; *(uint64_t*)0x2000000066a0 = 9; *(uint64_t*)0x2000000066a8 = 0x10; *(uint64_t*)0x2000000066b0 = 5; *(uint32_t*)0x2000000066b8 = 0x91; *(uint32_t*)0x2000000066bc = 0xfff; *(uint32_t*)0x2000000066c0 = 0xfffffffd; *(uint32_t*)0x2000000066c4 = 0xc000; *(uint32_t*)0x2000000066c8 = 3; *(uint32_t*)0x2000000066cc = r[12]; *(uint32_t*)0x2000000066d0 = 0xee00; *(uint32_t*)0x2000000066d4 = 0x80; *(uint32_t*)0x2000000066d8 = 0x40; *(uint32_t*)0x2000000066dc = 0; *(uint64_t*)0x2000000066e0 = 0; *(uint64_t*)0x2000000066e8 = 8; *(uint32_t*)0x2000000066f0 = 6; *(uint32_t*)0x2000000066f4 = 0x80000001; memcpy((void*)0x2000000066f8, "wlan1\000", 6); *(uint64_t*)0x200000006700 = 3; *(uint64_t*)0x200000006708 = 2; *(uint64_t*)0x200000006710 = 8; *(uint64_t*)0x200000006718 = 9; *(uint32_t*)0x200000006720 = 0x80000000; *(uint32_t*)0x200000006724 = 0xd149; *(uint64_t*)0x200000006728 = 3; *(uint64_t*)0x200000006730 = 4; *(uint64_t*)0x200000006738 = 5; *(uint64_t*)0x200000006740 = 0xe; *(uint64_t*)0x200000006748 = 0x7a; *(uint64_t*)0x200000006750 = 0xd52; *(uint32_t*)0x200000006758 = 0; *(uint32_t*)0x20000000675c = 5; *(uint32_t*)0x200000006760 = 6; *(uint32_t*)0x200000006764 = 0xa000; *(uint32_t*)0x200000006768 = 2; *(uint32_t*)0x20000000676c = r[14]; *(uint32_t*)0x200000006770 = 0; *(uint32_t*)0x200000006774 = 0x7fffffff; *(uint32_t*)0x200000006778 = 5; *(uint32_t*)0x20000000677c = 0; *(uint64_t*)0x200000006780 = 4; *(uint64_t*)0x200000006788 = 0x7ff; *(uint32_t*)0x200000006790 = 2; *(uint32_t*)0x200000006794 = 0x78d; memcpy((void*)0x200000006798, 
"\300\'", 2); *(uint64_t*)0x2000000067a0 = 2; *(uint64_t*)0x2000000067a8 = 0; *(uint64_t*)0x2000000067b0 = 6; *(uint64_t*)0x2000000067b8 = 0x7fffffff; *(uint32_t*)0x2000000067c0 = 5; *(uint32_t*)0x2000000067c4 = 5; *(uint64_t*)0x2000000067c8 = 2; *(uint64_t*)0x2000000067d0 = 0xc; *(uint64_t*)0x2000000067d8 = 0xbde5; *(uint64_t*)0x2000000067e0 = 5; *(uint64_t*)0x2000000067e8 = 8; *(uint64_t*)0x2000000067f0 = 0x10; *(uint32_t*)0x2000000067f8 = 9; *(uint32_t*)0x2000000067fc = 6; *(uint32_t*)0x200000006800 = 0xe31; *(uint32_t*)0x200000006804 = 0x2000; *(uint32_t*)0x200000006808 = 0x5b8; *(uint32_t*)0x20000000680c = r[16]; *(uint32_t*)0x200000006810 = r[18]; *(uint32_t*)0x200000006814 = 6; *(uint32_t*)0x200000006818 = 8; *(uint32_t*)0x20000000681c = 0; *(uint64_t*)0x200000006820 = 2; *(uint64_t*)0x200000006828 = 0x80; *(uint32_t*)0x200000006830 = 0; *(uint32_t*)0x200000006834 = 0xb6; *(uint64_t*)0x200000006838 = 5; *(uint64_t*)0x200000006840 = 2; *(uint64_t*)0x200000006848 = 0x80000001; *(uint64_t*)0x200000006850 = 2; *(uint32_t*)0x200000006858 = 6; *(uint32_t*)0x20000000685c = 0xff; *(uint64_t*)0x200000006860 = 3; *(uint64_t*)0x200000006868 = 5; *(uint64_t*)0x200000006870 = 8; *(uint64_t*)0x200000006878 = 3; *(uint64_t*)0x200000006880 = 0x8001; *(uint64_t*)0x200000006888 = 5; *(uint32_t*)0x200000006890 = 1; *(uint32_t*)0x200000006894 = 7; *(uint32_t*)0x200000006898 = 2; *(uint32_t*)0x20000000689c = 0x1000; *(uint32_t*)0x2000000068a0 = 1; *(uint32_t*)0x2000000068a4 = 0xee01; *(uint32_t*)0x2000000068a8 = r[19]; *(uint32_t*)0x2000000068ac = 0x10001; *(uint32_t*)0x2000000068b0 = 6; *(uint32_t*)0x2000000068b4 = 0; *(uint64_t*)0x2000000068b8 = 0; *(uint64_t*)0x2000000068c0 = 6; *(uint32_t*)0x2000000068c8 = 5; *(uint32_t*)0x2000000068cc = 6; memset((void*)0x2000000068d0, 170, 5); *(uint64_t*)0x2000000068d8 = 3; *(uint64_t*)0x2000000068e0 = 1; *(uint64_t*)0x2000000068e8 = 0x8000000000000000; *(uint64_t*)0x2000000068f0 = 0x2e; *(uint32_t*)0x2000000068f8 = 5; 
*(uint32_t*)0x2000000068fc = 7; *(uint64_t*)0x200000006900 = 6; *(uint64_t*)0x200000006908 = 5; *(uint64_t*)0x200000006910 = 5; *(uint64_t*)0x200000006918 = 0xb; *(uint64_t*)0x200000006920 = 0; *(uint64_t*)0x200000006928 = 2; *(uint32_t*)0x200000006930 = 0xffff; *(uint32_t*)0x200000006934 = 0; *(uint32_t*)0x200000006938 = 8; *(uint32_t*)0x20000000693c = 0x2000; *(uint32_t*)0x200000006940 = 9; *(uint32_t*)0x200000006944 = r[20]; *(uint32_t*)0x200000006948 = r[21]; *(uint32_t*)0x20000000694c = 2; *(uint32_t*)0x200000006950 = 7; *(uint32_t*)0x200000006954 = 0; *(uint64_t*)0x200000006958 = 6; *(uint64_t*)0x200000006960 = 0xfffffffffffffffb; *(uint32_t*)0x200000006968 = 5; *(uint32_t*)0x20000000696c = 6; memset((void*)0x200000006970, 170, 5); *(uint64_t*)0x200000006cf0 = 0x200000006980; *(uint32_t*)0x200000006980 = 0xa0; *(uint32_t*)0x200000006984 = 0; *(uint64_t*)0x200000006988 = 0xd05; *(uint64_t*)0x200000006990 = 5; *(uint64_t*)0x200000006998 = 3; *(uint64_t*)0x2000000069a0 = 0x8000000000000001; *(uint64_t*)0x2000000069a8 = 7; *(uint32_t*)0x2000000069b0 = 5; *(uint32_t*)0x2000000069b4 = 2; *(uint64_t*)0x2000000069b8 = 3; *(uint64_t*)0x2000000069c0 = 4; *(uint64_t*)0x2000000069c8 = 5; *(uint64_t*)0x2000000069d0 = 3; *(uint64_t*)0x2000000069d8 = 8; *(uint64_t*)0x2000000069e0 = 1; *(uint32_t*)0x2000000069e8 = 0x8001; *(uint32_t*)0x2000000069ec = 0; *(uint32_t*)0x2000000069f0 = 0xfff; *(uint32_t*)0x2000000069f4 = 0x8000; *(uint32_t*)0x2000000069f8 = 0x101; *(uint32_t*)0x2000000069fc = r[22]; *(uint32_t*)0x200000006a00 = 0xee00; *(uint32_t*)0x200000006a04 = 7; *(uint32_t*)0x200000006a08 = 0xac; *(uint32_t*)0x200000006a0c = 0; *(uint64_t*)0x200000006a10 = 0; *(uint32_t*)0x200000006a18 = 0x10; *(uint32_t*)0x200000006a1c = 0; *(uint64_t*)0x200000006cf8 = 0x200000006a40; *(uint32_t*)0x200000006a40 = 0x20; *(uint32_t*)0x200000006a44 = 0; *(uint64_t*)0x200000006a48 = 0xffffffff; *(uint32_t*)0x200000006a50 = 4; *(uint32_t*)0x200000006a54 = 0; *(uint32_t*)0x200000006a58 = 9; 
*(uint32_t*)0x200000006a5c = 0xa; *(uint64_t*)0x200000006d00 = 0x200000006b40; *(uint32_t*)0x200000006b40 = 0x130; *(uint32_t*)0x200000006b44 = 0; *(uint64_t*)0x200000006b48 = 0x1ff; *(uint64_t*)0x200000006b50 = 0x6276287e; *(uint32_t*)0x200000006b58 = 7; *(uint32_t*)0x200000006b5c = 0; memset((void*)0x200000006b60, 0, 16); *(uint32_t*)0x200000006b70 = 0x800; *(uint32_t*)0x200000006b74 = 2; *(uint64_t*)0x200000006b78 = 3; *(uint32_t*)0x200000006b80 = 0x1e; *(uint32_t*)0x200000006b84 = -1; *(uint32_t*)0x200000006b88 = r[24]; *(uint16_t*)0x200000006b8c = 0x4000; memset((void*)0x200000006b8e, 0, 2); *(uint64_t*)0x200000006b90 = 0x800; *(uint64_t*)0x200000006b98 = 9; *(uint64_t*)0x200000006ba0 = 8; *(uint64_t*)0x200000006ba8 = 0x32f3fcde; *(uint64_t*)0x200000006bb0 = 6; *(uint32_t*)0x200000006bb8 = 1; *(uint32_t*)0x200000006bbc = 0; *(uint64_t*)0x200000006bc0 = 4; *(uint32_t*)0x200000006bc8 = 0xe30; *(uint32_t*)0x200000006bcc = 0; *(uint64_t*)0x200000006bd0 = 0x4d; *(uint32_t*)0x200000006bd8 = 3; *(uint32_t*)0x200000006bdc = 0; *(uint64_t*)0x200000006be0 = 6; *(uint32_t*)0x200000006be8 = 8; *(uint32_t*)0x200000006bec = 0; *(uint32_t*)0x200000006bf0 = 6; *(uint32_t*)0x200000006bf4 = 2; *(uint32_t*)0x200000006bf8 = 0xfb; *(uint32_t*)0x200000006bfc = 2; memset((void*)0x200000006c00, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x2000000016c0, /*len=*/0x2000, /*res=*/0x200000006c80); break; case 31: memcpy((void*)0x200000006d40, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000006d40, /*fd=*/r[23]); break; case 32: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 33: *(uint32_t*)0x200000006d84 = 0xd0f0; *(uint32_t*)0x200000006d88 = 0x20; *(uint32_t*)0x200000006d8c = 0; *(uint32_t*)0x200000006d90 = 0x1e5; *(uint32_t*)0x200000006d98 = -1; memset((void*)0x200000006d9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x28c2, /*params=*/0x200000006d80, /*ring_ptr=*/0x200000006e00, /*sqes_ptr=*/0x200000006e40); if (res != -1) 
r[25] = *(uint64_t*)0x200000006e00; break; case 34: syz_io_uring_complete(/*ring_ptr=*/r[25]); break; case 35: *(uint32_t*)0x200000006e84 = 0x979d; *(uint32_t*)0x200000006e88 = 4; *(uint32_t*)0x200000006e8c = 1; *(uint32_t*)0x200000006e90 = 0x206; *(uint32_t*)0x200000006e98 = r[9]; memset((void*)0x200000006e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x7c1f, /*params=*/0x200000006e80, /*ring_ptr=*/0x200000006f00, /*sqes_ptr=*/0x200000006f40); if (res != -1) { r[26] = res; r[27] = *(uint64_t*)0x200000006f00; r[28] = *(uint64_t*)0x200000006f40; } break; case 36: res = syscall(__NR_io_uring_register, /*fd=*/r[26], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[29] = res; break; case 37: *(uint8_t*)0x200000007000 = 0x1c; *(uint8_t*)0x200000007001 = 0x14; *(uint16_t*)0x200000007002 = 0; *(uint32_t*)0x200000007004 = r[23]; *(uint64_t*)0x200000007008 = 0x200000006f80; *(uint64_t*)0x200000006f80 = 0x818480; *(uint64_t*)0x200000006f88 = 0; *(uint64_t*)0x200000006f90 = 0x35; *(uint64_t*)0x200000007010 = 0x200000006fc0; memcpy((void*)0x200000006fc0, "./file0\000", 8); *(uint32_t*)0x200000007018 = 0x18; *(uint32_t*)0x20000000701c = 0; *(uint64_t*)0x200000007020 = 0x23456; *(uint16_t*)0x200000007028 = 0; *(uint16_t*)0x20000000702a = r[29]; memset((void*)0x20000000702c, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[27], /*sqes_ptr=*/r[28], /*sqe=*/0x200000007000); break; case 38: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[9], /*usermem=*/0x200000bfd000); if (res != -1) r[30] = res; break; case 39: *(uint64_t*)0x200000007400 = 0; *(uint64_t*)0x200000007408 = 0x200000007040; *(uint64_t*)0x200000007040 = 0x65; *(uint64_t*)0x200000007048 = 0x20; *(uint64_t*)0x200000007050 = 0x92e; *(uint64_t*)0x200000007058 = 8; *(uint64_t*)0x200000007060 = 0x130; *(uint64_t*)0x200000007068 = 0x18; *(uint64_t*)0x200000007070 = 1; *(uint64_t*)0x200000007078 = 0x68; *(uint64_t*)0x200000007080 = 0x20; *(uint64_t*)0x200000007088 = 1; *(uint64_t*)0x200000007090 = 0; 
*(uint64_t*)0x200000007098 = 0x17d; *(uint64_t*)0x2000000070a0 = 0x20; *(uint64_t*)0x2000000070a8 = 0xffffffff; *(uint64_t*)0x2000000070b0 = 0xbd0d; *(uint64_t*)0x2000000070b8 = 0x183; *(uint64_t*)0x2000000070c0 = 0x18; *(uint64_t*)0x2000000070c8 = 1; *(uint64_t*)0x2000000070d0 = 0xa; *(uint64_t*)0x2000000070d8 = 0x6a; memcpy((void*)0x2000000070e0, "\x36\x49\x0f\xc7\xaa\xd6\x61\x97\xc0\x26\x66\x0f\x38\x80\x94\x5e\x00\x80\x00\x00\x0f\x01\xba\x00\x80\x00\x00\x8f\xc9\xb8\x9b\x29\x47\x0f\xc7\xae\x20\x00\x00\x00\x45\x0f\x09\xc4\xe2\xd1\x39\x67\xc4\x36\x0f\x01\x7f\x05\x66\x64\x2e\x64\x3e\xd8\xf1\xc7\x44\x24\x00\x25\xfd\x00\x00\xc7\x44\x24\x02\x54\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24", 89); *(uint8_t*)0x200000007139 = 0xc3; *(uint64_t*)0x20000000713a = 0x180; *(uint64_t*)0x200000007142 = 0x38; *(uint64_t*)0x20000000714a = 0; *(uint64_t*)0x200000007152 = 0xb5; *(uint64_t*)0x20000000715a = 7; *(uint64_t*)0x200000007162 = 5; *(uint64_t*)0x20000000716a = 0; *(uint64_t*)0x200000007172 = 0x12f; *(uint64_t*)0x20000000717a = 0x18; *(uint64_t*)0x200000007182 = 3; *(uint64_t*)0x20000000718a = 0x12c; *(uint64_t*)0x200000007192 = 0x18; *(uint64_t*)0x20000000719a = 0; *(uint64_t*)0x2000000071a2 = 0x154; *(uint64_t*)0x2000000071aa = 0x38; *(uint64_t*)0x2000000071b2 = 3; *(uint64_t*)0x2000000071ba = 4; *(uint64_t*)0x2000000071c2 = 5; *(uint64_t*)0x2000000071ca = 0x1ff; *(uint64_t*)0x2000000071d2 = 8; *(uint64_t*)0x2000000071da = 0x130; *(uint64_t*)0x2000000071e2 = 0x18; *(uint64_t*)0x2000000071ea = 0; *(uint64_t*)0x2000000071f2 = 0x6a; *(uint64_t*)0x2000000071fa = 0x28; *(uint64_t*)0x200000007202 = 0xc636; *(uint64_t*)0x20000000720a = 5; *(uint64_t*)0x200000007212 = 4; *(uint64_t*)0x20000000721a = 0x12c; *(uint64_t*)0x200000007222 = 0x18; *(uint64_t*)0x20000000722a = 0; *(uint64_t*)0x200000007232 = 0x12f; *(uint64_t*)0x20000000723a = 0x18; *(uint64_t*)0x200000007242 = 1; *(uint64_t*)0x20000000724a = 0x65; *(uint64_t*)0x200000007252 = 0x20; 
*(uint64_t*)0x20000000725a = 0x8a3; *(uint64_t*)0x200000007262 = 9; *(uint64_t*)0x20000000726a = 0x68; *(uint64_t*)0x200000007272 = 0x20; *(uint64_t*)0x20000000727a = 4; *(uint64_t*)0x200000007282 = 6; *(uint64_t*)0x20000000728a = 0x12f; *(uint64_t*)0x200000007292 = 0x18; *(uint64_t*)0x20000000729a = 3; *(uint64_t*)0x2000000072a2 = 0x12d; *(uint64_t*)0x2000000072aa = 0x18; *(uint64_t*)0x2000000072b2 = 2; *(uint64_t*)0x2000000072ba = 0x17d; *(uint64_t*)0x2000000072c2 = 0x20; *(uint64_t*)0x2000000072ca = 0x8080000; *(uint64_t*)0x2000000072d2 = 0x943e; *(uint64_t*)0x2000000072da = 0x17c; *(uint64_t*)0x2000000072e2 = 0x38; *(uint64_t*)0x2000000072ea = 3; *(uint64_t*)0x2000000072f2 = 0x31; *(uint64_t*)0x2000000072fa = 0xc; *(uint64_t*)0x200000007302 = 6; *(uint64_t*)0x20000000730a = 8; *(uint64_t*)0x200000007312 = 0x180; *(uint64_t*)0x20000000731a = 0x38; *(uint64_t*)0x200000007322 = 2; *(uint64_t*)0x20000000732a = 0x36; *(uint64_t*)0x200000007332 = 1; *(uint64_t*)0x20000000733a = 2; *(uint64_t*)0x200000007342 = 3; *(uint64_t*)0x20000000734a = 0x130; *(uint64_t*)0x200000007352 = 0x18; *(uint64_t*)0x20000000735a = 1; *(uint64_t*)0x200000007362 = 0x130; *(uint64_t*)0x20000000736a = 0x18; *(uint64_t*)0x200000007372 = 0; *(uint64_t*)0x20000000737a = 0x180; *(uint64_t*)0x200000007382 = 0x38; *(uint64_t*)0x20000000738a = 3; *(uint64_t*)0x200000007392 = 0x72; *(uint64_t*)0x20000000739a = 2; *(uint64_t*)0x2000000073a2 = 5; *(uint64_t*)0x2000000073aa = 2; *(uint64_t*)0x2000000073b2 = 0x12f; *(uint64_t*)0x2000000073ba = 0x18; *(uint64_t*)0x2000000073c2 = 2; *(uint64_t*)0x2000000073ca = 0x12f; *(uint64_t*)0x2000000073d2 = 0x18; *(uint64_t*)0x2000000073da = 2; *(uint64_t*)0x200000007410 = 0x3a2; syz_kvm_add_vcpu(/*vm=*/r[30], /*text=*/0x200000007400); break; case 40: res = syscall(__NR_ioctl, /*fd=*/r[9], /*cmd=*/0xae01, /*type=*/5ul); if (res != -1) r[31] = res; break; case 41: *(uint64_t*)0x200000007680 = 0; *(uint64_t*)0x200000007688 = 0x200000007440; 
memcpy((void*)0x200000007440, "\xcd\xfa\xef\x13\x00\x00\x00\x3e\x00\x00\x10\x62\x04\x00\x10\x7a\x00\x00\x10\x66\xc1\x00\x10\x62\xa6\x03\x00\x7e\xb9\xf0\x00\x3e\xe9\x0e\x10\x62\x04\x00\x10\x7a\xa3\x30\x10\x66\x88\x26\x10\x62\xa6\x03\x00\x7e\x24\x00\x00\x4c\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xf6\x63\x60\xba\xaa\x80\x3c\x42\xab\x84\x60\x04\x00\x84\x78\xa5\xa4\x84\x64\xdb\xea\x84\x60\xc7\xb2\xa0\x3c\x4e\xd4\xa5\x60\x04\x00\xa5\x78\x8e\xd5\xa5\x64\xc9\xc4\xa5\x60\xf6\x27\xc0\x3c\x0e\x37\xc6\x60\x04\x00\xc6\x78\x10\x50\xc6\x64\xf3\x3c\xc6\x60\x64\xae\xe0\x3c\x0f\xe0\xe7\x60\x04\x00\xe7\x78\xf8\x33\xe7\x64\x27\xe1\xe7\x60\xf9\xfe\x00\x3d\x88\x3a\x08\x61\x04\x00\x08\x79\xf6\x6c\x08\x65\xcb\x9b\x08\x61\xe7\x22\x20\x3d\xa3\x5b\x29\x61\x04\x00\x29\x79\xbb\xbc\x29\x65\x5e\x83\x29\x61\xd9\x75\x40\x3d\x52\x94\x4a\x61\x04\x00\x4a\x79\xdb\x25\x4a\x65\xf3\x5e\x4a\x61\x02\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x50\xf3\x63\x60\x42\x00\x00\x44\x0d\x0b\xc0\x3e\xa1\xda\xd6\x62\x04\x00\xd6\x7a\xeb\x5a\xd6\x66\x62\x96\xd6\x62\x9c\xb0\x00\x7c\xec\x06\x00\x7c\xa4\x00\x00\x4c\x3d\x6a\xa0\x3e\x17\x1b\xb5\x62\x04\x00\xb5\x7a\x72\x93\xb5\x66\x34\x54\xb5\x62\xa6\x03\xa0\x7e\xd4\x8d\xa0\x3e\x12\xd2\xb5\x62\x04\x00\xb5\x7a\xf6\xf5\xb5\x66\x15\xe0\xb5\x62\xa6\x03\xa0\x7e\x24\x00\x00\x4c\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x05\xc0\x3f\x00\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x00\xc0\x3f\x21\x8c\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf6\x78\xbd\x63\x00\x00\xc0\x3f\x0a\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xfa\x78\xbd\x63\x97\x4b\xc0\x3f\x5c\x3b\xde\x63\x00\x00\xdd\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x49\x30\x84\x64\
xf2\x78\x84\x60\x22\x00\x00\x44\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\x1a\x00\x9c\x63\x24\x01\xc0\x7f", 524); *(uint64_t*)0x200000007690 = 0x20c; *(uint64_t*)0x2000000076c0 = 1; *(uint64_t*)0x2000000076c8 = 6; syz_kvm_setup_cpu(/*fd=*/r[31], /*cpufd=*/r[23], /*usermem=*/0x200000fe5000, /*text=*/0x200000007680, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_IR*/2, /*opts=*/0x2000000076c0, /*nopt=*/1); break; case 42: syz_kvm_setup_syzos_vm(/*fd=*/r[23], /*usermem=*/0x200000c00000); break; case 43: *(uint32_t*)0x200000007700 = 0; syz_memcpy_off(/*ring_ptr=*/0, /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x200000007700, /*src_off=*/0, /*nbytes=*/4); break; case 44: memcpy((void*)0x200000007740, "fuse\000", 5); memcpy((void*)0x200000007780, "./file0\000", 8); memcpy((void*)0x2000000077c0, "fd", 2); *(uint8_t*)0x2000000077c2 = 0x3d; sprintf((char*)0x2000000077c3, "0x%016llx", (long long)r[23]); *(uint8_t*)0x2000000077d5 = 0x2c; memcpy((void*)0x2000000077d6, "rootmode", 8); *(uint8_t*)0x2000000077de = 0x3d; sprintf((char*)0x2000000077df, "%023llo", (long long)0x6000); *(uint8_t*)0x2000000077f6 = 0x2c; memcpy((void*)0x2000000077f7, "user_id", 7); *(uint8_t*)0x2000000077fe = 0x3d; sprintf((char*)0x2000000077ff, "%020llu", (long long)r[22]); *(uint8_t*)0x200000007813 = 0x2c; memcpy((void*)0x200000007814, "group_id", 8); *(uint8_t*)0x20000000781c = 0x3d; sprintf((char*)0x20000000781d, "%020llu", (long long)r[13]); *(uint8_t*)0x200000007831 = 0x2c; memcpy((void*)0x200000007832, "max_read", 8); *(uint8_t*)0x20000000783a = 0x3d; sprintf((char*)0x20000000783b, "0x%016llx", (long long)3); *(uint8_t*)0x20000000784d = 0x2c; memcpy((void*)0x20000000784e, "default_permissions", 19); *(uint8_t*)0x200000007861 = 0x2c; memcpy((void*)0x200000007862, "allow_other", 11); *(uint8_t*)0x20000000786d = 0x2c; memcpy((void*)0x20000000786e, "default_permissions", 19); *(uint8_t*)0x200000007881 = 0x2c; memcpy((void*)0x200000007882, "allow_other", 11); *(uint8_t*)0x20000000788d = 
0x2c; memcpy((void*)0x20000000788e, "default_permissions", 19); *(uint8_t*)0x2000000078a1 = 0x2c; memcpy((void*)0x2000000078a2, "default_permissions", 19); *(uint8_t*)0x2000000078b5 = 0x2c; memcpy((void*)0x2000000078b6, "allow_other", 11); *(uint8_t*)0x2000000078c1 = 0x2c; memcpy((void*)0x2000000078c2, "permit_directio", 15); *(uint8_t*)0x2000000078d1 = 0x2c; memcpy((void*)0x2000000078d2, "uid<", 4); sprintf((char*)0x2000000078d6, "%020llu", (long long)r[17]); *(uint8_t*)0x2000000078ea = 0x2c; memcpy((void*)0x2000000078eb, "appraise", 8); *(uint8_t*)0x2000000078f3 = 0x2c; memcpy((void*)0x2000000078f4, "smackfshat", 10); *(uint8_t*)0x2000000078fe = 0x3d; memcpy((void*)0x2000000078ff, "\300\'", 2); *(uint8_t*)0x200000007901 = 0x2c; memcpy((void*)0x200000007902, "appraise", 8); *(uint8_t*)0x20000000790a = 0x2c; *(uint8_t*)0x20000000790b = 0; memcpy((void*)0x200000007940, "\xa4\xb2\x22\xdf\x2b\xa1\x0d\xf2\x4f\x54\x81\xe0\xdc\x5e\x93\xb8\x1b\x1b\x82\xe9\xa2\x14\xca\xbc\xe3\x44\x80\x0a\xd5\x4d\xe6\x10\xfa\x1e\xda\x44\xb9\x04\x05\x26\xf2\xdc\x7c\x73\x1c\x54\x73\xc8\xc6\xdc\x94\x19\x2a\x03\x48\x4e\x6d\x62\xbb\x49\x12\x86\x12\x54\x3a\x9d\x01\x6e\xd9\xa3\x73\x0e\x51\x08\x0f\x5c\x86\x0d\x03\xa7\x7e\xd5\x01\x64\xbc\xf9\x9c\x42\xd3\x56\x8a\x97\x4a\x92\x7a\x87\x9d\xe4\x1e\xdc\x2f\x55\x52\x36\x58\x86\x12\x1a\x31\x09\x5b\x97\xaa\x08\xee\x29\x77\x11\x1f\x7c\xc5\x6a\x77\xc0\xf2\xa1\x6b\x32\xb1\x9d\xf5\x0a\x24\x9c\xd3\x05\x8e\x60\xa6\xae\x8c\x96\x34\x9d\x5e\x5c\x00\x97\x59\x4c\xe0\x1c\x1f\xbe\xe5\xee\x94\x60\x6f\xef\x67\x32\x31\xe6\x57\x00\xbc\x71\x5f\x1f\x01\x19\xc8\x4e\xd2\x7b\x8a\xf3\x8e\xd1\x53\xd3\x94\xd6\xb2\x2c\xca\x54\xdb\x55\xa3\x1b\xc2\x5b\x45\xe8\x1d\xec\xa7\xbe\xdb\x69\x66\x91\xae\x6b\x92\xf0\x9e\xea\x3e\x2b\x5e\x8a\xf2\xf9\x96\x33\x9d\xec\x59\x2e\xde\xc5\x89\x7e\x94\xeb", 228); syz_mount_image(/*fs=*/0x200000007740, /*dir=*/0x200000007780, /*flags=MS_PRIVATE*/0x40000, /*opts=*/0x2000000077c0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000007940); break; case 45: 
memcpy((void*)0x200000007a40, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000007a40, /*id=*/7, /*flags=*/0); break; case 46: memcpy((void*)0x200000007a80, "net/psched\000", 11); syz_open_procfs(/*pid=*/r[4], /*file=*/0x200000007a80); break; case 47: syz_open_pts(/*fd=*/r[9], /*flags=O_PATH|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|FASYNC|0x402*/0x292c02); break; case 48: syz_pidfd_open(/*pid=*/r[15], /*flags=*/0); break; case 49: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[32] = res; break; case 50: syz_pkey_set(/*key=*/r[32], /*val=PKEY_DISABLE_WRITE|PKEY_DISABLE_ACCESS*/3); break; case 51: syz_socket_connect_nvme_tcp(); break; case 52: *(uint8_t*)0x200000007ac0 = 0x12; *(uint8_t*)0x200000007ac1 = 1; *(uint16_t*)0x200000007ac2 = 0x250; *(uint8_t*)0x200000007ac4 = 0x58; *(uint8_t*)0x200000007ac5 = 6; *(uint8_t*)0x200000007ac6 = 0x54; *(uint8_t*)0x200000007ac7 = 8; *(uint16_t*)0x200000007ac8 = 0x13d3; *(uint16_t*)0x200000007aca = 0x3348; *(uint16_t*)0x200000007acc = 0x15b2; *(uint8_t*)0x200000007ace = 1; *(uint8_t*)0x200000007acf = 2; *(uint8_t*)0x200000007ad0 = 3; *(uint8_t*)0x200000007ad1 = 1; *(uint8_t*)0x200000007ad2 = 9; *(uint8_t*)0x200000007ad3 = 2; *(uint16_t*)0x200000007ad4 = 0x283; *(uint8_t*)0x200000007ad6 = 2; *(uint8_t*)0x200000007ad7 = 9; *(uint8_t*)0x200000007ad8 = 2; *(uint8_t*)0x200000007ad9 = 0x10; *(uint8_t*)0x200000007ada = 8; *(uint8_t*)0x200000007adb = 9; *(uint8_t*)0x200000007adc = 4; *(uint8_t*)0x200000007add = 0x26; *(uint8_t*)0x200000007ade = 0xb; *(uint8_t*)0x200000007adf = 5; *(uint8_t*)0x200000007ae0 = 0x83; *(uint8_t*)0x200000007ae1 = 0x18; *(uint8_t*)0x200000007ae2 = 0x74; *(uint8_t*)0x200000007ae3 = 0xee; *(uint8_t*)0x200000007ae4 = 9; *(uint8_t*)0x200000007ae5 = 5; *(uint8_t*)0x200000007ae6 = 0xb; *(uint8_t*)0x200000007ae7 = 3; *(uint16_t*)0x200000007ae8 = 8; *(uint8_t*)0x200000007aea = 4; *(uint8_t*)0x200000007aeb = 0xfb; *(uint8_t*)0x200000007aec = 0x6a; *(uint8_t*)0x200000007aed = 0xbd; 
*(uint8_t*)0x200000007aee = 0xc; memcpy((void*)0x200000007aef, "\x8b\x82\xbd\x3f\xc8\x13\x7d\x3d\x25\x9c\xe7\xbc\x14\x0d\xe0\x82\x3d\xe2\x22\x2e\xed\x4c\x57\x0e\xdc\xb8\x45\x53\xcd\x1e\xfd\x64\x9d\xd3\x52\xdd\x37\x5d\x81\xda\x8d\xa8\xe6\x86\x3f\xb4\x82\xec\xb3\xa1\x6f\x12\x22\x10\xbf\xf2\x5c\x59\xa3\xaf\xc6\x54\x28\x48\xc0\x6e\x1b\x98\x3f\xbc\x8d\xd0\xde\x62\x7c\xfd\xdf\x9f\x90\x5f\x5c\xb6\xed\x4a\x25\xec\x59\x47\x59\x9b\x15\xb5\x38\xc7\xbb\x0b\x0d\x65\xd4\xa3\x1b\x31\x9f\x73\x83\x95\x5c\xe7\x66\xef\x4c\x66\xd1\x8b\xc7\x5d\x69\xb2\xdd\x7d\x13\x6c\x78\xea\xec\x1e\x22\x03\xeb\x91\x8d\xd6\x16\x09\xde\x40\xf4\xf6\x93\x91\x7e\xeb\x17\xfc\x38\x7b\xb4\x27\x34\x1f\x64\x16\xe0\xb8\xc4\x6a\x24\x45\xa5\xc4\x9b\xd9\xc8\x6d\xfe\x21\xc5\x98\xac\xf1\x7e\xa9\x8f\xfe\xce\x20\x2a\x21\xdc\x93\xa0\xb8\x30\xd2\x9a\xf8\x7c", 187); *(uint8_t*)0x200000007baa = 0xc7; *(uint8_t*)0x200000007bab = 6; memcpy((void*)0x200000007bac, "\xf5\x45\x9e\x11\x78\x00\xd2\x2a\x25\xa4\x86\xd1\x44\x2f\x5c\xbd\x4d\x3d\x77\x6c\xd0\x61\xd2\xc1\x85\xf9\x92\x4e\xae\x6a\x4d\x7b\x14\xc5\x8b\x59\x98\x63\xd3\x21\xe3\xea\x80\xa2\x5f\x6d\x8b\xe5\x1d\x5c\xa7\x0c\x27\x6c\xe0\xe6\xd9\x03\x8f\x88\x77\x6b\x96\x14\x28\x7d\xb7\xee\x21\x13\xf0\xe7\xe1\xf0\x18\x73\xb6\x13\xd7\x63\xda\x5f\x87\xf8\x6c\xd1\x86\x0b\xd6\x23\x46\x3f\xc6\xd9\x3d\x9f\x94\x8d\x0d\x4d\x70\xd7\x2a\x8a\xc1\xde\xc1\xad\xce\xb8\x71\x67\x29\x90\x64\x28\xd5\xb6\xe2\x4b\x01\x49\x9b\xfa\x6a\x0a\xa0\x48\x2e\xed\x8c\x77\x51\xa1\xc7\xec\x94\x4d\xb1\x92\x54\xa7\x4b\x61\x14\x2e\x72\x5a\x7a\x29\x0c\x41\x42\x87\x5d\x34\x7b\x3e\x48\x3f\x4e\x2d\xb8\x37\x3e\xf8\xfe\xad\x81\x18\xce\x07\xd8\x12\x33\x2b\x21\x1d\xa9\x73\x3d\x44\x4f\x7d\x70\x6a\x64\x39\xc2\x9a\xea\xed\xd0\x30\x00\xa2\xa8", 197); *(uint8_t*)0x200000007c71 = 9; *(uint8_t*)0x200000007c72 = 5; *(uint8_t*)0x200000007c73 = 0xa; *(uint8_t*)0x200000007c74 = 0xc; *(uint16_t*)0x200000007c75 = 0x400; *(uint8_t*)0x200000007c77 = 0xc; *(uint8_t*)0x200000007c78 = 0; *(uint8_t*)0x200000007c79 = 0xb5; 
*(uint8_t*)0x200000007c7a = 7; *(uint8_t*)0x200000007c7b = 0x25; *(uint8_t*)0x200000007c7c = 1; *(uint8_t*)0x200000007c7d = 1; *(uint8_t*)0x200000007c7e = 0xb; *(uint16_t*)0x200000007c7f = 7; *(uint8_t*)0x200000007c81 = 9; *(uint8_t*)0x200000007c82 = 5; *(uint8_t*)0x200000007c83 = 2; *(uint8_t*)0x200000007c84 = 0x10; *(uint16_t*)0x200000007c85 = 0x20; *(uint8_t*)0x200000007c87 = 7; *(uint8_t*)0x200000007c88 = 5; *(uint8_t*)0x200000007c89 = 5; *(uint8_t*)0x200000007c8a = 0x24; *(uint8_t*)0x200000007c8b = 7; memcpy((void*)0x200000007c8c, "\xad\x98\x31\x4a\x82\xd7\xae\xbb\xfc\xe8\x51\x78\x75\x22\x71\xb1\x58\xc0\x5d\xea\x1b\xf5\xa2\x45\x9c\x43\x1d\xf1\x80\xc1\xf3\xb2\xbe\x3b", 34); *(uint8_t*)0x200000007cae = 9; *(uint8_t*)0x200000007caf = 5; *(uint8_t*)0x200000007cb0 = 3; *(uint8_t*)0x200000007cb1 = 2; *(uint16_t*)0x200000007cb2 = 8; *(uint8_t*)0x200000007cb4 = 7; *(uint8_t*)0x200000007cb5 = 0xf3; *(uint8_t*)0x200000007cb6 = 4; *(uint8_t*)0x200000007cb7 = 9; *(uint8_t*)0x200000007cb8 = 5; *(uint8_t*)0x200000007cb9 = 5; *(uint8_t*)0x200000007cba = 0; *(uint16_t*)0x200000007cbb = 0x40; *(uint8_t*)0x200000007cbd = 2; *(uint8_t*)0x200000007cbe = 3; *(uint8_t*)0x200000007cbf = 2; *(uint8_t*)0x200000007cc0 = 0x6a; *(uint8_t*)0x200000007cc1 = 0xa; memcpy((void*)0x200000007cc2, "\xf7\xdd\x67\x50\x5d\x35\x3d\x93\xb6\xe1\xf3\xac\x2d\x8f\x9f\x76\x60\x12\xd2\x04\xe5\x58\xa7\x07\x6c\x6a\x1d\xd6\x64\x8b\x29\x28\xac\xaf\x80\x17\x10\xc8\x55\x50\x67\xe0\x71\x5e\x60\x77\x2d\x9a\x84\xc7\x14\xf6\x3d\x52\x7b\x9f\x15\x32\xa5\xac\x65\x11\x62\x7f\x9e\x84\x00\xe6\x2a\xd6\xbd\x25\xec\x51\xec\x63\x0a\xfc\x10\xe1\xf0\xf2\xfe\x01\xc9\x58\x8e\x28\x97\xef\x26\xd5\xea\x8b\xcf\x97\x0e\x51\xfc\x28\xd8\x4a\x62\x8c", 104); *(uint8_t*)0x200000007d2a = 9; *(uint8_t*)0x200000007d2b = 4; *(uint8_t*)0x200000007d2c = 0x48; *(uint8_t*)0x200000007d2d = 0xe; *(uint8_t*)0x200000007d2e = 3; *(uint8_t*)0x200000007d2f = 0xca; *(uint8_t*)0x200000007d30 = 0x1e; *(uint8_t*)0x200000007d31 = 0x4a; 
*(uint8_t*)0x200000007d32 = 0xf5; *(uint8_t*)0x200000007d33 = 9; *(uint8_t*)0x200000007d34 = 5; *(uint8_t*)0x200000007d35 = 0xb; *(uint8_t*)0x200000007d36 = 4; *(uint16_t*)0x200000007d37 = 0x400; *(uint8_t*)0x200000007d39 = 5; *(uint8_t*)0x200000007d3a = 0xf7; *(uint8_t*)0x200000007d3b = 0xf6; *(uint8_t*)0x200000007d3c = 9; *(uint8_t*)0x200000007d3d = 5; *(uint8_t*)0x200000007d3e = 0xe; *(uint8_t*)0x200000007d3f = 0x10; *(uint16_t*)0x200000007d40 = 0x3ff; *(uint8_t*)0x200000007d42 = 1; *(uint8_t*)0x200000007d43 = 0xd; *(uint8_t*)0x200000007d44 = 0x80; *(uint8_t*)0x200000007d45 = 9; *(uint8_t*)0x200000007d46 = 5; *(uint8_t*)0x200000007d47 = 5; *(uint8_t*)0x200000007d48 = 0x10; *(uint16_t*)0x200000007d49 = 0x10; *(uint8_t*)0x200000007d4b = 0x95; *(uint8_t*)0x200000007d4c = 3; *(uint8_t*)0x200000007d4d = 0; *(uint8_t*)0x200000007d4e = 7; *(uint8_t*)0x200000007d4f = 0x25; *(uint8_t*)0x200000007d50 = 1; *(uint8_t*)0x200000007d51 = 0x82; *(uint8_t*)0x200000007d52 = 0xae; *(uint16_t*)0x200000007d53 = 0x12; *(uint32_t*)0x200000007ec0 = 0xa; *(uint64_t*)0x200000007ec4 = 0x200000007d80; *(uint8_t*)0x200000007d80 = 0xa; *(uint8_t*)0x200000007d81 = 6; *(uint16_t*)0x200000007d82 = 0x110; *(uint8_t*)0x200000007d84 = 4; *(uint8_t*)0x200000007d85 = 1; *(uint8_t*)0x200000007d86 = 6; *(uint8_t*)0x200000007d87 = 8; *(uint8_t*)0x200000007d88 = 0xe; *(uint8_t*)0x200000007d89 = 0; *(uint32_t*)0x200000007ecc = 0x3b; *(uint64_t*)0x200000007ed0 = 0x200000007dc0; *(uint8_t*)0x200000007dc0 = 5; *(uint8_t*)0x200000007dc1 = 0xf; *(uint16_t*)0x200000007dc2 = 0x3b; *(uint8_t*)0x200000007dc4 = 4; *(uint8_t*)0x200000007dc5 = 0x14; *(uint8_t*)0x200000007dc6 = 0x10; *(uint8_t*)0x200000007dc7 = 4; *(uint8_t*)0x200000007dc8 = 6; memcpy((void*)0x200000007dc9, "\xfd\xf4\x04\x3a\xe7\xf5\x9e\x3e\x81\xfe\x30\x3d\x4d\xe3\xea\x16", 16); *(uint8_t*)0x200000007dd9 = 7; *(uint8_t*)0x200000007dda = 0x10; *(uint8_t*)0x200000007ddb = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007ddc, 0x10, 0, 8); 
STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007dde, 6, 0, 16); *(uint8_t*)0x200000007de0 = 7; *(uint8_t*)0x200000007de1 = 0x10; *(uint8_t*)0x200000007de2 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007de3, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 7, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 0xd, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de5, 0x95d7, 0, 16); *(uint8_t*)0x200000007de7 = 0x14; *(uint8_t*)0x200000007de8 = 0x10; *(uint8_t*)0x200000007de9 = 4; *(uint8_t*)0x200000007dea = 3; memcpy((void*)0x200000007deb, "\xbc\x6a\x92\x66\xbf\x50\x6e\x90\x62\x0d\x9c\x90\x0e\x18\x01\x43", 16); *(uint32_t*)0x200000007ed8 = 1; *(uint32_t*)0x200000007edc = 0x98; *(uint64_t*)0x200000007ee0 = 0x200000007e00; *(uint8_t*)0x200000007e00 = 0x98; *(uint8_t*)0x200000007e01 = 3; memcpy((void*)0x200000007e02, "\xd9\x5f\x3f\xca\xaa\x58\xf9\xd3\x6d\x03\xe3\xa2\xd5\x56\x6a\x51\x91\xf7\x42\xf7\x23\xfa\x49\xe3\x64\xe0\x3b\x0d\x28\x8a\x7f\xcb\x45\x79\xb5\x8c\x56\xd8\x24\xbe\x57\xf9\xad\x0f\x87\x03\xd3\x01\x1c\xac\x46\x84\x33\xfa\x22\xc2\x3b\xfa\xf1\x5d\xad\x54\x1e\xfb\x01\x38\xc4\x6b\xb8\xf8\x86\x92\x15\x15\x5c\x26\x85\xd6\x9b\x75\xff\xe6\x8c\x0c\xbd\x6e\x71\x74\x3a\xbd\x43\x55\xe1\x2d\x9d\xcb\x7d\xff\x16\xbb\x07\x5d\xa5\x53\xc1\x78\x13\x9e\xde\x2c\x28\x5a\x4a\x28\x45\xe8\x88\x9c\x23\x45\x04\xd9\x68\xd8\x70\xb6\x08\x4a\x7b\x4a\xb0\xdc\xdb\x83\xd4\x3b\xb2\xf4\xe7\xa0\x15\x6b\x80\xa6\x89\x19\xcb\xb7\xda\x84", 150); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0x295, /*dev=*/0x200000007ac0, /*conn_descs=*/0x200000007ec0); if (res != -1) r[33] = res; break; case 53: *(uint8_t*)0x200000007f00 = 0x12; *(uint8_t*)0x200000007f01 = 1; *(uint16_t*)0x200000007f02 = 0x200; *(uint8_t*)0x200000007f04 = -1; *(uint8_t*)0x200000007f05 = -1; *(uint8_t*)0x200000007f06 = -1; *(uint8_t*)0x200000007f07 = 0x40; *(uint16_t*)0x200000007f08 = 0xcf3; 
*(uint16_t*)0x200000007f0a = 0x9271; *(uint16_t*)0x200000007f0c = 0x108; *(uint8_t*)0x200000007f0e = 1; *(uint8_t*)0x200000007f0f = 2; *(uint8_t*)0x200000007f10 = 3; *(uint8_t*)0x200000007f11 = 1; *(uint8_t*)0x200000007f12 = 9; *(uint8_t*)0x200000007f13 = 2; *(uint16_t*)0x200000007f14 = 0x48; *(uint8_t*)0x200000007f16 = 1; *(uint8_t*)0x200000007f17 = 1; *(uint8_t*)0x200000007f18 = 0; *(uint8_t*)0x200000007f19 = 0x80; *(uint8_t*)0x200000007f1a = 0xfa; *(uint8_t*)0x200000007f1b = 9; *(uint8_t*)0x200000007f1c = 4; *(uint8_t*)0x200000007f1d = 0; *(uint8_t*)0x200000007f1e = 0; *(uint8_t*)0x200000007f1f = 6; *(uint8_t*)0x200000007f20 = -1; *(uint8_t*)0x200000007f21 = 0; *(uint8_t*)0x200000007f22 = 0; *(uint8_t*)0x200000007f23 = 0; *(uint8_t*)0x200000007f24 = 9; *(uint8_t*)0x200000007f25 = 5; *(uint8_t*)0x200000007f26 = 1; *(uint8_t*)0x200000007f27 = 2; *(uint16_t*)0x200000007f28 = 0x200; *(uint8_t*)0x200000007f2a = 0; *(uint8_t*)0x200000007f2b = 0; *(uint8_t*)0x200000007f2c = 0; *(uint8_t*)0x200000007f2d = 9; *(uint8_t*)0x200000007f2e = 5; *(uint8_t*)0x200000007f2f = 0x82; *(uint8_t*)0x200000007f30 = 2; *(uint16_t*)0x200000007f31 = 0x200; *(uint8_t*)0x200000007f33 = 0; *(uint8_t*)0x200000007f34 = 0; *(uint8_t*)0x200000007f35 = 0; *(uint8_t*)0x200000007f36 = 9; *(uint8_t*)0x200000007f37 = 5; *(uint8_t*)0x200000007f38 = 0x83; *(uint8_t*)0x200000007f39 = 3; *(uint16_t*)0x200000007f3a = 0x40; *(uint8_t*)0x200000007f3c = 1; *(uint8_t*)0x200000007f3d = 0; *(uint8_t*)0x200000007f3e = 0; *(uint8_t*)0x200000007f3f = 9; *(uint8_t*)0x200000007f40 = 5; *(uint8_t*)0x200000007f41 = 4; *(uint8_t*)0x200000007f42 = 3; *(uint16_t*)0x200000007f43 = 0x40; *(uint8_t*)0x200000007f45 = 1; *(uint8_t*)0x200000007f46 = 0; *(uint8_t*)0x200000007f47 = 0; *(uint8_t*)0x200000007f48 = 9; *(uint8_t*)0x200000007f49 = 5; *(uint8_t*)0x200000007f4a = 5; *(uint8_t*)0x200000007f4b = 2; *(uint16_t*)0x200000007f4c = 0x200; *(uint8_t*)0x200000007f4e = 0; *(uint8_t*)0x200000007f4f = 0; *(uint8_t*)0x200000007f50 
= 0; *(uint8_t*)0x200000007f51 = 9; *(uint8_t*)0x200000007f52 = 5; *(uint8_t*)0x200000007f53 = 6; *(uint8_t*)0x200000007f54 = 2; *(uint16_t*)0x200000007f55 = 0x200; *(uint8_t*)0x200000007f57 = 0; *(uint8_t*)0x200000007f58 = 0; *(uint8_t*)0x200000007f59 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000007f00, /*conn_descs=*/0); if (res != -1) r[34] = res; break; case 54: *(uint8_t*)0x200000007f80 = 0x12; *(uint8_t*)0x200000007f81 = 1; *(uint16_t*)0x200000007f82 = 0x110; *(uint8_t*)0x200000007f84 = 0; *(uint8_t*)0x200000007f85 = 0; *(uint8_t*)0x200000007f86 = 0; *(uint8_t*)0x200000007f87 = 0x40; *(uint16_t*)0x200000007f88 = 0x1d6b; *(uint16_t*)0x200000007f8a = 0x101; *(uint16_t*)0x200000007f8c = 0x40; *(uint8_t*)0x200000007f8e = 1; *(uint8_t*)0x200000007f8f = 2; *(uint8_t*)0x200000007f90 = 3; *(uint8_t*)0x200000007f91 = 1; *(uint8_t*)0x200000007f92 = 9; *(uint8_t*)0x200000007f93 = 2; *(uint16_t*)0x200000007f94 = 0xd3; *(uint8_t*)0x200000007f96 = 3; *(uint8_t*)0x200000007f97 = 1; *(uint8_t*)0x200000007f98 = 1; *(uint8_t*)0x200000007f99 = 0x80; *(uint8_t*)0x200000007f9a = 0x80; *(uint8_t*)0x200000007f9b = 9; *(uint8_t*)0x200000007f9c = 4; *(uint8_t*)0x200000007f9d = 0; *(uint8_t*)0x200000007f9e = 0; *(uint8_t*)0x200000007f9f = 0; *(uint8_t*)0x200000007fa0 = 1; *(uint8_t*)0x200000007fa1 = 1; *(uint8_t*)0x200000007fa2 = 0; *(uint8_t*)0x200000007fa3 = 0; *(uint8_t*)0x200000007fa4 = 0xa; *(uint8_t*)0x200000007fa5 = 0x24; *(uint8_t*)0x200000007fa6 = 1; *(uint16_t*)0x200000007fa7 = 0; *(uint8_t*)0x200000007fa9 = 0x7c; *(uint8_t*)0x200000007faa = 2; *(uint8_t*)0x200000007fab = 1; *(uint8_t*)0x200000007fac = 2; *(uint8_t*)0x200000007fad = 0xd; *(uint8_t*)0x200000007fae = 0x24; *(uint8_t*)0x200000007faf = 8; *(uint8_t*)0x200000007fb0 = 2; *(uint16_t*)0x200000007fb1 = 8; *(uint8_t*)0x200000007fb3 = 9; memcpy((void*)0x200000007fb4, "\x0c\xff\xda\x3f\x22\x7b", 6); *(uint8_t*)0x200000007fba = 9; *(uint8_t*)0x200000007fbb = 4; 
*(uint8_t*)0x200000007fbc = 1; *(uint8_t*)0x200000007fbd = 0; *(uint8_t*)0x200000007fbe = 0; *(uint8_t*)0x200000007fbf = 1; *(uint8_t*)0x200000007fc0 = 2; *(uint8_t*)0x200000007fc1 = 0; *(uint8_t*)0x200000007fc2 = 0; *(uint8_t*)0x200000007fc3 = 9; *(uint8_t*)0x200000007fc4 = 4; *(uint8_t*)0x200000007fc5 = 1; *(uint8_t*)0x200000007fc6 = 1; *(uint8_t*)0x200000007fc7 = 1; *(uint8_t*)0x200000007fc8 = 1; *(uint8_t*)0x200000007fc9 = 2; *(uint8_t*)0x200000007fca = 0; *(uint8_t*)0x200000007fcb = 0; *(uint8_t*)0x200000007fcc = 0x12; *(uint8_t*)0x200000007fcd = 0x24; *(uint8_t*)0x200000007fce = 2; *(uint8_t*)0x200000007fcf = 2; *(uint16_t*)0x200000007fd0 = 6; *(uint16_t*)0x200000007fd2 = 0x9a; *(uint8_t*)0x200000007fd4 = 0x20; memcpy((void*)0x200000007fd5, "\x2d\xa5\xee\x78\xa2\x8e\x1f\x1a\x41", 9); *(uint8_t*)0x200000007fde = 0xd; *(uint8_t*)0x200000007fdf = 0x24; *(uint8_t*)0x200000007fe0 = 2; *(uint8_t*)0x200000007fe1 = 1; *(uint8_t*)0x200000007fe2 = 0xf8; *(uint8_t*)0x200000007fe3 = 3; *(uint8_t*)0x200000007fe4 = 0x69; *(uint8_t*)0x200000007fe5 = 0x6d; memcpy((void*)0x200000007fe6, "e)", 2); memcpy((void*)0x200000007fe8, "\xbf\x07\x94", 3); *(uint8_t*)0x200000007feb = 0xb; *(uint8_t*)0x200000007fec = 0x24; *(uint8_t*)0x200000007fed = 2; *(uint8_t*)0x200000007fee = 1; *(uint8_t*)0x200000007fef = 5; *(uint8_t*)0x200000007ff0 = 4; *(uint8_t*)0x200000007ff1 = 0x5b; *(uint8_t*)0x200000007ff2 = 3; memset((void*)0x200000007ff3, 68, 1); memcpy((void*)0x200000007ff4, "\x26\x18", 2); *(uint8_t*)0x200000007ff6 = 9; *(uint8_t*)0x200000007ff7 = 0x24; *(uint8_t*)0x200000007ff8 = 2; *(uint8_t*)0x200000007ff9 = 2; *(uint16_t*)0x200000007ffa = 0x7b4; *(uint16_t*)0x200000007ffc = 8; *(uint8_t*)0x200000007ffe = 4; *(uint8_t*)0x200000007fff = 0xc; *(uint8_t*)0x200000008000 = 0x24; *(uint8_t*)0x200000008001 = 2; *(uint8_t*)0x200000008002 = 1; *(uint8_t*)0x200000008003 = 0; *(uint8_t*)0x200000008004 = 3; *(uint8_t*)0x200000008005 = 8; *(uint8_t*)0x200000008006 = 8; 
memset((void*)0x200000008007, 170, 1); memcpy((void*)0x200000008008, "\xe8\xe5\xb4", 3); *(uint8_t*)0x20000000800b = 9; *(uint8_t*)0x20000000800c = 5; *(uint8_t*)0x20000000800d = 1; *(uint8_t*)0x20000000800e = 9; *(uint16_t*)0x20000000800f = 0x40; *(uint8_t*)0x200000008011 = 6; *(uint8_t*)0x200000008012 = 5; *(uint8_t*)0x200000008013 = 0; *(uint8_t*)0x200000008014 = 7; *(uint8_t*)0x200000008015 = 0x25; *(uint8_t*)0x200000008016 = 1; *(uint8_t*)0x200000008017 = 0x80; *(uint8_t*)0x200000008018 = 1; *(uint16_t*)0x200000008019 = 4; *(uint8_t*)0x20000000801b = 9; *(uint8_t*)0x20000000801c = 4; *(uint8_t*)0x20000000801d = 2; *(uint8_t*)0x20000000801e = 0; *(uint8_t*)0x20000000801f = 0; *(uint8_t*)0x200000008020 = 1; *(uint8_t*)0x200000008021 = 2; *(uint8_t*)0x200000008022 = 0; *(uint8_t*)0x200000008023 = 0; *(uint8_t*)0x200000008024 = 9; *(uint8_t*)0x200000008025 = 4; *(uint8_t*)0x200000008026 = 2; *(uint8_t*)0x200000008027 = 1; *(uint8_t*)0x200000008028 = 1; *(uint8_t*)0x200000008029 = 1; *(uint8_t*)0x20000000802a = 2; *(uint8_t*)0x20000000802b = 0; *(uint8_t*)0x20000000802c = 0; *(uint8_t*)0x20000000802d = 7; *(uint8_t*)0x20000000802e = 0x24; *(uint8_t*)0x20000000802f = 1; *(uint8_t*)0x200000008030 = 3; *(uint8_t*)0x200000008031 = 0x1e; *(uint16_t*)0x200000008032 = 4; *(uint8_t*)0x200000008034 = 7; *(uint8_t*)0x200000008035 = 0x24; *(uint8_t*)0x200000008036 = 1; *(uint8_t*)0x200000008037 = 0x6f; *(uint8_t*)0x200000008038 = 7; *(uint16_t*)0x200000008039 = 0; *(uint8_t*)0x20000000803b = 0xa; *(uint8_t*)0x20000000803c = 0x24; *(uint8_t*)0x20000000803d = 2; *(uint8_t*)0x20000000803e = 2; *(uint16_t*)0x20000000803f = 8; *(uint16_t*)0x200000008041 = 2; *(uint8_t*)0x200000008043 = 8; memset((void*)0x200000008044, 102, 1); *(uint8_t*)0x200000008045 = 0x10; *(uint8_t*)0x200000008046 = 0x24; *(uint8_t*)0x200000008047 = 2; *(uint8_t*)0x200000008048 = 2; *(uint16_t*)0x200000008049 = 9; *(uint16_t*)0x20000000804b = 0x401; *(uint8_t*)0x20000000804d = 5; memcpy((void*)0x20000000804e, 
"\x53\xb1\x1d\xbc\x8c\xd3\x10", 7); *(uint8_t*)0x200000008055 = 9; *(uint8_t*)0x200000008056 = 5; *(uint8_t*)0x200000008057 = 0x82; *(uint8_t*)0x200000008058 = 9; *(uint16_t*)0x200000008059 = 8; *(uint8_t*)0x20000000805b = 0; *(uint8_t*)0x20000000805c = 0x28; *(uint8_t*)0x20000000805d = 6; *(uint8_t*)0x20000000805e = 7; *(uint8_t*)0x20000000805f = 0x25; *(uint8_t*)0x200000008060 = 1; *(uint8_t*)0x200000008061 = 0x80; *(uint8_t*)0x200000008062 = 5; *(uint16_t*)0x200000008063 = 0xd; *(uint32_t*)0x2000000081c0 = 0xa; *(uint64_t*)0x2000000081c4 = 0x200000008080; *(uint8_t*)0x200000008080 = 0xa; *(uint8_t*)0x200000008081 = 6; *(uint16_t*)0x200000008082 = 0x110; *(uint8_t*)0x200000008084 = 0x59; *(uint8_t*)0x200000008085 = 0xa5; *(uint8_t*)0x200000008086 = 5; *(uint8_t*)0x200000008087 = 0x10; *(uint8_t*)0x200000008088 = 1; *(uint8_t*)0x200000008089 = 0; *(uint32_t*)0x2000000081cc = 0x39; *(uint64_t*)0x2000000081d0 = 0x2000000080c0; *(uint8_t*)0x2000000080c0 = 5; *(uint8_t*)0x2000000080c1 = 0xf; *(uint16_t*)0x2000000080c2 = 0x39; *(uint8_t*)0x2000000080c4 = 5; *(uint8_t*)0x2000000080c5 = 0xb; *(uint8_t*)0x2000000080c6 = 0x10; *(uint8_t*)0x2000000080c7 = 1; *(uint8_t*)0x2000000080c8 = 4; *(uint16_t*)0x2000000080c9 = 8; *(uint8_t*)0x2000000080cb = 3; *(uint8_t*)0x2000000080cc = 0xb8; *(uint16_t*)0x2000000080cd = 9; *(uint8_t*)0x2000000080cf = 4; *(uint8_t*)0x2000000080d0 = 0x14; *(uint8_t*)0x2000000080d1 = 0x10; *(uint8_t*)0x2000000080d2 = 4; *(uint8_t*)0x2000000080d3 = 2; memcpy((void*)0x2000000080d4, "\x9d\x9a\xb0\x97\x8e\x2a\xac\xe2\x6d\xe6\x63\x06\xe6\xe2\x96\x3d", 16); *(uint8_t*)0x2000000080e4 = 0xb; *(uint8_t*)0x2000000080e5 = 0x10; *(uint8_t*)0x2000000080e6 = 1; *(uint8_t*)0x2000000080e7 = 4; *(uint16_t*)0x2000000080e8 = 0; *(uint8_t*)0x2000000080ea = 6; *(uint8_t*)0x2000000080eb = 4; *(uint16_t*)0x2000000080ec = 1; *(uint8_t*)0x2000000080ee = 5; *(uint8_t*)0x2000000080ef = 3; *(uint8_t*)0x2000000080f0 = 0x10; *(uint8_t*)0x2000000080f1 = 0xb; 
*(uint8_t*)0x2000000080f2 = 7; *(uint8_t*)0x2000000080f3 = 0x10; *(uint8_t*)0x2000000080f4 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000080f5, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f7, 0xfff2, 0, 16); *(uint32_t*)0x2000000081d8 = 1; *(uint32_t*)0x2000000081dc = 0x84; *(uint64_t*)0x2000000081e0 = 0x200000008100; *(uint8_t*)0x200000008100 = 0x84; *(uint8_t*)0x200000008101 = 3; memcpy((void*)0x200000008102, "\x00\x0a\x6c\x9f\x4a\x15\xea\xbc\x97\xa9\x2a\xb6\x65\x23\x1b\x2c\xf9\x05\x73\x21\xeb\x43\x0c\x65\x21\xf4\x97\xa8\xc3\xce\x81\x62\x68\xcb\x33\x7f\xa4\x8d\xee\xcf\xeb\x28\xb2\x30\x5f\xcf\x2d\x2e\x98\x8c\xc8\xb8\xb9\x80\xa1\x33\x2d\xc4\x06\xbc\x34\x69\x5f\xa2\x4d\xc3\x60\x9f\x61\x9d\x7a\xc2\x84\xcc\x3a\xe7\xf0\xaf\xe4\x44\xd5\x78\xc9\x51\xd9\xae\xdc\x4c\x68\x2e\x10\x0c\xfe\xb6\x61\x9b\x98\xa9\x6b\x19\x78\xd8\xed\xe7\x57\x4e\x96\x9f\x8a\xe8\xe3\xdf\xb8\x35\xbd\xe5\xcc\xd9\x22\x13\x3e\x53\x03\x6f\xf4\x4e\xda\x52\xa0\xa9", 130); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0xe5, /*dev=*/0x200000007f80, /*conn_descs=*/0x2000000081c0); if (res != -1) r[35] = res; break; case 55: *(uint32_t*)0x200000008380 = 0x2c; *(uint64_t*)0x200000008384 = 0x200000008200; *(uint8_t*)0x200000008200 = 0x40; *(uint8_t*)0x200000008201 = 0x22; *(uint32_t*)0x200000008202 = 0x31; *(uint8_t*)0x200000008206 = 0x31; *(uint8_t*)0x200000008207 = 5; memcpy((void*)0x200000008208, "\x74\xe8\x3d\xcf\x53\xdd\x2d\x0e\xca\xc0\xaa\x34\x67\xb1\x8d\xfa\x71\xb2\x6c\xdd\x40\x3d\x95\x5c\x0f\xfe\x22\x81\x7b\x01\xfe\x57\x95\xd5\x1c\xf2\x4a\x6a\xe3\xb8\xe3\x2f\x1b\x7a\xc5\xf8\xca", 47); *(uint64_t*)0x20000000838c = 0x200000008240; *(uint8_t*)0x200000008240 = 0; *(uint8_t*)0x200000008241 = 3; *(uint32_t*)0x200000008242 = 0x1e; *(uint8_t*)0x200000008246 = 0x1e; *(uint8_t*)0x200000008247 = 3; memcpy((void*)0x200000008248, 
"\x89\x57\xa5\x01\xd8\x3c\x69\xe5\x4f\x70\xf6\x2f\x93\x2a\x50\xb6\x55\x06\xc3\x88\xc1\x28\x23\x9d\x36\x22\x9e\xe2", 28); *(uint64_t*)0x200000008394 = 0x200000008280; *(uint8_t*)0x200000008280 = 0; *(uint8_t*)0x200000008281 = 0xf; *(uint32_t*)0x200000008282 = 0x4f; *(uint8_t*)0x200000008286 = 5; *(uint8_t*)0x200000008287 = 0xf; *(uint16_t*)0x200000008288 = 0x4f; *(uint8_t*)0x20000000828a = 6; *(uint8_t*)0x20000000828b = 0x1c; *(uint8_t*)0x20000000828c = 0x10; *(uint8_t*)0x20000000828d = 0xa; *(uint8_t*)0x20000000828e = 0; STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 5, 5, 27); *(uint16_t*)0x200000008293 = 0xf000; *(uint16_t*)0x200000008295 = 0x409; *(uint32_t*)0x200000008297 = 0xc000; *(uint32_t*)0x20000000829b = 0x17f; *(uint32_t*)0x20000000829f = 0xff3f30; *(uint32_t*)0x2000000082a3 = 0xffffaf; *(uint8_t*)0x2000000082a7 = 0x10; *(uint8_t*)0x2000000082a8 = 0x10; *(uint8_t*)0x2000000082a9 = 0xa; *(uint8_t*)0x2000000082aa = 9; STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 4, 5, 27); *(uint16_t*)0x2000000082af = 0xff0f; *(uint16_t*)0x2000000082b1 = 0xf87; *(uint32_t*)0x2000000082b3 = 0xc030; *(uint8_t*)0x2000000082b7 = 7; *(uint8_t*)0x2000000082b8 = 0x10; *(uint8_t*)0x2000000082b9 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000082ba, 4, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bc, 5, 0, 16); *(uint8_t*)0x2000000082be = 0xa; *(uint8_t*)0x2000000082bf = 0x10; *(uint8_t*)0x2000000082c0 = 3; *(uint8_t*)0x2000000082c1 = 0; *(uint16_t*)0x2000000082c2 = 4; *(uint8_t*)0x2000000082c4 = 0xd2; *(uint8_t*)0x2000000082c5 = 3; *(uint16_t*)0x2000000082c6 = 5; *(uint8_t*)0x2000000082c8 = 0xa; *(uint8_t*)0x2000000082c9 = 0x10; *(uint8_t*)0x2000000082ca = 3; *(uint8_t*)0x2000000082cb = 0; *(uint16_t*)0x2000000082cc = 0; *(uint8_t*)0x2000000082ce = 1; 
*(uint8_t*)0x2000000082cf = 7; *(uint16_t*)0x2000000082d0 = 2; *(uint8_t*)0x2000000082d2 = 3; *(uint8_t*)0x2000000082d3 = 0x10; *(uint8_t*)0x2000000082d4 = 0xb; *(uint64_t*)0x20000000839c = 0x200000008300; *(uint8_t*)0x200000008300 = 0x20; *(uint8_t*)0x200000008301 = 0x29; *(uint32_t*)0x200000008302 = 0xf; *(uint8_t*)0x200000008306 = 0xf; *(uint8_t*)0x200000008307 = 0x29; *(uint8_t*)0x200000008308 = 8; *(uint16_t*)0x200000008309 = 1; *(uint8_t*)0x20000000830b = 7; *(uint8_t*)0x20000000830c = 4; memcpy((void*)0x20000000830d, "\b\r$}", 4); memcpy((void*)0x200000008311, "\x67\x01\x6d\xee", 4); *(uint64_t*)0x2000000083a4 = 0x200000008340; *(uint8_t*)0x200000008340 = 0x20; *(uint8_t*)0x200000008341 = 0x2a; *(uint32_t*)0x200000008342 = 0xc; *(uint8_t*)0x200000008346 = 0xc; *(uint8_t*)0x200000008347 = 0x2a; *(uint8_t*)0x200000008348 = 0x16; *(uint16_t*)0x200000008349 = 0x80; *(uint8_t*)0x20000000834b = 9; *(uint8_t*)0x20000000834c = 3; *(uint8_t*)0x20000000834d = 3; *(uint16_t*)0x20000000834e = 2; *(uint16_t*)0x200000008350 = 0xf000; *(uint32_t*)0x2000000087c0 = 0x84; *(uint64_t*)0x2000000087c4 = 0x2000000083c0; *(uint8_t*)0x2000000083c0 = 0; *(uint8_t*)0x2000000083c1 = 0x11; *(uint32_t*)0x2000000083c2 = 0x1f; memcpy((void*)0x2000000083c6, "\x16\xd6\x0d\x77\x43\x50\x14\x52\xff\xd5\x73\x04\x24\xbc\x4a\x97\x0c\xc6\x49\x0b\xb9\xcc\x85\x93\x86\x99\xed\xf2\x7a\x0c\x7d", 31); *(uint64_t*)0x2000000087cc = 0x200000008400; *(uint8_t*)0x200000008400 = 0; *(uint8_t*)0x200000008401 = 0xa; *(uint32_t*)0x200000008402 = 1; *(uint8_t*)0x200000008406 = 9; *(uint64_t*)0x2000000087d4 = 0x200000008440; *(uint8_t*)0x200000008440 = 0; *(uint8_t*)0x200000008441 = 8; *(uint32_t*)0x200000008442 = 1; *(uint8_t*)0x200000008446 = 4; *(uint64_t*)0x2000000087dc = 0x200000008480; *(uint8_t*)0x200000008480 = 0x20; *(uint8_t*)0x200000008481 = 0; *(uint32_t*)0x200000008482 = 4; *(uint16_t*)0x200000008486 = 0xe554; *(uint16_t*)0x200000008488 = 1; *(uint64_t*)0x2000000087e4 = 0x2000000084c0; 
*(uint8_t*)0x2000000084c0 = 0x20; *(uint8_t*)0x2000000084c1 = 0; *(uint32_t*)0x2000000084c2 = 4; *(uint16_t*)0x2000000084c6 = 0x200; *(uint16_t*)0x2000000084c8 = 0x2b; *(uint64_t*)0x2000000087ec = 0x200000008500; *(uint8_t*)0x200000008500 = 0x40; *(uint8_t*)0x200000008501 = 7; *(uint32_t*)0x200000008502 = 2; *(uint16_t*)0x200000008506 = 0xfd37; *(uint64_t*)0x2000000087f4 = 0x200000008540; *(uint8_t*)0x200000008540 = 0x40; *(uint8_t*)0x200000008541 = 9; *(uint32_t*)0x200000008542 = 1; *(uint8_t*)0x200000008546 = 0; *(uint64_t*)0x2000000087fc = 0x200000008580; *(uint8_t*)0x200000008580 = 0x40; *(uint8_t*)0x200000008581 = 0xb; *(uint32_t*)0x200000008582 = 2; memcpy((void*)0x200000008586, "E\"", 2); *(uint64_t*)0x200000008804 = 0x2000000085c0; *(uint8_t*)0x2000000085c0 = 0x40; *(uint8_t*)0x2000000085c1 = 0xf; *(uint32_t*)0x2000000085c2 = 2; *(uint16_t*)0x2000000085c6 = 2; *(uint64_t*)0x20000000880c = 0x200000008600; *(uint8_t*)0x200000008600 = 0x40; *(uint8_t*)0x200000008601 = 0x13; *(uint32_t*)0x200000008602 = 6; memcpy((void*)0x200000008606, "\x2f\xa6\xdd\xe0\x3a\x0f", 6); *(uint64_t*)0x200000008814 = 0x200000008640; *(uint8_t*)0x200000008640 = 0x40; *(uint8_t*)0x200000008641 = 0x17; *(uint32_t*)0x200000008642 = 6; memcpy((void*)0x200000008646, "\xde\x1c\x10\x2b\x02\x7e", 6); *(uint64_t*)0x20000000881c = 0x200000008680; *(uint8_t*)0x200000008680 = 0x40; *(uint8_t*)0x200000008681 = 0x19; *(uint32_t*)0x200000008682 = 2; memcpy((void*)0x200000008686, "\x0d\x97", 2); *(uint64_t*)0x200000008824 = 0x2000000086c0; *(uint8_t*)0x2000000086c0 = 0x40; *(uint8_t*)0x2000000086c1 = 0x1a; *(uint32_t*)0x2000000086c2 = 2; *(uint16_t*)0x2000000086c6 = 2; *(uint64_t*)0x20000000882c = 0x200000008700; *(uint8_t*)0x200000008700 = 0x40; *(uint8_t*)0x200000008701 = 0x1c; *(uint32_t*)0x200000008702 = 1; *(uint8_t*)0x200000008706 = 0xfd; *(uint64_t*)0x200000008834 = 0x200000008740; *(uint8_t*)0x200000008740 = 0x40; *(uint8_t*)0x200000008741 = 0x1e; *(uint32_t*)0x200000008742 = 1; 
*(uint8_t*)0x200000008746 = 0xfd; *(uint64_t*)0x20000000883c = 0x200000008780; *(uint8_t*)0x200000008780 = 0x40; *(uint8_t*)0x200000008781 = 0x21; *(uint32_t*)0x200000008782 = 1; *(uint8_t*)0x200000008786 = 0xc9; syz_usb_control_io(/*fd=*/r[35], /*descs=*/0x200000008380, /*resps=*/0x2000000087c0); break; case 56: syz_usb_disconnect(/*fd=*/r[33]); break; case 57: syz_usb_ep_read(/*fd=*/r[34], /*ep=*/7, /*len=*/0xfc, /*data=*/0x200000008880); break; case 58: *(uint8_t*)0x200000008980 = 0x12; *(uint8_t*)0x200000008981 = 1; *(uint16_t*)0x200000008982 = 0x200; *(uint8_t*)0x200000008984 = 7; *(uint8_t*)0x200000008985 = 1; *(uint8_t*)0x200000008986 = 1; *(uint8_t*)0x200000008987 = 0x20; *(uint16_t*)0x200000008988 = 0x525; *(uint16_t*)0x20000000898a = 0xa4a8; *(uint16_t*)0x20000000898c = 0x40; *(uint8_t*)0x20000000898e = 1; *(uint8_t*)0x20000000898f = 2; *(uint8_t*)0x200000008990 = 3; *(uint8_t*)0x200000008991 = 1; *(uint8_t*)0x200000008992 = 9; *(uint8_t*)0x200000008993 = 2; *(uint16_t*)0x200000008994 = 0x24; *(uint8_t*)0x200000008996 = 1; *(uint8_t*)0x200000008997 = 1; *(uint8_t*)0x200000008998 = 0xf4; *(uint8_t*)0x200000008999 = 0x60; *(uint8_t*)0x20000000899a = 4; *(uint8_t*)0x20000000899b = 9; *(uint8_t*)0x20000000899c = 4; *(uint8_t*)0x20000000899d = 0; *(uint8_t*)0x20000000899e = 3; *(uint8_t*)0x20000000899f = 2; *(uint8_t*)0x2000000089a0 = 0; *(uint8_t*)0x2000000089a1 = 0; *(uint8_t*)0x2000000089a2 = 0; *(uint8_t*)0x2000000089a3 = 0x81; *(uint8_t*)0x2000000089a4 = 9; *(uint8_t*)0x2000000089a5 = 5; *(uint8_t*)0x2000000089a6 = 1; *(uint8_t*)0x2000000089a7 = 2; *(uint16_t*)0x2000000089a8 = 0x400; *(uint8_t*)0x2000000089aa = 0; *(uint8_t*)0x2000000089ab = 8; *(uint8_t*)0x2000000089ac = 2; *(uint8_t*)0x2000000089ad = 9; *(uint8_t*)0x2000000089ae = 5; *(uint8_t*)0x2000000089af = 0x82; *(uint8_t*)0x2000000089b0 = 2; *(uint16_t*)0x2000000089b1 = 0x3ff; *(uint8_t*)0x2000000089b3 = 4; *(uint8_t*)0x2000000089b4 = 0x48; *(uint8_t*)0x2000000089b5 = 8; *(uint32_t*)0x200000008f00 
= 0xa; *(uint64_t*)0x200000008f04 = 0x2000000089c0; *(uint8_t*)0x2000000089c0 = 0xa; *(uint8_t*)0x2000000089c1 = 6; *(uint16_t*)0x2000000089c2 = 0x250; *(uint8_t*)0x2000000089c4 = 0x7d; *(uint8_t*)0x2000000089c5 = 0xdd; *(uint8_t*)0x2000000089c6 = 3; *(uint8_t*)0x2000000089c7 = 0x20; *(uint8_t*)0x2000000089c8 = 0xfa; *(uint8_t*)0x2000000089c9 = 0; *(uint32_t*)0x200000008f0c = 0x154; *(uint64_t*)0x200000008f10 = 0x200000008a00; *(uint8_t*)0x200000008a00 = 5; *(uint8_t*)0x200000008a01 = 0xf; *(uint16_t*)0x200000008a02 = 0x154; *(uint8_t*)0x200000008a04 = 6; *(uint8_t*)0x200000008a05 = 0xe8; *(uint8_t*)0x200000008a06 = 0x10; *(uint8_t*)0x200000008a07 = 1; memcpy((void*)0x200000008a08, "\xd0\x31\xa9\x16\x5b\x9e\x27\x3f\xf6\xff\xe5\x55\x84\x9a\xf6\xdc\xa6\x6e\x17\xa6\x8e\xe5\xac\x78\x4d\xca\x23\xe4\xa5\x6d\x46\x16\x9a\xd0\x6e\xad\x2b\x8b\xcd\x99\x7e\xac\x2e\xcb\x8b\x2a\x25\x26\xaa\x20\x0d\xb5\x57\x58\xd0\x86\x59\x46\x92\x83\xd6\xec\xfb\xa9\x82\xc3\x00\xae\x82\xcc\xf4\xa8\xbf\x07\x3d\xbd\xe4\x53\x76\xb4\xf6\xfc\x55\x9b\xe5\x19\xf8\x2e\x8e\x5b\x2c\xf5\x9c\x3a\x3a\xf4\xf2\x90\x70\x7e\x76\x7a\x4e\x27\x68\x51\x09\x0d\x90\xbe\x0a\xb6\x6f\x78\x8e\x77\x60\xcd\x71\xab\x86\x5e\xa8\xb6\xbc\xc5\xf3\x5f\x60\x53\x81\x54\xa0\x99\xc3\x54\xa3\x59\x34\x17\x68\x2f\xc3\x9d\x2a\x6a\x25\x5e\xf4\xbb\x65\xf8\xd9\x7a\xf2\x9b\xeb\x0f\x87\x34\xa6\x8e\xd8\x4e\xf0\x8d\xf6\x9e\x9b\x35\xfa\x2e\x3f\xe6\x5e\x99\x38\xff\x44\x1d\xc3\xe7\x98\x2a\x81\xcc\xca\xf9\x62\x1d\x5d\xbc\x66\x3b\x80\xab\x44\x8c\x97\x5c\xbc\x19\xbb\x6c\x39\x01\xa0\x2c\x16\xb3\x2d\xfa\xf9\xf5\xc2\x20\xfa\x21\x43\x49\x37\xb4\x62\x03\x81\x05\xe6\xd0\x86", 229); *(uint8_t*)0x200000008aed = 0x4b; *(uint8_t*)0x200000008aee = 0x10; *(uint8_t*)0x200000008aef = 3; memcpy((void*)0x200000008af0, 
"\x10\xbe\xd1\x91\x2f\x7d\xc9\x4a\xc6\xd8\x7c\xbc\x68\x96\x2c\x89\xe7\x77\xcc\x51\xa2\x57\xd0\xca\xd3\x3c\xdc\xf3\x36\xa3\x1a\xc3\x9b\x86\x71\x44\xc2\xc9\x6b\xe4\x0f\xcc\xac\x19\x63\x3a\x54\x77\x87\xbc\x6e\x4f\xe9\x1e\x91\xfa\x47\x59\xdb\x2a\x86\x7d\x85\x9c\xd5\xa6\x0c\x84\xc1\xa3\x8e\x09", 72); *(uint8_t*)0x200000008b38 = 0xb; *(uint8_t*)0x200000008b39 = 0x10; *(uint8_t*)0x200000008b3a = 1; *(uint8_t*)0x200000008b3b = 2; *(uint16_t*)0x200000008b3c = 9; *(uint8_t*)0x200000008b3e = 0x77; *(uint8_t*)0x200000008b3f = 9; *(uint16_t*)0x200000008b40 = 0x2cf; *(uint8_t*)0x200000008b42 = 0; *(uint8_t*)0x200000008b43 = 0xb; *(uint8_t*)0x200000008b44 = 0x10; *(uint8_t*)0x200000008b45 = 1; *(uint8_t*)0x200000008b46 = 0xc; *(uint16_t*)0x200000008b47 = 5; *(uint8_t*)0x200000008b49 = 8; *(uint8_t*)0x200000008b4a = 5; *(uint16_t*)0x200000008b4b = 9; *(uint8_t*)0x200000008b4d = 0x16; *(uint8_t*)0x200000008b4e = 3; *(uint8_t*)0x200000008b4f = 0x10; *(uint8_t*)0x200000008b50 = 0xb; *(uint8_t*)0x200000008b51 = 3; *(uint8_t*)0x200000008b52 = 0x10; *(uint8_t*)0x200000008b53 = 0xb; *(uint32_t*)0x200000008f18 = 0xa; *(uint32_t*)0x200000008f1c = 4; *(uint64_t*)0x200000008f20 = 0x200000008b80; *(uint8_t*)0x200000008b80 = 4; *(uint8_t*)0x200000008b81 = 3; *(uint16_t*)0x200000008b82 = 0x40e; *(uint32_t*)0x200000008f28 = 4; *(uint64_t*)0x200000008f2c = 0x200000008bc0; *(uint8_t*)0x200000008bc0 = 4; *(uint8_t*)0x200000008bc1 = 3; *(uint16_t*)0x200000008bc2 = 0x427; *(uint32_t*)0x200000008f34 = 4; *(uint64_t*)0x200000008f38 = 0x200000008c00; *(uint8_t*)0x200000008c00 = 4; *(uint8_t*)0x200000008c01 = 3; *(uint16_t*)0x200000008c02 = 0x415; *(uint32_t*)0x200000008f40 = 4; *(uint64_t*)0x200000008f44 = 0x200000008c40; *(uint8_t*)0x200000008c40 = 4; *(uint8_t*)0x200000008c41 = 3; *(uint16_t*)0x200000008c42 = 0x1c0a; *(uint32_t*)0x200000008f4c = 4; *(uint64_t*)0x200000008f50 = 0x200000008c80; *(uint8_t*)0x200000008c80 = 4; *(uint8_t*)0x200000008c81 = 3; *(uint16_t*)0x200000008c82 = 0x83e; 
*(uint32_t*)0x200000008f58 = 4; *(uint64_t*)0x200000008f5c = 0x200000008cc0; *(uint8_t*)0x200000008cc0 = 4; *(uint8_t*)0x200000008cc1 = 3; *(uint16_t*)0x200000008cc2 = 0x300a; *(uint32_t*)0x200000008f64 = 4; *(uint64_t*)0x200000008f68 = 0x200000008d00; *(uint8_t*)0x200000008d00 = 4; *(uint8_t*)0x200000008d01 = 3; *(uint16_t*)0x200000008d02 = 0x300a; *(uint32_t*)0x200000008f70 = 4; *(uint64_t*)0x200000008f74 = 0x200000008d40; *(uint8_t*)0x200000008d40 = 4; *(uint8_t*)0x200000008d41 = 3; *(uint16_t*)0x200000008d42 = 0x423; *(uint32_t*)0x200000008f7c = 0x9f; *(uint64_t*)0x200000008f80 = 0x200000008d80; *(uint8_t*)0x200000008d80 = 0x9f; *(uint8_t*)0x200000008d81 = 3; memcpy((void*)0x200000008d82, "\xd4\x8e\x87\x24\x64\x9a\x28\x41\x92\x3d\x48\xb8\xb2\x35\xfd\xc4\x31\x5e\x0d\xfb\xe1\xb8\xa8\xa0\x83\x53\xaf\x5b\x63\x0b\xeb\x6e\xca\x1d\x6b\xe0\x3d\x88\xd5\x58\x79\x33\xd6\xad\xe1\x22\xb2\xad\x4c\x55\x80\x40\xe7\xf2\x03\xd8\xc7\xaf\x79\x0a\xf8\x5d\xe3\x6e\x84\x1e\xb9\x48\x0a\xfa\x1a\xaf\x9a\x22\x6f\x4d\xe2\x8c\xd4\x44\x15\x57\x41\x1c\x77\x37\xf7\x4d\x7d\x60\x31\x3c\xd3\xd0\x51\x28\x4f\xce\xb5\xb3\x27\x83\x73\xf6\x3c\x72\xa8\x4e\x8d\xe4\xe2\x3b\xf6\x4e\x2a\x69\xc0\x57\x91\x06\xc9\x33\x18\x03\xe2\xef\x32\xfd\x09\x88\x9a\xdc\xe7\xbc\xd7\xeb\x61\x34\xc4\x65\xed\x17\x38\x6d\x3f\x97\xa4\xe8\xa4\xe9\xc4\x19\xf9\xc6\xeb\x2d\x32", 157); *(uint32_t*)0x200000008f88 = 0xa4; *(uint64_t*)0x200000008f8c = 0x200000008e40; *(uint8_t*)0x200000008e40 = 0xa4; *(uint8_t*)0x200000008e41 = 3; memcpy((void*)0x200000008e42, 
"\x81\x10\x3e\x0d\x22\x88\x43\x34\x4b\x9a\x28\x85\x67\x53\x24\xf5\x79\xdf\x27\x8e\x6d\x25\x06\x59\x98\xbd\xbb\x69\xb8\xee\xd0\xe1\xdb\x8d\xf1\x6b\x19\x64\x6d\x92\xc5\xd0\x35\x21\xf7\x73\xc1\x6c\x24\xde\xea\xe5\x56\xbe\x69\xb0\x4e\x1e\x96\x6f\xeb\xfb\xf3\x7f\x3b\xbc\x6d\xd6\x4c\x83\xf4\xc2\xa8\x7d\xaf\x95\xfb\x91\xe1\x0a\x36\xc0\x06\x9f\x4d\x51\x7b\xf3\x96\x21\x11\xd8\xf9\xc8\x45\x32\x3c\x0b\x91\xe6\x8d\xea\x34\xb2\x77\xb4\x10\x72\x0b\xdf\x4a\x58\x64\xfe\x06\x9b\xde\xe8\x4f\xa9\xe4\x46\x55\x49\x71\x3f\xb3\x33\xaa\xed\x85\x5b\xaf\x29\x53\x27\xe1\xfb\x65\x17\x29\xfe\x4a\xcf\x1d\x9e\xbf\x80\xd6\x4c\x29\xfc\xd3\x68\xee\x16\x11\xe5\x50\xd7\xb6\x7a", 162); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x36, /*dev=*/0x200000008980, /*conn_descs=*/0x200000008f00); if (res != -1) r[36] = res; break; case 59: memcpy((void*)0x200000008fc0, "\x18\x15\x12\xf6\x08\x38\x97\xf1\xb9\x4a\xd0\x1c\x9d\x8c\xc9\xeb\x6d\x7c\x14\x9c\x5e\xdf\x5e\xcf\x21\xcf\x4a\x2b\x2a\x9f\xf0\x2e\x0d\x8f\x8a\x4f\x60\xf7\xb3\x1a\xd0\xb2\x55\x2e\x14\x87\x8f\x84\x0f\x51\xa9\x7c\x25\x63\xb6\x19\xb1\x01\xea\x77\x61\x3b\x97\x52\x36\x7f\x0f\x6e\x6a\x62\x37\x81\xa3\x83\xe4\x99\xdc\x26\xfe\xd6\x0a\xfe\x6f\x15\x6d\x32\x6b\xc1\x41\xd6\x61\x5d\x18\xb6\x1a\x5c\x06\xcb\x49\xd9\xe0\x08\xe0\x5f\x65\x37\x6a\xef\xb5\xec\x21\xed\xc4\x68\xb8\x43\x4a\x0c\x9e\x39\xd1\x20\xbc\xd3\x11\x32\xf0\x75\x5c\x1f\xca\xf9\x1f\xec\xb2\x73\x3f\x98\x18\x42\x56\xd2\xf7\x9e\x80\x45\x2d\xc8\x6c\xf3\x19\x85\x08\x2e\x38\x60\x17\xeb\xe8\x21\x25\xc7\x8b\xee\x42\xf9\x49\xca\x67\x98\x67\x34\x33\xfb\x0a\x20\xd9\x16\x1b\x69\x8f\x04\x66\xb0\xea\x53\x58\x7a\x3f\x08\xcc\x34\x35\xbb\x7c\x19\x3f\x4a\xdc\xd2\xe5\xe1\x04\xf3\x3e\x3e\x1c\xdd\x33\xba\x95\x1f\xc9\xf7\x6b\x10\x8a\x40\x74\xc8\x07\x2b\x16\x46\x59\x62\xeb\x28\xe1\x38\xc9\x18\x8c\x3e\x54\xa0\x0a\xfb\x4f\xb1\x71\x0a\x27\x3a\x1f\x1c\x53\x0a\xda\x0d\x50", 251); syz_usb_ep_write(/*fd=*/r[36], /*ep=*/0xf9, /*len=*/0xfb, /*data=*/0x200000008fc0); break; case 60: 
syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); break; } }

/*
 * Entry point of the generated reproducer.
 *
 * Lays out the fixed-address memory that the program body depends on,
 * enables fault injection, switches to a temporary working directory and
 * runs the program under the "none" sandbox.  Always returns 0.
 *
 * The three mmap results are not checked (generator convention).  Because
 * the mappings are MAP_FIXED, a failure here is not reported; the later
 * stores into 0x200000000000.. in execute_call would then hit unmapped
 * memory.
 */
int main(void)
{
    /* PROT_NONE page directly below the arena (0x1ffffffff000 + 0x1000 == 0x200000000000). */
    syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    /* 16 MiB arena at 0x200000000000: every descriptor/buffer store in
     * execute_call writes into this range.  Note it is mapped RWX. */
    syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    /* PROT_NONE page directly above the arena (0x200000000000 + 0x1000000 == 0x200001000000). */
    syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    /* setup_fault() yields NULL on success, otherwise a reason string.
     * A failure is only printed, not fatal: the reproducer still runs. */
    const char* reason; (void)reason;
    if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason);
    /* Helpers presumably defined earlier in this file (not visible here). */
    use_temporary_dir();
    do_sandbox_none();
    return 0;
} : In function 'execute_call': :6317:17: error: '__NR_socketcall' undeclared (first use in this function) :6317:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor354852868 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/4 (1.18s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false 
LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$IMCTRLREQ(0xffffffffffffffff, 0x80044945, &(0x7f0000000000)={0x4006, 0xd, 0x2, 0x8}) (fail_nth: 1) ioctl$SNDRV_TIMER_IOCTL_GINFO(0xffffffffffffffff, 0xc0f85403, &(0x7f0000000040)={{0x0, 0x1, 0x4, 0x2, 0x5}, 0x81, 0x0, 'id1\x00', 'timer0\x00', 0x0, 0x6, 0x3, 0x70a, 0x9}) (async) r0 = syz_open_dev$ircomm(&(0x7f0000000140), 0x0, 0x0) (rerun: 4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTA3D_RGXCREATERENDERCONTEXT(0xffffffffffffffff, 0xc0206440, &(0x7f0000000340)={0x82, 0x8, &(0x7f0000000280)={0x1, 0x0, 0xc0, &(0x7f0000000180)="5b58ac0ed1d27b217d3fdc6299cdde4d85321f7bbaa064d361519cdde43b225cf00658ddbfbd914cf79eceb348f18692315c3c69ec148e2dd928ac7ee62f5111b9dccaca88524912341955f79b0f2206b80e6e5a7e681a629694a34f9b0e39877eefde60a068cdc44545d6fe45d0000c9961a1ff168747447e346b16460875c691de1183b2d7b032cfae85497d0d8848d4baa9adc6caaccd9af6019ea2ba6f3b4e6018df94cacabeddec7b600230ea7790019399d0beb61f427df8359cc34893", 0x0, 0x0, &(0x7f0000000240), 0x10000, 0x0, 0x0, 0x81, 0xe}, &(0x7f0000000300)={0x0}, 0x44, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXCMP_RGXGETLASTCOMPUTECONTEXTRESETREASON(r0, 0xc0206440, &(0x7f0000000400)={0x81, 0x4, &(0x7f0000000380)={r1}, &(0x7f00000003c0), 0x8, 0xc}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r0, 0xc08c5335, &(0x7f0000000440)={0x3, 0x6, 0x1, 'queue1\x00', 0xdae}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000540), r0) sendmsg$TIPC_NL_BEARER_GET(r0, &(0x7f0000000880)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000840)={&(0x7f0000000580)={0x2b4, r2, 0x400, 0x70bd2d, 0x25dfdbfb, {}, [@TIPC_NLA_PUBL={0x44, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3f}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x2}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x4c00000}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x67c}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x7}]}, 
@TIPC_NLA_LINK={0x3c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x220a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9c0}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x101}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x6}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}]}, @TIPC_NLA_BEARER={0xb8, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @multicast2}}, {0x14, 0x2, @in={0x2, 0x4e20, @broadcast}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xb}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}, @TIPC_NLA_NET={0x20, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x8}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x80}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK={0x10c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x187}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc0fb}, 
@TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffff2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd0}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK_PROP={0x54, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xe6a9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x81}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x79}]}]}, 0x2b4}, 0x1, 0x0, 0x0, 0x4040811}, 0x0) read$snddsp(r0, &(0x7f00000008c0)=""/29, 0x1d) ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(0xffffffffffffffff, 0x4010801d, &(0x7f0000000980)={0x6, &(0x7f0000000940)=[0x904e, 0x1, 0x9, 0x6, 0xe, 0x5]}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@mgmt_frame=@deauth={{{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x4}, @device_a, @broadcast, @from_mac=@device_b, {0x1, 0x7f}}, 0x1f, @val={0x8c, 0x18, {0x5d9, "8e85144c6433", @long="e023fbed513011c5707e452472e2055d"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@random="3a386465f389380e26b0cb13f98a36e2214f099ee0d0b29b754e31d6efc82c04", 0x20, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_path_truncate\x00') r3 = syz_clone(0x4004000, 
&(0x7f0000000140)="daa4ed40f7cf4da86377e864d8e6c6d4fc5486af4a6f23dea58b3243a291b0180dbaf5c92758af73f9", 0x29, &(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)="40f276856b8191c4f312759d795a22c3c7edc91678794f4eeac45746fcc9930722c8189ba59565f7327cbcd4506164eb9f6ff175f1f08d60247091772c185ac38304e9b5b3") r4 = getpgrp(r3) r5 = syz_clone3(&(0x7f0000000500)={0x800, &(0x7f0000000280)=0xffffffffffffffff, &(0x7f00000002c0)=0x0, &(0x7f0000000300)=0x0, {0x12}, &(0x7f0000000340)=""/102, 0x66, &(0x7f00000003c0)=""/198, &(0x7f00000004c0)=[r3, r3, r3, r4], 0x4}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x101a, &(0x7f00000005c0)={@remote, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @val={@void, {0x8100, 0x7, 0x0, 0x3}}, {@llc_tr={0x11, {@snap={0xab, 0x1fe, "fe", "1622d0", 0x1b, ""}}}}}, 0x0) syz_emit_vhci(&(0x7f0000001600)=@HCI_VENDOR_PKT, 0x2) syz_extract_tcp_res(&(0x7f0000001640), 0x401, 0x8001) r9 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000001680)=0x4) shmctl$auto_SHM_UNLOCK(0x6, 0xc, &(0x7f0000004a80)={{0x80000000, 0xee01, 0xee01, 0x5, 0xfffffff8, 0x1, 0x6bc1}, 0x40, 0xffff, 0x2265, 0xfffffffffffffff8, @inferred=r3, @inferred=r8, 0xfffa, 0x0, &(0x7f0000003a40)="", &(0x7f0000004a40)="884f381309896a88173889994e74c60694f7baa45be088e59bc3e939728257e8d2db71"}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000004c40)={{{@in, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@remote}}, &(0x7f0000004d40)=0xe8) shmctl$auto(0x5, 0x2, &(0x7f0000004e00)={{0x7, 0xee00, 0xffffffffffffffff, 0x8, 0x80, 0x5, 0xfffc}, 0x1, 0x7, 0x5, 0xbed1, @inferred=r5, @inferred=r7, 0x1, 0x0, &(0x7f0000004d80), &(0x7f0000004dc0)="05c9215687a3ff1747cae5c18cb186ed5c62984337f90f0ab5948e21c63d1686f1da1459a89718a9f84930b892c2ad4de61f714ab8"}) msgctl$auto_IPC_RMID(0x4, 0x0, &(0x7f0000004f00)={{0x7, 0xffffffffffffffff, 0xffffffffffffffff, 0x1, 0x0, 0x98, 0x4}, &(0x7f0000004e80)=0x6, 
&(0x7f0000004ec0)=0x5, 0xc, 0x1ff800000, 0x8, 0x7f, 0x3, 0x101, 0x8, 0x1000, @inferred=r5, @inferred=r8}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000004f80)={{{@in6=@mcast1, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@multicast2}}, &(0x7f0000005080)=0xe8) shmctl$auto(0x2, 0x5, &(0x7f00000052c0)={{0x8, 0x0, 0x0, 0x7f, 0x5, 0x80000001, 0x43}, 0x7, 0x2, 0x0, 0xffffffffffffffff, @raw=0xf, @inferred=r7, 0x2, 0x0, &(0x7f00000050c0)="bcc4b5d86e91b02b73e16c4665dc3088f7cc9826da7807f9a8300d9d8980de67a1a2a153e95466e76d2c38c41558c08efe37ee81d9904674ced86dda9b2b6cc7c97b199758bef8d92dd20e0e69864d6fcd03a80ca012019cf41e5166475038fcd360338436e7827ef730469187e6a495f5bf018ee7caa71c804a386756c3242b30eca0b841166d7839e94a5639d08fbc06dac1f861494456d8d153de7fc30387d452304e7c3069bbfb424391d04fab12037c6d6ae6025df869fa3a45e03148c2dd052c", &(0x7f00000051c0)="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"}) stat$auto(&(0x7f0000005340)='./file0\x00', &(0x7f0000005380)={0x355, 0x100000001, 0x5, 0x7, 0xffffffffffffffff, 0xee01, 0x0, 0x7, 0x2, 0x2, 0x6, 0xfffffffffffffff7, 0x7, 0x4, 0xfff, 0x17b, 0xffffffffffff27a1}) shmctl$auto(0x8001, 0xfffffee8, &(0x7f0000006480)={{0x7, 0xee00, 0x0, 0x0, 0x7, 0x8, 0x3ff}, 0x10, 0x2, 0x8, 0x7fffffff, @inferred=r8, @raw=0xffff, 0xffff, 0x0, &(0x7f0000005440)="", &(0x7f0000006440)="1c3d61efc1467b6b61e9e5f06fa3d1dcc0e70035dcc9c6c3b00df58900"}) r21 = getgid() r22 = geteuid() ioctl$auto_XFS_IOC_SWAPEXT(0xffffffffffffffff, 0xc0c0586d, &(0x7f0000006a80)={0xfff, @raw=0xd, @inferred=r6, 0x7, 0x2, '\x00', {0xf, 0x0, 0x46, 0xffffffffffffffff, 0x0, 0xfffffffd, 0xf7, 0x7f, {0x8, 0x9}, {0x3, 0x200}, {0x4, 0x5}, 0x62, 0x5, 0xff, 0x6cbf, 0x48, 0x0, 0x8001, 0x7f, 0x6, 0x8, '\x00', 0x40, 0xffff, 0xa, 0xb04b}}) syz_fuse_handle_req(r9, &(0x7f00000016c0)="", 0x2000, &(0x7f0000006c80)={&(0x7f00000036c0)={0x50, 0x0, 0x8, {0x7, 0x2d, 0x7, 0x8000008, 0x7, 0xfc00, 0x3ff, 0x59, 0x0, 0x0, 0xe0, 0x10000}}, 
&(0x7f0000003740)={0x18, 0x0, 0x6, {0x80000001}}, &(0x7f0000003780)={0x18, 0x0, 0x4, {0x2}}, &(0x7f00000037c0)={0x18, 0xffffffffffffffda, 0x37}, &(0x7f0000003800)={0x18, 0x0, 0x1, {0xff}}, &(0x7f0000003840)={0x28, 0x26, 0x7fffffffffffffff, {{0x7a, 0x8}}}, &(0x7f0000003880)={0x60, 0xfffffffffffffff5, 0x1, {{0x81, 0x6, 0x3ff, 0x2, 0x4, 0x4, 0x8, 0x2}}}, &(0x7f0000003900)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000003940)={0x12, 0xf92c178daeab5fde, 0x9, {'^\x00'}}, &(0x7f0000003980)={0x20, 0x0, 0x0, {0x0, 0x2}}, &(0x7f00000039c0)={0x78, 0x0, 0xfffffffffffffff7, {0x3, 0x67, 0x0, {0x3, 0x2, 0x5, 0x2, 0x0, 0x5b, 0x200, 0x6, 0xf0b7, 0x1000, 0x1, 0xffffffffffffffff, 0xffffffffffffffff, 0x4, 0x6}}}, &(0x7f0000004b00)={0x90, 0x0, 0x7, {0x1, 0x3, 0x10000, 0x200, 0x8, 0xa87, {0x4, 0x1, 0x7, 0x1, 0xfffffffffffffffd, 0x4, 0x9, 0xffff, 0x10000000, 0x0, 0xf40, 0x0, r10, 0x8001, 0x9}}}, &(0x7f0000004bc0)={0x48, 0x0, 0x5c, [{0x1, 0x4, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}, {0x1, 0x8, 0x0, 0xb}]}, &(0x7f0000006500)={0x478, 0x0, 0x2, [{{0x1, 0x1, 0xf, 0x9, 0x7fffffff, 0x3ff, {0x5, 0xb3fc, 0x3, 0xa2d9, 0x3, 0x80000000, 0x4, 0x5, 0x2, 0x6000, 0xfff, 0xffffffffffffffff, 0xee01, 0x5, 0x6}}, {0x5, 0x9, 0x6, 0x6, 'wlan1\x00'}}, {{0x3, 0x1, 0x4, 0xf, 0x1, 0x5, {0x4, 0xffc, 0x2, 0xffffffffffffdbca, 0x35, 0x5fa, 0x8, 0x5, 0x16d, 0x6000, 0x8000, r11, 0xee00, 0x8, 0x2}}, {0x2, 0x3e8, 0x16, 0x5, 'bpf_lsm_path_truncate\x00'}}, {{0x6, 0x3, 0xcff0, 0xfffffffffffffbff, 0x3, 0x3, {0x5, 0x4, 0x8, 0x9, 0x10, 0x5, 0x91, 0xfff, 0xfffffffd, 0xc000, 0x3, r12, 0xee00, 0x80, 0x40}}, {0x0, 0x8, 0x6, 0x80000001, 'wlan1\x00'}}, {{0x3, 0x2, 0x8, 0x9, 0x80000000, 0xd149, {0x3, 0x4, 0x5, 0xe, 0x7a, 0xd52, 0x0, 0x5, 0x6, 0xa000, 0x2, r14, 0x0, 0x7fffffff, 0x5}}, {0x4, 0x7ff, 0x2, 0x78d, '\xc0\''}}, {{0x2, 0x0, 0x6, 0x7fffffff, 0x5, 0x5, {0x2, 0xc, 0xbde5, 0x5, 0x8, 0x10, 0x9, 0x6, 0xe31, 0x2000, 0x5b8, r16, r18, 0x6, 0x8}}, {0x2, 0x80, 0x0, 0xb6}}, {{0x5, 0x2, 0x80000001, 0x2, 0x6, 0xff, {0x3, 0x5, 0x8, 0x3, 0x8001, 0x5, 
0x1, 0x7, 0x2, 0x1000, 0x1, 0xee01, r19, 0x10001, 0x6}}, {0x0, 0x6, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x3, 0x1, 0x8000000000000000, 0x2e, 0x5, 0x7, {0x6, 0x5, 0x5, 0xb, 0x0, 0x2, 0xffff, 0x0, 0x8, 0x2000, 0x9, r20, r21, 0x2, 0x7}}, {0x6, 0xfffffffffffffffb, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000006980)={0xa0, 0x0, 0xd05, {{0x5, 0x3, 0x8000000000000001, 0x7, 0x5, 0x2, {0x3, 0x4, 0x5, 0x3, 0x8, 0x1, 0x8001, 0x0, 0xfff, 0x8000, 0x101, r22, 0xee00, 0x7, 0xac}}, {0x0, 0x10}}}, &(0x7f0000006a40)={0x20, 0x0, 0xffffffff, {0x4, 0x0, 0x9, 0xa}}, &(0x7f0000006b40)={0x130, 0x0, 0x1ff, {0x6276287e, 0x7, 0x0, '\x00', {0x800, 0x2, 0x3, 0x1e, 0xffffffffffffffff, r24, 0x4000, '\x00', 0x800, 0x9, 0x8, 0x32f3fcde, {0x6, 0x1}, {0x4, 0xe30}, {0x4d, 0x3}, {0x6, 0x8}, 0x6, 0x2, 0xfb, 0x2}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000006d40), r23) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x28c2, &(0x7f0000006d80)={0x0, 0xd0f0, 0x20, 0x0, 0x1e5}, &(0x7f0000006e00)=0x0, &(0x7f0000006e40)) syz_io_uring_complete(r25) r26 = syz_io_uring_setup(0x7c1f, &(0x7f0000006e80)={0x0, 0x979d, 0x4, 0x1, 0x206, 0x0, r9}, &(0x7f0000006f00)=0x0, &(0x7f0000006f40)=0x0) r29 = io_uring_register$IORING_REGISTER_PERSONALITY(r26, 0x9, 0x0, 0x0) syz_io_uring_submit(r27, r28, &(0x7f0000007000)=@IORING_OP_OPENAT2={0x1c, 0x14, 0x0, r23, &(0x7f0000006f80)={0x818480, 0x0, 0x35}, &(0x7f0000006fc0)='./file0\x00', 0x18, 0x0, 0x23456, {0x0, r29}}) r30 = syz_kvm_setup_syzos_vm$x86(r9, &(0x7f0000bfd000/0x400000)=nil) syz_kvm_add_vcpu$x86(r30, &(0x7f0000007400)={0x0, &(0x7f0000007040)=[@wrmsr={0x65, 0x20, {0x92e, 0x8}}, @nested_vmresume={0x130, 0x18, 0x1}, @wr_drn={0x68, 0x20, {0x1}}, @nested_amd_invlpga={0x17d, 0x20, {0xffffffff, 0xbd0d}}, @nested_amd_vmsave={0x183, 0x18, 0x1}, @code={0xa, 0x6a, {"36490fc7aad66197c026660f3880945e008000000f01ba008000008fc9b89b29470fc7ae20000000450f09c4e2d13967c4360f017f0566642e643ed8f1c744240025fd0000c744240254000000c7442406000000000f011424"}}, 
@nested_amd_inject_event={0x180, 0x38, {0x0, 0xb5, 0x7, 0x5}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x3, @control16=0x4, 0x5, 0x1ff, 0x8}}, @nested_vmresume={0x130, 0x18}, @out_dx={0x6a, 0x28, {0xc636, 0x5, 0x4}}, @enable_nested={0x12c, 0x18}, @nested_vmlaunch={0x12f, 0x18, 0x1}, @wrmsr={0x65, 0x20, {0x8a3, 0x9}}, @wr_drn={0x68, 0x20, {0x4, 0x6}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_create_vm={0x12d, 0x18, 0x2}, @nested_amd_invlpga={0x17d, 0x20, {0x8080000, 0x943e}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x3, @control_area=0x31, 0xc, 0x6, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x36, 0x1, 0x2, 0x3}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_vmresume={0x130, 0x18}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0x72, 0x2, 0x5, 0x2}}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_vmlaunch={0x12f, 0x18, 0x2}], 0x3a2}) r31 = ioctl$KVM_CREATE_VM(r9, 0xae01, 0x5) syz_kvm_setup_cpu$ppc64(r31, r23, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000007680)=[{0x0, &(0x7f0000007440)="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", 0x20c}], 0x1, 0x2, &(0x7f00000076c0)=[@featur2={0x1, 0x6}], 0x1) syz_kvm_setup_syzos_vm$x86(r23, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(0x0, 0x114, &(0x7f0000007700), 0x0, 0x4) syz_mount_image$fuse(&(0x7f0000007740), &(0x7f0000007780)='./file0\x00', 0x40000, &(0x7f00000077c0)={{'fd', 0x3d, r23}, 0x2c, {'rootmode', 0x3d, 0x6000}, 0x2c, {'user_id', 0x3d, r22}, 0x2c, {'group_id', 0x3d, r13}, 0x2c, {[{@max_read={'max_read', 0x3d, 0x3}}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@default_permissions}, {@allow_other}], [{@permit_directio}, {@uid_lt={'uid<', r17}}, {@appraise}, {@smackfshat={'smackfshat', 0x3d, '\xc0\''}}, {@appraise}]}}, 0x1, 0x0, 
&(0x7f0000007940)="a4b222df2ba10df24f5481e0dc5e93b81b1b82e9a214cabce344800ad54de610fa1eda44b9040526f2dc7c731c5473c8c6dc94192a03484e6d62bb49128612543a9d016ed9a3730e51080f5c860d03a77ed50164bcf99c42d3568a974a927a879de41edc2f5552365886121a31095b97aa08ee2977111f7cc56a77c0f2a16b32b19df50a249cd3058e60a6ae8c96349d5e5c0097594ce01c1fbee5ee94606fef673231e65700bc715f1f0119c84ed27b8af38ed153d394d6b22cca54db55a31bc25b45e81deca7bedb696691ae6b92f09eea3e2b5e8af2f996339dec592edec5897e94eb") syz_open_dev$I2C(&(0x7f0000007a40), 0x7, 0x0) syz_open_procfs(r4, &(0x7f0000007a80)='net/psched\x00') syz_open_pts(r9, 0x292c02) syz_pidfd_open(r15, 0x0) r32 = pkey_alloc(0x0, 0x0) syz_pkey_set(r32, 0x3) syz_socket_connect_nvme_tcp() r33 = syz_usb_connect(0x1, 0x295, &(0x7f0000007ac0)={{0x12, 0x1, 0x250, 0x58, 0x6, 0x54, 0x8, 0x13d3, 0x3348, 0x15b2, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x283, 0x2, 0x9, 0x2, 0x10, 0x8, [{{0x9, 0x4, 0x26, 0xb, 0x5, 0x83, 0x18, 0x74, 0xee, [], [{{0x9, 0x5, 0xb, 0x3, 0x8, 0x4, 0xfb, 0x6a, [@generic={0xbd, 0xc, "8b82bd3fc8137d3d259ce7bc140de0823de2222eed4c570edcb84553cd1efd649dd352dd375d81da8da8e6863fb482ecb3a16f122210bff25c59a3afc6542848c06e1b983fbc8dd0de627cfddf9f905f5cb6ed4a25ec5947599b15b538c7bb0b0d65d4a31b319f7383955ce766ef4c66d18bc75d69b2dd7d136c78eaec1e2203eb918dd61609de40f4f693917eeb17fc387bb427341f6416e0b8c46a2445a5c49bd9c86dfe21c598acf17ea98ffece202a21dc93a0b830d29af87c"}, @generic={0xc7, 0x6, "f5459e117800d22a25a486d1442f5cbd4d3d776cd061d2c185f9924eae6a4d7b14c58b599863d321e3ea80a25f6d8be51d5ca70c276ce0e6d9038f88776b9614287db7ee2113f0e7e1f01873b613d763da5f87f86cd1860bd623463fc6d93d9f948d0d4d70d72a8ac1dec1adceb8716729906428d5b6e24b01499bfa6a0aa0482eed8c7751a1c7ec944db19254a74b61142e725a7a290c4142875d347b3e483f4e2db8373ef8fead8118ce07d812332b211da9733d444f7d706a6439c29aeaedd03000a2a8"}]}}, {{0x9, 0x5, 0xa, 0xc, 0x400, 0xc, 0x0, 0xb5, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0xb, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x20, 0x7, 0x5, 0x5, [@generic={0x24, 0x7, 
"ad98314a82d7aebbfce85178752271b158c05dea1bf5a2459c431df180c1f3b2be3b"}]}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x7, 0xf3, 0x4}}, {{0x9, 0x5, 0x5, 0x0, 0x40, 0x2, 0x3, 0x2, [@generic={0x6a, 0xa, "f7dd67505d353d93b6e1f3ac2d8f9f766012d204e558a7076c6a1dd6648b2928acaf801710c8555067e0715e60772d9a84c714f63d527b9f1532a5ac6511627f9e8400e62ad6bd25ec51ec630afc10e1f0f2fe01c9588e2897ef26d5ea8bcf970e51fc28d84a628c"}]}}]}}, {{0x9, 0x4, 0x48, 0xe, 0x3, 0xca, 0x1e, 0x4a, 0xf5, [], [{{0x9, 0x5, 0xb, 0x4, 0x400, 0x5, 0xf7, 0xf6}}, {{0x9, 0x5, 0xe, 0x10, 0x3ff, 0x1, 0xd, 0x80}}, {{0x9, 0x5, 0x5, 0x10, 0x10, 0x95, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xae, 0x12}]}}]}}]}}]}}, &(0x7f0000007ec0)={0xa, &(0x7f0000007d80)={0xa, 0x6, 0x110, 0x4, 0x1, 0x6, 0x8, 0xe}, 0x3b, &(0x7f0000007dc0)={0x5, 0xf, 0x3b, 0x4, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "fdf4043ae7f59e3e81fe303d4de3ea16"}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x8, 0x6, 0x6}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x7, 0xd, 0x95d7}, @ss_container_id={0x14, 0x10, 0x4, 0x3, "bc6a9266bf506e90620d9c900e180143"}]}, 0x1, [{0x98, &(0x7f0000007e00)=@string={0x98, 0x3, "d95f3fcaaa58f9d36d03e3a2d5566a5191f742f723fa49e364e03b0d288a7fcb4579b58c56d824be57f9ad0f8703d3011cac468433fa22c23bfaf15dad541efb0138c46bb8f8869215155c2685d69b75ffe68c0cbd6e71743abd4355e12d9dcb7dff16bb075da553c178139ede2c285a4a2845e8889c234504d968d870b6084a7b4ab0dcdb83d43bb2f4e7a0156b80a68919cbb7da84"}}]}) r34 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007f00)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r35 = syz_usb_connect$uac1(0x3, 0xe5, &(0x7f0000007f80)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd3, 0x3, 0x1, 0x1, 0x80, 0x80, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x0, 0x7c}, [@extension_unit={0xd, 0x24, 0x8, 0x2, 0x8, 0x9, "0cffda3f227b"}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 
0x2, 0x2, 0x6, 0x9a, 0x20, "2da5ee78a28e1f1a41"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0xf8, 0x3, 0x69, 0x6d, 'e)', "bf0794"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x5, 0x4, 0x5b, 0x3, 'D', "2618"}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x7b4, 0x8, 0x4}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x0, 0x3, 0x8, 0x8, "aa", "e8e5b4"}]}, {{0x9, 0x5, 0x1, 0x9, 0x40, 0x6, 0x5, 0x0, {0x7, 0x25, 0x1, 0x80, 0x1, 0x4}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@as_header={0x7, 0x24, 0x1, 0x3, 0x1e, 0x4}, @as_header={0x7, 0x24, 0x1, 0x6f, 0x7}, @format_type_ii_discrete={0xa, 0x24, 0x2, 0x2, 0x8, 0x2, 0x8, 'f'}, @format_type_ii_discrete={0x10, 0x24, 0x2, 0x2, 0x9, 0x401, 0x5, "53b11dbc8cd310"}]}, {{0x9, 0x5, 0x82, 0x9, 0x8, 0x0, 0x28, 0x6, {0x7, 0x25, 0x1, 0x80, 0x5, 0xd}}}}}}}]}}, &(0x7f00000081c0)={0xa, &(0x7f0000008080)={0xa, 0x6, 0x110, 0x59, 0xa5, 0x5, 0x10, 0x1}, 0x39, &(0x7f00000080c0)={0x5, 0xf, 0x39, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x3, 0xb8, 0x9, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0x2, "9d9ab0978e2aace26de66306e6e2963d"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x0, 0x6, 0x4, 0x1, 0x5}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x5, 0x6, 0xfff2}]}, 0x1, [{0x84, &(0x7f0000008100)=@string={0x84, 0x3, "000a6c9f4a15eabc97a92ab665231b2cf9057321eb430c6521f497a8c3ce816268cb337fa48deecfeb28b2305fcf2d2e988cc8b8b980a1332dc406bc34695fa24dc3609f619d7ac284cc3ae7f0afe444d578c951d9aedc4c682e100cfeb6619b98a96b1978d8ede7574e969f8ae8e3dfb835bde5ccd922133e53036ff44eda52a0a9"}}]}) syz_usb_control_io(r35, &(0x7f0000008380)={0x2c, &(0x7f0000008200)={0x40, 0x22, 0x31, {0x31, 0x5, "74e83dcf53dd2d0ecac0aa3467b18dfa71b26cdd403d955c0ffe22817b01fe5795d51cf24a6ae3b8e32f1b7ac5f8ca"}}, &(0x7f0000008240)={0x0, 0x3, 0x1e, @string={0x1e, 0x3, "8957a501d83c69e54f70f62f932a50b65506c388c128239d36229ee2"}}, &(0x7f0000008280)={0x0, 0xf, 0x4f, {0x5, 0xf, 0x4f, 0x6, [@ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x5, 0xf000, 0x409, [0xc000, 0x17f, 
0xff3f30, 0xffffaf]}, @ssp_cap={0x10, 0x10, 0xa, 0x9, 0x1, 0x4, 0xff0f, 0xf87, [0xc030]}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x1, 0x4, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0xd2, 0x3, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x1, 0x7, 0x2}, @ptm_cap={0x3}]}}, &(0x7f0000008300)={0x20, 0x29, 0xf, {0xf, 0x29, 0x8, 0x1, 0x7, 0x4, '\b\r$}', "67016dee"}}, &(0x7f0000008340)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x16, 0x80, 0x9, 0x3, 0x3, 0x2, 0xf000}}}, &(0x7f00000087c0)={0x84, &(0x7f00000083c0)={0x0, 0x11, 0x1f, "16d60d7743501452ffd5730424bc4a970cc6490bb9cc85938699edf27a0c7d"}, &(0x7f0000008400)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000008440)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000008480)={0x20, 0x0, 0x4, {0x2f1050d721a8e554, 0x1}}, &(0x7f00000084c0)={0x20, 0x0, 0x4, {0x200, 0x2b}}, &(0x7f0000008500)={0x40, 0x7, 0x2, 0xfd37}, &(0x7f0000008540)={0x40, 0x9, 0x1}, &(0x7f0000008580)={0x40, 0xb, 0x2, 'E\"'}, &(0x7f00000085c0)={0x40, 0xf, 0x2, 0x2}, &(0x7f0000008600)={0x40, 0x13, 0x6, @random="2fa6dde03a0f"}, &(0x7f0000008640)={0x40, 0x17, 0x6, @random="de1c102b027e"}, &(0x7f0000008680)={0x40, 0x19, 0x2, "0d97"}, &(0x7f00000086c0)={0x40, 0x1a, 0x2, 0x2}, &(0x7f0000008700)={0x40, 0x1c, 0x1, 0xfd}, &(0x7f0000008740)={0x40, 0x1e, 0x1, 0xfd}, &(0x7f0000008780)={0x40, 0x21, 0x1, 0xc9}}) syz_usb_disconnect(r33) syz_usb_ep_read(r34, 0x7, 0xfc, &(0x7f0000008880)=""/252) r36 = syz_usb_connect$printer(0x5, 0x36, &(0x7f0000008980)={{0x12, 0x1, 0x200, 0x7, 0x1, 0x1, 0x20, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xf4, 0x60, 0x4, [{{0x9, 0x4, 0x0, 0x3, 0x2, 0x0, 0x0, 0x0, 0x81, "", {{{0x9, 0x5, 0x1, 0x2, 0x400, 0x0, 0x8, 0x2}}, [{{0x9, 0x5, 0x82, 0x2, 0x3ff, 0x4, 0x48, 0x8}}]}}}]}}]}}, &(0x7f0000008f00)={0xa, &(0x7f00000089c0)={0xa, 0x6, 0x250, 0x7d, 0xdd, 0x3, 0x20, 0xfa}, 0x154, &(0x7f0000008a00)={0x5, 0xf, 0x154, 0x6, [@generic={0xe8, 0x10, 0x1, 
"d031a9165b9e273ff6ffe555849af6dca66e17a68ee5ac784dca23e4a56d46169ad06ead2b8bcd997eac2ecb8b2a2526aa200db55758d08659469283d6ecfba982c300ae82ccf4a8bf073dbde45376b4f6fc559be519f82e8e5b2cf59c3a3af4f290707e767a4e276851090d90be0ab66f788e7760cd71ab865ea8b6bcc5f35f60538154a099c354a3593417682fc39d2a6a255ef4bb65f8d97af29beb0f8734a68ed84ef08df69e9b35fa2e3fe65e9938ff441dc3e7982a81cccaf9621d5dbc663b80ab448c975cbc19bb6c3901a02c16b32dfaf9f5c220fa21434937b462038105e6d086"}, @generic={0x4b, 0x10, 0x3, "10bed1912f7dc94ac6d87cbc68962c89e777cc51a257d0cad33cdcf336a31ac39b867144c2c96be40fccac19633a547787bc6e4fe91e91fa4759db2a867d859cd5a60c84c1a38e09"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x9, 0x77, 0x9, 0x2cf}, @wireless={0xb, 0x10, 0x1, 0xc, 0x5, 0x8, 0x5, 0x9, 0x16}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0xa, [{0x4, &(0x7f0000008b80)=@lang_id={0x4, 0x3, 0x40e}}, {0x4, &(0x7f0000008bc0)=@lang_id={0x4, 0x3, 0x427}}, {0x4, &(0x7f0000008c00)=@lang_id={0x4, 0x3, 0x415}}, {0x4, &(0x7f0000008c40)=@lang_id={0x4, 0x3, 0x1c0a}}, {0x4, &(0x7f0000008c80)=@lang_id={0x4, 0x3, 0x83e}}, {0x4, &(0x7f0000008cc0)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d00)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d40)=@lang_id={0x4, 0x3, 0x423}}, {0x9f, &(0x7f0000008d80)=@string={0x9f, 0x3, "d48e8724649a2841923d48b8b235fdc4315e0dfbe1b8a8a08353af5b630beb6eca1d6be03d88d5587933d6ade122b2ad4c558040e7f203d8c7af790af85de36e841eb9480afa1aaf9a226f4de28cd4441557411c7737f74d7d60313cd3d051284fceb5b3278373f63c72a84e8de4e23bf64e2a69c0579106c9331803e2ef32fd09889adce7bcd7eb6134c465ed17386d3f97a4e8a4e9c419f9c6eb2d32"}}, {0xa4, &(0x7f0000008e40)=@string={0xa4, 0x3, "81103e0d228843344b9a2885675324f579df278e6d25065998bdbb69b8eed0e1db8df16b19646d92c5d03521f773c16c24deeae556be69b04e1e966febfbf37f3bbc6dd64c83f4c2a87daf95fb91e10a36c0069f4d517bf3962111d8f9c845323c0b91e68dea34b277b410720bdf4a5864fe069bdee84fa9e4465549713fb333aaed855baf295327e1fb651729fe4acf1d9ebf80d64c29fcd368ee1611e550d7b67a"}}]}) syz_usb_ep_write(r36, 0xf9, 0xfb, 
&(0x7f0000008fc0)="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") syz_usbip_server_init(0x2) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define 
STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, 
&ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr 
= IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, 
sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define 
BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t 
skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, 
size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; 
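uint32_t bos_len;
char* bos;
uint32_t strs_len;
struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor ("syz") and language-id descriptor used when
// the program did not supply its own strings.
static const char default_string[] = {8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0};
static const char default_lang_id[] = {4, USB_DT_STRING, 0x09, 0x04};

// Answers an IN control request during enumeration. Only standard
// GET_DESCRIPTOR requests are handled; everything else returns false and
// the caller stalls EP0. `descs` may be NULL (the program passed no
// connect descriptors); `qual` is caller-provided scratch that the
// response may point into. On true, *response_data/*response_length
// describe the payload (data may be NULL to send zeros).
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				// config_length covers the config descriptor and everything after it in the blob.
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// Same NULL check as the STRING case: without connect
				// descriptors there is no BOS to return, so stall.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				// No program-supplied qualifier (or no descriptors at all):
				// synthesize one from the device descriptor.
				if (!descs || !descs->qual) {
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}

	return false;
}

// Handler for OUT control requests during enumeration. Sets *done once
// the device is considered configured.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Generic devices: enumeration completes on SET_CONFIGURATION.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// ath9k devices: the driver pushes firmware with vendor requests after
// SET_CONFIGURATION; enumeration is only done after DOWNLOAD_COMP.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Program-supplied reply to a GET_DESCRIPTOR request, keyed by request
// type and descriptor type.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// `len` is the byte size of this whole header including the descs[] array.
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

// Program-supplied reply to any other IN control request, keyed by
// request type and request code.
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

// Picks the program-supplied reply for an IN control request after
// enumeration; falls back to the `generic` entry of the matching table.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;

	if (descs)
		descs_num =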
(descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps)
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	// NOTE(review): if `len` is smaller than the header the unsigned
	// subtraction wraps and the int conversion decides the loop bound —
	// presumably the generator always emits a consistent len; confirm.

	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;

	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				// A zero-length entry is a valid "send nothing" answer.
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}

	return false;
}

// ---- raw-gadget UAPI (mirrors include/uapi/linux/usb/raw_gadget.h) ----

#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

// `length` is the size of data[] on input and the kernel-filled size on output.
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Thin ioctl wrappers; each returns the ioctl result (-1 with errno on failure).

static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}

// Binds the gadget to a UDC. strncpy() zero-pads the name arrays but does
// not terminate a name that fills the whole array; the names passed by
// this file are short literals, so the kernel-side handling of an
// unterminated name is never exercised here.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW,
power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, 
index->ifaces[index->iface_cur].eps[ep].handle);
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv < 0) {
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}

// Completes SET_CONFIGURATION: advertises bMaxPower from the config
// descriptor, tells raw-gadget the device is configured, and selects
// interface 0. Returns the first failing ioctl result, else 0.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

// Emulates a USB device through raw-gadget and drives its enumeration.
//
// speed/dev/dev_len: UDC speed and the descriptor blob (see
// parse_usb_descriptor). descs: optional program-supplied replies.
// lookup_connect_response_out: per-device-class handler that decides
// when enumeration is complete.
//
// Returns the raw-gadget fd (the device resource) on success, or a
// negative value on failure. Unanswerable requests stall EP0 and the
// loop continues; an ioctl failure ends the call.
//
// NOTE(review): every error return after usb_raw_open() leaves `fd`
// open, and the usb_devices slot claimed by add_usb_index() keeps
// mapping that fd number. USB_MAX_FDS bounds how often this can
// happen per process, and closing here would let a reused fd number
// resolve to a stale index — presumably why it is left as is; confirm.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}

	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	// fds at or above MAX_FDS cannot be tracked as resources; give up early.
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}

	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}

	// "dummy_udc." + up to 20 decimal digits + NUL fits in 32 bytes.
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}

	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}

	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		// Only the 8-byte setup packet is fetched during enumeration.
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;

		char* response_data = NULL;
		uint32_t response_length = 0;
		// Scratch for a synthesized device qualifier; response_data may point here.
		struct usb_qualifier_descriptor qual;

		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			// OUT requests: accept wLength bytes from the host into a zeroed buffer.
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}

		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}

		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Clamp to the 4 KiB buffer (oversized replies send nothing) and to
		// what the host asked for, before the memcpy below.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);

		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}

	sleep_ms(200);
	return fd;
}

// syz_usb_connect(speed, dev_len, dev, conn_descs): generic device.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect but waits for the ath9k firmware handshake.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Services exactly one control transfer on an already connected device:
// fetches the next event (full payload this time) and answers it from the
// program-supplied descriptor/response tables. Returns 0 on success, -1
// when the event is not a control request or has no answer (EP0 stalled),
// or the failing ioctl result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;

	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type !=
USB_RAW_EVENT_CONTROL) {
		return -1;
	}

	char* response_data = NULL;
	uint32_t response_length = 0;

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): this condition is an OR, so any standard OUT request
		// (not just SET_INTERFACE) is treated as an interface switch attempt;
		// it is harmless when lookup_interface() finds no match, but confirm
		// whether `&&` was intended.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}

	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Clamp to the buffer and to wLength before copying.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// An IN request with wLength == 0 is completed by a read of the
	// (empty) status stage; the length is then just the buffer size.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}

	sleep_ms(200);
	return 0;
}

// syz_usb_ep_write(fd, ep, len, data): sends up to USB_MAX_PACKET_SIZE
// bytes on a non-control endpoint of the selected interface. `len` is
// silently truncated to the buffer size. Returns 0, -1 if the endpoint
// address is unknown, or the failing ioctl result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);

	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	sleep_ms(200);
	return 0;
}

// syz_usb_ep_read(fd, ep, len, data): reads up to USB_MAX_PACKET_SIZE
// bytes from an endpoint into program memory. The copy-out uses
// io_data.inner.length, i.e. the clamped `len` — `data` must be at least
// that large.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;

	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	memcpy(&data[0], &io_data.data[0], io_data.inner.length);

	sleep_ms(200);
	return 0;
}

// Closes the raw-gadget fd, which detaches the emulated device. The
// usb_devices slot is not cleared, so a later fd with the same number
// would still resolve through lookup_usb_index().
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// syz_open_dev(path_or_kind, id, flags).
// a0 == 0xc / 0xb: opens /dev/char/<id>:<flags> or /dev/block/<id>:<flags>
// (both numbers truncated to 8 bits). Otherwise a0 is a path template in
// which each '#' is replaced by a decimal digit of a1 — the first '#'
// receives the least-significant digit — and O_CREAT is masked out of the
// flags so a mistyped template cannot create files.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10);
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}

// syz_open_procfs(pid, file): opens /proc/self/<file> (a0 == 0),
// /proc/thread-self/<file> (a0 == -1) or /proc/self/task/<a0>/<file>,
// trying O_RDWR first and falling back to O_RDONLY. Paths longer than
// 128 bytes are truncated by snprintf.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// syz_open_pts(master_fd, flags): opens the slave side of the pty whose
// master is a0, resolving the number via TIOCGPTN.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Creates a socket inside the initial network namespace (kInitNetNsFd)
// and returns to the caller's namespace afterwards.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns =
open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	// NOTE(review): a failed setns() here returns without closing `netns`.
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, domain, type, proto);
	// Preserve the socket() errno across the setns()/close() below.
	int err = errno;
	// Being stuck in the wrong namespace is unrecoverable for this process.
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	return sock;
}

// Creates a TCP socket in the initial network namespace and connects it
// to 127.0.0.1:4420. Returns the connected socket, or -1 (the socket is
// closed on connect failure). A failed socket() is not checked before
// connect(); connect() then fails on the bad fd and -1 is returned anyway.
static long syz_socket_connect_nvme_tcp()
{
	struct sockaddr_in nvme_local_address;
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	// NOTE(review): same as syz_init_net_socket, `netns` leaks on this path.
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		close(sock);
		return -1;
	}
	return sock;
}

// syz_genetlink_get_family_id(name, sock): resolves a generic netlink
// family name to its id. Uses `sock` when it is a valid fd, otherwise
// opens (and afterwards closes) a temporary NETLINK_GENERIC socket.
// Returns the id or -1.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}

#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Inflate state. Input is consumed through a bit buffer; running out of
// input longjmp()s to `env`, which puff() sets up.
struct puff_state {
	unsigned char* out;
	unsigned long outlen;
	unsigned long outcnt;
	const unsigned char* in;
	unsigned long inlen;
	unsigned long incnt;
	int bitbuf;
	int bitcnt;
	jmp_buf env;
};

// Returns the next `need` bits (LSB first), refilling from the input a
// byte at a time. Jumps to s->env when the input is exhausted.
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}
	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;
	return (int)(val & ((1L << need) - 1));
}

// Copies a stored (uncompressed) block. Returns 0, 1 if the output is
// full, 2 if the input runs out, -2 if the LEN/NLEN check fails.
// Only non-zero bytes are written: the output is expected to start
// zero-filled (puff_zlib_to_file uses a fresh anonymous mapping), which
// avoids touching pages that would stay zero anyway.
static int puff_stored(struct puff_state* s)
{
	s->bitbuf = 0;
	s->bitcnt = 0;
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	for (; len--; s->outcnt++, s->incnt++) {
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}
	return 0;
}

// Canonical Huffman code: count[len] codes of each length, symbol[] in code order.
struct puff_huffman {
	short* count;
	short* symbol;
};

// Decodes one symbol with code `h`, bit by bit. Returns the symbol, or
// -10 if no code matches within MAXBITS. Jumps to s->env on input exhaustion.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0;
	int index = 0;
	int bitbuf = s->bitbuf;
	int left = s->bitcnt;
	int code = first = index = 0;
	int len = 1;
	short* next = h->count + 1;
	while (1) {
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				s->bitbuf = bitbuf;
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code
- first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}

// Builds the canonical code for `n` symbols from their code lengths.
// length[] values must be 0..MAXBITS (the callers guarantee this: they
// come from 3-bit fields or from symbols < 16). h->count/h->symbol must
// have room for MAXBITS+1 and n entries. Returns 0 for a complete code,
// a positive value for an incomplete one, negative if over-subscribed.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;
	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}
	// offs[len]: position in symbol[] of the first code of that length.
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];
	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;
	return left;
}

// Decodes literal/length and distance codes until end-of-block (256).
// Returns 0, 1 if the output is full, -10 for an invalid length symbol,
// -11 for a distance reaching before the start of the output, or a
// negative puff_decode() error. As in puff_stored(), zero bytes are
// never written because the output starts zero-filled.
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
	static const short lens[29] = {
	    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
	    35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = {
	    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
	    3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	static const short dists[30] = {
	    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
	    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
	    8193, 12289, 16385, 24577};
	static const short dext[30] = {
	    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
	    7, 7, 8, 8, 9, 9, 10, 10, 11, 11,
	    12, 12, 13, 13};
	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);
			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			if (dist > s->outcnt)
				return -11;
			if (s->outcnt + len > s->outlen)
				return 1;
			while (len--) {
				// dist <= outcnt already holds (checked above) and stays true as outcnt grows.
				if (dist <= s->outcnt && s->out[s->outcnt - dist])
					s->out[s->outcnt] = s->out[s->outcnt - dist];
				s->outcnt++;
			}
		}
	} while (symbol != 256);
	return 0;
}

// Decodes a block using the fixed Huffman codes of RFC 1951 §3.2.6.
// The tables are built once and kept in static storage; `virgin` is a
// plain int, so first use from several threads at once is a data race.
static int puff_fixed(struct puff_state* s)
{
	static int virgin = 1;
	static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
	static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	static struct puff_huffman lencode, distcode;
	if (virgin) {
		lencode.count = lencnt;
		lencode.symbol = lensym;
		distcode.count = distcnt;
		distcode.symbol = distsym;
		short lengths[FIXLCODES];
		int symbol;
		for (symbol = 0; symbol < 144; symbol++)
			lengths[symbol] = 8;
		for (; symbol < 256; symbol++)
			lengths[symbol] = 9;
		for (; symbol < 280; symbol++)
			lengths[symbol] = 7;
		for (; symbol < FIXLCODES; symbol++)
			lengths[symbol] = 8;
		puff_construct(&lencode, lengths, FIXLCODES);
		for (symbol = 0; symbol < MAXDCODES; symbol++)
			lengths[symbol] = 5;
		puff_construct(&distcode, lengths, MAXDCODES);
		virgin = 0;
	}
	return puff_codes(s, &lencode, &distcode);
}

// Decodes a block with dynamic Huffman codes: reads the code-length code,
// then the literal/length and distance code lengths, builds both codes
// and hands off to puff_codes(). Negative returns -3..-9 identify which
// header check failed.
static int puff_dynamic(struct puff_state* s)
{
	// Order in which code-length code lengths are transmitted.
	static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	int ncode = puff_bits(s, 4) + 4;
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3;
	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;
	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4;
	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;
		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			// 16: repeat previous length; 17/18: runs of zero lengths.
			len = 0;
			if (symbol == 16) {
				if (index == 0)
					return -5;
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			}
else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			if (index + symbol > nlen + ndist)
				return -6;
			while (symbol--)
				lengths[index++] = len;
		}
	}
	// End-of-block must have a code.
	if (lengths[256] == 0)
		return -9;
	// An incomplete code is tolerated only when it has a single code.
	err = puff_construct(&lencode, lengths, nlen);
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;
	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;
	return puff_codes(s, &lencode, &distcode);
}

// Inflates a raw DEFLATE stream (no zlib/gzip framing) from source into
// dest. *destlen is the capacity on input and the bytes produced on
// output. Returns 0 on success, 1 if the output is full, 2 if the input
// ended early (via longjmp), -1 for an invalid block type, or the block
// decoder's negative code. dest is expected to be zero-filled (see
// puff_stored/puff_codes).
static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen)
{
	struct puff_state s = {
	    .out = dest,
	    .outlen = *destlen,
	    .outcnt = 0,
	    .in = source,
	    .inlen = sourcelen,
	    .incnt = 0,
	    .bitbuf = 0,
	    .bitcnt = 0,
	};
	int err;
	if (setjmp(s.env) != 0)
		err = 2;
	else {
		int last;
		do {
			last = puff_bits(&s, 1);
			int type = puff_bits(&s, 2);
			err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1));
			if (err != 0)
				break;
		} while (!last);
	}
	*destlen = s.outcnt;
	return err;
}

//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

// Inflates a zlib-wrapped image into a fresh zero-filled anonymous
// mapping of 132 MiB and writes the result to dest_fd. The 2-byte zlib
// header is skipped without being validated and the Adler-32 trailer is
// not checked; the image comes from the program, not from an untrusted
// peer. Returns 0 on success, -1 on failure; a puff() error code is
// stored negated in errno (so the positive codes 1/2 yield a negative
// errno). Inputs shorter than the header are treated as empty.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;
	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;
	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		errno = -err;
		return -1;
	}
	if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
		munmap(dest, max_destlen);
		return -1;
	}
	return munmap(dest, max_destlen);
}

// Decompresses `data` into a memfd and attaches it to the loop device
// `loopname`. A busy loop device is detached once and retried after 1 ms.
// On success the memfd is closed (the loop device keeps its own
// reference) and the open loop fd is returned via *loopfd_p. On failure
// returns -1 with errno set to the first failing call's errno.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (puff_zlib_to_file(data, size, memfd)) {
		err = errno;
		goto error_close_memfd;
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	close(memfd);
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Detaches whatever is attached to the loop device; failures are ignored.
static void reset_loop_device(const char* loopname)
{
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		return;
	}
	if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
	}
	close(loopfd);
}

// syz_mount_image(fs, dir, flags, opts, change_dir, size, image):
// mounts a compressed filesystem image. With size != 0 the image is
// inflated onto /dev/loop<procid> and that device is the mount source;
// with size == 0 the mount has no source (pseudo-filesystems).
//
// Mount options are copied into a 256-byte buffer with 32 bytes held
// back for the overrides appended below (the longest is 16 bytes), so
// the strcat() calls cannot overflow and the zeroed buffer guarantees
// termination; longer option strings are silently truncated. The
// overrides keep a corrupted image from taking the host down:
// iso9660 is forced read-only, ext* gets errors=continue unless
// errors=remount-ro is already present as a whole option, xfs gets
// nouuid, and gfs2 with errors=panic/debug gets errors=withdraw.
//
// Returns an O_RDONLY|O_DIRECTORY fd on the mount point, or -1 with errno
// set. When change_dir is set the return value is chdir()'s result
// instead and the directory fd stays open (presumably to pin the mount —
// confirm). The loop device is detached again before returning in every
// case; the mount keeps it busy.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];

	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		close(loopfd);
		source = loopname;
	}

	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			// Only count it when delimited by ',' or the string ends.
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
			has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
		}
		if (strstr(opts, "errors=panic") || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	} else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
		strcat(opts, ",errors=withdraw");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		res = chdir(target);
		if (res == -1) {
			err = errno;
		}
	}

error_clear_loop:
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}

// Attributes for code that runs inside the guest (KVM) rather than in the
// executor; the three empty macros are placeholders on this target.
#define noinline __attribute__((noinline))
#define __no_stack_protector
#define __addrspace_guest
#define __optnone
#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest

// Linker-provided bounds of the "guest" section.
extern char *__start_guest,
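*__stop_guest;

// ---- Guest physical layout of the legacy (pre-syzos) x86 KVM test VM ----
// X86_ADDR_TEXT and X86_ADDR_PD_IOAPIC both name offset 0; they are used
// by different VM setups (presumably never together).
#define X86_ADDR_TEXT 0x0000
#define X86_ADDR_PD_IOAPIC 0x0000
#define X86_ADDR_GDT 0x1000
#define X86_ADDR_LDT 0x1800
#define X86_ADDR_PML4 0x2000
#define X86_ADDR_PDP 0x3000
#define X86_ADDR_PD 0x4000
#define X86_ADDR_STACK0 0x0f80
#define X86_ADDR_VAR_HLT 0x2800
#define X86_ADDR_VAR_SYSRET 0x2808
#define X86_ADDR_VAR_SYSEXIT 0x2810
#define X86_ADDR_VAR_IDT 0x3800
#define X86_ADDR_VAR_TSS64 0x3a00
#define X86_ADDR_VAR_TSS64_CPL3 0x3c00
#define X86_ADDR_VAR_TSS16 0x3d00
#define X86_ADDR_VAR_TSS16_2 0x3e00
#define X86_ADDR_VAR_TSS16_CPL3 0x3f00
#define X86_ADDR_VAR_TSS32 0x4800
#define X86_ADDR_VAR_TSS32_2 0x4a00
#define X86_ADDR_VAR_TSS32_CPL3 0x4c00
#define X86_ADDR_VAR_TSS32_VM86 0x4e00
#define X86_ADDR_VAR_VMXON_PTR 0x5f00
#define X86_ADDR_VAR_VMCS_PTR 0x5f08
#define X86_ADDR_VAR_VMEXIT_PTR 0x5f10
#define X86_ADDR_VAR_VMWRITE_FLD 0x5f18
#define X86_ADDR_VAR_VMWRITE_VAL 0x5f20
#define X86_ADDR_VAR_VMXON 0x6000
#define X86_ADDR_VAR_VMCS 0x7000
#define X86_ADDR_VAR_VMEXIT_CODE 0x9000
#define X86_ADDR_VAR_USER_CODE 0x9100
#define X86_ADDR_VAR_USER_CODE2 0x9120

// ---- Guest physical layout of the syzos x86 VM ----
#define X86_SYZOS_ADDR_ZERO 0x0
#define X86_SYZOS_ADDR_GDT 0x1000
#define X86_SYZOS_ADDR_PML4 0x2000
#define X86_SYZOS_ADDR_PDP 0x3000
#define X86_SYZOS_ADDR_PT_POOL 0x5000
#define X86_SYZOS_ADDR_VAR_IDT 0x25000
#define X86_SYZOS_ADDR_VAR_TSS 0x26000
#define X86_SYZOS_ADDR_SMRAM 0x30000
#define X86_SYZOS_ADDR_EXIT 0x40000
#define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256)
#define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000
#define X86_SYZOS_ADDR_USER_CODE 0x50000
#define SYZOS_ADDR_EXECUTOR_CODE 0x54000
#define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000
#define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000
#define X86_SYZOS_ADDR_STACK0 0x60f80

// Per-vCPU regions: each L1 vCPU owns X86_SYZOS_L1_VCPU_REGION_SIZE bytes
// starting at X86_SYZOS_PER_VCPU_REGIONS_BASE; inside it, after the
// arch-specific page, nested (L2) VMs get X86_SYZOS_L2_VM_REGION_SIZE
// bytes each.
#define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x70000
#define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000
#define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000
#define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000
#define X86_SYZOS_L2_VM_REGION_SIZE 0x8000
#define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000
#define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000
#define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000
#define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000
#define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000
#define X86_SYZOS_ADDR_UNUSED 0x200000
#define X86_SYZOS_ADDR_IOAPIC 0xfec00000

// Base of the region of L2 VM `vm` belonging to L1 vCPU `cpu`; the
// per-object macros below are offsets into it.
#define X86_SYZOS_L1_VCPU_REGION(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE)
#define X86_SYZOS_L2_VM_REGION(cpu, vm) (X86_SYZOS_L1_VCPU_REGION(cpu) + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE)
#define X86_SYZOS_ADDR_VMCS_VMCB(cpu, vm) (X86_SYZOS_L2_VM_REGION(cpu, vm) + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB)
#define X86_SYZOS_ADDR_VM_CODE(cpu, vm) (X86_SYZOS_L2_VM_REGION(cpu, vm) + X86_SYZOS_L2_VM_OFFSET_VM_CODE)
#define X86_SYZOS_ADDR_VM_STACK(cpu, vm) (X86_SYZOS_L2_VM_REGION(cpu, vm) + X86_SYZOS_L2_VM_OFFSET_VM_STACK)
#define X86_SYZOS_ADDR_VM_PGTABLE(cpu, vm) (X86_SYZOS_L2_VM_REGION(cpu, vm) + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE)
#define X86_SYZOS_ADDR_MSR_BITMAP(cpu, vm) (X86_SYZOS_L2_VM_REGION(cpu, vm) + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP)
#define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_L1_VCPU_REGION(cpu) + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC)

// GDT selectors used by syzos.
#define X86_SYZOS_SEL_CODE 0x8
#define X86_SYZOS_SEL_DATA 0x10
#define X86_SYZOS_SEL_TSS64 0x18

// ---- Control register, EFER and page-table bits (Intel SDM / AMD APM) ----
#define X86_CR0_PE 1ULL
#define X86_CR0_MP (1ULL << 1)
#define X86_CR0_EM (1ULL << 2)
#define X86_CR0_TS (1ULL << 3)
#define X86_CR0_ET (1ULL << 4)
#define X86_CR0_NE (1ULL << 5)
#define X86_CR0_WP (1ULL << 16)
#define X86_CR0_AM (1ULL << 18)
#define X86_CR0_NW (1ULL << 29)
#define X86_CR0_CD (1ULL << 30)
#define X86_CR0_PG (1ULL << 31)

#define X86_CR4_VME 1ULL
#define X86_CR4_PVI (1ULL << 1)
#define X86_CR4_TSD (1ULL << 2)
#define X86_CR4_DE (1ULL << 3)
#define X86_CR4_PSE (1ULL << 4)
#define X86_CR4_PAE (1ULL << 5)
#define X86_CR4_MCE (1ULL << 6)
#define X86_CR4_PGE (1ULL << 7)
#define X86_CR4_PCE (1ULL << 8)
// CR4.OSFXSR is bit 9; it was previously aliased to bit 8 (PCE), so
// enabling SSE state would have set PCE instead.
#define X86_CR4_OSFXSR (1ULL << 9)
#define X86_CR4_OSXMMEXCPT (1ULL << 10)
#define X86_CR4_UMIP (1ULL << 11)
#define X86_CR4_VMXE (1ULL << 13)
#define X86_CR4_SMXE (1ULL << 14)
#define X86_CR4_FSGSBASE (1ULL << 16)
#define X86_CR4_PCIDE (1ULL << 17)
#define X86_CR4_OSXSAVE (1ULL << 18)
#define X86_CR4_SMEP (1ULL << 20)
#define X86_CR4_SMAP (1ULL << 21)
#define X86_CR4_PKE (1ULL << 22)

#define X86_EFER_SCE 1ULL
#define X86_EFER_LME (1ULL << 8)
#define X86_EFER_LMA (1ULL << 10)
#define X86_EFER_NXE (1ULL << 11)
#define X86_EFER_SVME (1ULL << 12)
#define X86_EFER_LMSLE (1ULL << 13)
#define X86_EFER_FFXSR (1ULL << 14)
#define X86_EFER_TCE (1ULL << 15)

#define X86_PDE32_PRESENT 1UL
#define X86_PDE32_RW (1UL << 1)
#define X86_PDE32_USER (1UL << 2)
#define X86_PDE32_PS (1UL << 7)

#define X86_PDE64_PRESENT 1
#define X86_PDE64_RW (1ULL << 1)
#define X86_PDE64_USER (1ULL << 2)
#define X86_PDE64_ACCESSED (1ULL << 5)
#define X86_PDE64_DIRTY (1ULL << 6)
#define X86_PDE64_PS (1ULL << 7)
#define X86_PDE64_G (1ULL << 8)

#define EPT_MEMTYPE_WB (6ULL << 3)
#define EPT_ACCESSED (1ULL << 8)
#define EPT_DIRTY (1ULL << 9)

// GDT selectors of the legacy VM: index << 3, plus RPL 3 for the CPL3 variants.
#define X86_SEL_LDT (1 << 3)
#define X86_SEL_CS16 (2 << 3)
#define X86_SEL_DS16 (3 << 3)
#define X86_SEL_CS16_CPL3 ((4 << 3) + 3)
#define X86_SEL_DS16_CPL3 ((5 << 3) + 3)
#define X86_SEL_CS32 (6 << 3)
#define X86_SEL_DS32 (7 << 3)
#define X86_SEL_CS32_CPL3 ((8 << 3) + 3)
#define X86_SEL_DS32_CPL3 ((9 << 3) + 3)
#define X86_SEL_CS64 (10 << 3)
#define X86_SEL_DS64 (11 << 3)
#define X86_SEL_CS64_CPL3 ((12 << 3) + 3)
#define X86_SEL_DS64_CPL3 ((13 << 3) + 3)
#define X86_SEL_CGATE16 (14 << 3)
#define X86_SEL_TGATE16 (15 << 3)
#define X86_SEL_CGATE32 (16 << 3)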
/*
 * NOTE(review): in the CR4 bit list that precedes this block, X86_CR4_PCE and
 * X86_CR4_OSFXSR are both defined as (1ULL << 8); the architectural OSFXSR
 * position is bit 9. Confirm which is intended before relying on X86_CR4_OSFXSR.
 */

/* GDT selectors for the remaining gate/TSS descriptors (index << 3, "+ 3" = RPL 3). */
#define X86_SEL_TGATE32 (17 << 3)
#define X86_SEL_CGATE64 (18 << 3)
#define X86_SEL_CGATE64_HI (19 << 3)
#define X86_SEL_TSS16 (20 << 3)
#define X86_SEL_TSS16_2 (21 << 3)
#define X86_SEL_TSS16_CPL3 ((22 << 3) + 3)
#define X86_SEL_TSS32 (23 << 3)
#define X86_SEL_TSS32_2 (24 << 3)
#define X86_SEL_TSS32_CPL3 ((25 << 3) + 3)
#define X86_SEL_TSS32_VM86 (26 << 3)
#define X86_SEL_TSS64 (27 << 3)
#define X86_SEL_TSS64_HI (28 << 3)
#define X86_SEL_TSS64_CPL3 ((29 << 3) + 3)
#define X86_SEL_TSS64_CPL3_HI (30 << 3)

/* MSR numbers read/written by the guest code below (rdmsr()/wrmsr()). */
#define X86_MSR_IA32_FEATURE_CONTROL 0x3a
#define X86_MSR_IA32_VMX_BASIC 0x480
#define X86_MSR_IA32_SMBASE 0x9e
#define X86_MSR_IA32_SYSENTER_CS 0x174
#define X86_MSR_IA32_SYSENTER_ESP 0x175
#define X86_MSR_IA32_SYSENTER_EIP 0x176
#define X86_MSR_IA32_CR_PAT 0x277
#define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f
#define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d
#define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e
#define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f
#define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490
#define X86_MSR_IA32_EFER 0xc0000080
#define X86_MSR_IA32_STAR 0xC0000081
#define X86_MSR_IA32_LSTAR 0xC0000082
#define X86_MSR_FS_BASE 0xc0000100
#define X86_MSR_GS_BASE 0xc0000101
/* AMD SVM host save area physical address. */
#define X86_MSR_VM_HSAVE_PA 0xc0010117
#define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B

#define RFLAGS_1_BIT (1ULL << 1)

/* VMX execution/entry/exit control bits OR'ed into the MSR-reported defaults. */
#define CPU_BASED_HLT_EXITING (1U << 7)
#define CPU_BASED_RDTSC_EXITING (1U << 12)
#define AR_TSS_AVAILABLE 0x0089
#define SVM_ATTR_LDTR_UNUSABLE 0x0000
#define VMX_AR_TSS_BUSY 0x008b
#define VMX_AR_TSS_AVAILABLE 0x0089
#define VMX_AR_LDTR_UNUSABLE 0x10000
#define VM_ENTRY_IA32E_MODE (1U << 9)
#define SECONDARY_EXEC_ENABLE_EPT (1U << 1)
#define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3)
#define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9)
#define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31)

/* Segment access-rights bits in the VMCS guest-state area. */
#define VMX_ACCESS_RIGHTS_P (1 << 7)
#define VMX_ACCESS_RIGHTS_S (1 << 4)
#define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0)
#define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1)
#define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3)
#define VMX_ACCESS_RIGHTS_G (1 << 15)
#define VMX_ACCESS_RIGHTS_DB (1 << 14)
#define VMX_ACCESS_RIGHTS_L (1 << 13)
/* Canonical 64-bit data/stack and code segment access rights for the L2 guest. */
#define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB)
#define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L)

/* VMCS field encodings: control fields. */
#define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000
#define VMCS_POSTED_INTR_NV 0x00000002
#define VMCS_MSR_BITMAP 0x00002004
#define VMCS_VMREAD_BITMAP 0x00002006
#define VMCS_VMWRITE_BITMAP 0x00002008
#define VMCS_EPT_POINTER 0x0000201a
#define VMCS_LINK_POINTER 0x00002800
#define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000
#define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002
#define VMCS_EXCEPTION_BITMAP 0x00004004
#define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006
#define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008
#define VMCS_CR3_TARGET_COUNT 0x0000400a
#define VMCS_VM_EXIT_CONTROLS 0x0000400c
#define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e
#define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010
#define VMCS_VM_ENTRY_CONTROLS 0x00004012
#define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014
#define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016
#define VMCS_TPR_THRESHOLD 0x0000401c
#define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e
/* VMCS field encodings: read-only exit information. */
#define VMCS_VM_INSTRUCTION_ERROR 0x00004400
#define VMCS_VM_EXIT_REASON 0x00004402
#define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e
#define VMCS_CR0_GUEST_HOST_MASK 0x00006000
#define VMCS_CR4_GUEST_HOST_MASK 0x00006002
#define VMCS_CR0_READ_SHADOW 0x00006004
#define VMCS_CR4_READ_SHADOW 0x00006006
/* VMCS field encodings: host-state selectors. */
#define VMCS_HOST_ES_SELECTOR 0x00000c00
#define VMCS_HOST_CS_SELECTOR 0x00000c02
#define VMCS_HOST_SS_SELECTOR 0x00000c04
#define VMCS_HOST_DS_SELECTOR 0x00000c06
#define VMCS_HOST_FS_SELECTOR 0x00000c08
#define VMCS_HOST_GS_SELECTOR 0x00000c0a
#define VMCS_HOST_TR_SELECTOR 0x00000c0c
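/* VMCS field encodings: host-state area (loaded on VM exit). */
#define VMCS_HOST_IA32_PAT 0x00002c00
#define VMCS_HOST_IA32_EFER 0x00002c02
#define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04
#define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00
#define VMCS_HOST_CR0 0x00006c00
#define VMCS_HOST_CR3 0x00006c02
#define VMCS_HOST_CR4 0x00006c04
#define VMCS_HOST_FS_BASE 0x00006c06
#define VMCS_HOST_GS_BASE 0x00006c08
#define VMCS_HOST_TR_BASE 0x00006c0a
#define VMCS_HOST_GDTR_BASE 0x00006c0c
#define VMCS_HOST_IDTR_BASE 0x00006c0e
#define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10
#define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12
#define VMCS_HOST_RSP 0x00006c14
#define VMCS_HOST_RIP 0x00006c16

/* VMCS field encodings: guest-state area (loaded on VM entry). */
#define VMCS_GUEST_INTR_STATUS 0x00000810
#define VMCS_GUEST_PML_INDEX 0x00000812
#define VMCS_GUEST_IA32_DEBUGCTL 0x00002802
#define VMCS_GUEST_IA32_PAT 0x00002804
#define VMCS_GUEST_IA32_EFER 0x00002806
#define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808
#define VMCS_GUEST_ES_SELECTOR 0x00000800
#define VMCS_GUEST_CS_SELECTOR 0x00000802
#define VMCS_GUEST_SS_SELECTOR 0x00000804
#define VMCS_GUEST_DS_SELECTOR 0x00000806
#define VMCS_GUEST_FS_SELECTOR 0x00000808
#define VMCS_GUEST_GS_SELECTOR 0x0000080a
#define VMCS_GUEST_LDTR_SELECTOR 0x0000080c
#define VMCS_GUEST_TR_SELECTOR 0x0000080e
#define VMCS_GUEST_ES_LIMIT 0x00004800
#define VMCS_GUEST_CS_LIMIT 0x00004802
#define VMCS_GUEST_SS_LIMIT 0x00004804
#define VMCS_GUEST_DS_LIMIT 0x00004806
#define VMCS_GUEST_FS_LIMIT 0x00004808
#define VMCS_GUEST_GS_LIMIT 0x0000480a
#define VMCS_GUEST_LDTR_LIMIT 0x0000480c
#define VMCS_GUEST_TR_LIMIT 0x0000480e
#define VMCS_GUEST_GDTR_LIMIT 0x00004810
#define VMCS_GUEST_IDTR_LIMIT 0x00004812
#define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814
#define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816
#define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818
#define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a
#define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c
#define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e
#define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820
#define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822
#define VMCS_GUEST_ACTIVITY_STATE 0x00004824
#define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826
#define VMCS_GUEST_SYSENTER_CS 0x0000482a
#define VMCS_GUEST_CR0 0x00006800
#define VMCS_GUEST_CR3 0x00006802
#define VMCS_GUEST_CR4 0x00006804
#define VMCS_GUEST_ES_BASE 0x00006806
#define VMCS_GUEST_CS_BASE 0x00006808
#define VMCS_GUEST_SS_BASE 0x0000680a
#define VMCS_GUEST_DS_BASE 0x0000680c
#define VMCS_GUEST_FS_BASE 0x0000680e
#define VMCS_GUEST_GS_BASE 0x00006810
#define VMCS_GUEST_LDTR_BASE 0x00006812
#define VMCS_GUEST_TR_BASE 0x00006814
#define VMCS_GUEST_GDTR_BASE 0x00006816
#define VMCS_GUEST_IDTR_BASE 0x00006818
#define VMCS_GUEST_DR7 0x0000681a
#define VMCS_GUEST_RSP 0x0000681c
#define VMCS_GUEST_RIP 0x0000681e
#define VMCS_GUEST_RFLAGS 0x00006820
#define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822
#define VMCS_GUEST_SYSENTER_ESP 0x00006824
#define VMCS_GUEST_SYSENTER_EIP 0x00006826

/* AMD SVM VMCB byte offsets: control area, then the guest save area. */
#define VMCB_CTRL_INTERCEPT_VEC3 0x0c
#define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff)
#define VMCB_CTRL_INTERCEPT_VEC4 0x10
#define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff)
#define VMCB_CTRL_ASID 0x058
#define VMCB_EXIT_CODE 0x070
#define VMCB_CTRL_NP_ENABLE 0x090
#define VMCB_CTRL_NPT_ENABLE_BIT 0
#define VMCB_CTRL_N_CR3 0x0b0
#define VMCB_GUEST_ES_SEL 0x400
#define VMCB_GUEST_ES_ATTR 0x402
#define VMCB_GUEST_ES_LIM 0x404
#define VMCB_GUEST_ES_BASE 0x408
#define VMCB_GUEST_CS_SEL 0x410
#define VMCB_GUEST_CS_ATTR 0x412
#define VMCB_GUEST_CS_LIM 0x414
#define VMCB_GUEST_CS_BASE 0x418
#define VMCB_GUEST_SS_SEL 0x420
#define VMCB_GUEST_SS_ATTR 0x422
#define VMCB_GUEST_SS_LIM 0x424
#define VMCB_GUEST_SS_BASE 0x428
#define VMCB_GUEST_DS_SEL 0x430
#define VMCB_GUEST_DS_ATTR 0x432
#define VMCB_GUEST_DS_LIM 0x434
#define VMCB_GUEST_DS_BASE 0x438
#define VMCB_GUEST_FS_SEL 0x440
#define VMCB_GUEST_FS_ATTR 0x442
#define VMCB_GUEST_FS_LIM 0x444
#define VMCB_GUEST_FS_BASE 0x448
#define VMCB_GUEST_GS_SEL 0x450
#define VMCB_GUEST_GS_ATTR 0x452
#define VMCB_GUEST_GS_LIM 0x454
#define VMCB_GUEST_GS_BASE 0x458
#define VMCB_GUEST_IDTR_SEL 0x480
#define VMCB_GUEST_IDTR_ATTR 0x482
#define VMCB_GUEST_IDTR_LIM 0x484
#define VMCB_GUEST_IDTR_BASE 0x488
#define VMCB_GUEST_GDTR_SEL 0x460
#define VMCB_GUEST_GDTR_ATTR 0x462
#define VMCB_GUEST_GDTR_LIM 0x464
#define VMCB_GUEST_GDTR_BASE 0x468
#define VMCB_GUEST_LDTR_SEL 0x470
#define VMCB_GUEST_LDTR_ATTR 0x472
#define VMCB_GUEST_LDTR_LIM 0x474
#define VMCB_GUEST_LDTR_BASE 0x478
#define VMCB_GUEST_TR_SEL 0x490
#define VMCB_GUEST_TR_ATTR 0x492
#define VMCB_GUEST_TR_LIM 0x494
#define VMCB_GUEST_TR_BASE 0x498
#define VMCB_GUEST_EFER 0x4d0
#define VMCB_GUEST_CR4 0x548
#define VMCB_GUEST_CR3 0x550
#define VMCB_GUEST_CR0 0x558
#define VMCB_GUEST_DR7 0x560
#define VMCB_GUEST_DR6 0x568
#define VMCB_GUEST_RFLAGS 0x570
#define VMCB_GUEST_RIP 0x578
#define VMCB_GUEST_RSP 0x5d8
#define VMCB_GUEST_PAT 0x668
#define VMCB_GUEST_DEBUGCTL 0x670

/* Segment attribute bits in the VMCB save-area layout. */
#define SVM_ATTR_G (1 << 15)
#define SVM_ATTR_DB (1 << 14)
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)

/* Guest memory sizing shared with the host-side VM setup. */
#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d
#define KVM_MAX_VCPU 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
/* Bit mask covering bits l..h inclusive of a 64-bit value. */
#define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))

extern char* __start_guest;

/*
 * Translate the host-side address of a GUEST_CODE function into the address it
 * has inside the guest. The arithmetic assumes the "guest" section is loaded
 * at SYZOS_ADDR_EXECUTOR_CODE, so a function keeps its offset from
 * __start_guest. The volatile locals presumably stop the compiler from folding
 * the computation into a single link-time relocation; confirm before removing.
 */
static inline uintptr_t executor_fn_guest_addr(void* fn)
{
	volatile uintptr_t start = (uintptr_t)&__start_guest;
	volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
	return (uintptr_t)fn - start + offset;
}

/*
 * Command identifiers in the per-vCPU api_call stream consumed by guest_main().
 * Any value >= SYZOS_API_STOP ends processing of the stream.
 */
typedef enum {
	SYZOS_API_UEXIT = 0,
	SYZOS_API_CODE = 10,
	SYZOS_API_CPUID = 100,
	SYZOS_API_WRMSR = 101,
	SYZOS_API_RDMSR = 102,
	SYZOS_API_WR_CRN = 103,
	SYZOS_API_WR_DRN = 104,
	SYZOS_API_IN_DX = 105,
	SYZOS_API_OUT_DX = 106,
	SYZOS_API_SET_IRQ_HANDLER = 200,
	SYZOS_API_ENABLE_NESTED = 300,
	SYZOS_API_NESTED_CREATE_VM = 301,
	SYZOS_API_NESTED_LOAD_CODE = 302,
	SYZOS_API_NESTED_VMLAUNCH = 303,
	SYZOS_API_NESTED_VMRESUME = 304,
	SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
	SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
	SYZOS_API_NESTED_AMD_INVLPGA = 381,
	SYZOS_API_NESTED_AMD_STGI = 382,
	SYZOS_API_NESTED_AMD_CLGI = 383,
	SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
	SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385,
	SYZOS_API_NESTED_AMD_VMLOAD = 386,
	SYZOS_API_NESTED_AMD_VMSAVE = 387,
	SYZOS_API_STOP,
} syzos_api_id;

/* Every command starts with this header; `size` is the total command size in bytes. */
struct api_call_header {
	uint64_t call;
	uint64_t size;
};

struct api_call_uexit {
	struct api_call_header header;
	uint64_t exit_code;
};

/* Raw instruction bytes executed in place by guest_execute_code(). */
struct api_call_code {
	struct api_call_header header;
	uint8_t insns[];
};

struct api_call_nested_load_code {
	struct api_call_header header;
	uint64_t vm_id;
	uint8_t insns[];
};

struct api_call_cpuid {
	struct api_call_header header;
	uint32_t eax;
	uint32_t ecx;
};

/* Generic fixed-arity argument blocks. */
struct api_call_1 {
	struct api_call_header header;
	uint64_t arg;
};

struct api_call_2 {
	struct api_call_header header;
	uint64_t args[2];
};

struct api_call_3 {
	struct api_call_header header;
	uint64_t args[3];
};

struct api_call_5 {
	struct api_call_header header;
	uint64_t args[5];
};

/* General-purpose registers of the L2 guest in the order they are pushed on VM exit. */
struct l2_guest_regs {
	uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp;
	uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
};

/* Forward declarations; the nested_* handlers are defined later in the file. */
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_stgi();
GUEST_CODE static void guest_handle_nested_amd_clgi();
GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id);

/*
 * Reserved exit codes reported through guest_uexit(): END when the command
 * stream is exhausted, IRQ from uexit_irq_handler, ASSERT on internal failures.
 */
typedef enum {
	UEXIT_END = (uint64_t)-1,
	UEXIT_IRQ = (uint64_t)-2,
	UEXIT_ASSERT = (uint64_t)-3,
} uexit_code;

typedef enum {
	CPU_VENDOR_INTEL,
	CPU_VENDOR_AMD,
} cpu_vendor_id;

/* Interrupt handler that simply returns (installed by set-irq-handler type 1). */
__attribute__((naked)) GUEST_CODE static void dummy_null_handler()
{
	asm("iretq");
}

/*
 * Interrupt handler that reports UEXIT_IRQ (-2) to the host and returns
 * (installed by set-irq-handler type 2). Naked, so %rdi is loaded by hand;
 * the `call` requires guest_uexit to exist as an out-of-line symbol, which
 * is why guest_uexit carries __attribute__((used)).
 */
__attribute__((naked)) GUEST_CODE static void uexit_irq_handler()
{
	asm volatile(R"(
		movq $-2, %rdi
		call guest_uexit
		iretq
	)");
}

/*
 * Guest entry point: walk the command stream for vCPU `cpu` (one page at
 * X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE, `size` bytes long) and
 * dispatch each command to its handler. Stops on an unknown/STOP command, on a
 * command that does not fit in the remaining bytes, or on a command whose
 * size is smaller than its header (which would otherwise make the loop spin
 * forever on a zero-sized entry). Reports UEXIT_END when the stream ends.
 *
 * The dispatch is an if-chain over a volatile copy of `call` rather than a
 * switch; presumably this keeps the compiler from emitting a jump table outside
 * the guest section. Keep that shape.
 */
__attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu)
{
	uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;
	while (size >= sizeof(struct api_call_header)) {
		struct api_call_header* cmd = (struct api_call_header*)addr;
		if (cmd->call >= SYZOS_API_STOP)
			return;
		if (cmd->size > size)
			return;
		/* A command shorter than its own header cannot advance the cursor. */
		if (cmd->size < sizeof(struct api_call_header))
			return;
		volatile uint64_t call = cmd->call;
		if (call == SYZOS_API_UEXIT) {
			struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
			guest_uexit(ucmd->exit_code);
		} else if (call == SYZOS_API_CODE) {
			struct api_call_code* ccmd = (struct api_call_code*)cmd;
			guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
		} else if (call == SYZOS_API_CPUID) {
			struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
			guest_handle_cpuid(ccmd->eax, ccmd->ecx);
		} else if (call == SYZOS_API_WRMSR) {
			struct api_call_2* ccmd = (struct api_call_2*)cmd;
			guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]);
		} else if (call == SYZOS_API_RDMSR) {
			struct api_call_1* ccmd = (struct api_call_1*)cmd;
			guest_handle_rdmsr(ccmd->arg);
		} else if (call == SYZOS_API_WR_CRN) {
			guest_handle_wr_crn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_WR_DRN) {
			guest_handle_wr_drn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_IN_DX) {
			guest_handle_in_dx((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_OUT_DX) {
			guest_handle_out_dx((struct api_call_3*)cmd);
		} else if (call == SYZOS_API_SET_IRQ_HANDLER) {
			guest_handle_set_irq_handler((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_ENABLE_NESTED) {
			guest_handle_enable_nested((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_CREATE_VM) {
			guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_LOAD_CODE) {
			guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMLAUNCH) {
			guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMRESUME) {
			guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) {
			guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) {
			guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_INVLPGA) {
			guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_STGI) {
			guest_handle_nested_amd_stgi();
		} else if (call == SYZOS_API_NESTED_AMD_CLGI) {
			guest_handle_nested_amd_clgi();
		} else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) {
			guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) {
			guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMLOAD) {
			guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMSAVE) {
			guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu);
		}
		addr += cmd->size;
		size -= cmd->size;
	}
	/* (uint64_t)-1 == UEXIT_END: the stream was consumed without a STOP. */
	guest_uexit((uint64_t)-1);
}

/*
 * Jump into raw instruction bytes supplied by a CODE command. `size` is not
 * used: the bytes are expected to return on their own.
 */
GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size)
{
	volatile void (*fn)() = (volatile void (*)())insns;
	fn();
}

/*
 * Report an exit code to the host by storing it at X86_SYZOS_ADDR_UEXIT;
 * presumably that page traps to the host — confirm against the VM setup.
 * Marked used because uexit_irq_handler reaches it from inline asm.
 */
__attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code)
{
	volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT;
	*ptr = exit_code;
}

/* Execute CPUID with the given leaf/subleaf; the results are discarded. */
GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx)
{
	/* CPUID overwrites EAX and ECX as well as EBX/EDX, so the inputs are
	 * declared read-write ("+a"/"+c"); the previous input-only constraints
	 * under-reported what the instruction clobbers. */
	asm volatile(
	    "cpuid\n"
	    : "+a"(eax), "+c"(ecx)
	    :
	    : "rbx", "rdx");
}

/* Write the 64-bit value to MSR `reg` (split into EDX:EAX as WRMSR expects). */
GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val)
{
	asm volatile(
	    "wrmsr"
	    :
	    : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32))
	    : "memory");
}

GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val)
{
	wrmsr(reg, val);
}

/* Read MSR `msr_id` and recombine EDX:EAX into a 64-bit value. */
GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id)
{
	uint32_t low = 0, high = 0;
	asm volatile("rdmsr"
		     : "=a"(low), "=d"(high)
		     : "c"(msr_id));
	return ((uint64_t)high << 32) | low;
}

/* RDMSR command: the read value is deliberately discarded. */
GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg)
{
	(void)rdmsr(reg);
}

/*
 * Load args[1] into control register args[0] (CR0/CR2/CR3/CR4/CR8); any
 * other register number is silently ignored. The register number goes
 * through a volatile copy and an if-chain, presumably to avoid a jump table
 * outside the guest section.
 */
GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%cr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%cr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%cr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%cr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 8) {
		asm volatile("movq %0, %%cr8" ::"r"(value) : "memory");
		return;
	}
}

/* Load args[1] into debug register args[0] (DR0..DR7); other numbers are ignored. */
GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%dr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 1) {
		asm volatile("movq %0, %%dr1" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%dr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%dr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%dr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 5) {
		asm volatile("movq %0, %%dr5" ::"r"(value) : "memory");
		return;
	}
	if (reg == 6) {
		asm volatile("movq %0, %%dr6" ::"r"(value) : "memory");
		return;
	}
	if (reg == 7) {
		asm volatile("movq %0, %%dr7" ::"r"(value) : "memory");
		return;
	}
}

/*
 * Port input of 1/2/4 bytes from port args[0] (truncated to 16 bits); the
 * value read is discarded and any other width is a no-op.
 */
GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	if (size == 1) {
		uint8_t unused;
		asm volatile("inb %1, %0"
			     : "=a"(unused)
			     : "d"(port));
		return;
	}
	if (size == 2) {
		uint16_t unused;
		asm volatile("inw %1, %0"
			     : "=a"(unused)
			     : "d"(port));
		return;
	}
	if (size == 4) {
		uint32_t unused;
		asm volatile("inl %1, %0"
			     : "=a"(unused)
			     : "d"(port));
	}
	return;
}

/* Port output of the low 1/2/4 bytes of args[2] to port args[0]; other widths are no-ops. */
GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	uint32_t data = (uint32_t)cmd->args[2];
	if (size == 1) {
		asm volatile("outb %b0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 2) {
		asm volatile("outw %w0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 4) {
		asm volatile("outl %k0, %w1" ::"a"(data), "d"(port));
		return;
	}
}

/* 64-bit IDT gate descriptor (16 bytes, as laid out in memory). */
struct idt_entry_64 {
	uint16_t offset_low;
	uint16_t selector;
	uint8_t ist;
	uint8_t type_attr;
	uint16_t offset_mid;
	uint32_t offset_high;
	uint32_t reserved;
} __attribute__((packed));

/*
 * Point IDT entry `vector` (table at X86_SYZOS_ADDR_VAR_IDT) at `handler`.
 * type_attr 0x8E = present, DPL 0, 64-bit interrupt gate; code selector
 * X86_SYZOS_SEL_CODE; no IST stack.
 */
GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler)
{
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
	volatile struct idt_entry_64* idt_entry = &idt[vector];
	idt_entry->offset_low = (uint16_t)handler;
	idt_entry->offset_mid = (uint16_t)(handler >> 16);
	idt_entry->offset_high = (uint32_t)(handler >> 32);
	idt_entry->selector = X86_SYZOS_SEL_CODE;
	idt_entry->type_attr = 0x8E;
	idt_entry->ist = 0;
	idt_entry->reserved = 0;
}

/*
 * Install an IRQ handler for vector args[0]: type 1 = dummy_null_handler,
 * type 2 = uexit_irq_handler. Any other type leaves handler_addr at 0, so the
 * gate ends up pointing at guest address 0 — presumably intentional for
 * fuzzing, but worth confirming.
 */
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
{
	uint8_t vector = (uint8_t)cmd->args[0];
	uint64_t type = cmd->args[1];
	volatile uint64_t handler_addr = 0;
	if (type == 1)
		handler_addr = executor_fn_guest_addr(dummy_null_handler);
	else if (type == 2)
		handler_addr = executor_fn_guest_addr(uexit_irq_handler);
	set_idt_gate(vector, handler_addr);
}

/*
 * Identify the CPU vendor from CPUID leaf 0: EBX is "Genu" (0x756e6547) for
 * Intel and "Auth" (0x68747541) for AMD. Anything else raises UEXIT_ASSERT
 * and falls back to Intel.
 */
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void)
{
	uint32_t ebx, eax = 0;
	asm volatile(
	    "cpuid"
	    : "+a"(eax), "=b"(ebx)
	    :
	    : "ecx", "edx");
	if (ebx == 0x756e6547) {
		return CPU_VENDOR_INTEL;
	} else if (ebx == 0x68747541) {
		return CPU_VENDOR_AMD;
	} else {
		guest_uexit(UEXIT_ASSERT);
		return CPU_VENDOR_INTEL;
	}
}

/* Control-register accessors. */
GUEST_CODE static inline uint64_t read_cr0(void)
{
	uint64_t val;
	asm volatile("mov %%cr0, %0"
		     : "=r"(val));
	return val;
}

GUEST_CODE static inline uint64_t read_cr3(void)
{
	uint64_t val;
	asm volatile("mov %%cr3, %0"
		     : "=r"(val));
	return val;
}

GUEST_CODE static inline uint64_t read_cr4(void)
{
	uint64_t val;
	asm volatile("mov %%cr4, %0"
		     : "=r"(val));
	return val;
}

GUEST_CODE static inline void write_cr4(uint64_t val)
{
	asm volatile("mov %0, %%cr4"
		     :
		     : "r"(val));
}

/*
 * VMWRITE `value` into VMCS `field` of the current VMCS. AT&T operand order:
 * value in %rax, field encoding in %rbx. `setna` captures VMfailInvalid/
 * VMfailValid (CF or ZF set); a failure raises UEXIT_ASSERT.
 */
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value)
{
	uint8_t error = 0;
	asm volatile("vmwrite %%rax, %%rbx; setna %0"
		     : "=q"(error)
		     : "a"(value), "b"(field)
		     : "cc", "memory");
	if (error)
		guest_uexit(UEXIT_ASSERT);
}

/* VMREAD VMCS `field` of the current VMCS; errors are not checked here. */
GUEST_CODE static noinline uint64_t vmread(uint64_t field)
{
	uint64_t value;
	asm volatile("vmread %%rbx, %%rax"
		     : "=a"(value)
		     : "b"(field)
		     : "cc");
	return value;
}

/*
 * Make the VMCS of (cpu_id, vm_id) current. On failure reports 0xE2BAD2 (a
 * distinct code rather than UEXIT_ASSERT, so the host can tell it apart).
 */
GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	asm volatile("vmptrld %1; setna %0"
		     : "=q"(error)
		     : "m"(vmcs_addr)
		     : "memory", "cc");
	if (error)
		guest_uexit(0xE2BAD2);
}

/*
 * VMCB (AMD) field accessors: plain volatile memory accesses at
 * vmcb + offset. Note vmcb_read64 takes a pointer while the others take the
 * address as an integer; callers cast accordingly.
 */
GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val)
{
	*((volatile uint16_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val)
{
	*((volatile uint32_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset)
{
	return *((volatile uint32_t*)(vmcb + offset));
}

GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val)
{
	*((volatile uint64_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset)
{
	return *((volatile uint64_t*)(vmcb + offset));
}

/*
 * Byte-wise memset/memcpy for guest use. Hand-rolled rather than libc,
 * presumably because libc is not mapped inside the guest — confirm. A
 * negative `size` performs no iterations.
 */
GUEST_CODE static void guest_memset(void* s, uint8_t c, int size)
{
	volatile uint8_t* p = (volatile uint8_t*)s;
	for (int i = 0; i < size; i++)
		p[i] = c;
}

GUEST_CODE static void guest_memcpy(void* dst, void* src, int size)
{
	volatile uint8_t* d = (volatile uint8_t*)dst;
	volatile uint8_t* s = (volatile uint8_t*)src;
	for (int i = 0; i < size; i++)
		d[i] = s[i];
}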
GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_pdpt_addr = l2_pml4_addr + KVM_PAGE_SIZE; uint64_t l2_pd_addr = l2_pml4_addr + 2 * KVM_PAGE_SIZE; uint64_t l2_pt_addr = l2_pml4_addr + 3 * KVM_PAGE_SIZE; volatile uint64_t* pml4 = (volatile uint64_t*)l2_pml4_addr; volatile uint64_t* pdpt = (volatile uint64_t*)l2_pdpt_addr; volatile uint64_t* pd = (volatile uint64_t*)l2_pd_addr; volatile uint64_t* pt = (volatile uint64_t*)l2_pt_addr; guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pdpt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pd_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id), 0, KVM_PAGE_SIZE); uint64_t 
// Tail of setup_l2_page_tables (its head lies before this chunk): chain the
// single PML4 -> PDPT -> PD entries and identity-map 512 pages in the leaf
// table. The same structure is later installed as the EPT root (Intel,
// VMCS_EPT_POINTER) or the NPT root (AMD, VMCB_CTRL_N_CR3).
flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
pml4[0] = l2_pdpt_addr | flags;
pdpt[0] = l2_pd_addr | flags;
pd[0] = l2_pt_addr | flags;
uint64_t pt_flags = flags;
if (vendor == CPU_VENDOR_INTEL) {
	// EPT leaves need a memory type and A/D bits; bits 0..2 of the legacy
	// PDE flags coincide with the EPT read/write/execute permission bits,
	// which is presumably why the X86_PDE64_* names are reused here.
	pt_flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY;
} else {
	pt_flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY;
}
// Identity map: L2 guest-physical page i -> L1 page i, for the 512 pages
// reachable through pd[0].
for (int i = 0; i < 512; i++)
	pt[i] = (i * KVM_PAGE_SIZE) | pt_flags;
}

// Program the VMCS VM-execution, VM-exit and VM-entry controls for the L2
// guest of (cpu_id, vm_id). Each control word starts from the low 32 bits of
// the matching IA32_VMX_TRUE_* capability MSR (the bits the CPU requires to
// be 1) and only the exits this code wants to observe are added on top.
// Must run with the target VMCS current (see nested_create_vm_intel).
GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id)
{
	// Pin-based controls: mandatory bits only.
	uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS);
	vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
	// Secondary controls: EPT (needed for the page table above) and RDTSCP.
	vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2);
	vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP;
	vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr);
	// Primary controls: activate the secondary word, exit on HLT and RDTSC.
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS);
	vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
	vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING;
	vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
	// Exit/entry controls: host and guest both run in 64-bit mode.
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS);
	vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE);
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS);
	vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE);
	// EPTP: page-aligned root of the L2 page table; the low bits encode the
	// paging-structure memory type (6 = WB) and the walk length minus one
	// (3 = four levels) in the SDM's EPTP format.
	uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3);
	vmwrite(VMCS_EPT_POINTER, eptp);
	// No CR0/CR4 bits are owned by L1: L2 reads and writes them directly,
	// so the read shadows merely mirror the current values.
	vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0);
	vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0);
	vmwrite(VMCS_CR0_READ_SHADOW, read_cr0());
	vmwrite(VMCS_CR4_READ_SHADOW, read_cr4());
	// Bitmap pointers stay 0; the controls that would consume them (MSR
	// bitmaps, VMCS shadowing) are not enabled above, so every L2 MSR
	// access is presumably reported as a plain exit -- TODO confirm.
	vmwrite(VMCS_MSR_BITMAP, 0);
	vmwrite(VMCS_VMREAD_BITMAP, 0);
	vmwrite(VMCS_VMWRITE_BITMAP, 0);
	// Exception bitmap bit 6: intercept #UD raised inside L2.
	vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6));
	vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0);
	vmwrite(VMCS_POSTED_INTR_NV, 0);
	// #PF exiting is decided by exception-bitmap bit 14 together with this
	// mask/match pair (SDM); mask 0 with match -1 never matches -- confirm
	// that this is the intended page-fault policy for L2.
	vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0);
	vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1);
	vmwrite(VMCS_CR3_TARGET_COUNT, 0);
	// No MSR load/store lists and no event injection on entry.
	vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0);
	vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0);
	vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0);
	vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0);
	vmwrite(VMCS_TPR_THRESHOLD, 0);
}

// Vendor-neutral L2 exit reasons reported to the executor by guest_uexit_l2.
// Raw Intel/AMD reasons outside this list are reported as UNKNOWN together
// with the vendor-specific code.
typedef enum {
	SYZOS_NESTED_EXIT_REASON_HLT = 1,
	SYZOS_NESTED_EXIT_REASON_INVD = 2,
	SYZOS_NESTED_EXIT_REASON_CPUID = 3,
	SYZOS_NESTED_EXIT_REASON_RDTSC = 4,
	SYZOS_NESTED_EXIT_REASON_RDTSCP = 5,
	SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF,
} syz_nested_exit_reason;

// Report an L2 exit to the host. Mapped reasons go out under the 0xe2e2
// prefix; unmapped ones carry the raw vendor code under 0xe211 (Intel) or
// 0xe2aa (AMD). exit_reason is OR'ed in unmasked: the Intel handler passes
// the full exit reason rather than the 16-bit basic reason, so a raw value
// with high bits set (e.g. an entry-failure bit) would overlap the prefix.
GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor)
{
	if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) {
		guest_uexit(0xe2e20000 | mapped_reason);
	} else if (vendor == CPU_VENDOR_INTEL) {
		guest_uexit(0xe2110000 | exit_reason);
	} else {
		guest_uexit(0xe2aa0000 | exit_reason);
	}
}

// Intel basic exit reasons handled below (SDM exit-reason numbering).
#define EXIT_REASON_CPUID 0xa
#define EXIT_REASON_HLT 0xc
#define EXIT_REASON_INVD 0xd
#define EXIT_REASON_RDTSC 0x10
#define EXIT_REASON_RDTSCP 0x33

// Translate an Intel basic exit reason into the vendor-neutral enum.
// `reason` is copied into a volatile local, presumably to stop the compiler
// from lowering the chain into a table that would live outside the
// relocated GUEST_CODE section -- TODO confirm.
GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	if (reason == EXIT_REASON_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == EXIT_REASON_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == EXIT_REASON_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == EXIT_REASON_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == EXIT_REASON_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Skip the instruction that caused the exit so that a later vmresume does
// not re-execute it. Lengths are hard-coded (INVD/CPUID/RDTSC = 2 bytes,
// RDTSCP = 3) instead of using the VMCS exit-instruction-length field, so
// any prefix bytes in the L2 code would desynchronise RIP. HLT is not in
// the list: a resumed L2 re-executes it and exits again.
GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	uint64_t rip = vmread(VMCS_GUEST_RIP);
	if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) {
		rip += 2;
	} else if (reason == EXIT_REASON_RDTSCP) {
		rip += 3;
	}
	vmwrite(VMCS_GUEST_RIP, rip);
}

// C half of the Intel L2 exit path. Called from nested_vm_exit_handler_intel_asm
// with the full VMCS exit reason in rdi and a pointer to the pushed register
// frame in rsi; `regs` is currently unused. Reports the exit, then advances
// L2 RIP so a subsequent vmresume continues past the exiting instruction.
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs)
{
	uint64_t basic_reason = exit_reason & 0xFFFF;
	syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason);
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
	advance_l2_rip_intel(basic_reason);
}

// Defined by the inline asm in guest_handle_nested_vmentry_intel; the exit
// stub jumps here instead of returning.
extern char after_vmentry_label;

// Host-RIP target for every Intel L2 VM exit (installed by init_vmcs_host_state).
// On entry the CPU has already loaded VMCS_HOST_RSP, i.e. the stack pointer
// captured at VM-creation time, not the one live when vmlaunch ran; the
// pushes below therefore land in stack memory that may overlap the frame
// of the function that executed vmlaunch/vmresume -- TODO confirm the
// layout is safe. The push order is assumed to mirror struct l2_guest_regs
// (15 GPRs, so the cleanup `add sizeof(struct l2_guest_regs)` must equal
// 15 * 8). After the C handler returns, control resumes at
// after_vmentry_label rather than at the stub's caller.
// (The asm text is kept exactly as on the page; its mnemonics are
// whitespace-separated.)
__attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void)
{
	asm volatile(R"( push %%rax push %%rbx push %%rcx push %%rdx push %%rsi push %%rdi push %%rbp push %%r8 push %%r9 push %%r10 push %%r11 push %%r12 push %%r13 push %%r14 push %%r15 mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[stack_cleanup_size], %%rsp jmp after_vmentry_label )" : : [stack_cleanup_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi");
}

// AMD SVM exit codes handled below (APM VMEXIT numbering).
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_RDTSCP 0x87

// AMD counterpart of map_intel_exit_reason; same volatile-local trick.
GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	if (reason == VMEXIT_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == VMEXIT_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == VMEXIT_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == VMEXIT_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == VMEXIT_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// AMD counterpart of advance_l2_rip_intel, operating on the VMCB's saved RIP.
// Same hard-coded instruction lengths; the VMCB's next-RIP field (where the
// CPU supports it) would give the exact value. Note the read goes through a
// volatile uint8_t* while the write takes the raw address -- the two
// accessors presumably differ in signature; TODO confirm.
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t reason = basic_reason;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
	if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
		rip += 2;
	} else if (reason == VMEXIT_RDTSCP) {
		rip += 3;
	}
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

// AMD L2 exit handling, called synchronously from guest_run_amd_vm after
// vmrun returns (there is no asm stub on the SVM side).
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t basic_reason = exit_reason & 0xFFFF;
	syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
	advance_l2_rip_amd(basic_reason, cpu_id, vm_id);
}

// Fill the host-state area of the current VMCS: the L1 state the CPU loads
// on every L2 VM exit. Selectors and descriptor-table bases come from the
// syzos layout constants; control registers and MSRs are copied from the
// running L1. HOST_TR_BASE is 0 (consistent with the TSS descriptor written
// by setup_gdt_64, but different from the X86_SYZOS_ADDR_VAR_TSS the SVM
// path uses -- confirm which is intended).
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
	vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
	vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
	vmwrite(VMCS_HOST_TR_BASE, 0);
	vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
	vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
	vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
	vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
	// HOST_RSP is the stack pointer *of this call*, captured once at VM
	// creation. The exit stub will push onto this address on every exit,
	// long after this frame is gone -- see nested_vm_exit_handler_intel_asm.
	uint64_t tmpreg = 0;
	asm volatile("mov %%rsp, %0" : "=r"(tmpreg));
	vmwrite(VMCS_HOST_RSP, tmpreg);
	vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
	vmwrite(VMCS_HOST_CR0, read_cr0());
	vmwrite(VMCS_HOST_CR3, read_cr3());
	vmwrite(VMCS_HOST_CR4, read_cr4());
	vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
	vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
	vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
	vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
	vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
	vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

// Copy a host-state VMCS field into the matching guest-state field.
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))
// Write selector/base/limit/access-rights of one L2 segment. Expands to four
// statements with no do { } while (0) wrapper, so it must only be used as a
// full statement, never as the body of a braceless if/else.
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

// Fill the guest-state area: L2 starts as a near-clone of L1 (same selectors,
// CR0/CR3/CR4, EFER/PAT/SYSENTER MSRs and descriptor tables, read back from
// the host-state fields written just before), with RIP at the per-VM code
// page and RSP at the top of the per-VM stack page. Because the EPT above is
// an identity map, reusing L1's CR3 gives L2 the same linear address space.
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
	SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	// A guest TR must be a busy 64-bit TSS; 0x67 is the minimal TSS limit.
	SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
	SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
	vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
	vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
	vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
	vmwrite(VMCS_GUEST_RIP, l2_code_addr);
	vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	// RFLAGS reserved bit 1 must be set; DR7 bit 10 (0x400) likewise.
	vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT);
	vmwrite(VMCS_GUEST_DR7, 0x400);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
	vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
	vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
	vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
	vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
	vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
	// All-ones link pointer: no shadow VMCS.
	vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff);
	vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0);
	vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
	vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0);
	vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
	vmwrite(VMCS_GUEST_INTR_STATUS, 0);
	vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

// Create an Intel L2 VM: stamp the VMCS revision identifier (taken from
// IA32_VMX_BASIC; the uint32 store keeps that MSR's low word, whose bit 31
// is reserved/0, as required for a non-shadow VMCS), vmclear it, make it
// current and fill controls, host state and guest state in that order.
// `setna` sets `error` when either CF (VMfailInvalid) or ZF (VMfailValid)
// is set; failure is reported as uexit 0xE2BAD1 and setup is abandoned.
// cmd->arg (the vm_id) is fuzzer-chosen and selects the per-VM region.
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	*(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
	asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc");
	if (error) {
		guest_uexit(0xE2BAD1);
		return;
	}
	nested_vmptrld(cpu_id, vm_id);
	setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id);
	init_vmcs_control_fields(cpu_id, vm_id);
	init_vmcs_host_state();
	init_vmcs_guest_state(cpu_id, vm_id);
}

// SVM analogue of SETUP_L2_SEGMENT: selector/attr/limit/base of one VMCB
// segment. Same caveat -- four bare statements, no do/while wrapper. (The
// first parameter is spelled VMBC_PTR; VMCB is presumably meant.)
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

// Fill the VMCB (save and control areas) for an AMD L2 VM. Guest state
// mirrors L1 as on the Intel side, except that CR0.WP is forced on and
// EFER.SCE is cleared (no SYSCALL in L2). Control area: intercept vectors
// 3 and 4 are set to "all", nested paging is enabled with the identity
// NPT built by setup_l2_page_tables, and ASID 1 is used (VMRUN requires a
// non-zero guest ASID). The MSR/IO permission-map bases are left untouched
// (zero after nested_create_vm_amd's memset) -- TODO confirm that is the
// intended MSR/IO intercept policy.
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	// NOTE(review): the TR attribute uses the VMX-named constant
	// VMX_AR_TSS_AVAILABLE on the SVM side; confirm its encoding matches
	// the VMCB's packed 16-bit attribute layout (the other segments use
	// SVM_ATTR_* constants).
	SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, VMX_AR_TSS_AVAILABLE);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
	uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
	vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
	vmcb_write64(vmcb_addr, VMCB_GUEST_DEBUGCTL, 0);
	vmcb_write64(vmcb_addr, VMCB_GUEST_DR6, 0x0);
	vmcb_write64(vmcb_addr, VMCB_GUEST_DR7, 0x0);
	vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, efer & ~X86_EFER_SCE);
	vmcb_write64(vmcb_addr, VMCB_GUEST_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
	// Copy L1's descriptor-table registers verbatim via sgdt/sidt.
	struct {
		uint16_t limit;
		uint64_t base;
	} __attribute__((packed)) gdtr, idtr;
	asm volatile("sgdt %0" : "=m"(gdtr));
	asm volatile("sidt %0" : "=m"(idtr));
	vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
	vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
	vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
	vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
	vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
	vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
	vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
	uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
	vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
	vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

// Create an AMD L2 VM: zero the VMCB page and the per-CPU arch-specific
// page, build the NPT, then fill the VMCB. Unlike the Intel path there is
// no hardware "clear" step and no failure report here; problems surface at
// vmrun time in guest_run_amd_vm.
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
	setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id);
	init_vmcb_guest_state(cpu_id, vm_id);
}

// Dispatch the "create nested VM" API call to the vendor-specific path.
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_create_vm_intel(cmd, cpu_id);
	} else {
		nested_create_vm_amd(cmd, cpu_id);
	}
}

// Copy fuzzer-supplied machine code into the per-VM code page and reset
// L2 RIP/RSP to its start. The code length is derived from the command
// header: header.size minus the header and the vm_id word. That subtraction
// is unsigned, so a header.size smaller than the fixed overhead wraps to a
// huge value which the clamp below then reduces to KVM_PAGE_SIZE -- i.e.
// a full page is copied from cmd->insns regardless of how much the command
// actually carried. A lower-bound check on header.size would avoid the
// over-read; TODO confirm the caller validates it.
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->vm_id;
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t);
	// Never copy more than the single code page.
	if (l2_code_size > KVM_PAGE_SIZE)
		l2_code_size = KVM_PAGE_SIZE;
	guest_memcpy((void*)l2_code_addr, (void*)cmd->insns, l2_code_size);
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_vmptrld(cpu_id, vm_id);
		vmwrite(VMCS_GUEST_RIP, l2_code_addr);
		vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	} else {
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, l2_code_addr);
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	}
}

// Enter the Intel L2 VM with vmlaunch (is_launch) or vmresume. The asm
// folds CF (VMfailInvalid) and ZF (VMfailValid) into fail_flag. On a
// successful entry this function does not "return" from the asm in the
// usual sense: the next L1 code to run is nested_vm_exit_handler_intel_asm,
// which eventually jumps to after_vmentry_label below, so `if (fail_flag)`
// is evaluated on both the failed-entry path and the post-exit path. That
// only works if fail_flag had already been spilled to its stack slot before
// the label (and if the exit stub's pushes did not clobber this frame);
// __optnone is presumably there to keep the compiler from reordering or
// registerising it -- TODO confirm.
GUEST_CODE static noinline __optnone void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch)
{
	uint64_t vmx_error_code = 0;
	uint8_t fail_flag = 0;
	nested_vmptrld(cpu_id, vm_id);
	if (is_launch) {
		asm volatile(R"( vmlaunch setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory");
	} else {
		asm volatile(R"( vmresume setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory");
	}
	asm volatile(".globl after_vmentry_label\nafter_vmentry_label:");
	if (fail_flag) {
		// VMfail: report the VM-instruction error number under 0xE2E1.
		vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
		guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
		return;
	}
}

// Run the AMD L2 VM once: vmrun with rax = VMCB address blocks until the
// next #VMEXIT, so exit handling is synchronous here. CF set after vmrun
// means the instruction itself failed; that is reported with the same
// 0xE2E1 prefix as the Intel path and a 0xFFFF pseudo error code.
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	volatile uint8_t* vmcb_ptr = (volatile uint8_t*)vmcb_addr;
	uint8_t fail_flag = 0;
	asm volatile(
	    "mov %1, %%rax\n\t"
	    "vmrun\n\t"
	    "setc %0\n\t"
	    : "=q"(fail_flag)
	    : "m"(vmcb_addr)
	    : "rax", "cc", "memory");
	if (fail_flag) {
		guest_uexit(0xE2E10000 | 0xFFFF);
		return;
	}
	uint64_t exit_reason = vmcb_read64(vmcb_ptr, VMCB_EXIT_CODE);
	nested_vm_exit_handler_amd(exit_reason, cpu_id, vm_id);
}

// "vmlaunch" API call. SVM has no launch/resume distinction, so the AMD
// side just runs the VM.
GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		guest_handle_nested_vmentry_intel(vm_id, cpu_id, true);
	} else {
		guest_run_amd_vm(cpu_id, vm_id);
	}
}

// "vmresume" API call; see guest_handle_nested_vmlaunch.
GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		guest_handle_nested_vmentry_intel(vm_id, cpu_id, false);
	} else {
		guest_run_amd_vm(cpu_id, vm_id);
	}
}

// Read-modify-write of an arbitrary VMCS field chosen by the fuzzer:
// args = {vm_id, field, set_mask, unset_mask, flip_mask}; the new value is
// ((old & ~unset) | set) ^ flip. The field encoding is not validated; an
// invalid encoding makes vmread/vmwrite fail (VMfailValid), and whether
// those helpers report that is not visible here -- TODO confirm.
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_INTEL)
		return;
	uint64_t vm_id = cmd->args[0];
	nested_vmptrld(cpu_id, vm_id);
	uint64_t field = cmd->args[1];
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t current_value = vmread(field);
	uint64_t new_value = (current_value & ~unset_mask) | set_mask;
	new_value ^= flip_mask;
	vmwrite(field, new_value);
}

// AMD analogue of guest_handle_nested_intel_vmwrite_mask, keyed by a byte
// offset into the VMCB instead of a field encoding. The offset comes
// straight from the command; this assumes vmcb_read64/vmcb_write64 confine
// it to the VMCB page -- TODO confirm, otherwise this is a command-driven
// write to an arbitrary L1 address.
GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t offset = cmd->args[1];
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset);
	uint64_t new_value = (current_value & ~unset_mask) | set_mask;
	new_value ^= flip_mask;
	vmcb_write64(vmcb_addr, offset, new_value);
}

// INVLPGA: invalidate the TLB entry for a linear address (rax) in a given
// ASID (ecx); both operands are fuzzer-chosen.
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t linear_addr = cmd->args[0];
	uint32_t asid = (uint32_t)cmd->args[1];
	asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

// STGI: set the global interrupt flag. (Empty parameter list is an old-style
// declaration; `(void)` would be the strict-prototype form.)
GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("stgi" ::: "memory");
}

// CLGI: clear the global interrupt flag. Interrupts stay masked on this
// vCPU until a matching STGI; pairing them is left to the fuzzer program.
GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("clgi" ::: "memory");
}

// Queue an event for injection into the AMD L2 guest on the next vmrun.
// args = {vm_id, vector, type, error_code, flags}; the value is built in the
// EVENTINJ layout (vector 7:0, type 10:8, "error code valid" bit 11 from
// flags&2, "valid" bit 31 from flags&1, error code 63:32).
// NOTE(review): the value is stored at raw offset 0x60, which is not a
// VMCB_* constant like every other field in this file; in the APM's VMCB
// control-area layout EVENTINJ lives at 0xA8 and 0x60 holds the virtual
// interrupt control bits. Confirm the intended field and use its named
// constant.
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t vector = cmd->args[1] & 0xFF;
	uint64_t type = cmd->args[2] & 0x7;
	uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
	uint64_t flags = cmd->args[4];
	uint64_t event_inj = vector;
	event_inj |= (type << 8);
	if (flags & 2)
		event_inj |= (1ULL << 11);
	if (flags & 1)
		event_inj |= (1ULL << 31);
	event_inj |= (error_code << 32);
	vmcb_write64(vmcb_addr, 0x60, event_inj);
}

// Set (action == 1) or clear (any other action) bits in a 32-bit VMCB
// control word: args = {vm_id, offset, bit_mask, action}. The offset is
// truncated to 16 bits before use; whether that keeps it inside the VMCB
// page depends on vmcb_read32/vmcb_write32 -- TODO confirm.
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t offset = cmd->args[1];
	uint64_t bit_mask = cmd->args[2];
	uint64_t action = cmd->args[3];
	uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset);
	if (action == 1)
		current |= (uint32_t)bit_mask;
	else
		current &= ~((uint32_t)bit_mask);
	vmcb_write32(vmcb_addr, (uint16_t)offset, current);
}

// VMLOAD: load the additional guest state (FS/GS/TR/LDTR bases, SYSCALL and
// SYSENTER MSRs, KernelGSBase) from the VMCB whose address is in rax.
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory");
}

// VMSAVE: the inverse of guest_handle_nested_amd_vmload.
GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory");
}

// Raw x86 machine-code snippets executed inside a test VM by the non-syzos
// KVM setup path (mode switches, paging, VMX bring-up, CPL3 entry). The
// bytes are opaque here and are reproduced unchanged.
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb";
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
// The initialiser of this array continues on the following lines.
const char kvm_asm64_init_vm[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
fsh; // tail of struct tss32 (its head lies before this chunk)
uint16_t gs, gsh;
uint16_t ldt, ldth;
uint16_t trace;
uint16_t io_bitmap;
} __attribute__((packed));

// 64-bit TSS: three privilege-level stack pointers, seven IST pointers and
// the I/O permission bitmap offset, with the architectural reserved gaps.
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint16_t reserved3;
	uint16_t io_bitmap;
} __attribute__((packed));

// Encode a kvm_segment as an 8-byte segment descriptor and store it at the
// selector's index in both the GDT (dt) and LDT (lt) arrays. With g set the
// limit is first scaled down to 4K pages.
// NOTE(review): the two high fragments are shifted past bit 63 and lost:
// `(limit & 0xf0000ULL) << 48` puts limit[19:16] at bits 64..67 and
// `(seg->base & 0xff000000ULL) << 56` puts base[31:24] at bits 80..87. In
// the descriptor layout they belong at bits 51:48 and 63:56, i.e. both
// shifts should be `<< 32`. As written, every descriptor built here has
// base[31:24] = 0 and limit[19:16] = 0, so a 4G-granular limit becomes
// 0xffff pages. Callers in this file happen to use small bases.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
	dt[index] = sd;
	lt[index] = sd;
}

// 16-byte (64-bit system) descriptor: the low qword is the usual 8-byte
// encoding, the high qword (base[63:32] and reserved bits) is zeroed.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

// Program the SYSENTER/SYSCALL MSRs of a vCPU: SYSENTER target at
// X86_ADDR_VAR_SYSEXIT on stack X86_ADDR_STACK0, SYSCALL target (LSTAR) at
// X86_ADDR_VAR_SYSRET, and STAR with the kernel CS in bits 47:32 and the
// selector SYSRET derives CS/SS from in bits 63:48. The kvm_msrs header and
// its five entries share one zeroed byte buffer because kvm_msrs ends in a
// flexible array. The KVM_SET_MSRS result is not checked.
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = X86_MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
	entries[1].data = X86_ADDR_STACK0;
	entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
	entries[2].data = X86_ADDR_VAR_SYSEXIT;
	entries[3].index = X86_MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = X86_MSR_IA32_LSTAR;
	entries[4].data = X86_ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

// Build a 32-entry legacy IDT at X86_ADDR_VAR_IDT. kvm_segment is repurposed
// as a gate description: `base` carries the gate's target selector (it lands
// in descriptor bits 31:16, where a gate keeps its selector) and `limit` the
// handler offset. The vectors cycle through six descriptor types: 6/7 are
// 16-bit interrupt/trap gates, 14/15 their 32-bit forms, and 3/11 are the
// 16-/32-bit busy-TSS types paired with the TGATE selectors. Because of the
// packing in fill_segment_descriptor only offset[15:0] reaches the gate;
// the handler address is assumed to fit -- TODO confirm.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = X86_SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = X86_SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = X86_SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = X86_SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = X86_SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = X86_SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}

// 64-bit counterpart of setup_32bit_idt: 32 sixteen-byte gates (selector
// index 2*i), alternating interrupt (14, odd i) and trap (15, even i) gates
// that all target X86_SEL_CS64; the upper qword is zeroed by the _dword
// helper. Same offset-truncation caveat as the 32-bit version.
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ? 14 : 15;
		gate.base = X86_SEL_CS64;
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

// Per-region flags for syzos_mem_regions (bit 4 is unused).
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)

// One guest-physical region of the syzos memory map.
struct mem_region {
	uint64_t gpa;
	int pages;
	uint32_t flags;
};

// Static syzos memory layout. The EXIT page has no host backing (accesses
// are meant to leave the VM); user and executor code are mapped read-only;
// the per-vCPU area is sized from KVM_MAX_VCPU and the per-vCPU region size.
static const struct mem_region syzos_mem_regions[] = {
	{X86_SYZOS_ADDR_ZERO, 48, MEM_REGION_FLAG_GPA0},
	{X86_SYZOS_ADDR_SMRAM, 10, 0},
	{X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM},
	{X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG},
	{X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE},
	{SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE},
	{X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0},
	{X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0},
	{X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0},
	{X86_SYZOS_ADDR_IOAPIC, 1, 0},
};

// Host-side handle for a syzos VM: the KVM vm fd, the next vCPU id to hand
// out, the host mapping of guest memory, its size in pages, and the host
// views of the user-code and GPA-0 regions.
struct kvm_syz_vm {
	int vmfd;
	int next_cpu_id;
	void* host_mem;
	size_t total_pages;
	void* user_text;
	void* gpa0_mem;
};

#define X86_NUM_IDT_ENTRIES 256

// Build the syzos 64-bit IDT in guest memory: all 256 vectors are 64-bit
// interrupt gates (type_attr 0x8E = present, DPL 0, type 0xE) in
// X86_SYZOS_SEL_CODE pointing at dummy_null_handler, whose guest address is
// obtained via executor_fn_guest_addr. The IDT memory is written through a
// volatile pointer because the guest reads it behind the compiler's back.
static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs)
{
	sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT;
	sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1;
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)((uint64_t)vm->host_mem + sregs->idt.base);
	uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler);
	for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) {
		idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF);
		idt[i].selector = X86_SYZOS_SEL_CODE;
		idt[i].ist = 0;
		idt[i].type_attr = 0x8E;
		idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF);
		idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF);
		idt[i].reserved = 0;
	}
}

// A blob of guest code to load (type tag, bytes, length).
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

// A typed VM setup option.
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

// Physical-address bits of a page-table entry (bits 51:12).
#define PAGE_MASK GENMASK_ULL(51, 12)

// Bump allocator over a fixed pool of page-table pages.
typedef struct {
	uint64_t next_page;
	uint64_t last_page;
} page_alloc_t;

// Hand out the next pool page (guest-physical address). Pool exhaustion is
// treated as fatal: the whole process exits rather than returning an error.
static uint64_t pg_alloc(page_alloc_t* alloc)
{
	if (alloc->next_page >= alloc->last_page)
		exit(1);
	uint64_t page = alloc->next_page;
	alloc->next_page += KVM_PAGE_SIZE;
	return page;
}

// Identity-map one 4K guest-physical page (gpa -> gpa) in the 4-level table
// rooted at X86_SYZOS_ADDR_PML4, allocating intermediate tables from `alloc`
// on first use (an entry of 0 means "not yet allocated", hence the pool must
// be zeroed beforehand). Entries are present + writable only: no USER bit,
// so the mappings are supervisor-only, and no NX bit. host_mem is the host
// address that corresponds to guest-physical 0.
static void map_4k_page(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa)
{
	uint64_t* pml4 = (uint64_t*)(host_mem + X86_SYZOS_ADDR_PML4);
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (pml4[pml4_idx] == 0)
		pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pdpt = (uint64_t*)(host_mem + (pml4[pml4_idx] & PAGE_MASK));
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (pdpt[pdpt_idx] == 0)
		pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pd = (uint64_t*)(host_mem + (pdpt[pdpt_idx] & PAGE_MASK));
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (pd[pd_idx] == 0)
		pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pt = (uint64_t*)(host_mem + (pd[pd_idx] & PAGE_MASK));
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW;
}

// Identity-map num_pages consecutive pages starting at gpa_start; returns
// num_pages so callers can keep a running page budget. A non-positive count
// maps nothing.
static int map_4k_region(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa_start, int num_pages)
{
	for (int i = 0; i < num_pages; i++)
		map_4k_page(host_mem, alloc, gpa_start + (i * KVM_PAGE_SIZE));
	return num_pages;
}

// Build the syzos guest page tables: zero the 32-page table pool, identity-
// map every region of syzos_mem_regions, then map whatever page budget is
// left (vm->total_pages minus the regions) at X86_SYZOS_ADDR_UNUSED. The
// budget is kept in an int; if the regions exceed total_pages it goes
// negative and the final map_4k_region simply maps nothing.
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	int total = vm->total_pages;
	uint64_t host_mem = (uint64_t)vm->gpa0_mem;
	page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + 32 * KVM_PAGE_SIZE};
	// map_4k_page treats a zero entry as unallocated, so the pool must
	// start out clean.
	for (uint64_t i = 0; i < (alloc.last_page - alloc.next_page); i += KVM_PAGE_SIZE)
		memset((void*)(host_mem + alloc.next_page + i), 0, KVM_PAGE_SIZE);
	for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++)
		total -= map_4k_region(host_mem, &alloc, syzos_mem_regions[i].gpa, syzos_mem_regions[i].pages);
	map_4k_region(host_mem, &alloc, X86_SYZOS_ADDR_UNUSED, total);
}

// Raw 8-byte GDT entry layout.
struct gdt_entry {
	uint16_t limit_low;
	uint16_t base_low;
	uint8_t base_mid;
	uint8_t access;
	uint8_t limit_high_and_flags;
	uint8_t base_high;
} __attribute__((packed));

// Populate the syzos 64-bit GDT: null, a 64-bit code segment (access 0x9A,
// flags 0xAF = G + L), a data segment (access 0x92, flags 0xCF) and the
// low half of the 64-bit TSS descriptor (access 0x89, limit 0x67).
// NOTE(review): X86_SYZOS_ADDR_VAR_TSS ends up as the *data* descriptor's
// base while the TSS descriptor's base is 0. In 64-bit mode the DS base is
// ignored, so the observable effect is a TR base of 0 (matching
// VMCS_HOST_TR_BASE = 0 in init_vmcs_host_state but not the SVM guest
// state, which uses X86_SYZOS_ADDR_VAR_TSS). Also, the upper 8 bytes of
// the 16-byte TSS descriptor (index + 1) are not written here -- assumed
// zero from elsewhere; TODO confirm both.
static void setup_gdt_64(struct gdt_entry* gdt)
{
	gdt[0] = (struct gdt_entry){0};
	gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0};
	gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)};
	gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){
	    .limit_low = 0x67, .base_low = 0, .base_mid = 0, .access = 0x89, .limit_high_and_flags = 0x00, .base_high = 0};
}

// Install GDT, flat 64-bit segment registers (and, past this chunk, the TSS
// and paging state) on a vCPU. The GDT limit covers five 8-byte slots: null,
// code, data and the two halves of the TSS descriptor. The KVM_GET_SREGS
// result is not checked. The function body continues beyond this chunk.
static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd)
{
	struct kvm_sregs sregs;
	ioctl(cpufd, KVM_GET_SREGS, &sregs);
	sregs.gdt.base = X86_SYZOS_ADDR_GDT;
	sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1;
	struct gdt_entry* gdt = (struct gdt_entry*)((uint64_t)vm->host_mem + sregs.gdt.base);
	setup_gdt_64(gdt);
	// CS: 64-bit code (type 11 = execute/read, accessed; L=1, G=1).
	struct kvm_segment seg_cs64;
	memset(&seg_cs64, 0, sizeof(seg_cs64));
	seg_cs64.selector = X86_SYZOS_SEL_CODE;
	seg_cs64.type = 11;
	seg_cs64.base = 0;
	seg_cs64.limit = 0xFFFFFFFFu;
	seg_cs64.present = 1;
	seg_cs64.s = 1;
	seg_cs64.g = 1;
	seg_cs64.l = 1;
	sregs.cs = seg_cs64;
	// Data/stack: type 3 = read/write, accessed; shared by DS/ES/FS/GS/SS.
	struct kvm_segment seg_ds64;
	memset(&seg_ds64, 0, sizeof(struct kvm_segment));
	seg_ds64.selector = X86_SYZOS_SEL_DATA;
	seg_ds64.type = 3;
	seg_ds64.limit = 0xFFFFFFFFu;
	seg_ds64.present = 1;
	seg_ds64.s = 1;
	seg_ds64.g = 1;
	seg_ds64.db = 1;
	sregs.ds = seg_ds64;
	sregs.es = seg_ds64;
	sregs.fs = seg_ds64;
	sregs.gs = seg_ds64;
	sregs.ss = seg_ds64;
	struct
kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)((uint64_t)vm->host_mem + X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); setup_pg_table(vm); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = 
text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; 
seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct 
kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; 
host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags 
& KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = 
X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; 
tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) 
| (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, 
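&seg_tgate16);
	fill_segment_descriptor(gdt, ldt, &seg_cgate32);
	fill_segment_descriptor(gdt, ldt, &seg_tgate32);
	fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
	if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
		return -1;
	if (ioctl(cpufd, KVM_SET_REGS, &regs))
		return -1;
	return 0;
}

#define RFLAGS_1_BIT (1ULL << 1)
#define RFLAGS_IF_BIT (1ULL << 9)

/*
 * Load the initial general-purpose register state of a SyzOS vCPU.
 * Execution starts at guest_main with rdi = size of the installed user
 * text and rsi = the vCPU id; rflags has the always-one bit 1 set and
 * interrupts enabled.  The KVM_SET_REGS result is not checked, in line
 * with the other vCPU setup helpers in this file.
 */
static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size)
{
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
	regs.rip = executor_fn_guest_addr(guest_main);
	regs.rsp = X86_SYZOS_ADDR_STACK0;
	regs.rdi = text_size;
	regs.rsi = cpu_id;
	ioctl(cpufd, KVM_SET_REGS, &regs);
}

/*
 * Copy the fuzzer-supplied guest code for one vCPU into its private page of
 * the user-code region and bring the vCPU into 64-bit mode pointing at it.
 * An out-of-range cpu_id is ignored; text longer than one page is truncated,
 * because each vCPU owns exactly KVM_PAGE_SIZE bytes of that region.
 */
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size)
{
	if (cpu_id < 0 || cpu_id >= KVM_MAX_VCPU)
		return;
	if (vm->user_text == NULL)
		return; /* the user-code region was never mapped by setup_vm() */
	if (text_size > KVM_PAGE_SIZE)
		text_size = KVM_PAGE_SIZE;
	void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
	memcpy(target, text, text_size);
	setup_gdt_ldt_pg(vm, cpufd);
	setup_cpuid(cpufd);
	reset_cpu_regs(cpufd, cpu_id, text_size);
}

/* A contiguous host-memory window: base address and number of bytes. */
struct addr_size {
	void* addr;
	size_t size;
};

/*
 * Bump-allocate `size` bytes from the front of the pool described by `free`.
 * Returns the carved-out window, or {NULL, 0} (leaving the pool untouched)
 * when fewer than `size` bytes remain.  No alignment is applied; the callers
 * in this file only ever request page multiples.
 */
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size)
{
	struct addr_size ret = {.addr = NULL, .size = 0};
	if (free->size < size)
		return ret;
	ret.addr = free->addr;
	ret.size = size;
	free->addr = (void*)((char*)free->addr + size);
	free->size -= size;
	return ret;
}

/*
 * Register one KVM memory slot mapping host [userspace_addr, +memory_size)
 * at guest physical address guest_phys_addr with the given KVM_MEM_* flags.
 * The ioctl result is not reported to the caller.
 */
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr)
{
	struct kvm_userspace_memory_region memreg = {
	    .slot = slot,
	    .flags = flags,
	    .guest_phys_addr = guest_phys_addr,
	    .memory_size = memory_size,
	    .userspace_addr = userspace_addr,
	};
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}

/*
 * Copy the linked-in SyzOS guest image (the __start_guest..__stop_guest
 * section) into the host memory backing the executor-code region.
 * Aborts if the image does not fit, since a truncated guest cannot run.
 */
static void install_syzos_code(void* host_mem, size_t mem_size)
{
	size_t size = (char*)&__stop_guest - (char*)&__start_guest;
	if (size > mem_size)
		exit(1);
	memcpy(host_mem, &__start_guest, size);
}

/*
 * Carve the host memory pool into the fixed SyzOS regions and register each
 * one as a KVM memory slot; whatever is left over becomes one more slot at
 * X86_SYZOS_ADDR_UNUSED.  Regions flagged NO_HOST_MEM get neither backing
 * memory nor a slot.  Running out of pool space is fatal: continuing would
 * leave vm->user_text / vm->gpa0_mem NULL, to be dereferenced later by
 * install_user_code() and setup_pg_table().
 */
static void setup_vm(int vmfd, struct kvm_syz_vm* vm)
{
	struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE};
	int slot = 0;
	for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) {
		const struct mem_region* r = &syzos_mem_regions[i];
		if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM)
			continue;
		struct addr_size next = alloc_guest_mem(&allocator, r->pages * KVM_PAGE_SIZE);
		if (next.addr == NULL)
			exit(1); /* the static region table no longer fits the pool */
		uint32_t flags = 0;
		if (r->flags & MEM_REGION_FLAG_DIRTY_LOG)
			flags |= KVM_MEM_LOG_DIRTY_PAGES;
		if (r->flags & MEM_REGION_FLAG_READONLY)
			flags |= KVM_MEM_READONLY;
		if (r->flags & MEM_REGION_FLAG_USER_CODE)
			vm->user_text = next.addr;
		if (r->flags & MEM_REGION_FLAG_GPA0)
			vm->gpa0_mem = next.addr;
		if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE)
			install_syzos_code(next.addr, next.size);
		vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr);
	}
	/* Hand the remainder of the pool to the guest as plain RAM; skip the
	 * ioctl when nothing is left rather than registering a zero-sized slot. */
	struct addr_size rest = alloc_guest_mem(&allocator, allocator.size);
	if (rest.size != 0)
		vm_set_user_memory_region(vmfd, slot++, 0, X86_SYZOS_ADDR_UNUSED, rest.size, (uintptr_t)rest.addr);
}

/*
 * syz_kvm_setup_syzos_vm(vmfd, host_mem): build a SyzOS VM on top of an
 * existing KVM vm fd.  host_mem must point at KVM_GUEST_PAGES pages of host
 * memory: page 0 holds the struct kvm_syz_vm handle that is returned, the
 * remaining pages back the guest's memory slots.  Returns the handle as a
 * long, or -1 with errno = EINVAL when host_mem is NULL (mirrors the
 * argument check in syz_kvm_add_vcpu).
 */
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1)
{
	const int vmfd = a0;
	void* host_mem = (void*)a1;
	if (host_mem == NULL) {
		errno = EINVAL;
		return -1;
	}
	struct kvm_syz_vm* vm = (struct kvm_syz_vm*)host_mem;
	vm->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE);
	vm->total_pages = KVM_GUEST_PAGES - 1;
	setup_vm(vmfd, vm);
	vm->vmfd = vmfd;
	vm->next_cpu_id = 0;
	return (long)vm;
}

/*
 * syz_kvm_add_vcpu(vm, text): create the next vCPU of a SyzOS VM and install
 * the given guest text on it.  Returns the vCPU fd, or -1 with errno set.
 * NOTE(review): utext is dereferenced before any NULL check and is itself
 * never validated; the function body continues on the following line.
 */
static long syz_kvm_add_vcpu(volatile long a0, volatile long a1)
{
	struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0;
	struct kvm_text* utext = (struct kvm_text*)a1;
	const void* text = utext->text;
	size_t text_size = utext->size;
	if (!vm) {
		errno = EINVAL;
		return -1;
	}
	if (vm->next_cpu_id == KVM_MAX_VCPU) {
		errno = ENOMEM;
		return -1;
	}
	int cpu_id = vm->next_cpu_id;
	int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id);
	if (cpufd == -1)
		return -1;
	vm->next_cpu_id++;
	install_user_code(vm, cpufd, cpu_id, text, 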
text_size); return cpufd; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); 
setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static 
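void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, cap_data))
		exit(1);
	/* Both capabilities live in the first 32-bit word of the v3 set, so
	 * only cap_data[0] is touched; cap_data[1] is passed back unchanged. */
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, cap_data))
		exit(1);
}

/*
 * The "none" sandbox: fork the fuzzing loop into a fresh pid namespace, apply
 * the common limits and namespace setup, drop CAP_SYS_PTRACE/CAP_SYS_NICE,
 * move into a private net namespace and a tmpfs root, then run loop().
 * The unshare() calls are best-effort (a failure is ignored and the loop
 * still runs).  The parent only waits for the child's exit status.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	sandbox_common_mount_tmpfs();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir` and everything below it, undoing what a fuzzing
 * run may have left behind: stacked mounts are unmounted first, files whose
 * unlink fails with EPERM get their inode attribute flags (immutable,
 * append-only, ...) cleared and are retried, EBUSY triggers another unmount,
 * and EROFS is tolerated.  Any other failure terminates the process.
 * Every retry loop is bounded (100 attempts) so a persistently failing
 * entry cannot spin forever.
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = NULL;
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL)
		exit(1);
	struct dirent* ep = NULL;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		int n = snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		if (n < 0 || (size_t)n >= sizeof(filename))
			exit(1); /* a truncated path would name a different file */
		while (umount2(filename, umount_flags) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		for (int i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			int err = errno; /* keep unlink's errno across the open/ioctl below */
			if (err == EROFS)
				break;
			if (i > 100)
				exit(1);
			if (err == EPERM) {
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					(void)ioctl(fd, FS_IOC_SETFLAGS, &flags);
					close(fd);
					continue;
				}
			}
			if (err != EBUSY)
				exit(1);
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		int err = errno;
		if (i < 100) {
			if (err == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					(void)ioctl(fd, FS_IOC_SETFLAGS, &flags);
					close(fd);
					continue;
				}
			}
			if (err == EROFS)
				break;
			if (err == EBUSY) {
				if (umount2(dir, umount_flags))
					exit(1);
				continue;
			}
			if (err == ENOTEMPTY && iter < 100) {
				/* something was created underneath us meanwhile: rescan */
				iter++;
				goto retry;
			}
		}
		exit(1);
	}
}

/*
 * Arm systematic fault injection so that the nth fault-injection point hit
 * by this thread fails.  Returns the open fail-nth fd, which the caller keeps
 * for the duration of the test; any failure is fatal.
 */
static int inject_fault(int nth)
{
	int fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	int len = snprintf(buf, sizeof(buf), "%d", nth);
	if (len < 0 || (size_t)len >= sizeof(buf))
		exit(1);
	if (write(fd, buf, len) != (ssize_t)len)
		exit(1);
	return fd;
}

/*
 * SIGKILL the test process group and process, then reap `pid`.  If it has
 * not exited within ~100ms, assume it is stuck in a FUSE request and poke
 * every connection's abort file under /sys/fs/fuse/connections before
 * blocking in waitpid().  Note that waitpid(-1, ...) also reaps any other
 * child that exits in the meantime.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort_path[300];
			snprintf(abort_path, sizeof(abort_path), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort_path, O_WRONLY);
			if (fd == -1)
				continue;
			/* one byte of anything is enough to trigger the abort */
			if (write(fd, abort_path, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* Detach whatever backing file is still attached to this process's loop device. */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/*
 * Per-test process setup: die with the parent, become a process-group leader
 * (so kill_and_wait can kill the whole group), make this process the OOM
 * killer's first choice, and expose binderfs at ./binderfs (failure ignored).
 */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

/*
 * Check that the kernel supports systematic fault injection and configure
 * the debugfs knobs it needs.  Returns NULL on success or a static
 * description of what is missing.  (Function continues on the next line.)
 */
static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},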
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; 
struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case 
FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, 
volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long 
handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 60; call++) { for (thread = 0; thread < 
(int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 3000 : 0) + (call == 53 ? 3000 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0) + (call == 56 ? 300 : 0) + (call == 57 ? 3000 : 0) + (call == 58 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[37] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x200000000000 = 0x4006; *(uint32_t*)0x200000000004 = 0xd; *(uint32_t*)0x200000000008 = 2; *(uint32_t*)0x20000000000c = 8; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, 
/*cmd=*/0x80044945, /*arg=*/0x200000000000ul); break; case 1: *(uint32_t*)0x200000000040 = 0; *(uint32_t*)0x200000000044 = 1; *(uint32_t*)0x200000000048 = 4; *(uint32_t*)0x20000000004c = 2; *(uint32_t*)0x200000000050 = 5; *(uint32_t*)0x200000000054 = 0x81; *(uint32_t*)0x200000000058 = 0; memcpy((void*)0x20000000005c, "id1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); memcpy((void*)0x20000000009c, "timer0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 80); *(uint64_t*)0x2000000000f0 = 0; *(uint64_t*)0x2000000000f8 = 6; *(uint64_t*)0x200000000100 = 3; *(uint64_t*)0x200000000108 = 0x70a; *(uint32_t*)0x200000000110 = 9; memset((void*)0x200000000114, 0, 32); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0f85403, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000140, "/dev/ircomm#\000", 13); res = -1; res = syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); for (int i = 0; i < 4; i++) { syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); } if (res != -1) r[0] = res; break; case 3: *(uint32_t*)0x200000000340 = 0x82; *(uint32_t*)0x200000000344 = 8; *(uint64_t*)0x200000000348 = 0x200000000280; *(uint32_t*)0x200000000280 = 1; *(uint64_t*)0x200000000284 = 0; *(uint32_t*)0x20000000028c = 0xc0; *(uint64_t*)0x200000000290 = 0x200000000180; memcpy((void*)0x200000000180, 
"\x5b\x58\xac\x0e\xd1\xd2\x7b\x21\x7d\x3f\xdc\x62\x99\xcd\xde\x4d\x85\x32\x1f\x7b\xba\xa0\x64\xd3\x61\x51\x9c\xdd\xe4\x3b\x22\x5c\xf0\x06\x58\xdd\xbf\xbd\x91\x4c\xf7\x9e\xce\xb3\x48\xf1\x86\x92\x31\x5c\x3c\x69\xec\x14\x8e\x2d\xd9\x28\xac\x7e\xe6\x2f\x51\x11\xb9\xdc\xca\xca\x88\x52\x49\x12\x34\x19\x55\xf7\x9b\x0f\x22\x06\xb8\x0e\x6e\x5a\x7e\x68\x1a\x62\x96\x94\xa3\x4f\x9b\x0e\x39\x87\x7e\xef\xde\x60\xa0\x68\xcd\xc4\x45\x45\xd6\xfe\x45\xd0\x00\x0c\x99\x61\xa1\xff\x16\x87\x47\x44\x7e\x34\x6b\x16\x46\x08\x75\xc6\x91\xde\x11\x83\xb2\xd7\xb0\x32\xcf\xae\x85\x49\x7d\x0d\x88\x48\xd4\xba\xa9\xad\xc6\xca\xac\xcd\x9a\xf6\x01\x9e\xa2\xba\x6f\x3b\x4e\x60\x18\xdf\x94\xca\xca\xbe\xdd\xec\x7b\x60\x02\x30\xea\x77\x90\x01\x93\x99\xd0\xbe\xb6\x1f\x42\x7d\xf8\x35\x9c\xc3\x48\x93", 192); *(uint64_t*)0x200000000298 = 0; *(uint32_t*)0x2000000002a0 = 0; *(uint64_t*)0x2000000002a4 = 0x200000000240; *(uint32_t*)0x2000000002ac = 0x10000; *(uint32_t*)0x2000000002b0 = 0; *(uint64_t*)0x2000000002b4 = 0; *(uint32_t*)0x2000000002bc = 0x81; *(uint32_t*)0x2000000002c0 = 0xe; *(uint64_t*)0x200000000350 = 0x200000000300; *(uint32_t*)0x200000000358 = 0x44; *(uint32_t*)0x20000000035c = 0xc; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0206440, /*arg=*/0x200000000340ul); if (res != -1) r[1] = *(uint64_t*)0x200000000300; break; case 4: *(uint32_t*)0x200000000400 = 0x81; *(uint32_t*)0x200000000404 = 4; *(uint64_t*)0x200000000408 = 0x200000000380; *(uint64_t*)0x200000000380 = r[1]; *(uint64_t*)0x200000000410 = 0x2000000003c0; *(uint32_t*)0x200000000418 = 8; *(uint32_t*)0x20000000041c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000400ul); break; case 5: *(uint32_t*)0x200000000440 = 3; *(uint32_t*)0x200000000444 = 6; STORE_BY_BITMASK(uint32_t, , 0x200000000448, 1, 0, 1); memcpy((void*)0x200000000449, 
"queue1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); *(uint32_t*)0x20000000048c = 0xdae; memset((void*)0x200000000490, 0, 60); syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc08c5335, /*arg=*/0x200000000440ul); break; case 6: memcpy((void*)0x200000000540, "TIPCv2\000", 7); res = -1; res = syz_genetlink_get_family_id(/*name=*/0x200000000540, /*fd=*/r[0]); if (res != -1) r[2] = res; break; case 7: *(uint64_t*)0x200000000880 = 0x200000000500; *(uint16_t*)0x200000000500 = 0x10; *(uint16_t*)0x200000000502 = 0; *(uint32_t*)0x200000000504 = 0; *(uint32_t*)0x200000000508 = 0x1000000; *(uint32_t*)0x200000000888 = 0xc; *(uint64_t*)0x200000000890 = 0x200000000840; *(uint64_t*)0x200000000840 = 0x200000000580; *(uint32_t*)0x200000000580 = 0x2b4; *(uint16_t*)0x200000000584 = r[2]; *(uint16_t*)0x200000000586 = 0x400; *(uint32_t*)0x200000000588 = 0x70bd2d; *(uint32_t*)0x20000000058c = 0x25dfdbfb; *(uint8_t*)0x200000000590 = 4; *(uint8_t*)0x200000000591 = 0; *(uint16_t*)0x200000000592 = 0; *(uint16_t*)0x200000000594 = 0x44; STORE_BY_BITMASK(uint16_t, , 0x200000000596, 3, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 1, 7, 1); *(uint16_t*)0x200000000598 = 8; *(uint16_t*)0x20000000059a = 1; *(uint32_t*)0x20000000059c = 6; *(uint16_t*)0x2000000005a0 = 8; *(uint16_t*)0x2000000005a2 = 1; *(uint32_t*)0x2000000005a4 = 0x3f; *(uint16_t*)0x2000000005a8 = 8; *(uint16_t*)0x2000000005aa = 1; *(uint32_t*)0x2000000005ac = 2; *(uint16_t*)0x2000000005b0 = 8; *(uint16_t*)0x2000000005b2 = 1; *(uint32_t*)0x2000000005b4 = 0x4c00000; *(uint16_t*)0x2000000005b8 = 8; *(uint16_t*)0x2000000005ba = 1; *(uint32_t*)0x2000000005bc = 3; *(uint16_t*)0x2000000005c0 = 8; *(uint16_t*)0x2000000005c2 = 1; *(uint32_t*)0x2000000005c4 = 6; *(uint16_t*)0x2000000005c8 = 8; 
*(uint16_t*)0x2000000005ca = 3; *(uint32_t*)0x2000000005cc = 0x67c; *(uint16_t*)0x2000000005d0 = 8; *(uint16_t*)0x2000000005d2 = 1; *(uint32_t*)0x2000000005d4 = 7; *(uint16_t*)0x2000000005d8 = 0x3c; STORE_BY_BITMASK(uint16_t, , 0x2000000005da, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 1, 7, 1); *(uint16_t*)0x2000000005dc = 9; *(uint16_t*)0x2000000005de = 1; memcpy((void*)0x2000000005e0, "syz1\000", 5); *(uint16_t*)0x2000000005e8 = 0x2c; STORE_BY_BITMASK(uint16_t, , 0x2000000005ea, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 1, 7, 1); *(uint16_t*)0x2000000005ec = 8; *(uint16_t*)0x2000000005ee = 3; *(uint32_t*)0x2000000005f0 = 0x220a; *(uint16_t*)0x2000000005f4 = 8; *(uint16_t*)0x2000000005f6 = 4; *(uint32_t*)0x2000000005f8 = 0x9c0; *(uint16_t*)0x2000000005fc = 8; *(uint16_t*)0x2000000005fe = 2; *(uint32_t*)0x200000000600 = 0x101; *(uint16_t*)0x200000000604 = 8; *(uint16_t*)0x200000000606 = 4; *(uint32_t*)0x200000000608 = 3; *(uint16_t*)0x20000000060c = 8; *(uint16_t*)0x20000000060e = 1; *(uint32_t*)0x200000000610 = 8; *(uint16_t*)0x200000000614 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000616, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 1, 7, 1); *(uint16_t*)0x200000000618 = 8; *(uint16_t*)0x20000000061a = 2; *(uint32_t*)0x20000000061c = 6; *(uint16_t*)0x200000000620 = 8; *(uint16_t*)0x200000000622 = 1; *(uint32_t*)0x200000000624 = 1; *(uint16_t*)0x200000000628 = 0xb8; STORE_BY_BITMASK(uint16_t, , 0x20000000062a, 1, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 1, 7, 1); *(uint16_t*)0x20000000062c = 0x24; STORE_BY_BITMASK(uint16_t, , 0x20000000062e, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 1, 7, 1); *(uint16_t*)0x200000000630 = 8; 
*(uint16_t*)0x200000000632 = 2; *(uint32_t*)0x200000000634 = 9; *(uint16_t*)0x200000000638 = 8; *(uint16_t*)0x20000000063a = 4; *(uint32_t*)0x20000000063c = 7; *(uint16_t*)0x200000000640 = 8; *(uint16_t*)0x200000000642 = 2; *(uint32_t*)0x200000000644 = 5; *(uint16_t*)0x200000000648 = 8; *(uint16_t*)0x20000000064a = 2; *(uint32_t*)0x20000000064c = 2; *(uint16_t*)0x200000000650 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000652, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 1, 7, 1); *(uint16_t*)0x200000000654 = 8; *(uint16_t*)0x200000000656 = 3; *(uint32_t*)0x200000000658 = 6; *(uint16_t*)0x20000000065c = 8; *(uint16_t*)0x20000000065e = 4; *(uint32_t*)0x200000000660 = 0; *(uint16_t*)0x200000000664 = 0xd; *(uint16_t*)0x200000000666 = 1; memcpy((void*)0x200000000668, "udp:syz2\000", 9); *(uint16_t*)0x200000000674 = 0xc; STORE_BY_BITMASK(uint16_t, , 0x200000000676, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 1, 7, 1); *(uint16_t*)0x200000000678 = 8; *(uint16_t*)0x20000000067a = 4; *(uint32_t*)0x20000000067c = 7; *(uint16_t*)0x200000000680 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000682, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 1, 7, 1); *(uint16_t*)0x200000000684 = 8; *(uint16_t*)0x200000000686 = 1; *(uint32_t*)0x200000000688 = 0x17; *(uint16_t*)0x20000000068c = 8; *(uint16_t*)0x20000000068e = 1; *(uint32_t*)0x200000000690 = 0x17; *(uint16_t*)0x200000000694 = 8; *(uint16_t*)0x200000000696 = 1; *(uint32_t*)0x200000000698 = 0x12; *(uint16_t*)0x20000000069c = 0x2c; *(uint16_t*)0x20000000069e = 4; *(uint16_t*)0x2000000006a0 = 0x14; *(uint16_t*)0x2000000006a2 = 1; *(uint16_t*)0x2000000006a4 = 2; *(uint16_t*)0x2000000006a6 = htobe16(0x4e21); *(uint32_t*)0x2000000006a8 = htobe32(0xe0000002); *(uint16_t*)0x2000000006b4 = 0x14; *(uint16_t*)0x2000000006b6 = 2; 
*(uint16_t*)0x2000000006b8 = 2; *(uint16_t*)0x2000000006ba = htobe16(0x4e20); *(uint32_t*)0x2000000006bc = htobe32(-1); *(uint16_t*)0x2000000006c8 = 8; *(uint16_t*)0x2000000006ca = 3; *(uint32_t*)0x2000000006cc = 0xb; *(uint16_t*)0x2000000006d0 = 0xd; *(uint16_t*)0x2000000006d2 = 1; memcpy((void*)0x2000000006d4, "udp:syz1\000", 9); *(uint16_t*)0x2000000006e0 = 0x20; STORE_BY_BITMASK(uint16_t, , 0x2000000006e2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 1, 7, 1); *(uint16_t*)0x2000000006e4 = 8; *(uint16_t*)0x2000000006e6 = 1; *(uint32_t*)0x2000000006e8 = 8; *(uint16_t*)0x2000000006ec = 0xc; *(uint16_t*)0x2000000006ee = 3; *(uint64_t*)0x2000000006f0 = 6; *(uint16_t*)0x2000000006f8 = 8; *(uint16_t*)0x2000000006fa = 1; *(uint32_t*)0x2000000006fc = 0x80; *(uint16_t*)0x200000000700 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000702, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 1, 7, 1); *(uint16_t*)0x200000000704 = 8; *(uint16_t*)0x200000000706 = 1; *(uint32_t*)0x200000000708 = 2; *(uint16_t*)0x20000000070c = 8; *(uint16_t*)0x20000000070e = 1; *(uint32_t*)0x200000000710 = 9; *(uint16_t*)0x200000000714 = 0x10c; STORE_BY_BITMASK(uint16_t, , 0x200000000716, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 1, 7, 1); *(uint16_t*)0x200000000718 = 9; *(uint16_t*)0x20000000071a = 1; memcpy((void*)0x20000000071c, "syz1\000", 5); *(uint16_t*)0x200000000724 = 0x13; *(uint16_t*)0x200000000726 = 1; memcpy((void*)0x200000000728, "broadcast-link\000", 15); *(uint16_t*)0x200000000738 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000073a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 1, 7, 1); *(uint16_t*)0x20000000073c = 8; *(uint16_t*)0x20000000073e = 2; *(uint32_t*)0x200000000740 = 0x187; *(uint16_t*)0x200000000744 = 8; 
*(uint16_t*)0x200000000746 = 4; *(uint32_t*)0x200000000748 = 0x40; *(uint16_t*)0x20000000074c = 8; *(uint16_t*)0x20000000074e = 1; *(uint32_t*)0x200000000750 = 0x10; *(uint16_t*)0x200000000754 = 0x24; STORE_BY_BITMASK(uint16_t, , 0x200000000756, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 1, 7, 1); *(uint16_t*)0x200000000758 = 8; *(uint16_t*)0x20000000075a = 2; *(uint32_t*)0x20000000075c = 0xc0fb; *(uint16_t*)0x200000000760 = 8; *(uint16_t*)0x200000000762 = 2; *(uint32_t*)0x200000000764 = 0; *(uint16_t*)0x200000000768 = 8; *(uint16_t*)0x20000000076a = 2; *(uint32_t*)0x20000000076c = 3; *(uint16_t*)0x200000000770 = 8; *(uint16_t*)0x200000000772 = 4; *(uint32_t*)0x200000000774 = 6; *(uint16_t*)0x200000000778 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000077a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 1, 7, 1); *(uint16_t*)0x20000000077c = 8; *(uint16_t*)0x20000000077e = 1; *(uint32_t*)0x200000000780 = 0x18; *(uint16_t*)0x200000000784 = 8; *(uint16_t*)0x200000000786 = 2; *(uint32_t*)0x200000000788 = 0x80000000; *(uint16_t*)0x20000000078c = 8; *(uint16_t*)0x20000000078e = 2; *(uint32_t*)0x200000000790 = 2; *(uint16_t*)0x200000000794 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000796, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 1, 7, 1); *(uint16_t*)0x200000000798 = 8; *(uint16_t*)0x20000000079a = 4; *(uint32_t*)0x20000000079c = 0xfffffff2; *(uint16_t*)0x2000000007a0 = 8; *(uint16_t*)0x2000000007a2 = 3; *(uint32_t*)0x2000000007a4 = 7; *(uint16_t*)0x2000000007a8 = 8; *(uint16_t*)0x2000000007aa = 3; *(uint32_t*)0x2000000007ac = 0xd0; *(uint16_t*)0x2000000007b0 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x2000000007b2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 1, 7, 1); *(uint16_t*)0x2000000007b4 = 8; 
*(uint16_t*)0x2000000007b6 = 1; *(uint32_t*)0x2000000007b8 = 0xf; *(uint16_t*)0x2000000007bc = 8; *(uint16_t*)0x2000000007be = 4; *(uint32_t*)0x2000000007c0 = 0x401; *(uint16_t*)0x2000000007c4 = 8; *(uint16_t*)0x2000000007c6 = 1; *(uint32_t*)0x2000000007c8 = 9; *(uint16_t*)0x2000000007cc = 0x54; STORE_BY_BITMASK(uint16_t, , 0x2000000007ce, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 1, 7, 1); *(uint16_t*)0x2000000007d0 = 8; *(uint16_t*)0x2000000007d2 = 3; *(uint32_t*)0x2000000007d4 = 0xe6a9; *(uint16_t*)0x2000000007d8 = 8; *(uint16_t*)0x2000000007da = 4; *(uint32_t*)0x2000000007dc = 7; *(uint16_t*)0x2000000007e0 = 8; *(uint16_t*)0x2000000007e2 = 3; *(uint32_t*)0x2000000007e4 = 0x10000; *(uint16_t*)0x2000000007e8 = 8; *(uint16_t*)0x2000000007ea = 3; *(uint32_t*)0x2000000007ec = 0x2000; *(uint16_t*)0x2000000007f0 = 8; *(uint16_t*)0x2000000007f2 = 2; *(uint32_t*)0x2000000007f4 = 9; *(uint16_t*)0x2000000007f8 = 8; *(uint16_t*)0x2000000007fa = 3; *(uint32_t*)0x2000000007fc = 6; *(uint16_t*)0x200000000800 = 8; *(uint16_t*)0x200000000802 = 4; *(uint32_t*)0x200000000804 = 0x81; *(uint16_t*)0x200000000808 = 8; *(uint16_t*)0x20000000080a = 3; *(uint32_t*)0x20000000080c = 0x3ff; *(uint16_t*)0x200000000810 = 8; *(uint16_t*)0x200000000812 = 1; *(uint32_t*)0x200000000814 = 0x19; *(uint16_t*)0x200000000818 = 8; *(uint16_t*)0x20000000081a = 1; *(uint32_t*)0x20000000081c = 0x1a; *(uint16_t*)0x200000000820 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000822, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 1, 7, 1); *(uint16_t*)0x200000000824 = 8; *(uint16_t*)0x200000000826 = 1; *(uint32_t*)0x200000000828 = 1; *(uint16_t*)0x20000000082c = 8; *(uint16_t*)0x20000000082e = 2; *(uint32_t*)0x200000000830 = 0x79; *(uint64_t*)0x200000000848 = 0x2b4; *(uint64_t*)0x200000000898 = 1; *(uint64_t*)0x2000000008a0 = 0; *(uint64_t*)0x2000000008a8 = 0; 
*(uint32_t*)0x2000000008b0 = 0x4040811; syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000880ul, /*f=*/0ul); break; case 8: syscall(__NR_read, /*fd=*/r[0], /*data=*/0x2000000008c0ul, /*len=*/0x1dul); break; case 9: *(uint64_t*)0x200000000980 = 6; *(uint64_t*)0x200000000988 = 0x200000000940; *(uint64_t*)0x200000000940 = 0x904e; *(uint64_t*)0x200000000948 = 1; *(uint64_t*)0x200000000950 = 9; *(uint64_t*)0x200000000958 = 6; *(uint64_t*)0x200000000960 = 0xe; *(uint64_t*)0x200000000968 = 5; syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x4010801d, /*arg=*/0x200000000980ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 4, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; memset((void*)0x20000000004a, 255, 6); *(uint8_t*)0x200000000050 = 8; *(uint8_t*)0x200000000051 = 2; *(uint8_t*)0x200000000052 = 0x11; *(uint8_t*)0x200000000053 = 0; *(uint8_t*)0x200000000054 = 0; *(uint8_t*)0x200000000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x200000000056, 1, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0x7f, 4, 12); *(uint16_t*)0x200000000058 = 0x1f; *(uint8_t*)0x20000000005a = 0x8c; *(uint8_t*)0x20000000005b = 0x18; 
*(uint16_t*)0x20000000005c = 0x5d9; memcpy((void*)0x20000000005e, "\x8e\x85\x14\x4c\x64\x33", 6); memcpy((void*)0x200000000064, "\xe0\x23\xfb\xed\x51\x30\x11\xc5\x70\x7e\x45\x24\x72\xe2\x05\x5d", 16); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x34); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memcpy((void*)0x2000000000c0, "\x3a\x38\x64\x65\xf3\x89\x38\x0e\x26\xb0\xcb\x13\xf9\x8a\x36\xe2\x21\x4f\x09\x9e\xe0\xd0\xb2\x9b\x75\x4e\x31\xd6\xef\xc8\x2c\x04", 32); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/0x20, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_path_truncate\000", 22); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xda\xa4\xed\x40\xf7\xcf\x4d\xa8\x63\x77\xe8\x64\xd8\xe6\xc6\xd4\xfc\x54\x86\xaf\x4a\x6f\x23\xde\xa5\x8b\x32\x43\xa2\x91\xb0\x18\x0d\xba\xf5\xc9\x27\x58\xaf\x73\xf9", 41); memcpy((void*)0x200000000200, "\x40\xf2\x76\x85\x6b\x81\x91\xc4\xf3\x12\x75\x9d\x79\x5a\x22\xc3\xc7\xed\xc9\x16\x78\x79\x4f\x4e\xea\xc4\x57\x46\xfc\xc9\x93\x07\x22\xc8\x18\x9b\xa5\x95\x65\xf7\x32\x7c\xbc\xd4\x50\x61\x64\xeb\x9f\x6f\xf1\x75\xf1\xf0\x8d\x60\x24\x70\x91\x77\x2c\x18\x5a\xc3\x83\x04\xe9\xb5\xb3", 69); res = -1; res = syz_clone(/*flags=CLONE_NEWUTS|CLONE_VFORK*/0x4004000, /*stack=*/0x200000000140, /*stack_len=*/0x29, /*parentid=*/0x200000000180, /*childtid=*/0x2000000001c0, /*tls=*/0x200000000200); if (res != -1) r[3] = res; break; case 14: res = syscall(__NR_getpgrp, /*pid=*/r[3]); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x800; *(uint64_t*)0x200000000508 = 0x200000000280; *(uint64_t*)0x200000000510 = 0x2000000002c0; *(uint64_t*)0x200000000518 = 0x200000000300; *(uint32_t*)0x200000000520 = 0x12; *(uint64_t*)0x200000000528 = 0x200000000340; *(uint64_t*)0x200000000530 = 0x66; *(uint64_t*)0x200000000538 = 0x2000000003c0; *(uint64_t*)0x200000000540 = 
0x2000000004c0; *(uint32_t*)0x2000000004c0 = r[3]; *(uint32_t*)0x2000000004c4 = r[3]; *(uint32_t*)0x2000000004c8 = r[3]; *(uint32_t*)0x2000000004cc = r[4]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = -1; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000280; r[7] = *(uint32_t*)0x2000000002c0; r[8] = *(uint32_t*)0x200000000300; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000001680 = 4; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000001680ul); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000004a80 = 0x80000000; *(uint32_t*)0x200000004a84 = 0xee01; *(uint32_t*)0x200000004a88 = 0xee01; *(uint32_t*)0x200000004a8c = 5; *(uint32_t*)0x200000004a90 = 0xfffffff8; *(uint32_t*)0x200000004a94 = 1; *(uint16_t*)0x200000004a98 = 0x6bc1; *(uint32_t*)0x200000004a9c = 0x40; *(uint64_t*)0x200000004aa0 = 0xffff; *(uint64_t*)0x200000004aa8 = 0x2265; *(uint64_t*)0x200000004ab0 = 0xfffffffffffffff8; *(uint32_t*)0x200000004ab8 = r[3]; *(uint32_t*)0x200000004abc = r[8]; *(uint16_t*)0x200000004ac0 = 0xfffa; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000003a40; memcpy((void*)0x200000003a40, 
"\x89\x17\xf9\x6e\xff\x00\x1e\x00\x64\x91\xda\x94\x8f\x25\xc3\xac\x36\x65\x39\x2d\x07\x7a\x28\x78\xa0\xc4\x71\x86\xfb\xb5\x96\x00\xe8\x72\x5c\x57\x48\x93\xc0\xd6\x45\x65\x1c\xd4\x96\xd4\xd6\xc4\x3d\xd8\xd9\xe3\xce\xca\x2e\x2a\x35\xfd\x60\x78\x5c\xd7\x7e\xc5\xc5\xee\xd5\xea\x44\xa8\x53\x76\x9a\x52\xcb\x3e\x89\xd0\x6c\x09\x95\xf7\x7e\x9b\x7e\xcc\x68\xfa\x52\x1a\xc4\xb1\x93\xee\x67\xdc\xce\xc0\xa7\xd1\x3f\x3c\x06\x8e\xe0\x46\xa9\xa1\x42\x01\x1c\xd4\xba\x8e\x67\xf3\x81\xe1\x67\x45\xd8\x1a\x2b\x5b\xf1\x1f\x4e\xf0\x01\x43\x30\xc9\x5f\x0f\x5b\xc8\x9d\x00\xf1\x61\x29\xa9\x63\x77\x82\xe5\xa6\xf4\xd9\x22\xe0\xf0\x74\x57\xee\x51\x5e\x1b\xbf\x56\x54\x90\x6d\x88\x7b\xa0\x2b\xee\x66\x4d\xa7\x2a\x51\xb5\xdc\xdf\x4b\xec\xca\x2d\x80\x67\xe3\x57\x53\xc0\x31\x23\x59\xef\xb6\xda\x86\x14\x9a\xfc\x10\x10\xd0\xc6\xc8\x6c\xc9\xc8\x83\x1c\xa1\x27\x6c\xa9\x68\x81\x1c\x87\xba\xab\x12\x1c\x9d\x81\x72\x73\x19\x6e\x97\xae\x66\xf3\x97\x66\x7e\x02\x3f\xc2\x33\x19\xc2\x4f\xa8\x23\x57\x22\x26\xfb\x74\x8a\xc5\x4f\xf5\x28\x23\x6b\x07\x81\xa2\x0e\xd5\x2e\x11\x69\x27\xa2\x2b\x11\xe0\xb8\xac\xeb\x36\xd2\xcf\x4a\x78\xeb\x34\x65\xfc\xb9\xc9\x49\x3e\xad\xd4\x46\x86\x76\x6f\xb2\x6d\x4d\x0a\x54\xd0\x28\x27\x3a\x5c\x60\x53\x88\x53\x4e\x49\x37\xf1\x8c\xa9\x05\x32\x44\x5f\x94\x66\x51\xf3\x63\x4e\x9b\x36\x5b\xb8\xed\x72\x42\xb9\x12\x31\xba\x06\x34\x7e\xab\x1f\x32\x00\x96\x37\x4f\xbd\x8a\x7a\x94\xc2\xfa\x71\x54\x41\x5c\x92\x3f\xd6\x6c\xd6\x26\x48\x9e\x7c\x79\xca\xd3\x9b\x66\xb0\x67\x4b\x94\x39\xb5\x7b\x79\xec\x79\x03\xd3\x5e\xc3\x14\xdb\x9d\x7e\x41\x5d\xf3\xc4\xf7\x55\x14\xb1\xc8\x3e\x9b\x6b\x27\x1d\xab\xeb\xd3\xb7\x93\xa7\x8a\xd5\xba\xef\x25\x39\x39\x34\xbc\x1b\x49\x69\xeb\x61\x28\xd3\x52\x14\x90\x47\x0f\x25\xe7\xa4\x7b\x13\xee\x0c\x47\x72\xd0\x47\x3d\xa5\x18\x44\x1b\x7b\xd3\x62\xbc\x99\xb0\x9c\xf6\x96\xbe\xb9\xe5\xf9\xd3\xd5\xe8\x8e\x9e\x96\x0e\x25\x9e\x4f\xe6\x7c\xfa\x3b\x2a\xbd\xe1\x00\x10\xf3\xc6\xa6\x0d\x26\x9a\xd1\x3e\x59\x05\x2e\x8a\xb9\x51\x40\x1d\xde\x34\x5c\x4f\xed\x4f\xea\x6d\x91\xb8\x4d\xae\xee\xbf\x4
5\xfa\x79\x98\xee\x41\xda\x06\x87\x5e\x7b\xc4\x8d\x9d\xe5\x4d\xe3\x6d\x9e\x27\x49\x5f\xe7\xe8\x8e\x02\x4e\x7d\xd3\x58\x7d\xcb\xc7\x1c\xd4\x33\xb7\x1a\x4d\x97\x2b\x02\x65\x59\xef\xbf\x17\xc2\xb0\x2b\x23\x57\xb9\xd9\x13\xa7\x64\xc9\x5c\x5a\xa7\xb3\x2f\xd2\xc0\xb6\x2b\x47\xf2\x7e\x47\x85\xe7\x6d\x85\x62\xb4\xe4\x3e\xdc\x6d\x61\x0d\x2b\x97\xdd\x1a\x1e\xe6\x5b\xd1\xef\x89\xe0\x11\x0b\x14\xc2\x02\x5b\x04\xb8\xcf\x16\xf0\xc2\xc1\xab\x89\xad\x30\xbd\xbd\x8b\x98\x94\x27\x8b\x4b\xe8\xd0\x81\x55\xec\x0c\xd2\x0f\x54\x4f\x18\xa4\xf2\x6a\x98\x0d\xec\xac\x1c\xe2\x94\x21\x27\xd8\xd0\x35\x0d\xc4\xa9\xa3\x29\x30\xaf\x33\x53\x18\x22\x31\x9d\xd1\x39\xe2\x7c\xf7\x69\xd0\x68\x87\x96\x08\xc2\x51\x7d\x59\x96\x5f\xbf\xfe\x98\x79\xaf\xd4\x87\x87\x5a\xd2\x39\x58\x6b\xbe\xca\xd1\xb0\x0e\x13\x77\x20\x3a\xbe\x3f\xc5\x82\xfa\xaf\x4f\x9e\x08\xe5\x76\x58\x81\x22\x09\xb3\xa8\x65\x3b\xf3\x9e\x12\x6b\x79\x47\x4c\xed\x54\xb7\x4f\xd4\x77\xb0\x3a\x80\x90\x6e\x34\x6d\xfc\x7f\x5a\x86\x41\x0f\x6b\xbc\x64\xa7\xff\x88\xc3\x7a\xa1\xd1\x87\x13\x31\xad\x2a\x63\xfe\xce\xa9\xb4\x3d\x3f\xad\x06\x2d\xe7\x0d\xdd\x1c\x77\x3a\xe6\x25\x68\xff\x3b\xe8\x04\x58\x3d\x3a\x5a\x10\x79\x68\x13\xcd\x4b\x51\xf6\x7b\x09\x91\x0b\x42\x7e\xb9\x28\x04\xe7\xf2\x7a\xdc\xd8\xec\x9a\xfb\x24\xe3\x15\x1b\x48\xa3\x8c\xc5\x99\x27\x99\xdf\x37\xe5\xcf\x6a\xd5\x77\x94\x1a\xd7\xe2\xca\xf1\x56\x19\x23\x69\x27\x34\x2e\x87\xb5\xb2\x60\x47\x37\x16\xa9\xba\xd7\x0b\x39\x51\xf7\x26\x5c\x20\xc0\x00\x85\x26\x67\xfd\xe0\xc4\xb7\xf2\x7a\x32\xb7\xee\x13\x3c\xbc\x65\xba\x4d\xc3\x91\x0c\x23\x75\xe1\x95\xba\x76\x54\xe2\xd2\xd4\x5f\x91\x6e\x47\xf1\x07\x59\x5a\xdc\x63\x24\x78\x40\xdf\x4e\xca\xeb\x96\x40\xfb\x66\x19\x86\xad\xd0\xdd\x02\x79\x6d\x58\x10\xf5\x1c\x93\xfd\xcf\x89\x74\xda\x1f\x10\x14\xf2\xf4\xad\xb1\x6f\x04\xe7\x33\xb5\x3a\xc2\xe8\xb4\xa8\x53\xe9\x3a\x93\x5a\x73\x20\x28\xc8\xe3\xec\x12\x0f\xc5\x41\xe5\x12\x6f\x2d\x88\xdd\x4b\xbc\xa0\x6f\xa6\x10\x16\x34\x64\xcb\x17\xf4\x5e\x7a\x2b\xe0\xe5\x1d\x8e\x45\xe3\x7c\x50\x91\xd7\x62\xce\x5b\xfd\xb6\x93\x53\xba\xf
b\x95\x5c\x25\x54\x47\x02\xdc\xf7\xd1\x39\x4a\xac\x7a\x49\xa0\x78\x7f\xf1\x68\x74\x25\xa3\x75\x24\x9c\xa3\x78\xbc\x4f\x4a\xa2\x4a\xbc\xa2\x4a\x87\x1f\xd6\x74\x25\xb2\xf6\x60\x93\xb5\xb9\x87\x24\x99\xec\x85\xfa\xef\xfb\xf4\x3f\x0a\x4d\x3e\xfb\x5c\xea\xe7\x05\xa1\xa8\xe1\xf2\xbf\x79\xf5\x53\xc1\xc9\xf3\x8b\xd0\x9f\x93\xa8\x22\xbe\xb4\x54\x74\x4d\xd1\x17\x7e\xea\x67\xb7\xbd\x6c\x42\x1e\x58\x24\x62\x02\xab\x90\x2f\x79\xe0\x15\x5f\x1d\xe2\xbf\x22\x6f\x61\xbb\x39\xbf\xc2\xfb\xa3\x47\x9f\x25\xee\xa7\xf0\x1f\x70\xbc\x08\xa9\x8e\x88\x74\xe5\xd1\x38\x42\x83\xb9\x96\x07\xea\xa5\x2e\x89\x54\x90\xbd\xb2\x1c\x81\xcb\x3b\x37\x91\xc1\xde\xce\x0e\xbc\xe6\x7c\xc4\x5b\xcb\xa2\x99\xbb\x89\x2c\x9d\x19\x50\xbf\x33\x5e\x95\x4f\xd3\x03\xc6\x5e\x1a\xfe\xc4\x8a\x3d\x3e\x10\xa4\x04\x35\x2a\x13\x02\xef\xce\xbe\x12\x54\xeb\x2b\x25\xd6\xf4\x50\xb2\x6a\x3f\x1b\xd7\xf5\x77\xe5\x4c\x95\xe5\x66\x11\x74\xd3\x27\x82\xfe\x6b\x11\x99\x65\x42\xfe\x1b\x97\x51\x39\x62\x88\xd2\x7a\x47\xe3\xc9\x8d\x1c\xc3\xf3\xab\x55\x8b\xa3\xe8\x2a\x6c\x3e\xd4\x84\x0f\x4e\x3d\x79\x36\x95\x73\xc3\x75\x34\x07\x3e\x79\xad\xfd\x23\x23\x83\x2b\x65\xe7\xa6\xc4\x5b\x72\x57\x91\x38\xe2\x26\x29\x1d\x27\x00\xda\xc3\xa1\xcc\x91\x61\x40\xf5\x4c\xb2\x8b\x34\x70\x85\x61\x89\x81\x25\x44\x36\x6f\x75\x7c\x0a\x29\x4e\xe2\xb5\xbf\x6c\x30\x8a\xd4\xdf\x23\x0d\x5a\x74\x3b\x8c\xf7\xa1\xf6\x4a\x30\x61\x98\x3f\x22\x38\x50\x26\x2c\x75\x74\xae\x48\x0a\x02\xf6\x8c\x04\x3b\xa7\xaa\x82\x2f\xf6\x45\xd4\xe4\x48\x2c\x14\xcb\xb5\x8c\x15\xf6\x5c\x98\xd1\x69\x2f\x93\x9d\x0d\x95\x58\x50\x45\x42\x4a\xbe\x5e\x58\x65\x14\x77\xf9\x1d\x0c\x1d\xaf\xb3\xf3\x3a\xf9\xe6\x9b\x79\x4e\x13\xeb\x0c\x42\x9d\xe9\xb9\x2b\xbc\x5f\x92\x82\xa2\xe6\xc9\x11\x9f\x6f\xd8\x60\x3f\xe1\x1a\xf2\xd5\x16\xc9\xa7\xad\x38\xe3\x33\x7b\x96\x9c\x3d\x95\x93\xf0\xd4\xac\x95\xc4\x4e\x7f\x47\xe8\x10\xf6\x97\x0a\x1a\x6f\x18\xf2\x09\xfe\xdc\x35\x65\x6d\xc5\xc5\x36\xb0\x39\x6a\xed\xaf\x83\xca\x46\x65\x5e\xdc\xc4\x08\x8c\x6f\xcf\xfa\x68\x9a\x87\x83\x09\xc1\x76\x7b\x21\x87\xc9\xb5\xfa\x57\x5e\xfd\x80\xe
0\x57\x4a\x57\x76\x73\xb4\x5e\xda\xc8\xb1\xc9\x12\xce\x60\xcd\x18\x29\x0d\x31\x02\x5c\x80\xeb\xa3\xd9\x97\xe4\x79\x2b\xe2\x3a\x49\xc0\x09\x4e\xe2\x85\x48\xfa\x33\x27\x5e\x6c\x28\x0b\xb6\xe0\xa0\xaa\x8e\x79\x04\xc6\x41\xcb\xcb\x3d\x99\x49\x46\xf0\xe4\xc6\xd6\xb1\x91\xd3\x46\x53\x64\x79\x3a\x69\x7f\x2c\x25\xd1\x30\x92\x3c\x79\x9a\x3a\x8d\x71\x69\xa3\x7a\xc2\x9b\xdd\xfb\x76\x6d\x51\x30\xb5\xe4\xbd\x43\x97\x8a\xad\x35\x49\x05\x2c\xf6\xf5\x64\x76\x80\x52\x03\x23\x46\xae\xf8\xf5\x84\x4b\x97\x04\x84\x2c\x0f\x1f\xa7\xd2\x6c\x69\x71\x88\xc0\xe8\x64\x16\x58\xd6\xd2\x99\xa6\x1f\xf1\x40\xa4\xb9\x4f\x04\xf6\xec\x06\xff\xca\x6e\x57\x4b\xdd\x60\x03\x72\xed\x5d\x16\x6a\xee\xae\x4f\x24\xe1\xec\x3c\x21\x2f\x05\xaa\x85\x37\xf0\xab\x83\x1e\x47\x2f\x32\x16\x4a\x08\x87\xc6\xf4\xe4\x25\x32\x56\x5f\x05\x5a\x8c\xd4\x35\xe9\xcc\x91\x08\x96\x7e\x42\x2c\x6d\x0e\x74\x06\x33\xc9\x77\x84\x71\xef\xa8\xa4\x4a\xb5\x5a\x06\xbd\xb6\xb8\x17\xf8\xa6\xcc\x55\xd5\x2a\xce\x6e\xc4\x38\xad\x4f\xbe\xe7\xc6\x4e\x00\xfc\x65\xc7\x6a\x36\x16\xc3\x5f\xb7\x1b\xb6\x08\x4f\x44\xf8\x08\x3d\xff\x56\xd7\x71\xe1\xd3\x23\x58\x4b\x82\xf1\x05\xe0\xa2\x11\xce\xae\x9a\xfc\x0f\x5e\x61\xa2\x64\x94\x76\x44\x0c\xf6\x8d\x9a\xbf\xfb\x48\xde\xcd\x0e\x8d\x2e\xd1\x09\x07\xd3\x5e\x39\x0d\xaa\x1e\xef\x83\xda\xc8\xab\x44\xe2\xac\x58\x86\xf6\x23\x5f\x6b\xd7\xb6\x9f\xf3\xc0\x98\xb5\x58\x89\x49\x08\xd4\xcd\x28\x24\x7f\xb6\xec\x4b\xb5\xb1\x63\xf6\xb2\xee\xf3\x86\xe7\xce\x26\xde\x75\x9b\xd6\xe2\x4e\x46\xaa\x2b\x38\xf0\xa4\xe6\xa4\x78\x5a\xf1\x4b\xd6\x03\x5a\x32\x6c\x29\xaf\x21\x5a\x4c\x1c\x45\xae\x76\x7b\xd7\xe6\xdb\x1b\xae\x69\xbe\x04\x5e\xf0\xb1\xeb\x39\x34\xac\x5e\xbe\x3a\x4c\x1d\xd5\x9b\xb9\x60\x53\xbe\xeb\x55\x61\xb5\x21\xc4\x78\x52\xd9\xa2\xc6\x6c\xfa\xf8\x2c\x2a\x01\x6e\x5d\xe7\x29\xea\x0e\x0c\xe4\xf9\x80\x85\x79\x2b\x5e\x5a\x80\x2c\xd7\xfb\xac\x9e\xf3\x8e\x20\x3e\xbb\x36\x51\xf1\xb3\x0a\xf6\xea\x29\xfa\x17\x9f\x8b\x19\x26\x41\x60\x4b\xe0\x29\x29\xda\xff\xad\xd6\xc9\x7b\xa4\xcd\x56\x79\x0c\xc2\x43\xd0\x47\x0e\xb8\xc1\xae\x78\x12\xda\x6
6\x6b\x0b\x32\x9f\xb3\xf0\x4f\x78\xe2\x5a\xd1\x7b\x4b\x39\x78\x13\x82\xad\x93\x7e\x08\xad\x34\x48\xb6\x32\x38\x18\x5b\x98\x22\x42\x19\x0f\xd1\xe4\xad\x8f\xbb\xa5\x5d\x6a\xbf\x96\xe0\x16\xe1\xd9\x8d\x37\xd5\x1c\x2e\xe1\xe4\x1f\x54\xf8\xac\x7e\x03\x8e\x36\x16\xf5\x69\xd0\x24\x69\x0e\xa3\x03\xbe\xc6\x98\xbe\xb9\x8b\x9e\xa4\x9f\x6b\x87\xe3\xf7\x10\x49\x97\xa6\xad\x7d\x33\xdb\x8f\xb7\x9a\xda\x8c\x5f\x7f\x54\xee\x17\xf7\xb3\xd8\x6a\xa1\x53\x2b\x43\x9c\xd8\xde\x90\xb5\xfd\x7f\xc3\x32\x56\x80\x06\x1d\x93\x19\xd1\x83\x5e\x60\x3f\xaf\x79\x33\xbf\xd6\x0d\x73\x39\x65\xf0\xf2\x5a\xdf\x39\x45\x09\x2b\xb9\x9e\x95\x34\x66\x02\xfa\xf6\xaa\xbe\xb3\x3c\xbc\xa3\xb2\x19\xb4\xf8\xaf\xaf\xe8\x25\xc6\x62\x7c\x0c\x7b\x00\xc3\x38\x75\xb6\x9d\x01\xc0\x8b\x90\xe6\xfa\x64\xf0\x9b\x42\x93\x2e\x1c\xcc\x9b\x3d\xa3\x67\x71\x66\x7d\x5b\xb7\x53\x1a\x2a\xc1\x74\xbc\x41\x2d\xff\xad\x7c\x6f\x8f\xd4\xda\xd3\x30\xfb\x41\x5a\x97\xe8\x13\x6c\xd5\xc0\xbb\x7d\x00\xd2\xb2\xc9\x56\x93\x6c\x9f\x5f\x74\x7e\x3c\x9a\x36\x1d\x79\xd0\x48\xcb\x3f\x52\x8f\x18\x7f\x9b\xba\x5d\x78\xd7\x30\x9b\x1b\x25\x6f\xbb\x34\x9c\xd5\x29\x45\x54\x1a\x5a\x57\x80\x9f\x2d\x71\xa8\xe8\x05\x57\xb2\x3b\xe4\xfb\x31\xca\xdd\xc5\x95\x53\xb6\xbc\x0f\xaa\x16\x5e\x4a\xb1\xf8\x27\x9c\xa6\xe3\x07\xce\x79\x20\xc4\x3b\xdb\xad\xec\x04\xef\x8b\xe7\x0d\x57\xaf\x59\x8d\x1d\x8a\x89\x6a\x09\x52\xb2\x3c\xba\x46\x4e\x0e\x9b\x36\x25\xf9\x93\xdc\x12\xc8\xf7\x74\xe8\x7d\xa0\x51\xec\xa4\x9b\xd1\x4e\x4e\x2e\x27\x0c\xf7\x5d\xc8\x34\x3b\x2a\xd4\xb0\xa2\x17\x8c\xb5\x57\xc6\xd0\xeb\x1a\x0b\x23\xed\x92\x58\x0c\xe5\xad\xa7\x8c\x2b\xb1\x0d\xdd\x25\xd4\xbb\x14\x7d\x61\xa0\x0f\x5e\x1d\x1d\x5c\x88\x8d\x47\x42\x4c\x04\xde\x7d\x41\x38\x4e\x2c\x68\x8a\x57\x35\x8d\x05\x81\x4a\xd9\x17\x13\x5a\x80\xec\xcd\x1d\x1f\x14\x72\x42\xa5\xda\x4d\xad\x08\x38\x32\x2e\x9a\x2f\xa5\x31\xfb\xb6\xb0\x83\x2b\x67\x00\xf8\x72\x79\x84\x6c\xe2\x33\x16\x79\xb8\x2f\x04\xfe\x1b\xe1\xe8\xce\x9f\x61\x0b\x63\xff\x30\xad\x0b\x76\x97\x78\x17\x73\x9a\x29\x5c\x9e\xc9\xdc\xf1\x1f\x81\xa6\x76\x19\x40\x73\x04\xc
1\xd5\x94\xc5\x19\x6d\xb1\xbd\xeb\xfe\x03\xf2\x2a\xda\xac\x92\x53\xd7\x53\x96\x71\x38\xbc\x9d\x2c\xf4\x73\x54\x91\xd2\x74\x5c\x23\xe5\xd2\x29\xc7\x46\x27\xdd\x19\x1b\xc6\xc0\x38\x51\x39\x14\xdb\xdc\xfa\xcb\x8b\xcb\x28\x14\xdc\x52\x5e\xda\xd8\x89\x52\x09\x99\xfc\xe6\x44\x69\xc6\x06\x94\x40\x59\x61\x51\x84\x41\xc3\xe8\x44\x53\xaf\xa3\x49\x9e\x3a\x89\x83\xb5\x7f\x94\x59\x3e\x86\x64\x71\x9d\x5e\x65\x98\x42\x2b\xb8\xcb\xc5\x16\x20\xb2\x59\x41\x3b\xea\x16\x49\x0b\xbe\x6c\x9a\x72\xbf\x21\xf6\xb4\xd4\x99\x37\x1a\xd9\xfc\x82\x77\xdd\x3f\x2f\x75\x23\xcc\x5e\x6c\xee\xbf\x74\xfc\x39\x44\x13\x6b\x2d\x56\xda\xa2\x04\x03\x74\x31\x9a\x1c\x83\xc3\xbb\x0c\x96\x2d\x32\x1d\x80\x39\x17\x0b\x98\xb6\x04\xc8\xed\x42\xc5\x96\x31\x4a\x01\x13\x9c\x9d\x36\xcc\xd6\xf2\xcb\xd3\x11\x3b\x2c\x9d\x4e\x19\xf0\x86\x94\x46\x36\x10\xa3\x68\xf8\xac\x74\xf2\x97\x94\xf1\x45\x60\xe0\xa3\xd4\x81\xc6\x73\x41\x0a\xd9\x46\x65\x81\xaa\x2a\x33\x4f\xf3\x80\xa1\x00\xfb\x04\x9a\xd8\x19\x6e\xb4\x78\x4e\xa1\xbe\xdc\x13\x9a\x70\x54\xf1\x8a\x8d\x44\xbc\xa0\xa3\xd0\x12\x2f\x5d\xc3\xa1\xc4\xd2\x9b\xde\x35\xe3\x32\xbd\xf2\x8c\xb9\xb9\x85\x43\xad\x3e\x33\x14\x3a\xf8\x79\x03\xb5\x62\x4f\x62\x30\x55\x98\xde\x27\x58\x33\x20\x8e\xc8\x37\x06\x82\xad\x9f\x0f\x9a\xc6\x4c\x43\x90\x44\xa2\xde\x30\x33\x46\x87\x34\xf4\x92\x66\x13\x88\x59\x69\x5b\x60\xa6\xfb\x45\xd7\x94\xb8\x71\xc1\x9c\xbe\xdf\x59\xb7\x64\x45\x3b\x78\xcf\xea\xd4\xc5\x01\xb1\xf8\xc0\xff\x82\x7b\x70\x29\x73\x92\x69\x7a\xdb\x13\xce\xff\x2f\x13\x9b\xff\x3b\xa2\x38\x79\x8a\x07\xfe\x5f\x55\xa0\xef\x5b\x75\xcc\xb4\x98\xbb\x89\x43\xba\xb4\xa6\x71\xf1\x25\xfb\x06\xf2\xe5\x9f\x77\xfd\xb0\x2c\xb2\x3e\x86\x87\x56\x8d\xc0\xd5\xc4\x86\x09\x94\xa3\x7c\xca\xb3\x65\xd7\xa7\x08\x03\xc6\xa6\xf4\x8f\x5b\x3f\xf1\xcb\xdd\x51\xd8\x96\x1f\x97\x3c\x70\x33\x75\xd2\x52\xe6\xc5\xa0\xff\x13\x3b\x59\x72\x43\x13\xf9\x88\x84\x1b\xd6\x1e\xc2\x97\x67\xa4\x60\x8a\x5b\xc4\x5b\x10\x4e\x4f\xc9\x82\x61\xe4\x54\x0a\x10\x38\x2a\x49\x5d\x64\xdd\x5f\x6c\x03\x90\x66\xd9\xd3\x58\xef\xb1\x66\x71\x17\x8e\x88\x4f\x0
7\x0a\x07\xfd\x02\xa0\x0b\x63\xb7\xf5\x75\xf6\x42\xbf\x91\xee\xc3\xbb\x90\xdb\xa9\xa2\x1d\xf3\x17\x9c\xf1\x2e\xa9\x52\x5d\x09\x74\xd6\xfc\x44\xbf\x69\xfc\x54\xf8\xa5\xff\x98\x67\x06\x67\x8d\x7c\xe0\x6c\xce\x44\xdf\x29\x74\xb9\x66\xe6\x7a\xca\x31\x4e\x0b\x58\xac\xc4\x15\x54\xa4\x42\xef\x35\x87\xab\xba\xf1\x82\x95\xec\xa5\x9c\xa8\xa1\x0e\xdd\x3f\xbd\x1f\xac\x0b\x06\x01\x3d\xe5\xf7\x33\x37\x51\xc5\x7d\xeb\x4d\xae\xf9\xe4\xc5\x5e\x93\x74\x1e\xd1\xd2\xf7\xf9\x63\xcd\xed\xc6\xef\xdb\x5d\x8b\x14\xd7\xd6\x12\xe2\x61\x2f\x30\x96\x6f\x4e\x67\x60\xd1\xa4\x6f\xbe\xe5\x0d\xcc\xff\xc0\xb2\xe5\x17\x7b\x1c\x60\x27\xad\xae\xe0\x90\x75\xb6\x55\xcf\x85\xdd\xbb\x4e\x44\x83\xd5\xde\x7b\x38\xa9\x10\xf9\x96\x71\x1c\x05\x8c\x1b\x97\xe6\x21\x27\x48\xc8\xcc\x7d\xe8\xcf\x7a\x56\xaf\x75\xe2\x91\x86\x7c\x26\x88\xe9\x99\xc6\x55\x3d\x7a\xaf\x3d\x2f\x62\xc2\xf5\x3b\xf8\x8c\xf2\x04\x40\x07\xdb\xe9\x29\x85\x65\x31\xb0\xad\x6b\x48\xa6\x11\x8b\xf3\x5c\xce\x82\x7e\x5d\x0c\xd2\xa1\x9b\x3f\xc3\x73\x95\xe1\xce\xd2\x13\x7f\x0c\x72\x6f\x5c\xc9\x91\x33\x3a\x0f\x07\x94\xda\x0b\x6d\x75\x73\x74\x21\x7e\xae\xbc\xbb\x6d\x87\x43\x1f\x08\x9a\x57\x10\x2c\xa5\x37\x3b\x8d\x73\x0a\x92\x02\x60\x59\xc6\xa8\x80\x94\xe9\xc6\x29\xd8\x1e\xcc\xf8\x6b\x4e\x8f\x09\x1d\x32\x55\x63\xd1\xf4\x01\x6c\x97\x97\x2c\x58\x4b\xc7\x6d\x1f\xb4\xed\x94\xb7\x21\x34\x4d\x00\xcc\x67\x24\xf5\x64\x9d\xfe\xd8\x4d\xc5\x11\x58\x3e\x1a\x08\xa4\x3c\x24\x09\x93\x41\x72\xff\x3f\x0d\xfc\x93\x99\x6b\x84\x79\xc0\x50\xdc\x19\x30\x9a\xa9\x98\xf7\x09\xed\xa3\xb3\xcf\x80\x6b\xec\x71\x7e\x17\x18\xb8\xcc\x10\x06\x0b\x33\x5c\x46\xf1\x7c\x52\x2a\xc0\xbb\x69\x6f\xb4\x39\x3a\x94\x50\xbe\x5f\xa7\x55\xea\x0d\x71\xb3\x0a\x84\x31\x51\x5c\x44\x63\x90\x15\x4b\xc2\xa4\x95\x1b\x3f\x15\xf4\x19\xce\x20\xb0\x30\x2b\xd9\x00\x25\xd8\x3c\x47\xa0\x18\xf6\x88\x6a\xb1\xfb\xb7\x57\x7d\x5c\x06\x6b\xab\x23\xd8\x41\x89\xcc\xff\x63\x40\xa3\xca\x41\xdf\x5c\x6d\x99\x4b\x26\xb8\xfc\x34\xc6\x90\xdf\xb2\x29\xc8\x37\x60\x22\x4b\xdc\xe8\xe8\x67\xd1\xf5\xa0\x97\x73\x6d\x3f\x19\xd8\x22\x9f\x91\x4
3\xac\x03\x70\x93\xd4\xcc\x32\xab\x10\x4b\x58\x28\xf1\xcc\x84\x49\x5a\x68\xd7\x67\xb7\xfb\xd7\x25\xd4\x34\x71\x9a\x36\x01\xb5\xfb\x23\x36\x4a\x5e\x41\x51\xc6\xf9\x15\xce\x53\xf7\xde\xbb\xb9\xf1\x5b\x81\x1c\xb0\x2b\xb8\x73\x94\xff\xb6\x1e\x8b\x8a\xe5\x74\x9d\xc7\x43\x2b\x51\x6b\x8a\x62\x79\x90\x53\x7b\x9c\xdf\xd2\xa0\x94\x39\xb7\xdc\x04\x39\x97\xe0\xf5\x90\x36\xab\x34\x70\xaf\x1b\xc7\x67\x10\x11\xe5\xb4\x72\xe3\xf6\xad\x45\x6b\xa7\x06\xd5\x50\x66\x1c\xbc\xf6\x10\x7e\x9b\x7e\xe4\x9a\x82\x05\x2d\x90\x1b\xb7\x9f\xb1\x8d\x82\x21\x6a\xee\xfa\x2e\x76\x39\x0f\x80\x94\x3c\xc8\x56\xa0\x08\xc7\x25\x6b\x84\xd8\x85\x7f\xa6\x34\xad\x7d\xd4\x50\x13\x86\xbb\xab\xe2\x38\xa5\x8a\xec\xb7\x7a\x0d\xe5\xff\xaa\xa5\x63\xa1\x96\x8b\x72\xb9\x2b\xa5\x8d\x1a\x1e\xf6\xf9\xed\x04\x9f\xf3\x8b\x7f\xc3\x42\x27\x46\x16\x31\xfe\xc6\x53\xe7\x81\xf1\x57\xec\x73\x86\x36\x2b\x66\x77\x8a\xfc\x89\x82\xcd\xae\x50\xe1\x29\xf4\x32\x9b\xfe\x35\xcd\x9d\xa3\xd5\x75\x22\x04\xfa\x72\x75\xcc\xbc\x01\xab\xf8\x5c\x6c\xf3\xab\x9e\xab\xb2\xea\x7a\x1c\x77\x9e\x67\x3d\x0f\x95\x16\xb1\x85\x15\x4d\xc8\x3c\xc5\xf6\x93\x70\xe3\x14\x19\x8b\x7f\xa8\x3c\xe5\xc5\xc9\x1c\x2c\x50\xe5\x44\x89\xb3\xa6\x70\xa3\x30\xa4\xe4\x9f\xca\x51\x7c\x83\xa9\x53\x2c\xbc\x7e\xdc\x84\x0c\xd0\x10\xb3\x7e\xcc\x75\x37\x45\x30\x16\xed\x1a\xb4\x45\xe4\x5f\xc1\x23\x8b\x14\xe2\xf8\xf9\x31\x66\xcb\xf7\xd3\x8b\x85\x28\xba\xa0\xfa\xd3\xe9\xe7\x6f\x4b\x32\xee\xbb\x60\x52\x68\x81\x62\x0b\xca\x5b\x11\xac\x06\x3d\xbe\x21\x69\xe5\x43\x78\x43\xf6\xd2\xd4\x86\x85\x5a\xd5\xf1\x92\xb2\x68\xb2\xf3\xeb\x25\xde\xea\xbd\x2d\xe8\x9c\x48\xba\x28\xf1\xee\x2c\x84\x65\x86\x56\xc3\x37\x33\x9b\x53\xac\xf9\x88\xba\xf2\x9a\xc5\xc9\x19\x9e\xc7\x91\x2b\x28\x94\x09\x34\xbc\x02\xb1\x31\xd1\x46\x13\x54\x62\x6b\x69\x08\x35\xba\x09\xab\xaf\xa0\xca\x7f\x51\x55\x79\xe5\x33\xc4\xbb\xfd\xa2\xbc\x9f\x2f\xae\xdd\x35\x38\xce\x8c\x1e\x36\x06\xea\x98\x39\x5e\x0f\xf8\x84\x92\x04\x5f\x47\xcc\xa8\x5f\x4a\xf1\x6f\x95\x0a\xbb\xf3\xf2\x22\x9d\xe5\x8e\xa2\xb4\x56\x92\xd4\xba\x84\x3e\x70\xe5\xae\xed\x2
9\xf6\x88\x07\x13\x8a\xaf\x5c\x99\x4b\x30\xd4\x73\x11\xeb\xb9\x69\x10\x76\x77\xdc\xf0\x07\xf6\x4d\x0b\x32\xc3\x60\x0c\xd3\x2b\xd4\x2c\xa6\x9e\xe4\x6d\x78\x6c\xf0\xcf\x94\x96\xbc\x51\x60\x2c\x98\x9f\xc5\x4f\x76\xc4\xd3\x83\xce\x41\x4a\xf4\x5f\xc9\x48\xe5\xb9\x71\xe3\x02\x0a\xf4\x47\xc5\x89\xb0\x99\x56\xc9\x03\x3d\x09\x04\xd6\x44\x5d\x7e\x9f\xff\x7c\x90\x39\x39\xf7\x9c\x2d\x4c\x30\xb6", 4096); *(uint64_t*)0x200000004ad0 = 0x200000004a40; memcpy((void*)0x200000004a40, "\x88\x4f\x38\x13\x09\x89\x6a\x88\x17\x38\x89\x99\x4e\x74\xc6\x06\x94\xf7\xba\xa4\x5b\xe0\x88\xe5\x9b\xc3\xe9\x39\x72\x82\x57\xe8\xd2\xdb\x71", 35); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[10] = *(uint32_t*)0x200000004a88; break; case 19: *(uint32_t*)0x200000004d40 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000004c40ul, /*optlen=*/0x200000004d40ul); if (res != -1) r[11] = *(uint32_t*)0x200000004c74; break; case 20: *(uint32_t*)0x200000004e00 = 7; *(uint32_t*)0x200000004e04 = 0xee00; *(uint32_t*)0x200000004e08 = -1; *(uint32_t*)0x200000004e0c = 8; *(uint32_t*)0x200000004e10 = 0x80; *(uint32_t*)0x200000004e14 = 5; *(uint16_t*)0x200000004e18 = 0xfffc; *(uint32_t*)0x200000004e1c = 1; *(uint64_t*)0x200000004e20 = 7; *(uint64_t*)0x200000004e28 = 5; *(uint64_t*)0x200000004e30 = 0xbed1; *(uint32_t*)0x200000004e38 = r[5]; *(uint32_t*)0x200000004e3c = r[7]; *(uint16_t*)0x200000004e40 = 1; *(uint16_t*)0x200000004e42 = 0; *(uint64_t*)0x200000004e48 = 0x200000004d80; *(uint64_t*)0x200000004e50 = 0x200000004dc0; memcpy((void*)0x200000004dc0, "\x05\xc9\x21\x56\x87\xa3\xff\x17\x47\xca\xe5\xc1\x8c\xb1\x86\xed\x5c\x62\x98\x43\x37\xf9\x0f\x0a\xb5\x94\x8e\x21\xc6\x3d\x16\x86\xf1\xda\x14\x59\xa8\x97\x18\xa9\xf8\x49\x30\xb8\x92\xc2\xad\x4d\xe6\x1f\x71\x4a\xb8", 53); res = syscall(__NR_shmctl, /*shmid=*/5, /*cmd=*/2, /*buf=*/0x200000004e00ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004e04; r[13] = 
*(uint32_t*)0x200000004e08; } break; case 21: *(uint32_t*)0x200000004f00 = 7; *(uint32_t*)0x200000004f04 = -1; *(uint32_t*)0x200000004f08 = -1; *(uint32_t*)0x200000004f0c = 1; *(uint32_t*)0x200000004f10 = 0; *(uint32_t*)0x200000004f14 = 0x98; *(uint16_t*)0x200000004f18 = 4; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 6; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 5; *(uint64_t*)0x200000004f30 = 0xc; *(uint64_t*)0x200000004f38 = 0x1ff800000; *(uint64_t*)0x200000004f40 = 8; *(uint64_t*)0x200000004f48 = 0x7f; *(uint64_t*)0x200000004f50 = 3; *(uint16_t*)0x200000004f58 = 0x101; *(uint16_t*)0x200000004f5a = 8; *(uint16_t*)0x200000004f5c = 0x1000; *(uint32_t*)0x200000004f60 = r[5]; *(uint32_t*)0x200000004f64 = r[8]; res = syscall(__NR_msgctl, /*msqid=*/4, /*cmd=*/0ul, /*buf=*/0x200000004f00ul); if (res != -1) { r[14] = *(uint32_t*)0x200000004f04; r[15] = *(uint32_t*)0x200000004f60; } break; case 22: *(uint32_t*)0x200000005080 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000004f80ul, /*optlen=*/0x200000005080ul); if (res != -1) r[16] = *(uint32_t*)0x200000004fb4; break; case 23: *(uint32_t*)0x2000000052c0 = 8; *(uint32_t*)0x2000000052c4 = 0; *(uint32_t*)0x2000000052c8 = 0; *(uint32_t*)0x2000000052cc = 0x7f; *(uint32_t*)0x2000000052d0 = 5; *(uint32_t*)0x2000000052d4 = 0x80000001; *(uint16_t*)0x2000000052d8 = 0x43; *(uint32_t*)0x2000000052dc = 7; *(uint64_t*)0x2000000052e0 = 2; *(uint64_t*)0x2000000052e8 = 0; *(uint64_t*)0x2000000052f0 = -1; *(uint32_t*)0x2000000052f8 = 0xf; *(uint32_t*)0x2000000052fc = r[7]; *(uint16_t*)0x200000005300 = 2; *(uint16_t*)0x200000005302 = 0; *(uint64_t*)0x200000005308 = 0x2000000050c0; memcpy((void*)0x2000000050c0, 
"\xbc\xc4\xb5\xd8\x6e\x91\xb0\x2b\x73\xe1\x6c\x46\x65\xdc\x30\x88\xf7\xcc\x98\x26\xda\x78\x07\xf9\xa8\x30\x0d\x9d\x89\x80\xde\x67\xa1\xa2\xa1\x53\xe9\x54\x66\xe7\x6d\x2c\x38\xc4\x15\x58\xc0\x8e\xfe\x37\xee\x81\xd9\x90\x46\x74\xce\xd8\x6d\xda\x9b\x2b\x6c\xc7\xc9\x7b\x19\x97\x58\xbe\xf8\xd9\x2d\xd2\x0e\x0e\x69\x86\x4d\x6f\xcd\x03\xa8\x0c\xa0\x12\x01\x9c\xf4\x1e\x51\x66\x47\x50\x38\xfc\xd3\x60\x33\x84\x36\xe7\x82\x7e\xf7\x30\x46\x91\x87\xe6\xa4\x95\xf5\xbf\x01\x8e\xe7\xca\xa7\x1c\x80\x4a\x38\x67\x56\xc3\x24\x2b\x30\xec\xa0\xb8\x41\x16\x6d\x78\x39\xe9\x4a\x56\x39\xd0\x8f\xbc\x06\xda\xc1\xf8\x61\x49\x44\x56\xd8\xd1\x53\xde\x7f\xc3\x03\x87\xd4\x52\x30\x4e\x7c\x30\x69\xbb\xfb\x42\x43\x91\xd0\x4f\xab\x12\x03\x7c\x6d\x6a\xe6\x02\x5d\xf8\x69\xfa\x3a\x45\xe0\x31\x48\xc2\xdd\x05\x2c", 195); *(uint64_t*)0x200000005310 = 0x2000000051c0; memcpy((void*)0x2000000051c0, "\x0b\x7d\x67\x85\x2a\x6f\x3d\x89\x68\xf4\x76\xad\xad\x16\x72\xe6\xdc\xfc\xeb\xe8\xe6\x24\x9d\x8c\xc7\x2d\x1a\x05\xc2\x8a\xcd\x3d\xed\xa6\x43\x14\x81\xc8\x8e\xe1\xc2\xc0\x99\x44\xee\x73\x33\xd9\xd1\x6b\x3f\x9b\xd1\x86\xbe\x36\x21\x0e\x7e\x52\xfd\xac\x24\x09\x97\x73\xc0\x7a\xf6\xf1\xa9\x40\xe4\xba\xec\x3a\xda\x47\x66\xe3\x80\x14\xad\x52\x7a\x5d\xf7\x7c\x90\x61\xc5\xa4\xca\xcc\xc4\x8b\xcf\x15\x62\x20\x7f\x8d\xb0\x4d\x60\x8a\x82\x3c\x71\x97\x9b\xda\xf7\x02\xb9\xa6\xec\x8f\x62\xf2\x3d\x31\x6b\x69\xa8\xe4\x0f\x1c\xd7\x92\x58\x5f\x34\xd8\xff\x6c\x70\x56\x41\xdb\xc0\x9a\x02\x45\xef\xad\x32\x6c\xa8\x4d\x8c\xa3\x9d\x29\xcc\x33\xa4\xa3\xfb\xe7\x6c\x24\x0d\x05\x5e\x26\x1e\x16\xd6\xbb\x5d\x9c\x23\x1f\xe3\xc9\xe8\x4f\xe5\x95\x65\xbe\xfc\x53\xfe\x9d\x11\x9e\xb5\x0c\xe0\x4e\x6e\x3c\x1d\xf2\x16\xae\x69\xc3\x13\xd8\x0b\xb6\xa7\x7e\x21\x9b\x94\x51\x65\x72\xee\xaa\x39\x8b\xfe\xa6\x49\x33\x5a\xe8\x11\x4c\xb0\x57\x42\x36\xf4\x61\x31\x67\xd9\x75\x8b\x53\xb6\x6c\xb6\xba\x75\xd7\x5a\xf9\x2f\x3c\x6e\x63\x8b\x82", 250); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/5, /*buf=*/0x2000000052c0ul); if (res != -1) { r[17] = 
*(uint32_t*)0x2000000052c4; r[18] = *(uint32_t*)0x2000000052c8; } break; case 24: memcpy((void*)0x200000005340, "./file0\000", 8); *(uint64_t*)0x200000005380 = 0x355; *(uint64_t*)0x200000005388 = 0x100000001; *(uint64_t*)0x200000005390 = 5; *(uint32_t*)0x200000005398 = 7; *(uint32_t*)0x20000000539c = -1; *(uint32_t*)0x2000000053a0 = 0xee01; *(uint32_t*)0x2000000053a4 = 0; *(uint64_t*)0x2000000053a8 = 7; *(uint64_t*)0x2000000053b0 = 2; *(uint64_t*)0x2000000053b8 = 2; *(uint64_t*)0x2000000053c0 = 6; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000053d0 = 7; *(uint64_t*)0x2000000053d8 = 4; *(uint64_t*)0x2000000053e0 = 0xfff; *(uint64_t*)0x2000000053e8 = 0x17b; *(uint64_t*)0x2000000053f0 = 0xffffffffffff27a1; memset((void*)0x2000000053f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000005340ul, /*statbuf=*/0x200000005380ul); if (res != -1) r[19] = *(uint32_t*)0x2000000053a0; break; case 25: *(uint32_t*)0x200000006480 = 7; *(uint32_t*)0x200000006484 = 0xee00; *(uint32_t*)0x200000006488 = 0; *(uint32_t*)0x20000000648c = 0; *(uint32_t*)0x200000006490 = 7; *(uint32_t*)0x200000006494 = 8; *(uint16_t*)0x200000006498 = 0x3ff; *(uint32_t*)0x20000000649c = 0x10; *(uint64_t*)0x2000000064a0 = 2; *(uint64_t*)0x2000000064a8 = 8; *(uint64_t*)0x2000000064b0 = 0x7fffffff; *(uint32_t*)0x2000000064b8 = r[8]; *(uint32_t*)0x2000000064bc = 0xffff; *(uint16_t*)0x2000000064c0 = -1; *(uint16_t*)0x2000000064c2 = 0; *(uint64_t*)0x2000000064c8 = 0x200000005440; memcpy((void*)0x200000005440, 
"\x4c\xf7\x7c\x89\xa8\xa3\x6d\x9b\x71\xd1\x6c\x43\xca\x99\xca\xec\x65\x90\x56\x4d\x89\x51\x86\x4c\xcc\xc3\x48\x10\x2a\x77\x79\xcd\x97\xd9\x51\x00\x3a\xe8\x76\xa9\xa0\x30\x1c\x11\x86\x7f\xf6\x43\x2c\x9c\x54\xbd\x04\xee\x43\x3f\xce\x5f\x5d\xb9\xeb\x71\xb7\x62\x21\xd2\x84\xc7\x8d\xc7\xdb\x27\x84\x0c\xa0\xb1\xe9\xa5\xa1\x19\xf0\xd7\x4f\xf6\x48\x5b\x52\xa9\x86\xa6\x71\x7f\x3c\xfd\x72\x6d\x0a\x6a\x03\x8b\xed\x21\x89\x34\x4a\x3d\x14\xc2\xf1\x19\xbf\x2e\x54\x3f\xe4\xe7\x16\xbc\x4c\x5b\xec\x83\x76\x7d\xa2\xf9\x7d\x1c\xce\x4b\x26\x96\xbc\x5f\x99\x89\xfd\x42\xdc\x97\xa0\xc1\x6c\xdc\x2f\xa9\x67\xad\xaa\xa2\xba\xc7\x30\xe2\xcb\xda\x74\x4d\xc3\x12\x1e\x3f\x01\x5b\x66\xea\xe8\x91\x56\xb2\x62\x63\x9f\x95\xbb\x01\x4a\xba\x78\xbf\x2a\x48\x01\x49\x9b\xf3\x82\x68\xd7\x7d\x99\x49\x4a\xef\x48\x6b\x9b\x38\x8a\x1e\xba\xcb\x4b\x77\x1a\x52\xbf\xa2\x99\x90\xe9\x36\x18\xaf\x03\x76\x2f\x95\x3e\x34\x80\xfe\x01\xdd\xe9\x2c\xa7\x83\x5c\xcd\x5e\x88\x64\xdb\xc9\x10\x0d\x25\xc4\xfa\x63\x2c\x9f\xeb\xdd\xfd\xb1\xe7\x7f\x1b\xcd\x76\x79\xea\x46\x89\xd2\xc8\x50\x4e\x50\xaf\x69\x52\xc8\x89\xd3\x28\xc1\x2c\x66\xc9\x0d\x8e\xad\x36\x92\x70\xd9\x4e\x5a\xa3\x42\xfb\x23\x87\xdc\x7c\xfe\x6e\xde\x70\x54\x64\x98\x5f\x30\x1f\xeb\x34\xb0\x02\xcc\xef\xb8\x0f\xde\x10\xd9\xfc\x1c\xb3\x9b\x5f\x87\x75\x24\x98\x6d\xd1\x24\x47\xa7\xc9\x6f\x63\x50\x7c\xb4\xd8\x80\x68\xed\xfd\x77\x48\xfb\x2b\x66\x7a\xe1\xae\xdb\xb4\x16\x37\x75\x74\xd7\x0a\x3f\x6d\xe4\x6e\x4a\x3e\x5c\x14\x9a\x64\xa4\x36\x46\x66\xbd\x99\xfd\xb0\xe4\x13\xa1\x33\x5b\xa9\x32\x57\x5d\x1e\x92\x28\x50\x8d\x61\x4b\x66\x3a\xb1\x7a\xcb\x21\xb2\xac\x4d\x36\x18\xa6\x59\x43\x80\x4d\x5b\xa5\x2c\xbb\x04\x3a\x96\x19\x86\x12\x02\xb5\x05\x14\x0e\x48\x44\xb8\xce\xb6\xfa\xf5\x02\x42\x23\xd9\x63\x6c\xb0\xbe\x38\x4a\x4c\xc1\xdd\x3d\x4f\x35\x76\x29\x52\x1a\x07\x69\x84\x18\xdd\x1a\x97\xc3\x94\x17\x19\x6f\x86\x1a\xfb\x05\xbd\x70\x2f\x4c\xcd\xc3\xd4\x4b\x5a\x41\x93\x37\x8b\x93\x6f\x53\xc5\xc4\xb0\x9c\x98\x58\xbe\x95\xe3\x49\xba\xeb\x7e\xb4\xda\x30\x94\x00\xa4\xdb\xb0\x8a\x24\xd0\xbb\x3
7\x72\xbe\xe7\xa3\x87\x3c\xf8\xd7\x6e\x06\xdf\x6f\x7c\xe5\x91\xf4\x0b\xdc\x84\x9e\xa0\x4c\xad\xe8\x86\xf0\x75\xe1\x45\x8f\x02\x1f\x1b\x73\x0b\x0c\xb5\xc3\x28\xb9\x11\x41\x2a\xee\x96\x16\xab\x5f\xdc\x83\x1e\x34\xce\xa6\x9d\xe1\xa4\x08\x06\xaa\xfd\x4e\x64\xd3\xcd\x70\xc1\xa6\xc6\xf6\x36\xd3\xbb\x94\xc9\x95\x97\x7c\x59\x4f\x0f\x4e\x90\xd7\xae\xc4\x3f\xec\x4c\x8a\xa7\x07\xd0\x0d\xfa\x26\xff\x9d\xb8\xa4\x5e\x6a\xc6\x5b\x5e\x5c\xea\xc4\x3f\x78\xb5\x0f\x1e\x4f\x49\x4c\x85\x82\x7b\x3f\x0e\xa1\xf7\xa4\xfe\x3b\xbb\xd3\x90\xe3\x61\x66\x28\xed\x47\x70\xdd\x36\x66\x94\x89\x35\x13\xdc\x1c\xd2\x52\xd3\x88\x7a\x2f\x19\xa8\x46\xd1\x8e\xe7\xba\xf8\xb5\x68\x0e\x61\x80\x0b\xaa\xf0\x04\x18\x10\xa5\xa2\x1f\xe0\x6c\xba\x83\xe0\x62\x1b\x26\x26\xc3\xec\x5b\xa6\x2d\xfe\x1f\x94\xae\x16\x11\x4c\x9f\x89\xe8\x94\x58\xa0\x69\x22\x2b\x43\xb4\x50\x4d\xca\x5f\xd9\x69\xc0\x66\x66\xdc\xf9\x82\x43\x46\x31\x59\x7b\xab\xaa\xd4\x65\xcb\x73\x9e\x72\x83\x5f\x69\xad\x69\x9b\x0e\xfb\xe2\x16\xa1\x2c\xc1\x88\xd5\x4b\xeb\x66\x86\x1c\x78\xc8\x02\x25\x43\x8d\xeb\x75\xb3\xaf\x96\xa6\x0a\x08\x4e\x68\xed\xce\xca\x25\x2c\x22\x22\x5b\x4f\x3e\x56\xe9\x9f\x97\x6c\x2a\x08\x2a\x29\xf4\xa5\xbc\x3d\x0c\x25\x1f\x91\x22\xb5\x84\x66\x1f\x39\xbf\xd1\x8d\xfb\x9d\x57\xa5\x91\xc6\xd7\x01\x3b\x42\x0b\xd1\xe4\xc4\x7e\x80\x4c\xc4\x0e\xdf\xfa\x4d\xc9\x0c\xda\x1d\xe0\xa6\xe5\xf0\xd7\xa4\xd1\xc0\xa0\x2b\xf9\x25\x82\x90\x06\x43\xf9\x7f\x8f\x2c\xc1\x37\x68\x37\x4c\xc1\x36\x10\xf2\x7c\x3a\xb9\xd6\x93\x14\x79\xd0\x21\x5c\x4a\xd6\x69\xef\x80\x2e\x32\x92\x87\x88\xc5\x25\xf7\x52\xed\xae\x47\x7f\xf8\x9e\xa3\xf0\xc8\x7d\x9e\xc7\xeb\x1e\xf5\x12\xdc\xab\x10\x37\x28\x42\x91\x86\x13\x22\xf8\x72\xaa\x26\x1f\xa4\x67\x46\xed\xd8\x39\x85\xee\x32\x0f\xef\x53\xb1\x15\x18\xf5\xd5\x8f\x84\x68\x19\xb8\x8b\x16\x58\x8c\x13\xdd\x01\x90\x58\xa1\xce\x86\x5b\x4e\x68\x5e\x94\x78\x53\x9b\x9b\x9a\xf6\x9a\x13\x12\x6d\x6a\xd3\x0b\x2b\xac\xb1\x44\xc0\x2f\xfb\x15\x39\x66\xd2\x0f\x56\x56\x84\xa8\x74\x91\x31\xc7\xde\xf8\x8f\x2c\x87\xe4\x8e\xac\x6c\x0a\xf5\x76\xcc\x86\x11\x1
8\xa9\xb7\x18\xdc\xa2\xea\xfb\xc5\x41\x3b\xb6\xe7\x51\x37\x46\x47\x9b\xd8\x01\xf0\x7b\x94\x65\xbd\x80\xd0\xdc\x3d\x83\xee\xb7\xd6\x88\xf9\x13\xbb\xc7\x87\xb2\x3a\x90\xa8\x63\x7c\x57\x98\x84\xa1\x58\x5d\x53\x23\xb0\x4a\x44\x9f\xee\xbd\x0c\xbe\x2b\xc3\x27\x21\x24\x4e\x92\xe5\xd0\x33\xe2\x0d\x0b\x2c\xcf\x8e\xd5\xe2\x39\x00\x19\x9d\xc5\xec\xde\xa4\x29\xa2\x59\x61\xc9\x07\xaf\x8d\x93\xd5\x7d\x5d\x0d\x7f\xf9\x90\x31\x0a\xc0\x92\xdc\x44\x7e\x88\xcf\x81\x61\x7b\x67\x75\x4a\xd8\xee\x0b\x12\x53\x2c\x73\x13\xd1\x5f\xd6\x5c\x9f\x65\xc0\xa9\x4b\x75\x5a\x09\xd2\x40\x78\xbd\xe2\x75\xa4\x44\x57\xec\xa4\xc8\xb2\xb3\xbc\x0d\xfd\x4c\x8a\xcb\x9d\x2c\x6c\x4a\x8d\xaa\x22\xa6\xcd\x96\x1b\x44\x76\xb0\x78\x80\xf8\xcf\x09\x88\xbc\xe7\xdd\x8d\x3c\x3f\xbd\x9c\xfd\xb6\x56\x3b\x68\x10\x34\xb2\x72\xfb\x3c\xde\x59\x1d\xe8\x03\xd0\xb6\x84\x05\xd2\x5d\xea\x80\x1e\xe8\x71\x3a\xeb\x54\x98\x19\x83\x95\x79\x9d\xb2\xab\x19\xfb\xce\xdb\xaa\x3c\xed\x3e\x12\x4d\x29\x3d\x63\xee\x8c\x12\xd9\x31\x07\x9f\xd9\x4c\xa0\xfb\x5c\x45\x69\x32\xa0\x7a\xc6\x65\xb9\x41\x0d\x12\x37\x73\x58\x72\x76\x67\x64\xc0\x5e\x85\x2e\x06\x1d\xc3\x99\xbb\x31\xed\x48\x8d\x1b\xa5\xae\xf5\x3a\xc7\xb4\x53\x6c\x6e\x5f\xc4\x5c\x96\xa9\x93\x85\x51\x2f\xe6\xee\x8a\x22\x78\xa0\x6b\xe1\x9a\x7c\xdd\xf3\xca\x67\x8b\xdd\x73\xc2\x55\xc1\x59\xea\x07\x35\x57\xd6\x66\xf6\x7b\x9d\x1b\x99\x68\xe0\x23\xf6\x36\xc6\x93\xa8\xad\xfc\x92\x3a\xcf\xf1\x08\xed\x43\x70\xbb\x96\x6b\x0f\x4c\x05\x03\x4b\x08\x57\x6c\x2b\xc8\x9c\xee\xb5\x7c\x63\x3d\x2a\x7c\x87\x66\x5b\xe7\xe7\x5f\xfb\x30\xed\xb5\xfe\x9f\xcd\xc7\x25\x6a\x01\x12\xd4\x9f\x52\x03\x18\x00\xb7\x0f\x69\x80\x38\xf0\xf1\xf8\x12\x23\xcb\xe0\xe3\x0b\x47\xe8\x05\x70\x97\x1d\x4f\xa8\x4d\xa5\x80\x99\xf8\x75\xac\x76\x32\x3c\x5a\xc2\x5b\x69\xc5\xea\xf6\x78\x25\xab\x8a\xc9\x8c\xbd\x6d\xc0\x16\x37\x51\xa4\x7a\x1e\x52\x99\x8e\x00\xe0\x5c\x1c\x69\x01\xf5\x04\x34\x03\x18\x72\x79\x02\xb1\xed\x2b\xd2\xcf\xf2\xd2\xed\x09\x60\x1a\x8c\xed\xf4\x52\x8c\x1c\x13\xa6\x70\x37\x5f\xe3\xa6\x85\xc7\xcb\x14\x72\x3b\x55\x9c\xe2\x78\x6c\xa
2\x95\x5a\xe3\x51\xef\xf8\x39\x75\x8c\x31\x1e\x99\xed\x53\xff\x12\x83\x72\xbf\x9f\xc3\x8c\x57\x0b\xd9\x00\xb4\x97\xc9\x31\x61\xc3\x4d\x8b\x4e\x48\x06\xeb\xcc\xda\x16\x11\x44\x5e\xa9\xd6\x76\xbd\xc1\x46\xea\x5b\xa1\x00\xfc\x5d\x99\x5b\x2c\xa6\x07\x09\xfa\xbb\xf6\xaa\xbb\x01\xef\x24\x3a\x12\x9a\x3c\x67\x38\xcf\x66\xf6\xd3\xe3\xb0\x03\x20\xbe\x0f\x85\xe7\x54\x87\x89\x37\xe3\x97\x62\xde\xbb\xf5\xa3\xe7\xa8\x11\x10\x35\x66\x34\x0f\xdf\x7d\xac\x84\x50\xe6\x8e\xff\x10\x2c\xbf\xd4\x95\xa8\x01\xde\x06\xe7\x4d\xf5\x7f\xe0\x6e\x15\xed\xfb\xa4\xda\x71\xa4\x33\x39\xc5\x24\x8f\x42\x2e\xe2\x9a\x22\xef\xa4\x93\x69\x0d\x97\x24\x6e\x20\x83\xbe\x24\xc2\x1e\xe4\xf2\xf1\xd6\x0d\x75\x3b\x2d\xa7\x5a\x15\x40\x8a\xf7\xf4\xff\xc3\xf1\x16\x73\xb8\x93\x45\x79\x57\x50\xc2\xea\x6b\x6c\x78\x9c\x9e\x4e\xd0\x93\x05\x61\x71\xe9\xfd\x9a\x67\x54\x86\xa4\xa5\x1a\xfa\x96\x7e\x00\x9c\x5a\xb5\xda\x74\xfb\x7f\xcd\x00\x04\x4a\xb9\x4b\x28\x7b\x54\x21\x78\x48\xd4\x78\x48\xd6\xa1\x16\xae\xd4\x1d\x45\x4c\xdc\xbf\x4a\xd8\xd8\x6e\x62\x99\x97\xe3\x08\xb8\x6e\x23\xea\x1b\xf1\xa4\xd2\x52\x96\xb1\x9f\xa7\x9f\x2a\x8c\x9b\x13\x70\x2b\x76\x28\xc8\x9f\x71\xba\x6d\x5c\x3a\xa6\x56\xd4\x31\x8c\x4e\xc3\x30\x5b\x9d\x7a\xe2\x93\x74\xe9\x35\x67\x09\xc4\x6d\x40\x1c\x6b\x74\x51\x18\xbc\x70\xd1\xac\x74\xfb\xc5\x7d\x92\x48\xb1\xa9\x15\xde\x03\xdf\x36\x7a\x9a\x10\x44\x75\x27\x75\xe3\xb3\x36\xa9\x35\xbc\x08\x2a\x2c\x88\x29\x9f\xad\x16\x99\x3f\x6e\x3f\x43\x73\xde\x0c\x48\x8a\xf1\xaf\x00\xad\xb9\x40\xcb\x45\xf5\xcf\xd5\x37\x2d\x6c\x0a\x4c\x69\x6f\x96\x63\x6d\x52\xd2\x79\x39\xde\x72\x99\x74\xa9\xa5\xbe\x21\xf9\x9b\x49\xfc\x6d\x4c\x65\xac\xa9\x8c\x28\x74\xf3\x67\x1d\xe2\x92\x64\x94\x1c\xd4\xa4\xa6\xbe\x0b\x20\x21\xac\x02\xad\xcd\x17\x56\xbf\xcf\xf1\x0e\x76\x55\xdb\x95\x8b\xb9\x99\x81\x0d\x8b\x3f\xee\x98\x32\x64\x6d\xed\xbe\xee\x86\x89\x2e\xce\xb4\xfa\x04\xb7\x28\x4f\xdc\xe5\x66\x9d\xc7\xee\xb7\x75\xd0\x09\xca\x17\x6d\x82\xbb\xdd\xd4\x26\x27\x16\xef\xbb\xe1\x8c\x8c\x79\xf6\xc7\x6c\xb5\x9b\xfa\x82\xa1\x9a\x66\x81\xe0\xd5\xa4\x9d\xbd\x64\x2
9\x33\x64\x8a\xf8\x81\xc5\x69\x40\xe8\xc5\xe1\x8f\xb8\x28\x8c\x35\xe1\x30\xe1\xf6\x28\x17\xaf\x3f\x18\x7d\x00\x2d\x1b\x9a\x1d\x58\x4b\x66\x2e\xbc\x5c\x9c\x95\x20\xc4\xd5\x16\x64\x9f\x2d\x99\x36\x3e\xff\xf1\x16\x34\x8c\xae\xd4\x35\x56\xb5\x8e\xa9\xb7\xc4\x25\x5f\xd2\x7e\xfb\x05\xed\xec\xe7\x55\x35\x96\x3d\x32\xef\x59\x7e\xb1\x33\x49\x5d\xc6\xff\x01\x17\xd9\x23\x02\x7f\x10\x8d\xbc\x64\xcb\xaa\x4b\xed\xd5\x65\xe0\x57\xa0\xe2\x86\x49\x90\x8d\x87\xab\x01\x64\xa1\x15\x5a\xbe\x46\x03\xec\x3f\x81\xc3\xb5\x32\x7e\xd0\xd5\xe1\xfc\x89\x01\x62\x51\x0a\xfc\xa7\xb9\x1d\x61\x85\x75\x73\xf6\x18\x43\x86\xa7\xa7\xcb\xfb\xa8\xef\xf7\x9f\xb8\x83\xd0\x4a\xa6\xbb\x7f\x93\xf7\x76\xa3\x75\x56\x5f\x67\xa0\x37\xe4\x75\xe2\x8b\x57\xf4\x2c\xa0\xfc\x54\xa3\x0b\x9d\x91\xee\xd1\x24\xcd\xc1\xbc\x53\xfe\xaa\x47\x58\x28\xf2\x0d\xb8\xba\x50\x81\x5c\x81\x2a\x1e\x9c\x74\x54\xcd\x41\x44\xeb\x9a\x42\x3e\x6d\x17\x2e\xde\xe0\xba\xd9\x4c\xd1\x50\xbb\xeb\x4d\xea\xbc\x6e\x98\xe3\xe5\xf7\xc6\xbb\x47\xf3\x5f\x11\x0e\xec\x4b\xa6\x32\xe9\xc4\x26\xaf\x69\x9a\x5b\xd6\xc2\x33\x1e\xf0\xc1\x1d\x24\xa5\xa3\xf3\x88\x8f\xae\x3a\x36\xa8\x9f\xb8\xa0\xdb\xdb\xa9\xca\xdf\xb9\xe0\x52\xa9\x3f\x00\xed\x75\x75\x5b\x4d\x78\xd9\x9a\xaa\x84\xf6\x9d\xcc\x6a\x6a\xb0\x5e\xad\xd8\x17\xb9\xf7\x04\xe9\xa7\x69\x7a\x31\x5f\x36\xac\x99\xd2\x99\xb5\xcb\x8a\x2f\x0c\x7c\xd5\x3a\xa1\x6f\xda\xd2\x33\x19\x47\xd8\x1a\x52\x73\x4d\xc3\x8e\xfd\x03\x09\xb4\x83\x7f\xcc\x18\xc8\x8a\x0c\xb8\xbf\x5f\x96\xe4\x20\x91\x92\x26\x6a\x2c\x7f\x60\x37\x1d\x41\xfc\x8c\x7d\x05\x0a\xe4\x3b\xf5\xf6\x74\x07\xb5\x4f\x4b\x73\x1e\x0f\x71\x95\x65\x9c\xd7\x1e\xcc\xcf\x87\xe6\x8e\x1b\x4b\xb8\x74\x70\x73\x36\xca\x5b\xce\x6a\xe7\xd5\x88\xd6\xd6\x8e\x2f\x66\xea\xf0\xfa\xa2\x6d\x48\x8e\xf0\xa1\xa0\xb5\x96\x86\xaf\x81\x20\x55\x8f\xd7\x6c\x9d\x19\x59\x0a\x96\x11\xd5\xf3\xec\xa0\x0e\x14\x81\x94\xd9\xb6\x95\x94\x12\x4b\xe0\x05\xcd\xde\x6d\x57\xb2\x6c\x53\xac\x64\x88\x23\x6d\xe7\xdc\x8e\xf1\x7e\xee\x67\xcd\x94\x8e\x32\xd8\xc1\x1f\x14\xbd\x24\x78\xb5\xd7\xe2\xc1\xd3\x9d\x02\xb4\x75\x9
5\xce\xbe\x08\x51\xf9\x94\x48\x96\x0d\xd6\x4c\x14\xa8\x4d\xac\x88\x7c\xe5\xb3\x93\x09\xb1\x53\x0b\x71\x29\x5c\x36\xb1\xb1\x95\x92\x24\x2d\x66\x17\xf9\xba\x31\x5c\x8d\x0a\x9d\x39\x79\x25\x41\xd1\x1c\x0e\xc9\x99\x97\x51\x69\xe8\xaf\x06\xa4\x44\xb7\x16\xc4\x52\x40\xb3\x15\xa0\x89\x61\xfa\xc6\xa6\x96\x81\xd8\x32\x19\x8a\xad\x3d\xe1\x0e\xf3\xa4\x88\xf5\x07\xab\x56\xfd\x19\x4f\x6d\x94\x37\x6d\x24\x96\x8d\x5c\xaa\xdf\x3f\x2c\x3e\xfb\x66\x7d\xd1\xd1\x9b\x18\xdc\x8d\xab\x53\xdf\x92\xc2\xdc\x0f\xb4\xad\x49\xaa\x80\x34\xcf\x6f\x9e\xae\x62\x20\xbe\xae\xc0\x87\x84\xca\xc7\x65\xda\x9e\x98\x21\x9e\xca\xe0\xfb\xa0\x94\x24\x0d\x3d\xf3\x4f\x3c\x89\x53\x9b\x20\x6a\x9a\xf3\x8d\xac\x75\x87\x4b\x0b\xee\xed\xc9\xb3\x79\x5d\x5f\x1d\x1f\x90\x65\xa8\x1a\xc5\xe1\x55\x88\xc1\x79\xc4\xb0\xef\xfc\xba\x46\x6b\x91\x70\xb1\x2e\x72\xfb\x52\x5a\xcc\x0e\x2b\xf5\xb8\xc4\x3e\xfb\xdf\x53\x27\x9e\x5c\x9f\xee\x04\xb0\x29\xdb\x52\x20\xba\x82\xd4\x93\x0e\x96\x37\x4b\xaf\x43\x38\xae\xf5\x55\x0f\xb5\x92\x20\x15\xa1\xf9\xf0\x76\xf3\x61\x5e\xe6\xd8\x14\xda\x80\x8d\x1b\xbc\xad\x1b\x17\x6d\x5b\xb2\x0b\x79\x58\x82\x47\x6c\x0c\x72\x34\x5e\xb1\x61\x34\x80\x7a\x82\xb9\xd8\x6c\x9d\x7a\x4d\x84\xd1\x89\xbe\x30\x9b\xa0\x25\x30\x3e\xea\x18\x89\xb0\x5c\xdc\xea\x4c\x20\x73\xcf\xb3\x0b\xb3\xb9\x0f\x35\xbc\xd6\xee\x79\x0f\x13\x60\xf9\x63\xdc\xd6\xbe\x81\x16\x8d\xe7\x5e\x1d\x04\xe8\x15\x0d\x2c\x00\x00\x5d\xf7\xfa\xde\xac\x9e\x5c\x3d\x20\x26\x79\x9c\xbb\x2a\x2d\xb4\x26\x8e\x4d\x1c\xb6\x14\xf1\x58\xef\x12\xa0\xb2\x28\x2e\x42\xba\x33\xff\x9d\x67\xce\xda\x79\x32\x0f\x1d\x89\x72\x77\xf4\x86\x58\x8a\x0d\xc0\xe4\x6c\x1c\x0f\xa2\x23\xbe\x06\xcd\xac\xa9\x09\x48\x33\x58\xbe\x8b\x18\x2b\x37\xe3\x78\x9f\x7c\x93\x95\x9c\x0b\x45\x33\x5b\x2c\x00\xca\xd1\xa7\x0f\x8d\x04\x08\x13\x83\xa7\x9c\x3f\xd5\x95\xfc\x86\x47\xbb\x65\x52\xc6\x08\x1c\x26\xc7\x20\xed\x1b\x22\x9a\x19\x2b\x9a\x91\xfa\x1e\x12\xcd\x31\x84\x0f\x86\xe0\xda\xd7\xfe\xb7\xda\xde\xad\xd2\x32\x70\x9b\xc9\x9a\xa8\xfb\xc3\xa8\x7a\xf0\xd5\xc8\x2e\x53\xac\xeb\x61\x22\xbf\x9b\x71\xb7\xbc\x9
2\xa0\xa0\x63\x95\x7c\xc6\x66\xfa\xfb\xad\x1f\x68\x8b\xd9\x11\x60\x8b\xfc\x76\x81\xc6\x4d\x81\x91\xc5\xd0\xc8\x0f\x7d\xed\xd5\xa9\xad\x4e\xbc\xcd\x04\xe2\x61\x8d\x9a\xad\x12\x1f\xd9\xaa\x8b\x8d\x68\x48\x72\x0a\x73\x67\x22\xc7\xec\xed\x31\x54\x04\x19\x65\x9c\x09\x11\xa0\x6e\x03\x9e\x95\x9c\x84\xdd\x5c\xc1\x64\x0e\xba\x08\x50\x5e\xa4\x89\xa1\x21\xdd\xca\x4a\x09\xc6\x3b\x2e\x27\x1d\x1e\xdb\x91\xae\xa0\x42\xe9\x2b\xea\x12\x93\x9a\xb6\xd4\x15\x7e\xfa\x94\xa6\x8d\x07\xb5\xf9\xb2\x05\x8b\xcc\xae\xf5\x82\x6e\xbd\x37\x65\x7a\x99\xbe\x45\x13\x4a\xa3\x0a\x84\xa4\xc4\xe0\x8e\x46\x3b\x75\x64\x5c\x2b\x72\x6c\x14\xf3\x57\x50\xef\xa6\x80\x40\x8d\x1e\xa9\xf3\xf5\x6f\xeb\x10\x60\xc7\xb8\xe8\x11\x46\x81\xc2\x49\x92\xaa\x2e\x1e\x65\x21\x9a\x03\x6a\xfc\x03\x4d\xba\x75\xa3\x90\xaf\xce\x29\x63\xd7\x56\xc7\xea\xf6\x7d\x21\x3c\x75\x37\x19\x35\xf9\xea\xb4\xd4\x28\xc5\x43\x22\xe3\x24\x98\xa4\x34\x02\x54\xcc\x41\xfb\xb5\x5c\xf6\x3b\x4f\x3f\x43\xc8\x93\x01\x01\xf3\xae\x35\x42\xfb\x96\xac\x77\x62\x63\x78\x9a\x98\x4a\x3a\x62\xbb\x46\xc5\xa4\xa4\x1b\x85\xf9\xd6\x6b\x47\xfb\x28\xea\x76\x5b\xbc\xdb\x52\xb0\x1f\x4c\x15\xeb\xe1\x88\xb4\x54\xc3\xae\x27\x7d\xc8\xa9\xf8\xa1\xc6\x34\x16\x3c\x63\x1b\xd5\x43\x0a\x8a\x80\xb8\x0b\x37\x33\x41\x3a\x1e\x00\xeb\x3f\xff\x34\xbc\x5a\xa8\xd9\x07\xd7\x9d\xe8\x86\x6c\xbc\x6f\x10\x66\x13\x56\x27\x77\x16\xc8\x84\x74\xbe\x9b\x39\x30\x18\xa7\xd8\xb9\xb3\xe1\xce\x4b\x7a\x32\x6b\x77\xf6\x2f\xcf\xa9\x49\x4e\x1b\x7c\x02\x80\xc3\xa2\x5e\xe3\x46\xc9\x4a\xe4\xcb\x3a\xf3\xfe\x09\x53\x4e\x63\x83\x6d\x5a\x00\xa6\x28\x08\x74\x2f\x5c\xc9\x26\x08\x8a\x6e\xd1\x1e\xa2\x05\x1a\x33\xc6\x0b\x2d\xed\xd2\x06\x9f\xc9\xfc\x2f\x2c\xd4\x53\x66\x61\x8e\x11\x00\x02\x16\xef\x80\x17\x16\x3a\xa8\x28\xea\xe1\xd1\x5f\x02\x06\x7a\xa4\x6a\xf4\x67\x75\x0c\xfd\xd3\x6f\x7e\xcb\xa0\xfd\x1f\x73\x82\xc2\xa7\x8a\xa4\x0c\xcb\x03\x7e\xd7\x24\x90\x75\x9f\x08\xe4\xa2\x57\xb7\x3e\x1b\x45\x19\xec\x47\x20\xd9\x08\x1d\xd4\x64\xa4\x7a\xd4\x68\xf8\x88\x1c\xa3\x02\x3e\x75\x31\x00\xae\x0a\x1b\x29\x89\xac\x57\x4e\xbb\x9a\xc
9\x13\x4b\xf1\x62\x02\xce\x61\xae\xaa\xfd\xf7\x68\x9b\xb9\x21\xc4\xa3\x9a\x46\xf0\x3a\x14\xde\xcf\xfe\xc7\x8c\xf9\xff\xd0\x1b\x4f\xca\x7d\x7b\xd4\x00\x30\xfe\xfa\x02\x59\x1a\x28\x45\x1b\xd3\x5d\xa7\x46\xdb\x7b\x5c\xdf\xd5\xee\x9e\xb6\xc5\x1b\x3b\xe0\x5f\xb0\xcd\x5d\x39\xe8\x10\x3b\x0e\x90\x3e\xec\x11\x0b\x3f\xf1\xf9\xdf\x98\x12\x32\xa5\x58\x23\x42\x81\x03\x9b\x46\x63\x76\x41\x84\x9d\x64\x12\xfe\xb7\x4a\x37\xb1\x39\x3c\x31\x51\x3c\xd9\x94\xad\x23\x9e\x20\xad\xdc\x7b\x6b\xe2\xbe\x44\x88\x57\xba\xcb\x20\xcb\x14\x69\xfe\x94\x46\x94\x6b\x6d\x60\x34\x9f\xf3\x92\x19\xf7\xc0\x02\xec\xb4\xdb\xfd\x31\x7f\x79\xd9\x50\xb3\x95\xdd\x77\xcf\xd4\x9a\x6f\xad\x36\xbe\x0b\xd4\x59\x1e\x4d\x2c\xa8\x37\xfe\x73\x74\xa3\x67\x92\xcc\xb0\xb2\xb0\x27\xc6\x9d\xcb\x08\x52\x74\x93\x09\xb9\x37\x17\x72\x72\xf4\xa8\x0d\x8e\x2a\x24\x99\x7f\xfc\xa2\x08\xb7\xf5\x28\xbe\x82\x11\x65\x56\xd2\x35\xf1\x7d\x57\x4d\x17\xac\xc1\xc4\xb5\x83\x63\xf0\x3f\x6b\x21\x77\xa2\xd9\xbd\x31\xd7\xda\x8b\x2d\x37\xea\x2a\x5e\xac\xe2\xb4\xf3\xea\xb5\x49\xcc\x55\xb3\x8e\x0f\x17\x31\xcc\x82\xef\x54\x8a\x5c\xb6\xa7\x56\x4b\x44\x2a\x86\xda\x73\x12\xa9\x4a\x13\x15\xe2\x70\xf3\x90\xa1\x97\xb9\x1e\x43\x5f\xa7\x04\x43\xf3\x87\xcf\x53\x73\x8f\x77\x5a\x23\x62\xa8\x72\x17\xb5\x74\xf8\xf6\x3c\xa6\x36\x13\x37\x52\x05\xdc\x19\x44\x98\xa0\xc9\x29\xff\x13\x00\x14\xd7\x42\x6a\xf7\xc0\xd0\x98\xd6\x9a\xff\x0d\xa1\x02\x7b\x12\x3c\x02\x3e\x73\x2e\x0c\xa1\xeb\x69\x5b\x42\x10\xad\xca\xef\x92\x85\xfe\xc8\xc8\x3f\xea\x7e\xfb\x3b\x5a\x09\xab\x0e\x26\xa2\xc0\x92\x6e\x15\x8e\xe1\x70\x89\xef\x7f\x8e\xab\x53\x75\x71\x8b\xa2\xe8\xab\x68\x3d\x2a\x1e\xef\xe2\x5c\x2e\x30\x3f\x41\x9e\xd0\x14\x23\x79\x98\x67\xe0\x2e\xb0\x1a\xe2\x00\x02\x20\x71\x36\xa6\x0a\x87\x50\x77\x39\x3a\x01\x9a\xe7\xdf\x3a\xad\xc5\xd4\xae\xd4\xd4\x59\xce\xdd\xe9\x66\xd8\x4f\xa6\x4c\x2e\x56\x48\x60\x17\x2b\xe4\x1b\x9f\xbd\xcc\x9b\xb2\x9c\xc2\xaf\x86\xbc\xb8\xda\x14\xd1\xd7\xef\xd6\xd9\x0f\xef\xd4\x73\xfb\xac\x5b\x05\x59\xac\x2b\xdc\x11\x0c\x7f\xda\xa9\x21\xd9\x20\x73\x1f\x36\x2f\x95\xd4\x2
6\x68\x0b\x73\x31\x2d\xa5\x8f\xac\xc4\xd0\xa1\xd7\xba\x59\x0b\x3e\x91\xc0\x3b\xf3\xb5\xf5\x00\xa5\xca\xe4\x6b\xed\x37\x37\x02\x12\x9e\xe2\xf2\x5b\x05\x00\x21\x9b\xbe\xc0\x50\x28\x59\x49\xf2\xde\x49\x48\x32\x89\x64\x32\x9b\x1a\x46\xa3\x84\x21\xc1\x37\xcb\x95\xb9\x92\x90\xb4\xf6\xcb\x46\xb5\x76\x69\x7c\x95\xb9\x37\x8e\x7c\x15\xca\xa0\x4a\xb0\xe8\xa0\x4b\x8d\xf8\xbc\x46\xd6\x15\xfa\x29", 4096); *(uint64_t*)0x2000000064d0 = 0x200000006440; memcpy((void*)0x200000006440, "\x1c\x3d\x61\xef\xc1\x46\x7b\x6b\x61\xe9\xe5\xf0\x6f\xa3\xd1\xdc\xc0\xe7\x00\x35\xdc\xc9\xc6\xc3\xb0\x0d\xf5\x89\x00", 29); res = syscall(__NR_shmctl, /*shmid=*/0x8001, /*cmd=*/0xfffffee8, /*buf=*/0x200000006480ul); if (res != -1) r[20] = *(uint32_t*)0x200000006484; break; case 26: res = syscall(__NR_getgid); if (res != -1) r[21] = res; break; case 27: res = syscall(__NR_geteuid); if (res != -1) r[22] = res; break; case 28: *(uint64_t*)0x200000006a80 = 0xfff; *(uint64_t*)0x200000006a88 = 0xd; *(uint32_t*)0x200000006a90 = r[6]; *(uint64_t*)0x200000006a98 = 7; *(uint64_t*)0x200000006aa0 = 2; memset((void*)0x200000006aa8, 0, 16); *(uint64_t*)0x200000006ab8 = 0xf; *(uint16_t*)0x200000006ac0 = 0; *(uint16_t*)0x200000006ac2 = 0x46; *(uint32_t*)0x200000006ac4 = -1; *(uint32_t*)0x200000006ac8 = 0; *(uint32_t*)0x200000006acc = 0xfffffffd; *(uint32_t*)0x200000006ad0 = 0xf7; *(uint64_t*)0x200000006ad8 = 0x7f; *(uint64_t*)0x200000006ae0 = 8; *(uint32_t*)0x200000006ae8 = 9; *(uint64_t*)0x200000006af0 = 3; *(uint32_t*)0x200000006af8 = 0x200; *(uint64_t*)0x200000006b00 = 4; *(uint32_t*)0x200000006b08 = 5; *(uint64_t*)0x200000006b10 = 0x62; *(uint32_t*)0x200000006b18 = 5; *(uint32_t*)0x200000006b1c = 0xff; *(uint32_t*)0x200000006b20 = 0x6cbf; *(uint32_t*)0x200000006b24 = 0x48; *(uint16_t*)0x200000006b28 = 0; *(uint16_t*)0x200000006b2a = 0x8001; *(uint16_t*)0x200000006b2c = 0x7f; *(uint16_t*)0x200000006b2e = 6; *(uint16_t*)0x200000006b30 = 8; memset((void*)0x200000006b32, 0, 2); *(uint32_t*)0x200000006b34 = 0x40; 
*(uint32_t*)0x200000006b38 = 0xffff; *(uint16_t*)0x200000006b3c = 0xa; *(uint16_t*)0x200000006b3e = 0xb04b; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0c0586d, /*arg=*/0x200000006a80ul); if (res != -1) { r[23] = *(uint32_t*)0x200000006a90; r[24] = *(uint32_t*)0x200000006ac8; } break; case 29: memcpy((void*)0x2000000016c0, "\x27\xfe\x2f\xfe\x47\x40\x4c\x4a\xc0\xa1\xec\xab\x30\xbb\xcb\x86\x4e\xad\x78\xfe\xd0\xc0\xe1\x75\xac\x99\x94\xf2\x2c\x05\xa4\x71\x88\x98\x8b\x3f\xf7\xcd\xde\xc1\xf6\xf3\x9e\x60\x61\x60\xf4\xf1\x99\xd3\x74\x5e\x26\xe2\x74\x8d\x68\xe3\x5a\x99\xf1\xbc\x4a\xc3\x20\x84\x63\x4f\x2c\x0b\xa5\xd1\xe0\x00\x0e\x2d\x5b\xee\x77\x7a\x2a\xb5\x09\xe7\xc9\x4c\x43\xf2\x97\xb8\x25\x93\x43\x78\xff\xa3\xbb\x79\x42\x25\x6f\xc5\x2a\x69\xe2\x38\x20\xcd\x52\x0e\x75\x59\xed\x9a\x31\xa9\x54\xdf\x95\x5d\xe5\xbc\x7c\x18\x55\xd9\x74\xb9\x5f\xf0\x0a\x84\xdc\x2d\x9a\xd6\x79\x64\x33\x44\x34\xd5\x28\xbc\xe5\x93\x48\x08\xb4\x8f\x8e\x25\x1a\x17\x9e\xb4\x7d\xee\x2a\x10\x8b\x50\x09\x2f\x55\x98\x16\x13\x6c\xff\xe9\xbd\x6e\x0a\x34\x00\x4e\x62\xd5\x0f\x73\xc1\x4b\x23\xce\x17\x51\x8f\x95\x4c\x4b\xc6\x1e\x61\x75\x75\x6c\x12\x04\xe2\xf2\x7c\x18\x2b\x9e\x3a\x7e\x3b\x82\x3d\xc2\xd2\x10\xe5\x23\x2c\x7a\xd0\xe8\xd8\xe0\x49\xf0\xe9\x20\x60\xb6\x20\x49\x9b\x0b\x8f\x4b\x4b\x97\x1d\x29\xa9\x7a\xe9\x4c\xe3\xce\xa6\xfb\x4e\x42\x96\xf7\x2e\x3d\xea\xbf\xf5\x62\xe7\x92\x43\x93\x3c\xfc\x53\x00\xe3\xc4\x1c\x6a\xb9\xc0\x55\x9a\xe2\x4b\x21\xce\x45\xbc\x69\xb7\xa1\xeb\x56\xc0\x8b\x82\x2b\xa1\x0f\xbc\xb0\xbd\x23\x8f\x6f\xcd\x60\xed\x24\x09\x2b\x3f\x47\xf1\x90\x0e\x3d\x33\x73\x37\x96\x49\xda\xa3\x95\x9b\xcb\x31\x9d\x7a\x74\xab\x3e\x62\xbb\x5f\xbd\xfa\x42\xf9\xd3\xb3\xe7\x34\x0e\xfd\x12\xd9\xdb\x73\x8b\x9a\x7a\x58\x1d\x91\x4f\x4d\xeb\x34\x00\x5a\xac\xae\xe8\x65\xdd\x59\x5a\xd5\xf0\x07\xc4\x8b\x51\x68\xe6\x99\xe5\x2d\xec\xc6\x66\x50\x9f\x0b\xac\x51\x6d\x5d\x8b\x1e\xcc\x1c\x99\xe6\x01\xb8\xf8\x5a\xf1\xc6\x76\x23\xfd\x2c\xff\x7b\x88\x38\x41\xae\xcd\xdf\x3a\x85\x23\x99\x80\xd3\xea\x2a\xe6\x37\x8d\x59
\xcc\x24\x2b\x2a\xbc\xda\x91\xe9\x18\x48\x7c\xfe\xa0\x37\x83\x90\x17\xee\xfb\xed\x85\xe0\xde\x24\x14\x8b\x3c\x67\xec\xad\xc8\xbb\xe5\x1f\xfd\xd0\x69\x6a\x55\xd8\xff\x21\x52\x31\x78\xa6\x82\x9e\xc4\xd3\xf2\x59\x77\x43\x3b\x85\xe9\x23\x8f\xe5\xd8\xb1\x43\x7c\x54\xa9\x33\x82\xfa\x15\x25\x49\xcf\xca\x4e\x47\x00\x70\x5f\x3c\xe5\xa2\x60\xa4\xb9\x43\xdd\x3e\x53\x2c\xc1\x96\xc8\x12\x95\x18\x22\x55\x66\xe9\x3e\x29\xa8\xc6\xf0\x2f\x05\x4a\x94\xee\x5f\xe2\x1e\x5a\xd5\xbf\x55\xdd\x7f\xde\x9a\xc6\x41\xf3\x47\xa9\x92\xe8\x19\x7f\xe5\xfc\x4b\x9c\x65\xef\x4d\x68\x79\x21\xdf\xf0\xf6\xcb\x82\xa3\xa9\x6f\x6d\xf1\xcf\xae\xdf\xfc\xed\x7c\xb0\x6b\x21\xde\x9b\x83\xcd\xe5\xf9\x6b\xda\xd6\xee\x4c\x61\x7b\x9d\xa7\x66\xcc\x44\x37\x12\xf8\x4e\xf7\xc3\x87\x08\x07\x0b\xd1\x9d\xb9\x0a\xbe\x25\x10\x09\xd9\xbb\xcc\xe7\xc4\x19\xbf\x7e\xfa\x7e\xa7\x00\x86\xa9\x5a\x27\xe7\x35\x9d\x3b\xcf\x81\x89\x9b\xb6\xb7\x56\x0c\x58\x22\x7d\xb9\x2b\xbe\x34\x2e\x60\x01\x9f\xf0\xcd\xbe\xec\x13\xbd\xb5\x6c\x5b\x5f\xdf\xdb\xce\x7e\x2f\x5a\x7d\x97\x1d\xbb\xc6\x4c\x59\xc5\x11\x1d\x0b\x45\x2a\xf5\x79\x80\xe2\x17\x85\xd5\xaf\x08\x84\x82\x2d\x12\xf4\x08\x1e\x83\x81\xd1\x6e\x0f\x41\x19\x36\x27\x4b\x90\x30\x21\x5c\x4b\x0b\x47\x07\x4d\xab\x09\xb9\xfa\x23\x22\xa8\x80\x50\xa6\x24\x48\xff\xb2\xbd\xbb\x9d\x6b\x87\x52\x1b\x3b\xfe\xb5\xde\x77\x36\xa4\xde\x11\xff\x4e\x56\xd4\x1a\xae\xd9\x00\x61\xe8\xf1\x3c\x37\x89\xa4\x4a\x63\xe7\x69\x02\xc4\xee\x9b\x6f\xc7\x35\xab\x8f\xf9\x52\x5a\xf0\xab\x52\x16\x7e\x04\xd3\x47\x96\x67\x85\x2b\x75\x5d\x00\x74\xcc\x95\x07\x80\x94\xdf\xe0\x39\x26\x00\x7f\xcf\x4b\x2b\x68\xe2\x62\xd1\x17\xdf\x6c\x91\x81\x27\xcd\x6a\x56\x42\xb8\x0c\x30\xbf\x91\x6a\x1e\x51\x52\x02\x29\xe1\xe0\xec\xe3\x5a\xc9\xb9\x09\xfd\x5f\xf9\x2b\x93\x0a\xa5\x5a\xe6\x0a\x2a\x7f\x52\x74\xe0\x47\xae\x70\xcd\x1d\x89\x4c\x3a\x93\x09\x4d\x5e\x88\xca\x4f\xf4\xa1\xf7\xa7\x4c\x25\x72\xc5\x91\xf2\x54\xec\x09\x46\xde\x4f\x96\x24\x83\x88\xb0\x6f\x7f\x0a\x7d\xaa\x49\x0f\x43\x59\x18\x4a\x76\xa5\x6a\x9b\xbc\xa5\x93\xc6\xf6\xfe\x47\x9c\x67\x5f\xb0\x2c
\x63\x54\x7d\x08\x04\x96\x3b\xbb\xfe\x5c\x66\x87\x69\xf3\xcf\x16\xbe\x9c\xd5\x11\x78\x03\x0d\x64\xcc\x2b\xb9\xd8\x26\x34\x39\x9d\xb8\x85\x9e\x48\x87\xc8\xce\xce\x4c\x85\x2f\x5c\xb7\x6c\xe7\x0a\x6c\x4e\xdd\x0e\x8a\x46\x5c\xbf\x78\x27\xb2\x1b\x55\x38\x57\x97\x71\xfb\x56\xb7\x99\x74\xaa\x36\x28\x85\x16\xbd\x08\xa9\x39\x49\x00\x16\x0f\x75\xd6\xbb\xe8\x9d\xe7\x0f\x8b\x5c\xea\xcc\x94\x19\xfc\x5a\x3d\x5e\xe5\xea\x78\x3d\x0c\xa8\x08\xa6\x24\x8c\x13\xad\x17\xc8\x73\xbc\x93\xe0\xe5\x0a\x39\x48\x7f\xb2\x5e\xc3\x23\x30\x70\xd7\x77\x6e\x7c\xe8\xba\x02\x2c\xcd\x8e\x2d\xb5\x64\x55\x94\xe0\xb2\xd8\x74\xed\xe7\x39\xf9\x3b\x61\x7f\xfe\xfa\xf3\xd8\x46\x8e\x66\xee\xcc\x85\x61\xfd\xb8\x1d\xd4\xfe\x7c\x77\x9d\xd9\x3c\xce\x31\x7a\x8f\x5c\xb8\x65\x51\xc2\x61\x66\xc7\x82\x4c\x87\x14\x0d\x96\x47\x50\x8c\xbb\xc1\x5c\x1d\x3b\x72\x08\x60\x91\x68\x90\x9e\x89\x0e\x9e\x9f\xd2\x67\x1d\x3a\x9a\x75\x27\xa7\x34\x47\x1f\x2c\x74\x80\x92\x6d\x8d\x18\xba\x6e\x24\xda\x6d\x6c\xee\x42\x2a\xeb\xfb\x14\xd1\xf1\x2a\x91\x5f\xfb\x73\x75\xcc\xb3\xec\xc9\x86\x3c\x45\x53\x4a\x97\xa9\x22\x43\x32\x17\xdd\xe2\x20\x35\x45\xaa\x98\x3e\x2a\x6c\x54\x65\x11\xd8\x62\x64\x28\xaa\xbe\x7c\xec\x1d\x0e\x81\x24\xde\x19\x83\xd5\xab\x1e\xd6\xe9\xde\xe8\x2f\x0d\xf4\x69\x9f\x4a\xb7\x07\x06\xc3\x4c\x75\x4d\x0c\xd8\xb6\xde\x54\x1c\xa8\xa7\x1d\x5f\x98\x25\xfc\x13\x15\x84\x80\xd5\x98\x0e\x64\x15\xcc\xa0\x5c\x57\x57\x89\x41\x69\x22\x3b\x43\xcc\x29\x63\x09\x18\x24\xcf\x95\x3f\xcf\x54\x53\x05\x58\xad\x5c\xe4\x22\xfc\xe9\x9f\x5f\x26\x50\xb7\xde\xc7\x02\xfe\x12\xbb\xb0\x8c\x28\x51\x9f\x08\xb6\x35\x4c\xf5\x8d\x01\xf0\x27\x23\x70\x70\xcb\x43\x8f\xe4\x80\x7b\x7b\x1f\x7e\xbc\x27\xf2\x74\xfd\x50\xef\x37\xad\x06\x0a\x7a\xdc\xdf\x65\x96\x2f\x8a\x52\xc0\x4b\x56\x9d\x7d\xb3\xd8\x6a\x0f\xeb\x6c\x78\xed\x1a\xdb\x36\x18\x66\xf7\xd5\x60\x65\x69\xd9\x10\xc6\x72\x7c\xdd\x76\xc6\xbb\x2a\x40\x5e\xd1\x2d\xfc\x2e\xdc\x81\x66\x67\x87\xf3\xa3\xa2\x39\xc6\x2f\x65\xd2\xd9\x8d\x8b\x07\xc5\x91\x13\x55\xa3\xa6\x20\x66\x46\xfe\x74\xc0\x75\xa6\x77\x80\x72\x87\x0f\xd6\x52
\xaa\x4d\xf9\xaa\x3b\x96\xf1\x45\xc3\xaf\xa7\x4f\x5a\xaa\x8d\x7f\xf0\x42\x7c\x93\x89\xdd\x54\x62\xaf\x0e\xb6\x82\x8f\x3a\xa5\x4c\x75\x2b\xb4\xc8\x9d\x18\x21\x07\x61\x72\xa9\x25\xf1\x46\xae\xf7\x89\xde\xb1\x4c\x6b\x6c\xb2\x87\x33\x88\xcb\xe0\xbe\x06\x28\x71\x04\x8c\x49\x67\x9d\x72\xc3\xf3\x25\xc7\x7e\xa3\x19\xed\x28\xfa\x27\x86\x10\x40\xf6\xbe\x5d\x4f\x32\xcf\x29\xca\xc1\x12\x43\xda\x04\x2b\xec\xf2\x12\x5d\x21\xe7\x35\x49\x3a\xc7\x69\x4a\xa9\x61\xee\x92\x44\x3f\xc5\x88\xc2\xad\xc0\xf9\x7a\xc7\xb5\xfa\xe1\x0d\x43\xdd\xb8\x1f\x31\x12\x85\x82\x18\x5b\x9a\xa1\x24\xfe\x6e\xd7\x80\xac\x95\x4f\x84\x42\x17\x67\xf9\x0f\x5c\x0b\x56\x94\x43\xd6\x3b\xea\xc0\x68\x4e\xd6\x8b\xc5\x03\x9a\x27\x56\x7b\xd2\x33\xb8\xf2\x67\x5e\x1a\xfa\x14\x0d\xf8\xe1\xe6\x4f\x0a\x90\xec\x55\x3b\x52\x17\x27\x39\xd0\xd6\xb3\x88\x49\x47\xf2\x66\x69\x29\xcb\x5d\xd7\x93\x19\x42\xc0\x6e\x9d\xf9\xec\x79\x17\xf1\xd9\x3a\x2f\x0f\xbe\x5c\xd0\xf5\x73\xc0\x10\x2f\xf0\x20\x5e\x4d\x59\xdd\xd6\x03\xdb\x5d\xa5\x66\x94\xbd\x92\x87\x3e\xe2\x1f\xe7\x78\x6a\x87\x42\x8b\xdf\x19\xa1\xa8\x7d\x72\xba\x69\x7f\xbe\x0e\xd9\x75\xdb\x5b\xb3\xa7\x05\x17\x7f\x3a\x13\x69\xe2\x9d\xec\x75\x81\xd4\x3a\xea\x38\x55\x94\x3f\xf4\xef\xa4\xd7\xaf\x36\x22\xc3\x19\xd7\x8b\x31\x08\x37\x88\xd2\x03\x10\x20\x82\x99\xca\x03\x47\xaf\xff\xe5\x4e\xca\xf1\xfb\xec\xe6\xe0\x93\x5a\xbc\x7a\xa8\xf8\x55\x3f\x99\x96\xff\x1d\x46\xb8\x8b\x78\xdf\x2f\xe2\x67\xf1\x69\x9f\x2e\xbf\x19\x25\xb8\xe5\x0c\xb4\x6c\x8a\x10\x3c\xfb\x55\x65\x10\x15\x5d\xdb\x84\x27\x6e\x1e\x0a\xef\x3f\x41\x1c\x7a\xf3\xd2\x05\x93\xb6\xfe\xc7\x00\x6a\xa7\xa4\xee\x33\x80\x2a\xad\x16\x89\x49\xda\xd9\xfa\x91\x18\x88\xd7\xf6\x1b\xf1\x6d\xb2\x26\x50\x03\x41\x6f\xb5\x76\xde\x44\xf8\x0b\x9c\x90\x1a\xce\x45\x4d\x2b\x04\xb3\x74\xf3\xdc\xfc\x38\xfd\xd6\xed\xcf\xab\x24\xd3\x67\xaf\xf3\xf6\xd8\x29\x8a\x41\x33\xd0\x81\x56\x3d\xe1\x36\x5b\xea\xff\x74\xda\x25\x2b\x24\x8f\xa6\x1d\x80\xe7\x2c\xbb\xd5\x85\x33\xe7\x51\x8d\xba\xe1\xa9\x25\xd9\x91\x2b\xfe\x70\xfb\xc6\x4b\x8c\x81\xce\x26\x25\x30\xbd\x11\xae\x83\xf3
\x66\xe3\x8c\x53\xbf\xd5\xa0\xda\xc9\x78\x5b\x92\x2b\xcd\xd1\xa3\xb6\x83\xf4\x3f\x8d\x48\x5d\xfc\xc6\xdd\x00\xb6\xcd\xde\xa0\x64\xf8\x46\xfb\x26\x93\xd4\x8f\xa9\x7b\x52\x63\xf5\x37\xea\xbf\x6c\x0e\x54\x9a\x78\xd2\xbc\xad\xb2\xe8\xfd\xb2\xb1\xb0\xf4\x7f\xd4\x9d\xc6\x1c\xa1\x05\x8b\xb8\x88\x2a\xa1\xca\x2e\xd3\x41\xfe\xb7\x37\xd5\xea\xae\x0e\xa0\x8f\x94\x5a\x04\xa3\x8b\x6e\x31\x37\xf9\x61\xa7\x56\x3a\xd1\x3c\xec\x30\x07\x2b\x91\x43\xe4\xf9\xc7\x82\x4e\x7c\xbd\xa2\xdf\x89\xb7\x4c\x14\x2d\xad\xaf\x5c\xa2\x4b\x6f\xe9\x09\xce\x3a\x1f\xf3\x7e\xe5\xa0\xb6\x61\xd3\x07\x39\xef\x0c\x37\x2c\xf7\xa1\xb4\xc6\xa0\xe5\x19\xb4\x8b\x40\xdc\x79\x4c\xd6\x13\x56\x75\x66\x09\xf6\x8d\xd5\x8f\x72\x4b\xdd\x86\xdb\x7f\x26\x49\xb9\x0e\x16\x35\x30\xca\x69\xf0\x69\x6a\xdd\xfc\xef\x84\xef\xc9\xf9\xe0\x4d\x9d\x6e\x18\xed\x17\xf7\x4f\xf8\x07\xe9\x2b\x0f\x33\x0f\xb6\xe0\x6e\x0e\x2f\x19\x3e\xa0\x3a\x18\x1c\x86\x73\x95\x0a\x19\xeb\xa2\x2f\xd6\xb1\xb5\x6e\xbb\x33\x6e\x02\x48\xc6\x4f\x93\x6c\xaf\xd3\x31\x1f\xd5\x0c\x50\xfc\x91\x61\x56\xbb\x28\x15\x6d\x15\xd7\xf4\xd5\xa7\x98\xd8\x62\x6a\xfc\x6b\xa7\xd2\x17\xd2\xc9\xf1\xa9\x8f\xed\xe6\x2b\x1b\xac\xfc\x31\x4d\xfa\x89\xe8\xcb\xb8\xc3\x7b\xd5\x26\xdd\x53\xed\xe8\x1b\x19\x53\xce\xf5\x17\x70\x3b\xab\xce\x44\x6e\x86\x3b\xf9\xd2\x46\xb0\x3b\x88\x50\x2c\x7f\xdb\xac\x4d\x87\xf1\xea\xad\x86\xed\x17\x0d\x71\x0d\x81\xea\xf3\x95\xae\xf6\x0d\xc1\x64\xd9\x11\x66\x01\xa5\xa5\x8c\x79\xa8\x92\x75\xc9\x5d\x28\x91\x2e\x87\x08\xfe\xe2\x47\x2e\x6b\x87\xd2\xe0\x77\xd3\x62\xc0\xba\x8f\x4b\xc6\xa5\xe3\x87\x45\xea\xe9\x10\x46\xbc\x61\xe6\xa0\x40\xcb\xfe\x38\x20\x4f\x17\xe6\x04\xf0\xe1\x40\x5e\x8e\xe0\x7d\x71\x41\xb6\x98\xbc\x2b\xe7\x69\x0a\x8f\x0b\xf3\x1d\x58\xae\x90\x6c\xb7\x0e\x4f\xe5\xfe\x03\x56\x31\xd7\x65\x33\xb7\xa7\xb0\x32\xe1\xb1\xee\xe2\x14\x28\x08\x4a\xfb\xcc\x93\x0a\x9f\x28\xe9\xf1\x7e\x26\x9a\x69\x97\xaf\x83\x8f\x95\xe2\xfb\x39\x5b\x54\x0a\x1d\x49\xf3\xd4\x29\x02\x74\xd2\xd3\x1f\x76\x08\x35\xff\x73\x51\xd2\x5b\x62\xe1\x35\xad\xf5\x9e\x01\x18\x87\x2d\x17\x84\x3d\x99\x15
\x4f\x46\x60\xfa\x8f\x48\xb6\xc4\x86\x8b\x1f\xbc\x6b\x84\xda\x61\xf9\x81\x23\x16\x7b\x06\x73\x70\xa5\x4f\xc6\xc5\xa6\x88\xe3\x1d\x42\x01\xac\x4c\x4d\x56\x46\xf9\xa4\xa4\xa8\x04\xa1\x75\x16\x7c\xf7\x9d\xda\x22\xf4\xd6\x86\x72\x81\xcb\x0b\x3e\x09\x99\xfa\xd7\xbf\x26\x51\x2d\x13\x14\x40\xa8\xf9\xec\x75\xfe\x9d\xf6\x80\x54\x78\x55\xd8\xc9\xb3\xb3\xf0\xd5\x14\x19\x7c\x2a\xf0\xd6\x72\x99\x13\x73\xb8\xd4\xac\x1d\xd5\x1e\x1f\x90\x74\x50\xd6\x21\x01\xb5\xe2\x61\x3e\xa2\x89\xc1\x94\xd0\x73\x5e\x1c\x5e\x16\x69\x09\xeb\x71\xee\x2a\x4e\xe5\xff\x99\x14\x0c\x0b\xec\xca\x26\x72\xfa\xf6\x94\x49\x38\xc6\x18\x09\xd8\xbf\x2f\xaa\x56\x1f\x9b\x56\xda\xb8\x5d\xed\x7e\xe7\x35\xd3\x00\xc8\xda\x84\xc5\x7f\x06\x7b\x2f\xe5\x09\x29\xca\xe1\x39\x87\x5a\xbb\xab\x08\x47\x42\xc9\x07\x06\xbc\x31\xfc\x4c\x68\x53\x88\x89\x71\x87\x69\xd1\xc6\xda\x0e\xe1\x82\x6e\xcd\xe1\xf6\x0e\xa6\x6c\xed\x44\xc2\x4f\xe2\x87\x5d\xcb\xc8\x7a\x35\x72\xaf\x96\x45\x5e\xdf\x31\xe0\x51\xe5\x42\x2a\x8e\x29\x10\xc7\xd9\x75\xdf\x64\x48\xda\x0c\x0f\x83\x3f\x61\xf7\x15\x05\x98\xfb\x47\xfa\xe9\x38\x35\x7a\x7b\x64\x5e\x40\x6d\xf9\xa4\xa3\x0c\xdd\x1c\xef\x6d\xdb\x26\x3c\x9f\x06\xb2\x68\x76\x7a\x9a\x0f\x92\xc4\xea\x13\x80\xe5\xe3\x6f\x5f\x2a\x3e\x90\xbf\x87\xd6\x81\x8c\x5a\xef\xc3\x43\x9c\x4f\x4d\xe2\xcf\xb4\xdb\x14\x57\x56\x84\x8b\x27\xb6\x18\xc2\x2f\xee\xa3\xf9\xf4\x60\x15\x57\xf5\x3c\x2a\xae\x71\xdb\xc0\xe9\x46\x82\x43\xf1\xbf\x3b\x08\x6b\x4d\xca\xb2\x73\x4d\x61\x28\xc5\x44\x15\x46\x90\x3d\x2f\xea\x40\xc7\xca\x48\x40\xac\x4b\x1b\x3e\xa8\x89\x7c\xf0\x37\x62\x3e\x42\x7f\xb1\xef\x9c\x0e\x7d\xeb\x9e\xba\x0f\x8e\x5a\x5b\x29\xd4\x22\x92\x3f\x2f\xc8\xc5\xdc\x13\x69\xfe\x52\x67\x09\x24\x7c\x27\x76\xf5\xb7\x68\x7c\xcf\x42\x0b\x0d\xc8\x44\x61\x10\x5c\x2a\x31\xcc\xe9\xde\xcc\xa3\x0b\x74\x6b\xfe\x43\x44\x0d\x49\xc4\x77\x5a\x2d\xfc\x88\xf0\x49\xe2\x3a\x30\xe2\xde\x2c\xe6\x34\x54\x9b\xbc\x0c\x26\x30\x97\xeb\xb8\x04\x4b\x4b\x9b\xb6\xf5\xf9\x5a\x4a\x49\x9a\x3d\xce\x9c\x11\xb9\x94\x87\xd9\x96\xeb\x57\xd6\x54\x09\x0b\x43\x6d\xfe\x0b\x94\x79\x6e\x93
\xfe\xae\x2b\x63\xd0\x13\x20\xaf\x73\x23\xa8\x00\x6b\xc7\x5f\x95\xa0\xc6\xce\x53\x69\x18\x02\xa0\x97\x10\x88\x81\xbd\xa6\x4a\x2c\xf8\xed\x8f\x67\x52\xe1\x98\x15\xe7\x1e\x2b\x85\x54\xfa\xc0\x30\x18\x75\x26\x21\x09\x33\x11\x51\x91\x5f\x6b\x19\x36\x2c\x2d\x82\xc3\x04\x74\x78\x52\x5a\x64\x9a\xe4\xc9\xa4\x1f\x75\x60\x83\xf1\x38\x15\x6f\x6e\xc4\xea\x04\xb4\x4f\x65\x2a\xb1\xe6\x6c\x5c\x63\x0e\x61\x30\x06\x2a\x26\x0b\xe5\x53\xf1\x0b\x8b\x70\x0e\x6c\x6b\x08\x9f\x0b\x09\xce\x11\x7c\xa7\x8d\x45\xae\xc4\x33\x97\x64\xdc\x2e\x39\xb5\xbb\x95\x56\x02\xd5\x73\x23\xe4\x0d\x49\xec\xf8\x98\x71\x84\xa1\x2d\x21\x99\x3c\x03\xb4\x58\xfc\xa9\x8c\x77\x30\x71\xc2\x24\x2d\x90\x59\x65\x99\x33\x6e\x1c\x69\xff\x55\x1a\xf3\xef\x27\xaa\xa7\x4c\x54\x7f\x23\x1a\x1e\xf6\x4a\x2f\xbe\x54\x98\xf5\xbf\xfd\x9e\x59\x7b\x8d\x87\x1a\x07\x3e\x82\xf1\x3f\x5b\xdf\x21\x89\xd3\x61\x64\x9d\xbe\x14\x4e\x7c\x2f\xb2\x6a\x51\x88\x84\xc4\xf2\x76\xaf\xa0\x44\x50\xb3\xb1\x26\x15\x11\xa1\x86\x15\x07\xe9\x4b\xe4\xb0\xc3\x01\xe6\x24\x71\xbb\x95\x33\x63\xe5\x4a\x80\xac\x90\xb2\x55\x1b\x01\x2d\x74\xa5\x62\x1e\x26\x5b\xf9\x12\x60\xa4\x67\xfe\x76\x06\xe7\x95\x92\x27\x2a\xa2\x08\xb1\x29\x35\xa8\x99\x1d\xfb\x81\x7a\x5c\xb0\x5a\xcb\xa7\x9d\xcc\xb9\x7d\x0a\x0f\x9e\xb5\x82\x5e\x16\xd1\x24\xa7\x72\x24\xc9\xa0\x9a\x53\x35\xf1\xce\xd7\x85\x63\x6a\xe3\x58\x15\x98\xaf\x5c\x28\xe5\x4e\xa8\xdc\xc4\xc7\x22\xe4\xa6\x58\xa3\x3f\xa7\xc4\x73\xf3\xb5\xe7\x4e\xd5\x62\x56\x80\xf0\x7c\x7d\x47\x29\x66\xab\x64\x6a\xc3\xac\x2d\x67\x46\x9c\x43\xdb\xab\x6b\x88\x67\x79\xde\xf7\x94\x17\x69\x8c\xfe\xd9\x47\x2f\xdc\xab\x0f\x80\x79\xf2\x21\x28\x54\x41\x88\x1e\xaa\xe4\xc2\x11\xa8\x14\xe6\xd4\xe6\xc2\x5d\x49\xa5\x70\x67\x38\xb0\x3b\x35\xc0\xd2\x84\xfc\xd6\x75\x50\x5b\x0a\xdc\x88\xd0\x43\x90\xf3\xa1\xb0\xc8\x27\x85\xba\x7b\xf0\x29\xaa\x46\x18\x71\x31\xdb\xdc\x36\xaa\xed\x98\x0b\x90\x88\x8e\x67\xe8\xa8\xbe\x7c\x1f\x7c\x5e\x3a\xd4\x44\x2e\x97\xaa\x77\xc7\xe1\xd2\x86\xc2\x9d\x8b\x76\x1e\xc9\x12\x50\x52\x9b\xff\xfc\x56\xce\x2d\x1f\x4e\x79\xcf\x74\x23\x7f\x02\x05\x0a
\xfb\x6e\x25\xd5\x43\x65\x45\xda\x66\x62\x29\x70\xe8\x9e\x4c\xb9\xe7\x7e\x0e\x9a\x66\x72\xfe\xb0\x33\x28\x56\x8d\x75\xd5\x14\x65\x77\x2b\x5e\x40\x8e\x40\xeb\xc9\x67\x6e\x7e\x5e\xe7\xab\x0c\xbf\xca\x5f\xf0\xc0\x23\xb3\x93\x52\x94\x64\x66\x8b\x77\x4a\xe1\xb5\xce\xf7\x6d\x67\xf1\xd7\x35\xb8\x72\x81\x55\x5b\x39\x6c\x78\x58\x70\x1c\x6d\x42\xb0\xf3\x65\xb2\x53\xe7\xbc\xcb\x64\xc2\xdc\x39\xbf\xed\x64\x59\x06\xae\x68\xbc\x5e\xbc\x3c\xda\x73\xf3\x86\xb4\xb9\x79\x53\xb3\xca\x6c\x73\x5f\x7c\x47\xe4\x76\x29\x25\xd3\x59\x94\x80\xe7\xc1\x76\x33\xe5\x27\x6a\xf7\x5a\x60\x33\x2b\xab\x2d\x8c\x03\x9e\x4f\x98\x0a\x7d\xe8\x12\x29\xbd\x17\x4f\x6e\x50\xe5\xde\x20\xd2\x0b\x51\x8c\x41\x8b\x6e\xb6\xa0\x6e\xe9\x37\x89\xfb\x6f\x4a\x6e\xcb\x8b\x01\x69\x1a\xd1\xeb\x2a\xe9\x51\xa4\x2f\x97\x6e\x01\x8a\xc4\xb5\x85\xbb\xc3\xf4\x2d\xa7\x9e\x55\xd1\xb7\xf2\x4e\x90\x9f\xce\xe2\x34\x36\xb7\x27\xdd\x9c\xe4\x7b\x41\xb3\xbc\xaa\x88\x37\x15\xd3\x16\xac\xdc\x55\xe0\xfc\xab\x97\xef\x90\xda\x85\x9a\x80\xeb\xeb\xc6\xdf\xd0\xaf\x95\x24\xe8\xa3\x6b\x3f\x71\xeb\xd7\x03\xb0\xaf\xcb\xd7\xac\xc6\xaa\x41\x36\x48\xad\x93\x5e\x70\x94\xa2\x93\xf1\xad\x65\x9b\xf5\x59\x51\x51\x1b\x8f\xea\xa0\x39\x0b\x98\x2c\x91\xb1\xa1\xbc\x04\xcb\x1e\x15\x8b\x13\x2e\x8f\xf2\xfe\x46\x66\x7f\x10\x31\x2a\x25\x46\x8f\x07\x32\x48\x10\xa9\x7d\xdf\xad\x6d\xf0\xd6\x1e\xe5\xdb\x19\x29\x58\x02\x27\xea\x26\x06\x82\xa8\x93\x7d\x03\x79\xbb\xcd\x79\x6a\xa1\x3f\xe9\x2f\x79\x3e\x95\x8d\x28\xd8\xe4\x56\x4b\xfd\xd4\x94\x4d\x7e\xba\xdd\xdd\x67\x33\x92\xc6\x77\x2d\x09\x61\xce\xbe\x60\xa3\xd9\xe9\xf9\x6e\x4a\x4c\xa0\x7e\x55\xd3\x1e\x9d\x94\x25\xe0\x01\x71\xab\xa0\x2f\x0a\xef\x4b\x8f\x5e\x43\xec\x62\x32\x7a\x95\x0f\xe2\x92\x42\x7d\x51\x34\x76\xc3\x18\x39\xa5\xd1\x1e\x03\xf7\x94\x9c\xb2\xd8\x34\x3e\xf4\xb9\x82\x68\x79\x71\x90\x34\x4a\x7a\x68\x91\xcd\xdd\xe2\x9f\xae\xf1\x33\x3f\x7f\xb7\x50\x69\xa7\x4e\x80\x6a\x41\x21\xad\xdf\x98\x68\x35\x28\x1f\x48\x68\xf1\x5c\x73\x43\xe1\x30\x7d\x23\x7b\xb5\x0a\x7e\xc6\x76\x4b\x9f\x43\x25\xb6\xe4\x13\x57\xed\xc3\x3d\x24\x7a\x58
\x3e\x28\x57\x35\xfa\xff\xc5\xbe\xbc\x40\x04\x76\xaf\x6c\x5c\xdd\x34\x91\x37\x47\x08\x60\xd1\x59\xa9\x76\xef\x3c\x47\x61\x28\x5e\xbb\x8c\x53\xa7\xef\x56\x9e\xe2\xe7\x10\xd4\x18\x19\xeb\x85\xcb\x3e\x38\xc6\xd6\xcc\xd0\x35\x87\xfb\x08\x28\xf6\x31\xc1\x99\x00\x15\x3a\x6f\x1e\xdb\x81\x2a\x58\xea\xd0\x41\xc6\x3a\x6a\xc6\x28\x38\x06\xd3\xcf\xb6\x9b\x65\x59\x1a\x82\x9b\xab\xa9\x7a\x36\x7c\x9b\x0f\x24\x97\xb4\x4f\x3c\xa8\x5a\x07\x31\xe5\x94\x2b\x57\xec\xf9\xc2\xde\xe0\x1e\xf7\xea\x53\x3f\x8b\xa3\x17\xf7\x4c\x30\xf4\x9b\xd6\x94\x89\x73\x53\x61\x09\x22\x92\x20\x55\x09\xc5\x74\x20\x06\x63\xf7\x71\xcf\x4d\x1d\x48\x4f\xe5\xa9\xc4\xcd\x3b\x0c\xc4\x32\xe9\x25\xb3\x02\xfa\xb0\x57\x4b\x53\x60\x6f\x27\x77\x56\x3d\x67\x94\xfb\x5f\xe4\x87\xd5\xce\x7b\x5b\xea\xb3\x99\xbf\x77\x27\xb6\x7e\xeb\xf9\xb9\xda\xcf\x5c\x56\x78\xec\x98\x21\xa3\x4d\xc0\x30\xd0\x36\xd0\x4d\x70\x25\xed\x5b\x17\x82\x96\x5c\xf2\x62\xbb\xa0\xb3\xde\x34\x97\x4d\x1e\x77\xa6\x3e\x9b\xb5\x2d\xc6\x59\xde\x69\x0e\x47\xb3\x5f\x4b\xbc\xa6\x6f\x8d\x5e\x0a\x27\x1a\x04\xa2\x89\x43\x5f\x5d\xc9\x01\x3c\x06\x52\x63\x3d\xcc\xe4\x10\x2f\xcb\xe4\x7f\xb4\xc5\xeb\x9a\x6e\xaf\xf5\x46\x3c\x73\xc1\x1e\x37\xe8\xdf\x9d\xab\x09\x32\x33\x49\x22\xfe\xd8\x0d\x5e\x3e\xd1\x25\xdd\xe3\x76\x4f\x48\xd4\x96\xf4\xf3\xb4\x9f\x03\x22\xa9\xb9\xb9\x68\xff\x75\xef\xed\xb3\x69\xb4\xb1\xc9\xaf\xc5\xd2\x7e\x68\xd7\x6d\x17\xc2\x16\xc4\xfe\xd8\x2d\xc2\x48\x7a\xab\xc6\x60\xbb\x55\xb2\xee\x17\xd6\x83\x65\xda\x84\x08\xc4\x5a\xf3\x87\x83\xac\x2b\xe5\x47\x72\xbb\xea\x41\xf5\x86\x84\x56\xee\x66\xa2\x7a\x36\xbe\x49\x9a\x5e\x5d\xd3\x39\x6f\x48\x05\xe2\x2a\x2c\xdc\x22\x90\x79\xc2\xa5\x3c\x92\x99\x55\x92\x69\xed\x1c\x51\x22\x13\x54\x4f\x2b\xf3\x31\x38\x8e\x1c\xb8\x5e\x55\x50\x91\x5f\x8f\x27\xa4\x7b\xa9\xfc\x9a\x50\xce\x01\xcd\x2b\x53\xb3\x7f\x35\x79\x66\xf1\xd0\x0b\xd3\x40\xe0\x50\xc9\xd8\x4f\x29\x14\xb8\xab\xd4\x29\x48\x26\xe7\x50\x0b\x0d\xca\xe9\xcd\x4d\x28\x4d\x17\x34\x56\x53\xcc\xb4\x69\xc5\xee\x3a\x31\x05\x8e\xae\x14\xfe\xd7\x55\x85\xcd\xe2\xfd\x71\xb8\x8e\xbf\x51\x73
\x59\x77\x4e\x90\x23\x46\x6e\xa5\xa4\x79\x56\xb8\x22\x56\x71\x79\x2d\xf4\x5b\x9f\x38\xb1\x0a\xb0\x3f\x9e\xde\x1d\xdb\x2e\x15\x7d\x61\xc0\x95\xd9\xb8\x2b\x97\x7c\xc0\x9d\x92\x97\x45\x56\x0f\xe8\x10\x65\x03\xff\x7d\xd2\x28\xdb\x22\xb2\x51\x77\x68\x97\xee\x15\xb1\x80\xb4\xb4\x63\x1f\x85\xec\xf6\xa6\x07\x4e\xfd\x2c\xdf\x40\xa4\x48\xda\xd6\x23\x31\xc2\x7e\xd8\xb3\x37\x7f\xde\x4b\x15\x33\x12\x6a\x4d\xc7\x08\xb7\x72\x02\xf6\xf8\xc0\x15\x96\x6e\xf7\x11\xc4\xc4\x96\xe9\x03\x4c\xf1\x5a\x33\xbc\x99\x8a\x43\x26\x5e\xdf\xe4\x36\x34\x2d\x7e\xb4\x97\x3b\xe8\xab\x0a\xe6\x71\x9a\x1a\xaa\x41\xe0\xd7\x6d\x95\x2b\x06\x80\x8d\xff\x02\xfd\x81\x60\x34\x29\xa3\x6f\xf7\x44\x0e\x0b\x21\x5d\x9e\xbc\x90\x8e\xfc\x14\x5b\x6e\x1b\x7f\xeb\x53\xbd\x5e\x17\x5c\x7d\x1a\x77\x64\xf9\x04\x07\x44\xb8\x1d\xb8\x6f\xd2\x2c\x0a\x38\xa2\xda\xf7\x44\x0b\xbf\xe8\x83\x50\x09\xd4\xae\xbb\xb1\x1a\x0e\x91\x48\xbc\x04\x95\x1f\xc0\x6e\xc1\xc2\xa2\x68\xa0\x5c\xc2\xcc\x76\x79\x1b\x82\x26\x9f\x96\x3d\x3d\x2f\x56\x4a\xe0\x37\x89\x60\x19\x40\xd5\x6f\x28\xe5\xab\x01\x52\xac\xf6\x63\xe4\x81\x19\x52\x09\xef\xc1\xa3\xa1\xb4\x72\x53\x6e\x0a\xcf\x9a\xe3\x83\xb5\x95\x1d\xfb\xb6\xbd\x4d\x1e\xb5\x55\x01\x02\xc3\xd7\xfa\x23\x65\xa3\x6f\xb7\xc5\x94\x9c\xc7\x27\xce\x57\x31\x1d\xec\x52\xa4\xc3\xb9\x1f\x0d\x5e\xc3\x67\x7c\x26\x5d\x58\x35\x53\x5f\x16\x00\x69\x85\xce\x84\x6e\xf1\x2a\x46\xcb\x86\x62\xcf\xf8\x5a\xf2\xff\xd4\xb3\xb3\x50\x85\x70\x5d\x45\xdf\x3e\x8c\x60\xee\x49\x63\x82\x3c\xea\x99\xdd\x55\xc0\xc3\x3d\xa9\xde\x35\x4f\x70\x9f\x2a\x45\x83\x56\x13\x25\xc4\xa5\x95\x4a\x34\xe2\xab\x32\x73\x8c\x2f\x3f\xbf\xb2\x78\x6a\xa5\x78\x28\xef\x30\x91\x12\x2e\x59\x32\x05\x8c\x12\xd5\x0d\x0e\x89\xee\x5d\xc1\xe3\xee\x41\x35\xd3\x8c\x0c\x98\x4d\xaf\x39\x47\x67\x02\x72\x71\x4d\xe8\x93\x57\x20\xc1\xf3\xd3\xdd\x9f\xc5\x75\x29\xa7\x50\x13\xd8\x59\x46\x48\x42\x33\xce\x69\x25\x77\x18\xd3\xcd\x66\x7c\xd0\x88\x6d\x1f\x3c\x25\x7c\xca\xc6\xb4\x8e\xe5\xcd\xc0\x3e\xb6\xc6\xaa\x2a\x78\xd6\x8e\x2a\x9c\x22\x53\x95\x44\x50\x91\x57\x62\xf3\xf2\xfa\xde\x0a\xc7\x85
\x93\xcc\x38\xe5\x5c\xef\x3b\xc0\xbf\xb9\x38\xeb\xd0\xa6\x1c\x73\x9c\x02\x4a\xdd\xaf\x44\x34\x06\xa7\xb6\x02\x63\x60\xa7\xfc\x87\xc2\x74\xa9\xbd\xcd\xb2\xeb\x5c\xf4\x70\xb5\x3f\x7f\xc1\xbd\x4e\xd0\x5c\xea\xa6\x65\x28\xce\xf7\x9e\x9d\xe7\x8d\xa4\x2b\x16\x7c\x82\xcf\x4d\xad\xca\x57\x07\xd0\xa1\x66\xb0\xf4\x1b\x7f\x7e\x34\x21\xa8\xf8\x8f\x6d\x88\xd2\x4c\xfd\x99\x81\xb5\x0b\x6c\x34\x2b\xb4\x9c\xce\x4b\x82\x3f\x3c\xfd\xb1\x7b\xba\x24\xfd\xb1\x60\x1b\xa0\x60\xa4\x79\x2c\x09\x09\xa7\xc7\xce\xbf\x0c\x33\xe8\xff\x27\xfb\x6e\x32\x7c\x88\x77\xfb\x31\xef\xd8\xbb\x0b\x9f\xca\x28\x29\xca\xc2\xc1\x43\xf4\xa5\xbd\x0a\xfb\xa4\x32\x45\x48\xaf\x32\xf0\x5f\x58\x1a\xe2\x64\xc9\xe2\x0d\x0f\x16\x04\xe1\x12\xc6\xe2\xbc\x51\x8b\x78\x09\x7c\x14\x5d\x87\x1a\x3c\x02\x87\x37\x1b\x0c\xf6\xbd\xcf\x17\x26\x63\x71\xc7\x46\x4d\x87\xa5\x5f\x52\xe0\x1e\x29\x78\x66\xd6\xd4\x98\x86\x8a\xc0\x16\x48\x24\x9c\x1e\xdd\x31\x45\x80\xbf\xc3\x58\x34\xb1\x5d\x10\x8d\xdb\xaf\x6c\xa3\x53\x6a\xa4\x31\x61\x01\x9c\x3a\xf0\xb3\x31\xd9\xd0\x71\xeb\x0a\x50\x44\x23\x55\xa2\xa2\xe1\x95\x47\x4e\x13\xb7\x97\x1d\x95\x6a\xd5\x4e\xd5\x90\xb4\x29\xd6\xa1\xec\x7e\x38\xd4\x1a\x27\x53\x6b\xbb\xfa\xda\xd1\xb3\x5f\xc8\xf8\x27\xa9\x2e\x0b\xaf\xfa\xbb\x81\x18\x16\xcf\xb4\xcd\xac\x4b\x98\xc5\xf6\xf7\x1c\xdc\xf3\x06\x49\x53\x6f\x78\x00\xeb\x6b\x7c\xee\x22\x2d\x64\x16\x5e\x0c\xa9\x50\x46\x93\xb6\xd8\x45\x9b\xc3\x27\xe5\xda\x2e\x6f\x38\xa4\xee\x24\x72\xca\x5e\x6c\xaa\x08\x11\xd0\x42\xf8\xfb\x32\xa9\x9b\xd3\x61\x01\xcf\x19\xac\xce\xee\xd7\x3b\x44\xe3\xde\xb2\x23\xcf\x28\x2e\xcd\x4c\x43\x9f\x55\xf5\xc2\x74\xe2\xc7\x56\xc6\x7c\x23\xc0\x0e\xf7\xbf\xfa\x4b\x60\x12\xa1\x33\x4d\x0c\x97\xf8\x16\xa6\x12\x3c\xbc\xb7\x7a\xce\x8e\x7b\xe0\x51\x52\x69\x24\x86\x22\x02\x8b\x7a\x9c\x0e\x49\xf1\xc8\xdd\xe8\x66\xd3\xbb\x0c\x53\xdb\x9c\x67\xb1\x0b\x20\xd4\xbb\x26\x3f\x2c\x5a\x01\x85\xba\xcc\xfa\x7b\x8f\xe8\x25\x65\x70\x78\xfa\xba\xb0\x03\xb9\x31\x8a\x84\xf7\x65\xda\xaf\xc3\x7f\x49\x6e\xfb\xbc\xe9\xfa\x5d\x2c\x1f\x0a\x4b\x2a\xd0\xcf\x92\x69\x61\x84\x40\x71\x3b
\xc3\xd9\x29\x85\xff\xbd\x6c\xc1\x9a\xfc\x86\x70\x30\x44\x37\x0e\xab\xc4\xde\x11\xf3\xbc\xbf\xb2\x21\xdd\xdc\x51\xbb\xa3\x52\xdc\x28\xfd\x49\xc0\x84\x04\x7f\xb0\xed\x8b\x97\x42\xa9\x6e\x53\xef\x4c\xcb\x94\xce\x4c\xad\x74\x6e\x9c\xae\xee\xc8\x43\xf7\x2b\x77\x9c\xc5\x8d\x25\xfe\x93\x1c\x1a\xf8\xa7\x95\xe1\x95\x68\x5c\x92\x18\x58\x03\xad\xbe\xc6\x06\x6c\xdd\xd8\x7e\x0b\x9a\x53\x80\xaf\xcd\x80\x79\x8f\x58\x08\x59\xea\xb3\x17\xcb\x27\x83\x11\x2a\xf7\xb3\x62\xa5\x9a\xe7\xa8\x24\x74\x94\x40\xe6\x66\x61\xb7\x88\xb8\x56\x05\x49\xa0\xb1\x35\x0d\xfb\x7a\x5e\x88\x92\x8d\x55\x8c\xbc\x8a\x26\xa0\xd7\x4e\x67\x63\x4e\xe9\xec\x1c\x1c\xa0\x8a\xfc\x5b\xeb\x43\xda\x65\xf4\xae\x0a\xc7\xeb\x25\x74\x42\xc9\x99\x0e\xdc\xf9\x3b\x1d\xad\xfe\xa9\x0b\xc2\x92\xbb\xf1\xd8\x23\xc6\x1e\xe9\x69\x24\x9f\x67\xbe\x07\xd7\x0d\xf8\xaf\xc7\xc3\xe5\xbf\x14\x5f\x28\xa2\xd0\x6c\x88\x0e\xff\x9a\x18\x11\x27\xc1\x34\x60\xa0\x6b\x36\x64\xa9\x4c\x88\x8b\x07\xaf\x77\xe8\x4d\x60\xde\xab\x76\x42\x28\xff\xea\x21\x63\x3f\x02\x04\xa5\xd7\xec\x4a\x0b\x30\x3f\xb0\x8f\xb7\x67\x28\xc4\x3d\x90\x73\x80\x01\x83\xc8\xb9\x9e\x22\xd6\x05\xa5\xe6\x39\x9c\x04\x9f\x7f\x88\x7c\xb9\xd7\xfb\xa9\x4d\xb3\x23\x08\x4b\xf9\x4d\xf5\x44\xf6\xce\x2d\xd4\x9a\x21\xd2\xca\xb5\x4d\xf0\x43\x97\x48\x2a\x64\xd2\x90\x0b\xb4\x0f\xa8\x7f\x42\xec\x75\xd6\x8b\xab\x17\x71\x4a\x93\x4b\xcd\xf3\x6f\x87\x07\x4f\x60\x28\xf9\xd6\x1a\x00\xad\xff\xc0\x6d\x62\x4b\xc6\x42\x97\x05\x96\x82\xcc\x8a\xdc\x7e\x2f\xb2\x10\xbd\x22\xfb\xd4\xad\x3d\x35\x15\xf7\x1b\x93\x31\x26\x75\x9e\xc4\xc0\x01\xed\x5c\xdb\xac\xe7\xcc\xe4\x31\x9b\x7a\xb5\x0f\xfc\x8f\x2f\x8f\x1b\xb8\x1a\xc0\x7f\x81\xdf\xff\x33\x54\x50\xac\xf0\x8e\x13\x91\x2d\x3c\x5f\x3a\xa1\x25\x81\x81\x1e\xbd\xb4\x41\x6e\xad\xa2\x59\x65\x1c\x07\x0b\x06\xea\x7e\x18\xa8\xf0\xc4\x00\x57\x5a\x0e\x7f\xdc\x4c\x88\x64\x5d\x35\xc2\xd3\x6a\x8c\xe6\xa2\x97\x2f\x35\x5d\x1a\x5d\x83\x2c\xd7\xef\x2c\x61\x1f\xd1\x10\x59\xda\x39\x0e\xc8\xc8\x74\x91\xd4\x96\x4f\xa4\x0b\x80\x83\x90\x57\x36\x2e\x67\x64\x55\xc7\x17\x2a\x23\x15\x4e\xfe\xba\x6f
\xc9\xab\x4c\x15\xa7\x37\xe2\x99\xc1\xf1\x4d\xaa\x8f\x34\x97\xe3\x37\x0a\x52\x3e\xc1\x5c\x52\xba\xd9\x87\x10\x90\x03\xf8\xdc\xee\x4a\xc6\xc9\x0b\x0f\x8e\x4b\x74\x91\x97\x87\x88\xa9\xc1\xb2\x3a\x14\x39\x6b\x50\x8a\xa9\x51\x75\xfe\x3b\xd6\xa8\xb4\xa9\xc2\x17\xf4\xc9\x84\x2c\x1c\x33\x9d\x4d\x95\xdb\x83\xce\x6e\x7e\x7a\xc8\x8e\xae\x04\x13\x96\x10\x55\x22\x0b\x65\x69\x3d\x49\xa2\xf6\x96\xf6\x41\x42\x19\x25\xb4\x2f\x77\xb0\xf9\x43\x12\x39\x52\x7f\xd6\xd8\x6d\x6f\x9a\xbd\xf3\xd2\x7c\x0a\x79\xa6\xb0\x5a\x61\xdd\x7d\x99\x3d\xe2\xd4\xee\x99\x73\xb7\x78\xff\x19\x5d\x12\x40\xdb\x18\x36\xa5\x25\x8b\x4f\x57\x44\x97\xca\x2f\x9b\x34\x97\x78\x00\xe7\x28\x29\x7d\x98\x3e\x1e\x58\x5f\xaf\x45\x38\x1b\x47\x6d\x25\x31\xe8\x6c\xc6\xe8\x35\xa9\x72\xc3\xa5\xbb\xcc\xba\x7d\x85\x2e\xdc\x83\xbb\xad\x4c\x85\x20\x64\x00\x70\x87\xbb\xd3\x6b\xf8\xa8\x00\xf9\x1e\xea\x0a\x72\xd9\xa7\x5f\x5d\xb3\x5b\x10\x98\x68\x6d\x51\x34\x0a\x17\x2c\x70\x1b\xc4\x7b\x14\x0c\xe5\x2e\xf4\x75\x02\xd0\x07\x1e\x54\x55\x97\x97\x5a\x55\xca\x1e\x91\x21\x76\x45\xe3\xcf\xeb\xf4\xa6\x20\x1a\x84\x81\xf6\x51\x13\x86\x0f\x59\x28\x63\xaf\x1d\xd4\x73\x38\x3b\x1b\x79\xab\x32\xcf\xcd\x46\xe6\xac\xe2\x95\x8d\x42\xcc\xe5\xf9\xb2\x34\x76\x81\xf7\x70\x7a\xb4\xa3\x5f\x9a\xf5\x21\xd4\xc1\xba\xd7\x51\x30\x33\xa5\xf7\xaf\x2b\x7a\x2d\x3a\x49\x14\xd3\x84\x62\xb1\x6b\x85\xd6\x9f\xa6\x0c\x0c\x5e\xf5\x4b\xa2\xfb\x78\xfb\x15\x6a\x94\x7c\xf8\x0b\x1d\xac\xcd\x58\x9f\xdd\x07\x91\xb3\xa9\xeb\x83\x5b\x61\x53\x4a\x16\xf8\xf4\xb1\xca\xbb\xd3\x86\xb4\xc2\x1b\xa9\x7d\xe9\x16\xd2\xcf\x48\xb7\x20\x8c\x1b\xda\x77\xec\xf8\x16\x77\xcb\xce\x25\x58\x2c\xca\xb9\xa6\x5a\x2b\x73\xdd\x34\xb0\x02\xc2\x34\x94\x8a\x42\xb5\x66\x4d\x56\xd8\x24\x42\x9a\x78\xb6\x97\x03\x67\xec\x17\x0d\x1b\x11\x0b\x22\x23\x17\x58\x72\xbd\xc8\x66\x31\x8d\xe0\x66\xfe\xa5\x60\x15\x1d\x88\x25\xde\xe8\x2d\x34\x4b\x81\x6f\xb5\x5a\xaa\x52\x4e\x86\x08\x62\xac\x0c\x36\xcb\x6b\x6e\x81\xf4\x12\x3d\xa5\x9c\xb3\xef\xfe\x29\xce\x76\x98\xe2\xaa\x0c\x60\x36\x82\x0c\x45\x7f\x40\x42\x33\xe3\x22\x61\x31\x9a\x46
\xbc\x8b\xd3\xde\x3c\x94\x8d\xc5\x2e\x27\xca\x52\x7d\xf7\xad\x68\xe6\xc4\xd4\xba\x8f\x6b\x43\x13\xa2\x94\x02\x98\x10\x59\xa1\x48\x79\x7f\xa0\x88\x02\x57\xfe\x04\x27\x01\x19\x28\xaf\x75\x2f\x81\xb8\x18\x68\x02\x10\x8f\x05\x90\x19\x50\x39\xc8\x38\x25\x72\x02\x42\x14\x10\xb8\xa3\x59\xe6\x9d\xdc\xd4\x74\x70\xf4\xd0\x5a\xe2\x89\x83\x4b\xe3\x04\xca\xf4\x9b\xbb\xac\xfd\xbe\x92\x7f\x42\x3b\xe9\xb8\x78\x82\xb0\xfa\xb4\xf5\x0b\xc7\xcd\xbf\xf6\xef\x10\x1f\x33\xf7\x03\x55\x6d\x45\xb6\xac\xe1\x64\x3c\xd7\xe7\x5a\xcf\x74\x06\x3e\x3e\x34\xe9\x63\xdb\x19\xf0\xd1\x9f\x14\x82\x9c\x91\xc4\x50\x66\x1d\x0e\x80\x9d\x5b\x79\x09\x69\x5b\xa1\x54\x46\xc8\x76\xa1\x67\xec\xca\x09\xfc\x00\xe1\x73\x7c\xbd\x4e\xf4\xf7\x0a\x50\xe3\xa0\x0f\xc9\x6f\x0e\x10\x23\xe5\xc8\x1e\x67\xd2\x47\xae\x0e\xc7\xec\x26\x72\x52\x80\x4a\x65\xb3\x01\xb9\x1a\x59\x9b\x8c\xe3\x7d\x95\xa9\x3d\xd9\xa9\x11\xdf\xb3\x95\xf3\x61\x92\x4e\x82\xea\x28\x1e\xfd\x7a\x2e\x01\x5a\xad\xaf\x64\x85\xfc\xea\xee\x0a\xb9\x05\xe1\x39\x6c\x12\x56\x03\xaf\xf4\xca\x16\x5f\x74\x9c\x23\x31\x02\x50\xf8\x00\xb2\xa8\x79\x17\xb9\x42\x1b\x0b\x4c\xde\xc9\xd8\x64\x14\xeb\x82\x23\x74\xb0\xd4\x32\x53\x58\xb2\xbf\x43\xe0\xe3\x12\x58\x88\x79\x76\x5c\x25\xc0\x98\xd1\x71\x86\x53\xbe\xa5\x27\x68\xdd\x7f\x10\x0f\xbd\x2b\x6a\xfc\xcf\x02\x13\x46\x9a\x7f\xa2\x5b\x5f\x77\xc6\xb5\x6c\xa0\x9d\xf8\x86\xa1\x6e\xd2\x4f\x51\xe2\x1d\x07\x8f\x25\xc4\x88\x87\xda\x12\xde\xa5\x7c\x8f\x48\x25\xf2\x7a\xe3\xd9\x16\x01\x96\xeb\x6b\xe0\x9f\x7b\xe8\xb2\x39\xa0\x5d\xbf\x6a\xae\xca\x96\x37\x09\x0d\x1e\x6f\x76\xeb\x93\x69\x27\x4c\x3a\xad\xa3\x36\x24\x3b\x8b\x9c\x59\xc3\xf9\xc9\x1a\xb4\x3f\xc9\x27\x3b\xb5\xbf\x2b\x59\xde\x8f\xbc\x50\x6c\x94\x36\x56\x5e\x4c\x9b\xa2\x96\x50\xb3\x78\x4d\x87\xf3\x37\xa4\xa4\xb5\x28\xca\x2a\x28\x0c\xed\xc3\x69\xb0\x09\x0c\x3f\x69\xc7\x60\x4a\x6d\xf3\x1f\xba\x78\x1c\x07\xd5\x8d\xba\xdd\x7c\x85\xa6\x26\xf8\x85\xf0\x9a\x91\x22\x4e\x79\xbd\x68\x79\x3f\x16\x7e\xbd\x8d\xa1\x0e\x5d\xa7\x8c\xfa\x7e\xbf\x10\xa8\xf2\xc9\x00\x3f\xb1\xcd\xd8\x7e\x46\x98\x61\xf3\xed\x23
\xd2\x5b\xcb\x14\x53\x0a\x8f\xf8\xd9\x1e\x9e\x0c\x7c\x39\x76\xc3\xaf\xc7\xbd\x50\x05\xcc\xef\x59\xfa\xec\x52\xba\x35\x69\x3d\x0f\x0d\xce\xba\x84\x3a\xdd\x5a\x74\x7e\x0a\xa7\x2f\x09\xf2\xf4\x52\x81\xc9\xd4\xc6\xf1\xbb\x78\x37\x9a\xec\x78\x2c\x64\x81\x0d\xe3\x23\xc8\xab\xac\xc9\xfb\x7e\x7d\xbc\x1e\x29\x13\xa8\x5d\xf0\xbd\xb6\xac\x70\x1a\x68\x26\x9e\x79\xab\x28\x45\x8c\x02\x91\xe1\x84\x0b\x34\xac\xe2\xd0\xdc\xa9\x02\x9f\x6d\x95\x0e\x6e\xf1\xe5\xcb\xb9\x52\x4d\xb5\x01\xdc\x30\x22\x73\x3c\xb1\x0b\xb7\x4e\x9e\x69\x82\x45\xa9\x8d\xff\xe2\x37\x8c\x42\x54\x81\x19\xdd\x60\xf2\xb0\x21\x95\x3b\x30\x0f\x38\x97\x26\x61\xc3\xeb\xdf\x64\xa3\xaf\xb3\xc6\x29\xcc\xa5\xec\x93\x8c\x31\xee\x8c\xb6\x82\xdd\x38\xf3\x58\x18\x12\xf7\xba\x64\x31\xc1\x60\x65\x90\x39\xe7\xcf\xe7\x85\x9b\x1a\xa8\x13\x08\x33\xf1\xf6\x37\x24\xf8\x63\xb3\xe2\xa1\x8f\x9e\xbd\x1e\xa6\x14\xd3\x0d\x28\xbd\x4f\x5b\x8c\x26\x17\xbe\xcd\x8a\x4d\x8b\x3a\x9b\x42\xb8\x5d\x8e\x80\xc8\xfa\xf7\xd9\xcf\x56\x37\xdd\x98\x82\x6a\x10\xb6\x92\x40\x29\x33\xd2\xae\x0e\xa9\x08\xff\x5d\x6c\x22\xfc\x33\x5b\xe0\x06\x14\xa0\xf5\xe7\x00\x4e\xbe\xf7\x1f\xd2\x3d\x3f\x90\x11\x59\x84\xf0\xe4\x6e\x82\xac\x8b\x03\xe5\xd2\xbf\xea\xa2\x19\x23\x33\xc1\xa0\xa9\xfb\x19\xa7\x5b\xdc\x8f\x90\x58\x33\x6e\x86\xf3\xf7\xb3\x0f\x0b\xed\x24\xc4\xb2\x30\xcd\xfc\x92\xa9\x88\x5b\xe5\x1c\x0b\x85\x1c\xd7\xa0\x4a\x62\xfb\x3c\xe4\x7e\x76\x5a\x11\x4e\xf7\x68\x6b\xc7\xd8\x2e\xf5\xe1\xca\x02\x14\xb9\x5b\x64\xe5\x7f\x85\x12\x15\xce\x5a\x47\xdd\xfb\x91\x93\x2c\x85\x4c\x65\x25\xeb\xe7\xf6\xe1\x68\x45\xfa\x22\x5a\x74\x09\x3f\x6a\x26\x80\x08\x5a\x8f\xef\x66\x54\x1f\xc3\x64\x3f\xc8\x14\xc5\xa8\x06\x41\x5f\x70\x68\x8a\x4b\xe7\x7b\xea\xf7\x5d\x71\x02\x6e\x4d\xff\x38\x00\x12\x4b\xde\xc0\xe0\x65\x46\x3e\xdc\x69\x64\x1f\x67\xc7\xc4\x2b\x8e\x02\x5f\x81\x40\x6f\xd4\x89\x6d\x5d\xb8\xe1\x9f\xec\x09\x98\x09\xad\x50\xa9\x8a\x83\xb3\xca\xa8\xfd\x87\x31\x05\x14\xf4\xa7\xaf\xd9\xa9\x70\xc4\x56\x23\x1d\x91\x6b\x26\xd5\xc6\x2b\xc4\x83\x4a\xf9\xbc\x27\x77\xa7\xc7\xd3\xbb\xf5\xf2\xc6\xd8\x28\x93
\x5f\x3b\x82\x77\x43\xc0\x92\x22\x32\x8e\x8e\x82\x91\xbb\x28\x3e\xba\x7d\x4b\xc8\x97\x87\x7f\x6e\x50\xa5\xfa\xbc\x77\xab\xf3\x15\x34\xd7\x00\x96\x2e\xde\xcb\x1d\xf4\xee\x12\x28\xa7\x29\xdf\x7d\xa8\x57\x71\xa3\xf1\xe3\x04\x29\xfa\xc9\x93\xd9\x73\x8d\x9d\x67\x28\xbf\x49\x2b\x47\x91\x43\x8c\x3c\xf6\xd5\x9a\xf8\x09\x97\x4a\xec\x44\x80\x98\xc2\x6c\xb3\x79\x1e\x43\x72\x40\x76\xef\x5c\xa9\xc7\x0c\xb3\xf5\x8a\xcc\xb5\x39\x94\x37\x86\xce\x98\xb0\x92\xc9\x65\xa1\x47\xd1\x87\x0a\xd4\x54\x68\x6b\xa5\x79\xc9\xd1\x0a\x61\x31\xd4\xd9\x80\xff\x68\x89\x8f\xb1\x1a\x0a\x9f\x61\xe6\x0a\x86\x42\x7f\x60\x66\x00\x88\x98\x4e\xed\x16\xac\xf6\xd3\x14\x30\x18\x3b\x81\x91\x2a\xdc\xde\x80\x84\x45\x71\x22\xec\xdd\x70\x54\xcf\x3d\xdd\xee\x25\xa9\x75\xfb\x24\x48\xe7\x1a\x27\xae\xdf\x68\x68\x5e\x9e\x8b\xf6\x07\x05\x6d\x68\xd7\x20\x60\x75\x99\xcb\x49\x97\xa1\xd5\x91\xa1\xcc\x17\x4e\xdd\xc6\x6f\x39\x16\x0a\x2e\x55\xee\xe6\xc8\x2b\x21\x8c\x5b\x96\x3a\x02\x68\x11\x7f\xcc\xda\x93\x14\xd7\xde\x3b\x1b\xfd\xf1\xde\x33\x83\x10\x41\x8d\xbb\x11\xf7\x3b\xfc\x1a\x70\x5a\x7f\x12\x56\x0c\x6a\x83\x6e\xbc\x1c\x92\x7d\x14\x27\xeb\x6d\x71\x04\xf9\x42\x70\x5a\x25\xe7\xa7\x94\x88\x76\x8c\x70\x7c\xdd\xb0\x59\xd0\x6f\x4f\x55\xd6\x41\x14\x65\x8b\xb3\x27\x07\x2a\x0f\x24\x8f\x91\x91\xae\xbf\x83\x8c\xcf\x46\x4e\x3d\xb3\x8b\xd0\x15\xc1\xfe\x7e\x0a\x1c\xe8\xc8\x54\xe0\x64\xad\x28\xdf\x20\x85\x4e\xca\xf4\x42\x88\x1d\x5b\x92\x2d\xb3\x32\x7a\x73\xa8\x00\x7f\x84\xaa\xcb\x94\x1b\xc1\x23\x27\x42\xd0\xad\x98\xeb\x8f\x05\xa8\x12\xc7\x95\x7f\xb4\xb6\x88\x52\x2e\xa6\xa1\xd5\xef\x22\xda\xbf\x25\x37\xb5\xf6\x8d\x81\xe0\x6b\x51\x78\x39\xb4\x74\x23\x85\x64\x96\x79\x29\xfa\x82\x31\xeb\x8e\xaa\x9b\xf7\x95\x54\x91\x79\x39\x33\x6f\x71\xed\xad\x5c\x01\x1d\xe4\xa9\x88\x7c\x9d\x8b\xfe\x58\x8c\x17\x47\xb4\x7e\xca\xe6\x41\xae\x07\x6a\x53\xcb\x66\x1d\x34\x46\x59\xed\x82\xa4\xf1\x06\x12\xea\x2e\xe0\x0a\x44\x4d\xe7\xe4\xb1\xa0\xc5\x61\x4d\x4a\x63\x69\xb4\x8c\xfa\xe5\x31\x6e\x83\x89\xcb\x72\x0a\x11\x11\x71\x38\x3a\x78\x79\x80\x31\xaf\x5e\x49\x76\xb8\x91
\x75\xac\x1e\xfa\x79\xca\x7d\xd7\x28\xd2\x1c\xf2\x85\x3f\x69\x87\x03\x79\xdc\xd6\x91\xf4\x12\xb0\xda\xbb\x49\xf7\x4d\x48\xf9\x31\x3b\xe4\x58\x95\xe8\xd4\xe7\x8e\x23\xe3\x57\xa9\xa2\x29\x4b\xef\xb1\x73\xce\xcc\xdd\xb7\xde\xc8\x47\x81\x92\x0e\x95\x1e\xcc\x86\x3b\xdc\x84\x3a\xf7\x53\x5e\x72\x1a\x7a\x7f\x5b\xd6\xe0\xd3\x7f\xe9\xe5\xb5\xaf\x3f\x2a\xaa\x62\x96\x71\x12\xc0\xfe\x84\x8d\x3c\x38\xa6\x46\xde\xd7\xde\xba\x1a\xb9\x8d\x40\x88\x1b\xa2\xfc\x91\x8a\x86\x64\xbb\xab\xea\x14\xbe\x6f\x5b\xb9\x2e\x25\x4c\x47\x1b\x32\x4a\x02\x6c\x66\x1d\xe4\xb9\x7b\xa0\xae\x1f\x67\x06\x3f\x41\xa5\x61\x9d\xa8\xa4\x9a\x7a\xd6\xcf\x81\x53\x97\x7a\x4c\x63\x17\x1b\xba\x20\x88\x4b\x73\x44\xc4\x05\xd6\x1b\x9c\xe3\xce\x90\xdd\x0b\x6d\x86\xbe\x27\xc0\x28\xa2\xa4\x8f\xe0\x40\xd6\xf9\xd2\xf5\xdc\x24\x66\xcb\x9f\x74\x5e\x5a\x98\xe5\x26\x64\x98\xb1\x4d\x16\xe3\xfc\xee\x12\x02\x6c\x0f\x46\xb7\xfd\x1d\x30\x07\x65\x05\xcd\x64\xc1\xd6\x0c\x5c\xac\x8c\xb4\x00\xea\x6b\x75\x22\xc1\x65\xb0\x09\x4f\xf0\xff\x65\x6d\x08\x16\x73\x05\x6b\x73\xee\xe3\xef\xcb\xfb\xa2\x60\xff\x87\xe4\x30\x4c\x8e\xb1\x4a\xea\xdf\xda\xa0\x95\x70\xf6\x30\x64\x6c", 8192); *(uint64_t*)0x200000006c80 = 0x2000000036c0; *(uint32_t*)0x2000000036c0 = 0x50; *(uint32_t*)0x2000000036c4 = 0; *(uint64_t*)0x2000000036c8 = 8; *(uint32_t*)0x2000000036d0 = 7; *(uint32_t*)0x2000000036d4 = 0x2d; *(uint32_t*)0x2000000036d8 = 7; *(uint32_t*)0x2000000036dc = 0x8000008; *(uint16_t*)0x2000000036e0 = 7; *(uint16_t*)0x2000000036e2 = 0xfc00; *(uint32_t*)0x2000000036e4 = 0x3ff; *(uint32_t*)0x2000000036e8 = 0x59; *(uint16_t*)0x2000000036ec = 0; *(uint16_t*)0x2000000036ee = 0; *(uint32_t*)0x2000000036f0 = 0xe0; *(uint32_t*)0x2000000036f4 = 0x10000; memset((void*)0x2000000036f8, 0, 24); *(uint64_t*)0x200000006c88 = 0x200000003740; *(uint32_t*)0x200000003740 = 0x18; *(uint32_t*)0x200000003744 = 0; *(uint64_t*)0x200000003748 = 6; *(uint64_t*)0x200000003750 = 0x80000001; *(uint64_t*)0x200000006c90 = 0x200000003780; *(uint32_t*)0x200000003780 = 0x18; 
*(uint32_t*)0x200000003784 = 0; *(uint64_t*)0x200000003788 = 4; *(uint64_t*)0x200000003790 = 2; *(uint64_t*)0x200000006c98 = 0x2000000037c0; *(uint32_t*)0x2000000037c0 = 0x18; *(uint32_t*)0x2000000037c4 = 0xffffffda; *(uint64_t*)0x2000000037c8 = 0x37; *(uint32_t*)0x2000000037d0 = 0; *(uint32_t*)0x2000000037d4 = 0; *(uint64_t*)0x200000006ca0 = 0x200000003800; *(uint32_t*)0x200000003800 = 0x18; *(uint32_t*)0x200000003804 = 0; *(uint64_t*)0x200000003808 = 1; *(uint32_t*)0x200000003810 = 0xff; *(uint32_t*)0x200000003814 = 0; *(uint64_t*)0x200000006ca8 = 0x200000003840; *(uint32_t*)0x200000003840 = 0x28; *(uint32_t*)0x200000003844 = 0x26; *(uint64_t*)0x200000003848 = 0x7fffffffffffffff; *(uint64_t*)0x200000003850 = 0x7a; *(uint64_t*)0x200000003858 = 8; *(uint32_t*)0x200000003860 = 0; *(uint32_t*)0x200000003864 = 0; *(uint64_t*)0x200000006cb0 = 0x200000003880; *(uint32_t*)0x200000003880 = 0x60; *(uint32_t*)0x200000003884 = 0xfffffff5; *(uint64_t*)0x200000003888 = 1; *(uint64_t*)0x200000003890 = 0x81; *(uint64_t*)0x200000003898 = 6; *(uint64_t*)0x2000000038a0 = 0x3ff; *(uint64_t*)0x2000000038a8 = 2; *(uint64_t*)0x2000000038b0 = 4; *(uint32_t*)0x2000000038b8 = 4; *(uint32_t*)0x2000000038bc = 8; *(uint32_t*)0x2000000038c0 = 2; *(uint32_t*)0x2000000038c4 = 0; memset((void*)0x2000000038c8, 0, 24); *(uint64_t*)0x200000006cb8 = 0x200000003900; *(uint32_t*)0x200000003900 = 0x18; *(uint32_t*)0x200000003904 = 0; *(uint64_t*)0x200000003908 = 0; *(uint32_t*)0x200000003910 = 0xb; *(uint32_t*)0x200000003914 = 0; *(uint64_t*)0x200000006cc0 = 0x200000003940; *(uint32_t*)0x200000003940 = 0x12; *(uint32_t*)0x200000003944 = 0xaeab5fde; *(uint64_t*)0x200000003948 = 9; memcpy((void*)0x200000003950, "^\000", 2); *(uint64_t*)0x200000006cc8 = 0x200000003980; *(uint32_t*)0x200000003980 = 0x20; *(uint32_t*)0x200000003984 = 0; *(uint64_t*)0x200000003988 = 0; *(uint64_t*)0x200000003990 = 0; *(uint32_t*)0x200000003998 = 2; *(uint32_t*)0x20000000399c = 0; *(uint64_t*)0x200000006cd0 = 0x2000000039c0; 
*(uint32_t*)0x2000000039c0 = 0x78; *(uint32_t*)0x2000000039c4 = 0; *(uint64_t*)0x2000000039c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000039d0 = 3; *(uint32_t*)0x2000000039d8 = 0x67; *(uint32_t*)0x2000000039dc = 0; *(uint64_t*)0x2000000039e0 = 3; *(uint64_t*)0x2000000039e8 = 2; *(uint64_t*)0x2000000039f0 = 5; *(uint64_t*)0x2000000039f8 = 2; *(uint64_t*)0x200000003a00 = 0; *(uint64_t*)0x200000003a08 = 0x5b; *(uint32_t*)0x200000003a10 = 0x200; *(uint32_t*)0x200000003a14 = 6; *(uint32_t*)0x200000003a18 = 0xf0b7; *(uint32_t*)0x200000003a1c = 0x1000; *(uint32_t*)0x200000003a20 = 1; *(uint32_t*)0x200000003a24 = -1; *(uint32_t*)0x200000003a28 = -1; *(uint32_t*)0x200000003a2c = 4; *(uint32_t*)0x200000003a30 = 6; *(uint32_t*)0x200000003a34 = 0; *(uint64_t*)0x200000006cd8 = 0x200000004b00; *(uint32_t*)0x200000004b00 = 0x90; *(uint32_t*)0x200000004b04 = 0; *(uint64_t*)0x200000004b08 = 7; *(uint64_t*)0x200000004b10 = 1; *(uint64_t*)0x200000004b18 = 3; *(uint64_t*)0x200000004b20 = 0x10000; *(uint64_t*)0x200000004b28 = 0x200; *(uint32_t*)0x200000004b30 = 8; *(uint32_t*)0x200000004b34 = 0xa87; *(uint64_t*)0x200000004b38 = 4; *(uint64_t*)0x200000004b40 = 1; *(uint64_t*)0x200000004b48 = 7; *(uint64_t*)0x200000004b50 = 1; *(uint64_t*)0x200000004b58 = 0xfffffffffffffffd; *(uint64_t*)0x200000004b60 = 4; *(uint32_t*)0x200000004b68 = 9; *(uint32_t*)0x200000004b6c = 0xffff; *(uint32_t*)0x200000004b70 = 0x10000000; *(uint32_t*)0x200000004b74 = 0; *(uint32_t*)0x200000004b78 = 0xf40; *(uint32_t*)0x200000004b7c = 0; *(uint32_t*)0x200000004b80 = r[10]; *(uint32_t*)0x200000004b84 = 0x8001; *(uint32_t*)0x200000004b88 = 9; *(uint32_t*)0x200000004b8c = 0; *(uint64_t*)0x200000006ce0 = 0x200000004bc0; *(uint32_t*)0x200000004bc0 = 0x48; *(uint32_t*)0x200000004bc4 = 0; *(uint64_t*)0x200000004bc8 = 0x5c; *(uint64_t*)0x200000004bd0 = 1; *(uint64_t*)0x200000004bd8 = 4; *(uint32_t*)0x200000004be0 = 6; *(uint32_t*)0x200000004be4 = 8; memset((void*)0x200000004be8, 255, 6); *(uint64_t*)0x200000004bf0 = 1; 
*(uint64_t*)0x200000004bf8 = 8; *(uint32_t*)0x200000004c00 = 0; *(uint32_t*)0x200000004c04 = 0xb; *(uint64_t*)0x200000006ce8 = 0x200000006500; *(uint32_t*)0x200000006500 = 0x478; *(uint32_t*)0x200000006504 = 0; *(uint64_t*)0x200000006508 = 2; *(uint64_t*)0x200000006510 = 1; *(uint64_t*)0x200000006518 = 1; *(uint64_t*)0x200000006520 = 0xf; *(uint64_t*)0x200000006528 = 9; *(uint32_t*)0x200000006530 = 0x7fffffff; *(uint32_t*)0x200000006534 = 0x3ff; *(uint64_t*)0x200000006538 = 5; *(uint64_t*)0x200000006540 = 0xb3fc; *(uint64_t*)0x200000006548 = 3; *(uint64_t*)0x200000006550 = 0xa2d9; *(uint64_t*)0x200000006558 = 3; *(uint64_t*)0x200000006560 = 0x80000000; *(uint32_t*)0x200000006568 = 4; *(uint32_t*)0x20000000656c = 5; *(uint32_t*)0x200000006570 = 2; *(uint32_t*)0x200000006574 = 0x6000; *(uint32_t*)0x200000006578 = 0xfff; *(uint32_t*)0x20000000657c = -1; *(uint32_t*)0x200000006580 = 0xee01; *(uint32_t*)0x200000006584 = 5; *(uint32_t*)0x200000006588 = 6; *(uint32_t*)0x20000000658c = 0; *(uint64_t*)0x200000006590 = 5; *(uint64_t*)0x200000006598 = 9; *(uint32_t*)0x2000000065a0 = 6; *(uint32_t*)0x2000000065a4 = 6; memcpy((void*)0x2000000065a8, "wlan1\000", 6); *(uint64_t*)0x2000000065b0 = 3; *(uint64_t*)0x2000000065b8 = 1; *(uint64_t*)0x2000000065c0 = 4; *(uint64_t*)0x2000000065c8 = 0xf; *(uint32_t*)0x2000000065d0 = 1; *(uint32_t*)0x2000000065d4 = 5; *(uint64_t*)0x2000000065d8 = 4; *(uint64_t*)0x2000000065e0 = 0xffc; *(uint64_t*)0x2000000065e8 = 2; *(uint64_t*)0x2000000065f0 = 0xffffffffffffdbca; *(uint64_t*)0x2000000065f8 = 0x35; *(uint64_t*)0x200000006600 = 0x5fa; *(uint32_t*)0x200000006608 = 8; *(uint32_t*)0x20000000660c = 5; *(uint32_t*)0x200000006610 = 0x16d; *(uint32_t*)0x200000006614 = 0x6000; *(uint32_t*)0x200000006618 = 0x8000; *(uint32_t*)0x20000000661c = r[11]; *(uint32_t*)0x200000006620 = 0xee00; *(uint32_t*)0x200000006624 = 8; *(uint32_t*)0x200000006628 = 2; *(uint32_t*)0x20000000662c = 0; *(uint64_t*)0x200000006630 = 2; *(uint64_t*)0x200000006638 = 0x3e8; 
*(uint32_t*)0x200000006640 = 0x16; *(uint32_t*)0x200000006644 = 5; memcpy((void*)0x200000006648, "bpf_lsm_path_truncate\000", 22); *(uint64_t*)0x200000006660 = 6; *(uint64_t*)0x200000006668 = 3; *(uint64_t*)0x200000006670 = 0xcff0; *(uint64_t*)0x200000006678 = 0xfffffffffffffbff; *(uint32_t*)0x200000006680 = 3; *(uint32_t*)0x200000006684 = 3; *(uint64_t*)0x200000006688 = 5; *(uint64_t*)0x200000006690 = 4; *(uint64_t*)0x200000006698 = 8; *(uint64_t*)0x2000000066a0 = 9; *(uint64_t*)0x2000000066a8 = 0x10; *(uint64_t*)0x2000000066b0 = 5; *(uint32_t*)0x2000000066b8 = 0x91; *(uint32_t*)0x2000000066bc = 0xfff; *(uint32_t*)0x2000000066c0 = 0xfffffffd; *(uint32_t*)0x2000000066c4 = 0xc000; *(uint32_t*)0x2000000066c8 = 3; *(uint32_t*)0x2000000066cc = r[12]; *(uint32_t*)0x2000000066d0 = 0xee00; *(uint32_t*)0x2000000066d4 = 0x80; *(uint32_t*)0x2000000066d8 = 0x40; *(uint32_t*)0x2000000066dc = 0; *(uint64_t*)0x2000000066e0 = 0; *(uint64_t*)0x2000000066e8 = 8; *(uint32_t*)0x2000000066f0 = 6; *(uint32_t*)0x2000000066f4 = 0x80000001; memcpy((void*)0x2000000066f8, "wlan1\000", 6); *(uint64_t*)0x200000006700 = 3; *(uint64_t*)0x200000006708 = 2; *(uint64_t*)0x200000006710 = 8; *(uint64_t*)0x200000006718 = 9; *(uint32_t*)0x200000006720 = 0x80000000; *(uint32_t*)0x200000006724 = 0xd149; *(uint64_t*)0x200000006728 = 3; *(uint64_t*)0x200000006730 = 4; *(uint64_t*)0x200000006738 = 5; *(uint64_t*)0x200000006740 = 0xe; *(uint64_t*)0x200000006748 = 0x7a; *(uint64_t*)0x200000006750 = 0xd52; *(uint32_t*)0x200000006758 = 0; *(uint32_t*)0x20000000675c = 5; *(uint32_t*)0x200000006760 = 6; *(uint32_t*)0x200000006764 = 0xa000; *(uint32_t*)0x200000006768 = 2; *(uint32_t*)0x20000000676c = r[14]; *(uint32_t*)0x200000006770 = 0; *(uint32_t*)0x200000006774 = 0x7fffffff; *(uint32_t*)0x200000006778 = 5; *(uint32_t*)0x20000000677c = 0; *(uint64_t*)0x200000006780 = 4; *(uint64_t*)0x200000006788 = 0x7ff; *(uint32_t*)0x200000006790 = 2; *(uint32_t*)0x200000006794 = 0x78d; memcpy((void*)0x200000006798, 
"\300\'", 2); *(uint64_t*)0x2000000067a0 = 2; *(uint64_t*)0x2000000067a8 = 0; *(uint64_t*)0x2000000067b0 = 6; *(uint64_t*)0x2000000067b8 = 0x7fffffff; *(uint32_t*)0x2000000067c0 = 5; *(uint32_t*)0x2000000067c4 = 5; *(uint64_t*)0x2000000067c8 = 2; *(uint64_t*)0x2000000067d0 = 0xc; *(uint64_t*)0x2000000067d8 = 0xbde5; *(uint64_t*)0x2000000067e0 = 5; *(uint64_t*)0x2000000067e8 = 8; *(uint64_t*)0x2000000067f0 = 0x10; *(uint32_t*)0x2000000067f8 = 9; *(uint32_t*)0x2000000067fc = 6; *(uint32_t*)0x200000006800 = 0xe31; *(uint32_t*)0x200000006804 = 0x2000; *(uint32_t*)0x200000006808 = 0x5b8; *(uint32_t*)0x20000000680c = r[16]; *(uint32_t*)0x200000006810 = r[18]; *(uint32_t*)0x200000006814 = 6; *(uint32_t*)0x200000006818 = 8; *(uint32_t*)0x20000000681c = 0; *(uint64_t*)0x200000006820 = 2; *(uint64_t*)0x200000006828 = 0x80; *(uint32_t*)0x200000006830 = 0; *(uint32_t*)0x200000006834 = 0xb6; *(uint64_t*)0x200000006838 = 5; *(uint64_t*)0x200000006840 = 2; *(uint64_t*)0x200000006848 = 0x80000001; *(uint64_t*)0x200000006850 = 2; *(uint32_t*)0x200000006858 = 6; *(uint32_t*)0x20000000685c = 0xff; *(uint64_t*)0x200000006860 = 3; *(uint64_t*)0x200000006868 = 5; *(uint64_t*)0x200000006870 = 8; *(uint64_t*)0x200000006878 = 3; *(uint64_t*)0x200000006880 = 0x8001; *(uint64_t*)0x200000006888 = 5; *(uint32_t*)0x200000006890 = 1; *(uint32_t*)0x200000006894 = 7; *(uint32_t*)0x200000006898 = 2; *(uint32_t*)0x20000000689c = 0x1000; *(uint32_t*)0x2000000068a0 = 1; *(uint32_t*)0x2000000068a4 = 0xee01; *(uint32_t*)0x2000000068a8 = r[19]; *(uint32_t*)0x2000000068ac = 0x10001; *(uint32_t*)0x2000000068b0 = 6; *(uint32_t*)0x2000000068b4 = 0; *(uint64_t*)0x2000000068b8 = 0; *(uint64_t*)0x2000000068c0 = 6; *(uint32_t*)0x2000000068c8 = 5; *(uint32_t*)0x2000000068cc = 6; memset((void*)0x2000000068d0, 170, 5); *(uint64_t*)0x2000000068d8 = 3; *(uint64_t*)0x2000000068e0 = 1; *(uint64_t*)0x2000000068e8 = 0x8000000000000000; *(uint64_t*)0x2000000068f0 = 0x2e; *(uint32_t*)0x2000000068f8 = 5; 
*(uint32_t*)0x2000000068fc = 7; *(uint64_t*)0x200000006900 = 6; *(uint64_t*)0x200000006908 = 5; *(uint64_t*)0x200000006910 = 5; *(uint64_t*)0x200000006918 = 0xb; *(uint64_t*)0x200000006920 = 0; *(uint64_t*)0x200000006928 = 2; *(uint32_t*)0x200000006930 = 0xffff; *(uint32_t*)0x200000006934 = 0; *(uint32_t*)0x200000006938 = 8; *(uint32_t*)0x20000000693c = 0x2000; *(uint32_t*)0x200000006940 = 9; *(uint32_t*)0x200000006944 = r[20]; *(uint32_t*)0x200000006948 = r[21]; *(uint32_t*)0x20000000694c = 2; *(uint32_t*)0x200000006950 = 7; *(uint32_t*)0x200000006954 = 0; *(uint64_t*)0x200000006958 = 6; *(uint64_t*)0x200000006960 = 0xfffffffffffffffb; *(uint32_t*)0x200000006968 = 5; *(uint32_t*)0x20000000696c = 6; memset((void*)0x200000006970, 170, 5); *(uint64_t*)0x200000006cf0 = 0x200000006980; *(uint32_t*)0x200000006980 = 0xa0; *(uint32_t*)0x200000006984 = 0; *(uint64_t*)0x200000006988 = 0xd05; *(uint64_t*)0x200000006990 = 5; *(uint64_t*)0x200000006998 = 3; *(uint64_t*)0x2000000069a0 = 0x8000000000000001; *(uint64_t*)0x2000000069a8 = 7; *(uint32_t*)0x2000000069b0 = 5; *(uint32_t*)0x2000000069b4 = 2; *(uint64_t*)0x2000000069b8 = 3; *(uint64_t*)0x2000000069c0 = 4; *(uint64_t*)0x2000000069c8 = 5; *(uint64_t*)0x2000000069d0 = 3; *(uint64_t*)0x2000000069d8 = 8; *(uint64_t*)0x2000000069e0 = 1; *(uint32_t*)0x2000000069e8 = 0x8001; *(uint32_t*)0x2000000069ec = 0; *(uint32_t*)0x2000000069f0 = 0xfff; *(uint32_t*)0x2000000069f4 = 0x8000; *(uint32_t*)0x2000000069f8 = 0x101; *(uint32_t*)0x2000000069fc = r[22]; *(uint32_t*)0x200000006a00 = 0xee00; *(uint32_t*)0x200000006a04 = 7; *(uint32_t*)0x200000006a08 = 0xac; *(uint32_t*)0x200000006a0c = 0; *(uint64_t*)0x200000006a10 = 0; *(uint32_t*)0x200000006a18 = 0x10; *(uint32_t*)0x200000006a1c = 0; *(uint64_t*)0x200000006cf8 = 0x200000006a40; *(uint32_t*)0x200000006a40 = 0x20; *(uint32_t*)0x200000006a44 = 0; *(uint64_t*)0x200000006a48 = 0xffffffff; *(uint32_t*)0x200000006a50 = 4; *(uint32_t*)0x200000006a54 = 0; *(uint32_t*)0x200000006a58 = 9; 
*(uint32_t*)0x200000006a5c = 0xa; *(uint64_t*)0x200000006d00 = 0x200000006b40; *(uint32_t*)0x200000006b40 = 0x130; *(uint32_t*)0x200000006b44 = 0; *(uint64_t*)0x200000006b48 = 0x1ff; *(uint64_t*)0x200000006b50 = 0x6276287e; *(uint32_t*)0x200000006b58 = 7; *(uint32_t*)0x200000006b5c = 0; memset((void*)0x200000006b60, 0, 16); *(uint32_t*)0x200000006b70 = 0x800; *(uint32_t*)0x200000006b74 = 2; *(uint64_t*)0x200000006b78 = 3; *(uint32_t*)0x200000006b80 = 0x1e; *(uint32_t*)0x200000006b84 = -1; *(uint32_t*)0x200000006b88 = r[24]; *(uint16_t*)0x200000006b8c = 0x4000; memset((void*)0x200000006b8e, 0, 2); *(uint64_t*)0x200000006b90 = 0x800; *(uint64_t*)0x200000006b98 = 9; *(uint64_t*)0x200000006ba0 = 8; *(uint64_t*)0x200000006ba8 = 0x32f3fcde; *(uint64_t*)0x200000006bb0 = 6; *(uint32_t*)0x200000006bb8 = 1; *(uint32_t*)0x200000006bbc = 0; *(uint64_t*)0x200000006bc0 = 4; *(uint32_t*)0x200000006bc8 = 0xe30; *(uint32_t*)0x200000006bcc = 0; *(uint64_t*)0x200000006bd0 = 0x4d; *(uint32_t*)0x200000006bd8 = 3; *(uint32_t*)0x200000006bdc = 0; *(uint64_t*)0x200000006be0 = 6; *(uint32_t*)0x200000006be8 = 8; *(uint32_t*)0x200000006bec = 0; *(uint32_t*)0x200000006bf0 = 6; *(uint32_t*)0x200000006bf4 = 2; *(uint32_t*)0x200000006bf8 = 0xfb; *(uint32_t*)0x200000006bfc = 2; memset((void*)0x200000006c00, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x2000000016c0, /*len=*/0x2000, /*res=*/0x200000006c80); break; case 30: memcpy((void*)0x200000006d40, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000006d40, /*fd=*/r[23]); break; case 31: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 32: *(uint32_t*)0x200000006d84 = 0xd0f0; *(uint32_t*)0x200000006d88 = 0x20; *(uint32_t*)0x200000006d8c = 0; *(uint32_t*)0x200000006d90 = 0x1e5; *(uint32_t*)0x200000006d98 = -1; memset((void*)0x200000006d9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x28c2, /*params=*/0x200000006d80, /*ring_ptr=*/0x200000006e00, /*sqes_ptr=*/0x200000006e40); if (res != -1) 
r[25] = *(uint64_t*)0x200000006e00; break; case 33: syz_io_uring_complete(/*ring_ptr=*/r[25]); break; case 34: *(uint32_t*)0x200000006e84 = 0x979d; *(uint32_t*)0x200000006e88 = 4; *(uint32_t*)0x200000006e8c = 1; *(uint32_t*)0x200000006e90 = 0x206; *(uint32_t*)0x200000006e98 = r[9]; memset((void*)0x200000006e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x7c1f, /*params=*/0x200000006e80, /*ring_ptr=*/0x200000006f00, /*sqes_ptr=*/0x200000006f40); if (res != -1) { r[26] = res; r[27] = *(uint64_t*)0x200000006f00; r[28] = *(uint64_t*)0x200000006f40; } break; case 35: res = syscall(__NR_io_uring_register, /*fd=*/r[26], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[29] = res; break; case 36: *(uint8_t*)0x200000007000 = 0x1c; *(uint8_t*)0x200000007001 = 0x14; *(uint16_t*)0x200000007002 = 0; *(uint32_t*)0x200000007004 = r[23]; *(uint64_t*)0x200000007008 = 0x200000006f80; *(uint64_t*)0x200000006f80 = 0x818480; *(uint64_t*)0x200000006f88 = 0; *(uint64_t*)0x200000006f90 = 0x35; *(uint64_t*)0x200000007010 = 0x200000006fc0; memcpy((void*)0x200000006fc0, "./file0\000", 8); *(uint32_t*)0x200000007018 = 0x18; *(uint32_t*)0x20000000701c = 0; *(uint64_t*)0x200000007020 = 0x23456; *(uint16_t*)0x200000007028 = 0; *(uint16_t*)0x20000000702a = r[29]; memset((void*)0x20000000702c, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[27], /*sqes_ptr=*/r[28], /*sqe=*/0x200000007000); break; case 37: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[9], /*usermem=*/0x200000bfd000); if (res != -1) r[30] = res; break; case 38: *(uint64_t*)0x200000007400 = 0; *(uint64_t*)0x200000007408 = 0x200000007040; *(uint64_t*)0x200000007040 = 0x65; *(uint64_t*)0x200000007048 = 0x20; *(uint64_t*)0x200000007050 = 0x92e; *(uint64_t*)0x200000007058 = 8; *(uint64_t*)0x200000007060 = 0x130; *(uint64_t*)0x200000007068 = 0x18; *(uint64_t*)0x200000007070 = 1; *(uint64_t*)0x200000007078 = 0x68; *(uint64_t*)0x200000007080 = 0x20; *(uint64_t*)0x200000007088 = 1; *(uint64_t*)0x200000007090 = 0; 
*(uint64_t*)0x200000007098 = 0x17d; *(uint64_t*)0x2000000070a0 = 0x20; *(uint64_t*)0x2000000070a8 = 0xffffffff; *(uint64_t*)0x2000000070b0 = 0xbd0d; *(uint64_t*)0x2000000070b8 = 0x183; *(uint64_t*)0x2000000070c0 = 0x18; *(uint64_t*)0x2000000070c8 = 1; *(uint64_t*)0x2000000070d0 = 0xa; *(uint64_t*)0x2000000070d8 = 0x6a; memcpy((void*)0x2000000070e0, "\x36\x49\x0f\xc7\xaa\xd6\x61\x97\xc0\x26\x66\x0f\x38\x80\x94\x5e\x00\x80\x00\x00\x0f\x01\xba\x00\x80\x00\x00\x8f\xc9\xb8\x9b\x29\x47\x0f\xc7\xae\x20\x00\x00\x00\x45\x0f\x09\xc4\xe2\xd1\x39\x67\xc4\x36\x0f\x01\x7f\x05\x66\x64\x2e\x64\x3e\xd8\xf1\xc7\x44\x24\x00\x25\xfd\x00\x00\xc7\x44\x24\x02\x54\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24", 89); *(uint8_t*)0x200000007139 = 0xc3; *(uint64_t*)0x20000000713a = 0x180; *(uint64_t*)0x200000007142 = 0x38; *(uint64_t*)0x20000000714a = 0; *(uint64_t*)0x200000007152 = 0xb5; *(uint64_t*)0x20000000715a = 7; *(uint64_t*)0x200000007162 = 5; *(uint64_t*)0x20000000716a = 0; *(uint64_t*)0x200000007172 = 0x12f; *(uint64_t*)0x20000000717a = 0x18; *(uint64_t*)0x200000007182 = 3; *(uint64_t*)0x20000000718a = 0x12c; *(uint64_t*)0x200000007192 = 0x18; *(uint64_t*)0x20000000719a = 0; *(uint64_t*)0x2000000071a2 = 0x154; *(uint64_t*)0x2000000071aa = 0x38; *(uint64_t*)0x2000000071b2 = 3; *(uint64_t*)0x2000000071ba = 4; *(uint64_t*)0x2000000071c2 = 5; *(uint64_t*)0x2000000071ca = 0x1ff; *(uint64_t*)0x2000000071d2 = 8; *(uint64_t*)0x2000000071da = 0x130; *(uint64_t*)0x2000000071e2 = 0x18; *(uint64_t*)0x2000000071ea = 0; *(uint64_t*)0x2000000071f2 = 0x6a; *(uint64_t*)0x2000000071fa = 0x28; *(uint64_t*)0x200000007202 = 0xc636; *(uint64_t*)0x20000000720a = 5; *(uint64_t*)0x200000007212 = 4; *(uint64_t*)0x20000000721a = 0x12c; *(uint64_t*)0x200000007222 = 0x18; *(uint64_t*)0x20000000722a = 0; *(uint64_t*)0x200000007232 = 0x12f; *(uint64_t*)0x20000000723a = 0x18; *(uint64_t*)0x200000007242 = 1; *(uint64_t*)0x20000000724a = 0x65; *(uint64_t*)0x200000007252 = 0x20; 
*(uint64_t*)0x20000000725a = 0x8a3; *(uint64_t*)0x200000007262 = 9; *(uint64_t*)0x20000000726a = 0x68; *(uint64_t*)0x200000007272 = 0x20; *(uint64_t*)0x20000000727a = 4; *(uint64_t*)0x200000007282 = 6; *(uint64_t*)0x20000000728a = 0x12f; *(uint64_t*)0x200000007292 = 0x18; *(uint64_t*)0x20000000729a = 3; *(uint64_t*)0x2000000072a2 = 0x12d; *(uint64_t*)0x2000000072aa = 0x18; *(uint64_t*)0x2000000072b2 = 2; *(uint64_t*)0x2000000072ba = 0x17d; *(uint64_t*)0x2000000072c2 = 0x20; *(uint64_t*)0x2000000072ca = 0x8080000; *(uint64_t*)0x2000000072d2 = 0x943e; *(uint64_t*)0x2000000072da = 0x17c; *(uint64_t*)0x2000000072e2 = 0x38; *(uint64_t*)0x2000000072ea = 3; *(uint64_t*)0x2000000072f2 = 0x31; *(uint64_t*)0x2000000072fa = 0xc; *(uint64_t*)0x200000007302 = 6; *(uint64_t*)0x20000000730a = 8; *(uint64_t*)0x200000007312 = 0x180; *(uint64_t*)0x20000000731a = 0x38; *(uint64_t*)0x200000007322 = 2; *(uint64_t*)0x20000000732a = 0x36; *(uint64_t*)0x200000007332 = 1; *(uint64_t*)0x20000000733a = 2; *(uint64_t*)0x200000007342 = 3; *(uint64_t*)0x20000000734a = 0x130; *(uint64_t*)0x200000007352 = 0x18; *(uint64_t*)0x20000000735a = 1; *(uint64_t*)0x200000007362 = 0x130; *(uint64_t*)0x20000000736a = 0x18; *(uint64_t*)0x200000007372 = 0; *(uint64_t*)0x20000000737a = 0x180; *(uint64_t*)0x200000007382 = 0x38; *(uint64_t*)0x20000000738a = 3; *(uint64_t*)0x200000007392 = 0x72; *(uint64_t*)0x20000000739a = 2; *(uint64_t*)0x2000000073a2 = 5; *(uint64_t*)0x2000000073aa = 2; *(uint64_t*)0x2000000073b2 = 0x12f; *(uint64_t*)0x2000000073ba = 0x18; *(uint64_t*)0x2000000073c2 = 2; *(uint64_t*)0x2000000073ca = 0x12f; *(uint64_t*)0x2000000073d2 = 0x18; *(uint64_t*)0x2000000073da = 2; *(uint64_t*)0x200000007410 = 0x3a2; syz_kvm_add_vcpu(/*vm=*/r[30], /*text=*/0x200000007400); break; case 39: res = syscall(__NR_ioctl, /*fd=*/r[9], /*cmd=*/0xae01, /*type=*/5ul); if (res != -1) r[31] = res; break; case 40: *(uint64_t*)0x200000007680 = 0; *(uint64_t*)0x200000007688 = 0x200000007440; 
memcpy((void*)0x200000007440, "\xcd\xfa\xef\x13\x00\x00\x00\x3e\x00\x00\x10\x62\x04\x00\x10\x7a\x00\x00\x10\x66\xc1\x00\x10\x62\xa6\x03\x00\x7e\xb9\xf0\x00\x3e\xe9\x0e\x10\x62\x04\x00\x10\x7a\xa3\x30\x10\x66\x88\x26\x10\x62\xa6\x03\x00\x7e\x24\x00\x00\x4c\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xf6\x63\x60\xba\xaa\x80\x3c\x42\xab\x84\x60\x04\x00\x84\x78\xa5\xa4\x84\x64\xdb\xea\x84\x60\xc7\xb2\xa0\x3c\x4e\xd4\xa5\x60\x04\x00\xa5\x78\x8e\xd5\xa5\x64\xc9\xc4\xa5\x60\xf6\x27\xc0\x3c\x0e\x37\xc6\x60\x04\x00\xc6\x78\x10\x50\xc6\x64\xf3\x3c\xc6\x60\x64\xae\xe0\x3c\x0f\xe0\xe7\x60\x04\x00\xe7\x78\xf8\x33\xe7\x64\x27\xe1\xe7\x60\xf9\xfe\x00\x3d\x88\x3a\x08\x61\x04\x00\x08\x79\xf6\x6c\x08\x65\xcb\x9b\x08\x61\xe7\x22\x20\x3d\xa3\x5b\x29\x61\x04\x00\x29\x79\xbb\xbc\x29\x65\x5e\x83\x29\x61\xd9\x75\x40\x3d\x52\x94\x4a\x61\x04\x00\x4a\x79\xdb\x25\x4a\x65\xf3\x5e\x4a\x61\x02\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x50\xf3\x63\x60\x42\x00\x00\x44\x0d\x0b\xc0\x3e\xa1\xda\xd6\x62\x04\x00\xd6\x7a\xeb\x5a\xd6\x66\x62\x96\xd6\x62\x9c\xb0\x00\x7c\xec\x06\x00\x7c\xa4\x00\x00\x4c\x3d\x6a\xa0\x3e\x17\x1b\xb5\x62\x04\x00\xb5\x7a\x72\x93\xb5\x66\x34\x54\xb5\x62\xa6\x03\xa0\x7e\xd4\x8d\xa0\x3e\x12\xd2\xb5\x62\x04\x00\xb5\x7a\xf6\xf5\xb5\x66\x15\xe0\xb5\x62\xa6\x03\xa0\x7e\x24\x00\x00\x4c\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x05\xc0\x3f\x00\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x00\xc0\x3f\x21\x8c\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf6\x78\xbd\x63\x00\x00\xc0\x3f\x0a\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xfa\x78\xbd\x63\x97\x4b\xc0\x3f\x5c\x3b\xde\x63\x00\x00\xdd\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x49\x30\x84\x64\
xf2\x78\x84\x60\x22\x00\x00\x44\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\x1a\x00\x9c\x63\x24\x01\xc0\x7f", 524); *(uint64_t*)0x200000007690 = 0x20c; *(uint64_t*)0x2000000076c0 = 1; *(uint64_t*)0x2000000076c8 = 6; syz_kvm_setup_cpu(/*fd=*/r[31], /*cpufd=*/r[23], /*usermem=*/0x200000fe5000, /*text=*/0x200000007680, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_IR*/2, /*opts=*/0x2000000076c0, /*nopt=*/1); break; case 41: syz_kvm_setup_syzos_vm(/*fd=*/r[23], /*usermem=*/0x200000c00000); break; case 42: *(uint32_t*)0x200000007700 = 0; syz_memcpy_off(/*ring_ptr=*/0, /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x200000007700, /*src_off=*/0, /*nbytes=*/4); break; case 43: memcpy((void*)0x200000007740, "fuse\000", 5); memcpy((void*)0x200000007780, "./file0\000", 8); memcpy((void*)0x2000000077c0, "fd", 2); *(uint8_t*)0x2000000077c2 = 0x3d; sprintf((char*)0x2000000077c3, "0x%016llx", (long long)r[23]); *(uint8_t*)0x2000000077d5 = 0x2c; memcpy((void*)0x2000000077d6, "rootmode", 8); *(uint8_t*)0x2000000077de = 0x3d; sprintf((char*)0x2000000077df, "%023llo", (long long)0x6000); *(uint8_t*)0x2000000077f6 = 0x2c; memcpy((void*)0x2000000077f7, "user_id", 7); *(uint8_t*)0x2000000077fe = 0x3d; sprintf((char*)0x2000000077ff, "%020llu", (long long)r[22]); *(uint8_t*)0x200000007813 = 0x2c; memcpy((void*)0x200000007814, "group_id", 8); *(uint8_t*)0x20000000781c = 0x3d; sprintf((char*)0x20000000781d, "%020llu", (long long)r[13]); *(uint8_t*)0x200000007831 = 0x2c; memcpy((void*)0x200000007832, "max_read", 8); *(uint8_t*)0x20000000783a = 0x3d; sprintf((char*)0x20000000783b, "0x%016llx", (long long)3); *(uint8_t*)0x20000000784d = 0x2c; memcpy((void*)0x20000000784e, "default_permissions", 19); *(uint8_t*)0x200000007861 = 0x2c; memcpy((void*)0x200000007862, "allow_other", 11); *(uint8_t*)0x20000000786d = 0x2c; memcpy((void*)0x20000000786e, "default_permissions", 19); *(uint8_t*)0x200000007881 = 0x2c; memcpy((void*)0x200000007882, "allow_other", 11); *(uint8_t*)0x20000000788d = 
0x2c; memcpy((void*)0x20000000788e, "default_permissions", 19); *(uint8_t*)0x2000000078a1 = 0x2c; memcpy((void*)0x2000000078a2, "default_permissions", 19); *(uint8_t*)0x2000000078b5 = 0x2c; memcpy((void*)0x2000000078b6, "allow_other", 11); *(uint8_t*)0x2000000078c1 = 0x2c; memcpy((void*)0x2000000078c2, "permit_directio", 15); *(uint8_t*)0x2000000078d1 = 0x2c; memcpy((void*)0x2000000078d2, "uid<", 4); sprintf((char*)0x2000000078d6, "%020llu", (long long)r[17]); *(uint8_t*)0x2000000078ea = 0x2c; memcpy((void*)0x2000000078eb, "appraise", 8); *(uint8_t*)0x2000000078f3 = 0x2c; memcpy((void*)0x2000000078f4, "smackfshat", 10); *(uint8_t*)0x2000000078fe = 0x3d; memcpy((void*)0x2000000078ff, "\300\'", 2); *(uint8_t*)0x200000007901 = 0x2c; memcpy((void*)0x200000007902, "appraise", 8); *(uint8_t*)0x20000000790a = 0x2c; *(uint8_t*)0x20000000790b = 0; memcpy((void*)0x200000007940, "\xa4\xb2\x22\xdf\x2b\xa1\x0d\xf2\x4f\x54\x81\xe0\xdc\x5e\x93\xb8\x1b\x1b\x82\xe9\xa2\x14\xca\xbc\xe3\x44\x80\x0a\xd5\x4d\xe6\x10\xfa\x1e\xda\x44\xb9\x04\x05\x26\xf2\xdc\x7c\x73\x1c\x54\x73\xc8\xc6\xdc\x94\x19\x2a\x03\x48\x4e\x6d\x62\xbb\x49\x12\x86\x12\x54\x3a\x9d\x01\x6e\xd9\xa3\x73\x0e\x51\x08\x0f\x5c\x86\x0d\x03\xa7\x7e\xd5\x01\x64\xbc\xf9\x9c\x42\xd3\x56\x8a\x97\x4a\x92\x7a\x87\x9d\xe4\x1e\xdc\x2f\x55\x52\x36\x58\x86\x12\x1a\x31\x09\x5b\x97\xaa\x08\xee\x29\x77\x11\x1f\x7c\xc5\x6a\x77\xc0\xf2\xa1\x6b\x32\xb1\x9d\xf5\x0a\x24\x9c\xd3\x05\x8e\x60\xa6\xae\x8c\x96\x34\x9d\x5e\x5c\x00\x97\x59\x4c\xe0\x1c\x1f\xbe\xe5\xee\x94\x60\x6f\xef\x67\x32\x31\xe6\x57\x00\xbc\x71\x5f\x1f\x01\x19\xc8\x4e\xd2\x7b\x8a\xf3\x8e\xd1\x53\xd3\x94\xd6\xb2\x2c\xca\x54\xdb\x55\xa3\x1b\xc2\x5b\x45\xe8\x1d\xec\xa7\xbe\xdb\x69\x66\x91\xae\x6b\x92\xf0\x9e\xea\x3e\x2b\x5e\x8a\xf2\xf9\x96\x33\x9d\xec\x59\x2e\xde\xc5\x89\x7e\x94\xeb", 228); syz_mount_image(/*fs=*/0x200000007740, /*dir=*/0x200000007780, /*flags=MS_PRIVATE*/0x40000, /*opts=*/0x2000000077c0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000007940); break; case 44: 
memcpy((void*)0x200000007a40, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000007a40, /*id=*/7, /*flags=*/0); break; case 45: memcpy((void*)0x200000007a80, "net/psched\000", 11); syz_open_procfs(/*pid=*/r[4], /*file=*/0x200000007a80); break; case 46: syz_open_pts(/*fd=*/r[9], /*flags=O_PATH|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|FASYNC|0x402*/0x292c02); break; case 47: syz_pidfd_open(/*pid=*/r[15], /*flags=*/0); break; case 48: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[32] = res; break; case 49: syz_pkey_set(/*key=*/r[32], /*val=PKEY_DISABLE_WRITE|PKEY_DISABLE_ACCESS*/3); break; case 50: syz_socket_connect_nvme_tcp(); break; case 51: *(uint8_t*)0x200000007ac0 = 0x12; *(uint8_t*)0x200000007ac1 = 1; *(uint16_t*)0x200000007ac2 = 0x250; *(uint8_t*)0x200000007ac4 = 0x58; *(uint8_t*)0x200000007ac5 = 6; *(uint8_t*)0x200000007ac6 = 0x54; *(uint8_t*)0x200000007ac7 = 8; *(uint16_t*)0x200000007ac8 = 0x13d3; *(uint16_t*)0x200000007aca = 0x3348; *(uint16_t*)0x200000007acc = 0x15b2; *(uint8_t*)0x200000007ace = 1; *(uint8_t*)0x200000007acf = 2; *(uint8_t*)0x200000007ad0 = 3; *(uint8_t*)0x200000007ad1 = 1; *(uint8_t*)0x200000007ad2 = 9; *(uint8_t*)0x200000007ad3 = 2; *(uint16_t*)0x200000007ad4 = 0x283; *(uint8_t*)0x200000007ad6 = 2; *(uint8_t*)0x200000007ad7 = 9; *(uint8_t*)0x200000007ad8 = 2; *(uint8_t*)0x200000007ad9 = 0x10; *(uint8_t*)0x200000007ada = 8; *(uint8_t*)0x200000007adb = 9; *(uint8_t*)0x200000007adc = 4; *(uint8_t*)0x200000007add = 0x26; *(uint8_t*)0x200000007ade = 0xb; *(uint8_t*)0x200000007adf = 5; *(uint8_t*)0x200000007ae0 = 0x83; *(uint8_t*)0x200000007ae1 = 0x18; *(uint8_t*)0x200000007ae2 = 0x74; *(uint8_t*)0x200000007ae3 = 0xee; *(uint8_t*)0x200000007ae4 = 9; *(uint8_t*)0x200000007ae5 = 5; *(uint8_t*)0x200000007ae6 = 0xb; *(uint8_t*)0x200000007ae7 = 3; *(uint16_t*)0x200000007ae8 = 8; *(uint8_t*)0x200000007aea = 4; *(uint8_t*)0x200000007aeb = 0xfb; *(uint8_t*)0x200000007aec = 0x6a; *(uint8_t*)0x200000007aed = 0xbd; 
*(uint8_t*)0x200000007aee = 0xc; memcpy((void*)0x200000007aef, "\x8b\x82\xbd\x3f\xc8\x13\x7d\x3d\x25\x9c\xe7\xbc\x14\x0d\xe0\x82\x3d\xe2\x22\x2e\xed\x4c\x57\x0e\xdc\xb8\x45\x53\xcd\x1e\xfd\x64\x9d\xd3\x52\xdd\x37\x5d\x81\xda\x8d\xa8\xe6\x86\x3f\xb4\x82\xec\xb3\xa1\x6f\x12\x22\x10\xbf\xf2\x5c\x59\xa3\xaf\xc6\x54\x28\x48\xc0\x6e\x1b\x98\x3f\xbc\x8d\xd0\xde\x62\x7c\xfd\xdf\x9f\x90\x5f\x5c\xb6\xed\x4a\x25\xec\x59\x47\x59\x9b\x15\xb5\x38\xc7\xbb\x0b\x0d\x65\xd4\xa3\x1b\x31\x9f\x73\x83\x95\x5c\xe7\x66\xef\x4c\x66\xd1\x8b\xc7\x5d\x69\xb2\xdd\x7d\x13\x6c\x78\xea\xec\x1e\x22\x03\xeb\x91\x8d\xd6\x16\x09\xde\x40\xf4\xf6\x93\x91\x7e\xeb\x17\xfc\x38\x7b\xb4\x27\x34\x1f\x64\x16\xe0\xb8\xc4\x6a\x24\x45\xa5\xc4\x9b\xd9\xc8\x6d\xfe\x21\xc5\x98\xac\xf1\x7e\xa9\x8f\xfe\xce\x20\x2a\x21\xdc\x93\xa0\xb8\x30\xd2\x9a\xf8\x7c", 187); *(uint8_t*)0x200000007baa = 0xc7; *(uint8_t*)0x200000007bab = 6; memcpy((void*)0x200000007bac, "\xf5\x45\x9e\x11\x78\x00\xd2\x2a\x25\xa4\x86\xd1\x44\x2f\x5c\xbd\x4d\x3d\x77\x6c\xd0\x61\xd2\xc1\x85\xf9\x92\x4e\xae\x6a\x4d\x7b\x14\xc5\x8b\x59\x98\x63\xd3\x21\xe3\xea\x80\xa2\x5f\x6d\x8b\xe5\x1d\x5c\xa7\x0c\x27\x6c\xe0\xe6\xd9\x03\x8f\x88\x77\x6b\x96\x14\x28\x7d\xb7\xee\x21\x13\xf0\xe7\xe1\xf0\x18\x73\xb6\x13\xd7\x63\xda\x5f\x87\xf8\x6c\xd1\x86\x0b\xd6\x23\x46\x3f\xc6\xd9\x3d\x9f\x94\x8d\x0d\x4d\x70\xd7\x2a\x8a\xc1\xde\xc1\xad\xce\xb8\x71\x67\x29\x90\x64\x28\xd5\xb6\xe2\x4b\x01\x49\x9b\xfa\x6a\x0a\xa0\x48\x2e\xed\x8c\x77\x51\xa1\xc7\xec\x94\x4d\xb1\x92\x54\xa7\x4b\x61\x14\x2e\x72\x5a\x7a\x29\x0c\x41\x42\x87\x5d\x34\x7b\x3e\x48\x3f\x4e\x2d\xb8\x37\x3e\xf8\xfe\xad\x81\x18\xce\x07\xd8\x12\x33\x2b\x21\x1d\xa9\x73\x3d\x44\x4f\x7d\x70\x6a\x64\x39\xc2\x9a\xea\xed\xd0\x30\x00\xa2\xa8", 197); *(uint8_t*)0x200000007c71 = 9; *(uint8_t*)0x200000007c72 = 5; *(uint8_t*)0x200000007c73 = 0xa; *(uint8_t*)0x200000007c74 = 0xc; *(uint16_t*)0x200000007c75 = 0x400; *(uint8_t*)0x200000007c77 = 0xc; *(uint8_t*)0x200000007c78 = 0; *(uint8_t*)0x200000007c79 = 0xb5; 
*(uint8_t*)0x200000007c7a = 7; *(uint8_t*)0x200000007c7b = 0x25; *(uint8_t*)0x200000007c7c = 1; *(uint8_t*)0x200000007c7d = 1; *(uint8_t*)0x200000007c7e = 0xb; *(uint16_t*)0x200000007c7f = 7; *(uint8_t*)0x200000007c81 = 9; *(uint8_t*)0x200000007c82 = 5; *(uint8_t*)0x200000007c83 = 2; *(uint8_t*)0x200000007c84 = 0x10; *(uint16_t*)0x200000007c85 = 0x20; *(uint8_t*)0x200000007c87 = 7; *(uint8_t*)0x200000007c88 = 5; *(uint8_t*)0x200000007c89 = 5; *(uint8_t*)0x200000007c8a = 0x24; *(uint8_t*)0x200000007c8b = 7; memcpy((void*)0x200000007c8c, "\xad\x98\x31\x4a\x82\xd7\xae\xbb\xfc\xe8\x51\x78\x75\x22\x71\xb1\x58\xc0\x5d\xea\x1b\xf5\xa2\x45\x9c\x43\x1d\xf1\x80\xc1\xf3\xb2\xbe\x3b", 34); *(uint8_t*)0x200000007cae = 9; *(uint8_t*)0x200000007caf = 5; *(uint8_t*)0x200000007cb0 = 3; *(uint8_t*)0x200000007cb1 = 2; *(uint16_t*)0x200000007cb2 = 8; *(uint8_t*)0x200000007cb4 = 7; *(uint8_t*)0x200000007cb5 = 0xf3; *(uint8_t*)0x200000007cb6 = 4; *(uint8_t*)0x200000007cb7 = 9; *(uint8_t*)0x200000007cb8 = 5; *(uint8_t*)0x200000007cb9 = 5; *(uint8_t*)0x200000007cba = 0; *(uint16_t*)0x200000007cbb = 0x40; *(uint8_t*)0x200000007cbd = 2; *(uint8_t*)0x200000007cbe = 3; *(uint8_t*)0x200000007cbf = 2; *(uint8_t*)0x200000007cc0 = 0x6a; *(uint8_t*)0x200000007cc1 = 0xa; memcpy((void*)0x200000007cc2, "\xf7\xdd\x67\x50\x5d\x35\x3d\x93\xb6\xe1\xf3\xac\x2d\x8f\x9f\x76\x60\x12\xd2\x04\xe5\x58\xa7\x07\x6c\x6a\x1d\xd6\x64\x8b\x29\x28\xac\xaf\x80\x17\x10\xc8\x55\x50\x67\xe0\x71\x5e\x60\x77\x2d\x9a\x84\xc7\x14\xf6\x3d\x52\x7b\x9f\x15\x32\xa5\xac\x65\x11\x62\x7f\x9e\x84\x00\xe6\x2a\xd6\xbd\x25\xec\x51\xec\x63\x0a\xfc\x10\xe1\xf0\xf2\xfe\x01\xc9\x58\x8e\x28\x97\xef\x26\xd5\xea\x8b\xcf\x97\x0e\x51\xfc\x28\xd8\x4a\x62\x8c", 104); *(uint8_t*)0x200000007d2a = 9; *(uint8_t*)0x200000007d2b = 4; *(uint8_t*)0x200000007d2c = 0x48; *(uint8_t*)0x200000007d2d = 0xe; *(uint8_t*)0x200000007d2e = 3; *(uint8_t*)0x200000007d2f = 0xca; *(uint8_t*)0x200000007d30 = 0x1e; *(uint8_t*)0x200000007d31 = 0x4a; 
*(uint8_t*)0x200000007d32 = 0xf5; *(uint8_t*)0x200000007d33 = 9; *(uint8_t*)0x200000007d34 = 5; *(uint8_t*)0x200000007d35 = 0xb; *(uint8_t*)0x200000007d36 = 4; *(uint16_t*)0x200000007d37 = 0x400; *(uint8_t*)0x200000007d39 = 5; *(uint8_t*)0x200000007d3a = 0xf7; *(uint8_t*)0x200000007d3b = 0xf6; *(uint8_t*)0x200000007d3c = 9; *(uint8_t*)0x200000007d3d = 5; *(uint8_t*)0x200000007d3e = 0xe; *(uint8_t*)0x200000007d3f = 0x10; *(uint16_t*)0x200000007d40 = 0x3ff; *(uint8_t*)0x200000007d42 = 1; *(uint8_t*)0x200000007d43 = 0xd; *(uint8_t*)0x200000007d44 = 0x80; *(uint8_t*)0x200000007d45 = 9; *(uint8_t*)0x200000007d46 = 5; *(uint8_t*)0x200000007d47 = 5; *(uint8_t*)0x200000007d48 = 0x10; *(uint16_t*)0x200000007d49 = 0x10; *(uint8_t*)0x200000007d4b = 0x95; *(uint8_t*)0x200000007d4c = 3; *(uint8_t*)0x200000007d4d = 0; *(uint8_t*)0x200000007d4e = 7; *(uint8_t*)0x200000007d4f = 0x25; *(uint8_t*)0x200000007d50 = 1; *(uint8_t*)0x200000007d51 = 0x82; *(uint8_t*)0x200000007d52 = 0xae; *(uint16_t*)0x200000007d53 = 0x12; *(uint32_t*)0x200000007ec0 = 0xa; *(uint64_t*)0x200000007ec4 = 0x200000007d80; *(uint8_t*)0x200000007d80 = 0xa; *(uint8_t*)0x200000007d81 = 6; *(uint16_t*)0x200000007d82 = 0x110; *(uint8_t*)0x200000007d84 = 4; *(uint8_t*)0x200000007d85 = 1; *(uint8_t*)0x200000007d86 = 6; *(uint8_t*)0x200000007d87 = 8; *(uint8_t*)0x200000007d88 = 0xe; *(uint8_t*)0x200000007d89 = 0; *(uint32_t*)0x200000007ecc = 0x3b; *(uint64_t*)0x200000007ed0 = 0x200000007dc0; *(uint8_t*)0x200000007dc0 = 5; *(uint8_t*)0x200000007dc1 = 0xf; *(uint16_t*)0x200000007dc2 = 0x3b; *(uint8_t*)0x200000007dc4 = 4; *(uint8_t*)0x200000007dc5 = 0x14; *(uint8_t*)0x200000007dc6 = 0x10; *(uint8_t*)0x200000007dc7 = 4; *(uint8_t*)0x200000007dc8 = 6; memcpy((void*)0x200000007dc9, "\xfd\xf4\x04\x3a\xe7\xf5\x9e\x3e\x81\xfe\x30\x3d\x4d\xe3\xea\x16", 16); *(uint8_t*)0x200000007dd9 = 7; *(uint8_t*)0x200000007dda = 0x10; *(uint8_t*)0x200000007ddb = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007ddc, 0x10, 0, 8); 
STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007dde, 6, 0, 16); *(uint8_t*)0x200000007de0 = 7; *(uint8_t*)0x200000007de1 = 0x10; *(uint8_t*)0x200000007de2 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007de3, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 7, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 0xd, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de5, 0x95d7, 0, 16); *(uint8_t*)0x200000007de7 = 0x14; *(uint8_t*)0x200000007de8 = 0x10; *(uint8_t*)0x200000007de9 = 4; *(uint8_t*)0x200000007dea = 3; memcpy((void*)0x200000007deb, "\xbc\x6a\x92\x66\xbf\x50\x6e\x90\x62\x0d\x9c\x90\x0e\x18\x01\x43", 16); *(uint32_t*)0x200000007ed8 = 1; *(uint32_t*)0x200000007edc = 0x98; *(uint64_t*)0x200000007ee0 = 0x200000007e00; *(uint8_t*)0x200000007e00 = 0x98; *(uint8_t*)0x200000007e01 = 3; memcpy((void*)0x200000007e02, "\xd9\x5f\x3f\xca\xaa\x58\xf9\xd3\x6d\x03\xe3\xa2\xd5\x56\x6a\x51\x91\xf7\x42\xf7\x23\xfa\x49\xe3\x64\xe0\x3b\x0d\x28\x8a\x7f\xcb\x45\x79\xb5\x8c\x56\xd8\x24\xbe\x57\xf9\xad\x0f\x87\x03\xd3\x01\x1c\xac\x46\x84\x33\xfa\x22\xc2\x3b\xfa\xf1\x5d\xad\x54\x1e\xfb\x01\x38\xc4\x6b\xb8\xf8\x86\x92\x15\x15\x5c\x26\x85\xd6\x9b\x75\xff\xe6\x8c\x0c\xbd\x6e\x71\x74\x3a\xbd\x43\x55\xe1\x2d\x9d\xcb\x7d\xff\x16\xbb\x07\x5d\xa5\x53\xc1\x78\x13\x9e\xde\x2c\x28\x5a\x4a\x28\x45\xe8\x88\x9c\x23\x45\x04\xd9\x68\xd8\x70\xb6\x08\x4a\x7b\x4a\xb0\xdc\xdb\x83\xd4\x3b\xb2\xf4\xe7\xa0\x15\x6b\x80\xa6\x89\x19\xcb\xb7\xda\x84", 150); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0x295, /*dev=*/0x200000007ac0, /*conn_descs=*/0x200000007ec0); if (res != -1) r[33] = res; break; case 52: *(uint8_t*)0x200000007f00 = 0x12; *(uint8_t*)0x200000007f01 = 1; *(uint16_t*)0x200000007f02 = 0x200; *(uint8_t*)0x200000007f04 = -1; *(uint8_t*)0x200000007f05 = -1; *(uint8_t*)0x200000007f06 = -1; *(uint8_t*)0x200000007f07 = 0x40; *(uint16_t*)0x200000007f08 = 0xcf3; 
*(uint16_t*)0x200000007f0a = 0x9271; *(uint16_t*)0x200000007f0c = 0x108; *(uint8_t*)0x200000007f0e = 1; *(uint8_t*)0x200000007f0f = 2; *(uint8_t*)0x200000007f10 = 3; *(uint8_t*)0x200000007f11 = 1; *(uint8_t*)0x200000007f12 = 9; *(uint8_t*)0x200000007f13 = 2; *(uint16_t*)0x200000007f14 = 0x48; *(uint8_t*)0x200000007f16 = 1; *(uint8_t*)0x200000007f17 = 1; *(uint8_t*)0x200000007f18 = 0; *(uint8_t*)0x200000007f19 = 0x80; *(uint8_t*)0x200000007f1a = 0xfa; *(uint8_t*)0x200000007f1b = 9; *(uint8_t*)0x200000007f1c = 4; *(uint8_t*)0x200000007f1d = 0; *(uint8_t*)0x200000007f1e = 0; *(uint8_t*)0x200000007f1f = 6; *(uint8_t*)0x200000007f20 = -1; *(uint8_t*)0x200000007f21 = 0; *(uint8_t*)0x200000007f22 = 0; *(uint8_t*)0x200000007f23 = 0; *(uint8_t*)0x200000007f24 = 9; *(uint8_t*)0x200000007f25 = 5; *(uint8_t*)0x200000007f26 = 1; *(uint8_t*)0x200000007f27 = 2; *(uint16_t*)0x200000007f28 = 0x200; *(uint8_t*)0x200000007f2a = 0; *(uint8_t*)0x200000007f2b = 0; *(uint8_t*)0x200000007f2c = 0; *(uint8_t*)0x200000007f2d = 9; *(uint8_t*)0x200000007f2e = 5; *(uint8_t*)0x200000007f2f = 0x82; *(uint8_t*)0x200000007f30 = 2; *(uint16_t*)0x200000007f31 = 0x200; *(uint8_t*)0x200000007f33 = 0; *(uint8_t*)0x200000007f34 = 0; *(uint8_t*)0x200000007f35 = 0; *(uint8_t*)0x200000007f36 = 9; *(uint8_t*)0x200000007f37 = 5; *(uint8_t*)0x200000007f38 = 0x83; *(uint8_t*)0x200000007f39 = 3; *(uint16_t*)0x200000007f3a = 0x40; *(uint8_t*)0x200000007f3c = 1; *(uint8_t*)0x200000007f3d = 0; *(uint8_t*)0x200000007f3e = 0; *(uint8_t*)0x200000007f3f = 9; *(uint8_t*)0x200000007f40 = 5; *(uint8_t*)0x200000007f41 = 4; *(uint8_t*)0x200000007f42 = 3; *(uint16_t*)0x200000007f43 = 0x40; *(uint8_t*)0x200000007f45 = 1; *(uint8_t*)0x200000007f46 = 0; *(uint8_t*)0x200000007f47 = 0; *(uint8_t*)0x200000007f48 = 9; *(uint8_t*)0x200000007f49 = 5; *(uint8_t*)0x200000007f4a = 5; *(uint8_t*)0x200000007f4b = 2; *(uint16_t*)0x200000007f4c = 0x200; *(uint8_t*)0x200000007f4e = 0; *(uint8_t*)0x200000007f4f = 0; *(uint8_t*)0x200000007f50 
= 0; *(uint8_t*)0x200000007f51 = 9; *(uint8_t*)0x200000007f52 = 5; *(uint8_t*)0x200000007f53 = 6; *(uint8_t*)0x200000007f54 = 2; *(uint16_t*)0x200000007f55 = 0x200; *(uint8_t*)0x200000007f57 = 0; *(uint8_t*)0x200000007f58 = 0; *(uint8_t*)0x200000007f59 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000007f00, /*conn_descs=*/0); if (res != -1) r[34] = res; break; case 53: *(uint8_t*)0x200000007f80 = 0x12; *(uint8_t*)0x200000007f81 = 1; *(uint16_t*)0x200000007f82 = 0x110; *(uint8_t*)0x200000007f84 = 0; *(uint8_t*)0x200000007f85 = 0; *(uint8_t*)0x200000007f86 = 0; *(uint8_t*)0x200000007f87 = 0x40; *(uint16_t*)0x200000007f88 = 0x1d6b; *(uint16_t*)0x200000007f8a = 0x101; *(uint16_t*)0x200000007f8c = 0x40; *(uint8_t*)0x200000007f8e = 1; *(uint8_t*)0x200000007f8f = 2; *(uint8_t*)0x200000007f90 = 3; *(uint8_t*)0x200000007f91 = 1; *(uint8_t*)0x200000007f92 = 9; *(uint8_t*)0x200000007f93 = 2; *(uint16_t*)0x200000007f94 = 0xd3; *(uint8_t*)0x200000007f96 = 3; *(uint8_t*)0x200000007f97 = 1; *(uint8_t*)0x200000007f98 = 1; *(uint8_t*)0x200000007f99 = 0x80; *(uint8_t*)0x200000007f9a = 0x80; *(uint8_t*)0x200000007f9b = 9; *(uint8_t*)0x200000007f9c = 4; *(uint8_t*)0x200000007f9d = 0; *(uint8_t*)0x200000007f9e = 0; *(uint8_t*)0x200000007f9f = 0; *(uint8_t*)0x200000007fa0 = 1; *(uint8_t*)0x200000007fa1 = 1; *(uint8_t*)0x200000007fa2 = 0; *(uint8_t*)0x200000007fa3 = 0; *(uint8_t*)0x200000007fa4 = 0xa; *(uint8_t*)0x200000007fa5 = 0x24; *(uint8_t*)0x200000007fa6 = 1; *(uint16_t*)0x200000007fa7 = 0; *(uint8_t*)0x200000007fa9 = 0x7c; *(uint8_t*)0x200000007faa = 2; *(uint8_t*)0x200000007fab = 1; *(uint8_t*)0x200000007fac = 2; *(uint8_t*)0x200000007fad = 0xd; *(uint8_t*)0x200000007fae = 0x24; *(uint8_t*)0x200000007faf = 8; *(uint8_t*)0x200000007fb0 = 2; *(uint16_t*)0x200000007fb1 = 8; *(uint8_t*)0x200000007fb3 = 9; memcpy((void*)0x200000007fb4, "\x0c\xff\xda\x3f\x22\x7b", 6); *(uint8_t*)0x200000007fba = 9; *(uint8_t*)0x200000007fbb = 4; 
*(uint8_t*)0x200000007fbc = 1; *(uint8_t*)0x200000007fbd = 0; *(uint8_t*)0x200000007fbe = 0; *(uint8_t*)0x200000007fbf = 1; *(uint8_t*)0x200000007fc0 = 2; *(uint8_t*)0x200000007fc1 = 0; *(uint8_t*)0x200000007fc2 = 0; *(uint8_t*)0x200000007fc3 = 9; *(uint8_t*)0x200000007fc4 = 4; *(uint8_t*)0x200000007fc5 = 1; *(uint8_t*)0x200000007fc6 = 1; *(uint8_t*)0x200000007fc7 = 1; *(uint8_t*)0x200000007fc8 = 1; *(uint8_t*)0x200000007fc9 = 2; *(uint8_t*)0x200000007fca = 0; *(uint8_t*)0x200000007fcb = 0; *(uint8_t*)0x200000007fcc = 0x12; *(uint8_t*)0x200000007fcd = 0x24; *(uint8_t*)0x200000007fce = 2; *(uint8_t*)0x200000007fcf = 2; *(uint16_t*)0x200000007fd0 = 6; *(uint16_t*)0x200000007fd2 = 0x9a; *(uint8_t*)0x200000007fd4 = 0x20; memcpy((void*)0x200000007fd5, "\x2d\xa5\xee\x78\xa2\x8e\x1f\x1a\x41", 9); *(uint8_t*)0x200000007fde = 0xd; *(uint8_t*)0x200000007fdf = 0x24; *(uint8_t*)0x200000007fe0 = 2; *(uint8_t*)0x200000007fe1 = 1; *(uint8_t*)0x200000007fe2 = 0xf8; *(uint8_t*)0x200000007fe3 = 3; *(uint8_t*)0x200000007fe4 = 0x69; *(uint8_t*)0x200000007fe5 = 0x6d; memcpy((void*)0x200000007fe6, "e)", 2); memcpy((void*)0x200000007fe8, "\xbf\x07\x94", 3); *(uint8_t*)0x200000007feb = 0xb; *(uint8_t*)0x200000007fec = 0x24; *(uint8_t*)0x200000007fed = 2; *(uint8_t*)0x200000007fee = 1; *(uint8_t*)0x200000007fef = 5; *(uint8_t*)0x200000007ff0 = 4; *(uint8_t*)0x200000007ff1 = 0x5b; *(uint8_t*)0x200000007ff2 = 3; memset((void*)0x200000007ff3, 68, 1); memcpy((void*)0x200000007ff4, "\x26\x18", 2); *(uint8_t*)0x200000007ff6 = 9; *(uint8_t*)0x200000007ff7 = 0x24; *(uint8_t*)0x200000007ff8 = 2; *(uint8_t*)0x200000007ff9 = 2; *(uint16_t*)0x200000007ffa = 0x7b4; *(uint16_t*)0x200000007ffc = 8; *(uint8_t*)0x200000007ffe = 4; *(uint8_t*)0x200000007fff = 0xc; *(uint8_t*)0x200000008000 = 0x24; *(uint8_t*)0x200000008001 = 2; *(uint8_t*)0x200000008002 = 1; *(uint8_t*)0x200000008003 = 0; *(uint8_t*)0x200000008004 = 3; *(uint8_t*)0x200000008005 = 8; *(uint8_t*)0x200000008006 = 8; 
memset((void*)0x200000008007, 170, 1); memcpy((void*)0x200000008008, "\xe8\xe5\xb4", 3); *(uint8_t*)0x20000000800b = 9; *(uint8_t*)0x20000000800c = 5; *(uint8_t*)0x20000000800d = 1; *(uint8_t*)0x20000000800e = 9; *(uint16_t*)0x20000000800f = 0x40; *(uint8_t*)0x200000008011 = 6; *(uint8_t*)0x200000008012 = 5; *(uint8_t*)0x200000008013 = 0; *(uint8_t*)0x200000008014 = 7; *(uint8_t*)0x200000008015 = 0x25; *(uint8_t*)0x200000008016 = 1; *(uint8_t*)0x200000008017 = 0x80; *(uint8_t*)0x200000008018 = 1; *(uint16_t*)0x200000008019 = 4; *(uint8_t*)0x20000000801b = 9; *(uint8_t*)0x20000000801c = 4; *(uint8_t*)0x20000000801d = 2; *(uint8_t*)0x20000000801e = 0; *(uint8_t*)0x20000000801f = 0; *(uint8_t*)0x200000008020 = 1; *(uint8_t*)0x200000008021 = 2; *(uint8_t*)0x200000008022 = 0; *(uint8_t*)0x200000008023 = 0; *(uint8_t*)0x200000008024 = 9; *(uint8_t*)0x200000008025 = 4; *(uint8_t*)0x200000008026 = 2; *(uint8_t*)0x200000008027 = 1; *(uint8_t*)0x200000008028 = 1; *(uint8_t*)0x200000008029 = 1; *(uint8_t*)0x20000000802a = 2; *(uint8_t*)0x20000000802b = 0; *(uint8_t*)0x20000000802c = 0; *(uint8_t*)0x20000000802d = 7; *(uint8_t*)0x20000000802e = 0x24; *(uint8_t*)0x20000000802f = 1; *(uint8_t*)0x200000008030 = 3; *(uint8_t*)0x200000008031 = 0x1e; *(uint16_t*)0x200000008032 = 4; *(uint8_t*)0x200000008034 = 7; *(uint8_t*)0x200000008035 = 0x24; *(uint8_t*)0x200000008036 = 1; *(uint8_t*)0x200000008037 = 0x6f; *(uint8_t*)0x200000008038 = 7; *(uint16_t*)0x200000008039 = 0; *(uint8_t*)0x20000000803b = 0xa; *(uint8_t*)0x20000000803c = 0x24; *(uint8_t*)0x20000000803d = 2; *(uint8_t*)0x20000000803e = 2; *(uint16_t*)0x20000000803f = 8; *(uint16_t*)0x200000008041 = 2; *(uint8_t*)0x200000008043 = 8; memset((void*)0x200000008044, 102, 1); *(uint8_t*)0x200000008045 = 0x10; *(uint8_t*)0x200000008046 = 0x24; *(uint8_t*)0x200000008047 = 2; *(uint8_t*)0x200000008048 = 2; *(uint16_t*)0x200000008049 = 9; *(uint16_t*)0x20000000804b = 0x401; *(uint8_t*)0x20000000804d = 5; memcpy((void*)0x20000000804e, 
"\x53\xb1\x1d\xbc\x8c\xd3\x10", 7); *(uint8_t*)0x200000008055 = 9; *(uint8_t*)0x200000008056 = 5; *(uint8_t*)0x200000008057 = 0x82; *(uint8_t*)0x200000008058 = 9; *(uint16_t*)0x200000008059 = 8; *(uint8_t*)0x20000000805b = 0; *(uint8_t*)0x20000000805c = 0x28; *(uint8_t*)0x20000000805d = 6; *(uint8_t*)0x20000000805e = 7; *(uint8_t*)0x20000000805f = 0x25; *(uint8_t*)0x200000008060 = 1; *(uint8_t*)0x200000008061 = 0x80; *(uint8_t*)0x200000008062 = 5; *(uint16_t*)0x200000008063 = 0xd; *(uint32_t*)0x2000000081c0 = 0xa; *(uint64_t*)0x2000000081c4 = 0x200000008080; *(uint8_t*)0x200000008080 = 0xa; *(uint8_t*)0x200000008081 = 6; *(uint16_t*)0x200000008082 = 0x110; *(uint8_t*)0x200000008084 = 0x59; *(uint8_t*)0x200000008085 = 0xa5; *(uint8_t*)0x200000008086 = 5; *(uint8_t*)0x200000008087 = 0x10; *(uint8_t*)0x200000008088 = 1; *(uint8_t*)0x200000008089 = 0; *(uint32_t*)0x2000000081cc = 0x39; *(uint64_t*)0x2000000081d0 = 0x2000000080c0; *(uint8_t*)0x2000000080c0 = 5; *(uint8_t*)0x2000000080c1 = 0xf; *(uint16_t*)0x2000000080c2 = 0x39; *(uint8_t*)0x2000000080c4 = 5; *(uint8_t*)0x2000000080c5 = 0xb; *(uint8_t*)0x2000000080c6 = 0x10; *(uint8_t*)0x2000000080c7 = 1; *(uint8_t*)0x2000000080c8 = 4; *(uint16_t*)0x2000000080c9 = 8; *(uint8_t*)0x2000000080cb = 3; *(uint8_t*)0x2000000080cc = 0xb8; *(uint16_t*)0x2000000080cd = 9; *(uint8_t*)0x2000000080cf = 4; *(uint8_t*)0x2000000080d0 = 0x14; *(uint8_t*)0x2000000080d1 = 0x10; *(uint8_t*)0x2000000080d2 = 4; *(uint8_t*)0x2000000080d3 = 2; memcpy((void*)0x2000000080d4, "\x9d\x9a\xb0\x97\x8e\x2a\xac\xe2\x6d\xe6\x63\x06\xe6\xe2\x96\x3d", 16); *(uint8_t*)0x2000000080e4 = 0xb; *(uint8_t*)0x2000000080e5 = 0x10; *(uint8_t*)0x2000000080e6 = 1; *(uint8_t*)0x2000000080e7 = 4; *(uint16_t*)0x2000000080e8 = 0; *(uint8_t*)0x2000000080ea = 6; *(uint8_t*)0x2000000080eb = 4; *(uint16_t*)0x2000000080ec = 1; *(uint8_t*)0x2000000080ee = 5; *(uint8_t*)0x2000000080ef = 3; *(uint8_t*)0x2000000080f0 = 0x10; *(uint8_t*)0x2000000080f1 = 0xb; 
*(uint8_t*)0x2000000080f2 = 7; *(uint8_t*)0x2000000080f3 = 0x10; *(uint8_t*)0x2000000080f4 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000080f5, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f7, 0xfff2, 0, 16); *(uint32_t*)0x2000000081d8 = 1; *(uint32_t*)0x2000000081dc = 0x84; *(uint64_t*)0x2000000081e0 = 0x200000008100; *(uint8_t*)0x200000008100 = 0x84; *(uint8_t*)0x200000008101 = 3; memcpy((void*)0x200000008102, "\x00\x0a\x6c\x9f\x4a\x15\xea\xbc\x97\xa9\x2a\xb6\x65\x23\x1b\x2c\xf9\x05\x73\x21\xeb\x43\x0c\x65\x21\xf4\x97\xa8\xc3\xce\x81\x62\x68\xcb\x33\x7f\xa4\x8d\xee\xcf\xeb\x28\xb2\x30\x5f\xcf\x2d\x2e\x98\x8c\xc8\xb8\xb9\x80\xa1\x33\x2d\xc4\x06\xbc\x34\x69\x5f\xa2\x4d\xc3\x60\x9f\x61\x9d\x7a\xc2\x84\xcc\x3a\xe7\xf0\xaf\xe4\x44\xd5\x78\xc9\x51\xd9\xae\xdc\x4c\x68\x2e\x10\x0c\xfe\xb6\x61\x9b\x98\xa9\x6b\x19\x78\xd8\xed\xe7\x57\x4e\x96\x9f\x8a\xe8\xe3\xdf\xb8\x35\xbd\xe5\xcc\xd9\x22\x13\x3e\x53\x03\x6f\xf4\x4e\xda\x52\xa0\xa9", 130); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0xe5, /*dev=*/0x200000007f80, /*conn_descs=*/0x2000000081c0); if (res != -1) r[35] = res; break; case 54: *(uint32_t*)0x200000008380 = 0x2c; *(uint64_t*)0x200000008384 = 0x200000008200; *(uint8_t*)0x200000008200 = 0x40; *(uint8_t*)0x200000008201 = 0x22; *(uint32_t*)0x200000008202 = 0x31; *(uint8_t*)0x200000008206 = 0x31; *(uint8_t*)0x200000008207 = 5; memcpy((void*)0x200000008208, "\x74\xe8\x3d\xcf\x53\xdd\x2d\x0e\xca\xc0\xaa\x34\x67\xb1\x8d\xfa\x71\xb2\x6c\xdd\x40\x3d\x95\x5c\x0f\xfe\x22\x81\x7b\x01\xfe\x57\x95\xd5\x1c\xf2\x4a\x6a\xe3\xb8\xe3\x2f\x1b\x7a\xc5\xf8\xca", 47); *(uint64_t*)0x20000000838c = 0x200000008240; *(uint8_t*)0x200000008240 = 0; *(uint8_t*)0x200000008241 = 3; *(uint32_t*)0x200000008242 = 0x1e; *(uint8_t*)0x200000008246 = 0x1e; *(uint8_t*)0x200000008247 = 3; memcpy((void*)0x200000008248, 
"\x89\x57\xa5\x01\xd8\x3c\x69\xe5\x4f\x70\xf6\x2f\x93\x2a\x50\xb6\x55\x06\xc3\x88\xc1\x28\x23\x9d\x36\x22\x9e\xe2", 28); *(uint64_t*)0x200000008394 = 0x200000008280; *(uint8_t*)0x200000008280 = 0; *(uint8_t*)0x200000008281 = 0xf; *(uint32_t*)0x200000008282 = 0x4f; *(uint8_t*)0x200000008286 = 5; *(uint8_t*)0x200000008287 = 0xf; *(uint16_t*)0x200000008288 = 0x4f; *(uint8_t*)0x20000000828a = 6; *(uint8_t*)0x20000000828b = 0x1c; *(uint8_t*)0x20000000828c = 0x10; *(uint8_t*)0x20000000828d = 0xa; *(uint8_t*)0x20000000828e = 0; STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 5, 5, 27); *(uint16_t*)0x200000008293 = 0xf000; *(uint16_t*)0x200000008295 = 0x409; *(uint32_t*)0x200000008297 = 0xc000; *(uint32_t*)0x20000000829b = 0x17f; *(uint32_t*)0x20000000829f = 0xff3f30; *(uint32_t*)0x2000000082a3 = 0xffffaf; *(uint8_t*)0x2000000082a7 = 0x10; *(uint8_t*)0x2000000082a8 = 0x10; *(uint8_t*)0x2000000082a9 = 0xa; *(uint8_t*)0x2000000082aa = 9; STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 4, 5, 27); *(uint16_t*)0x2000000082af = 0xff0f; *(uint16_t*)0x2000000082b1 = 0xf87; *(uint32_t*)0x2000000082b3 = 0xc030; *(uint8_t*)0x2000000082b7 = 7; *(uint8_t*)0x2000000082b8 = 0x10; *(uint8_t*)0x2000000082b9 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000082ba, 4, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bc, 5, 0, 16); *(uint8_t*)0x2000000082be = 0xa; *(uint8_t*)0x2000000082bf = 0x10; *(uint8_t*)0x2000000082c0 = 3; *(uint8_t*)0x2000000082c1 = 0; *(uint16_t*)0x2000000082c2 = 4; *(uint8_t*)0x2000000082c4 = 0xd2; *(uint8_t*)0x2000000082c5 = 3; *(uint16_t*)0x2000000082c6 = 5; *(uint8_t*)0x2000000082c8 = 0xa; *(uint8_t*)0x2000000082c9 = 0x10; *(uint8_t*)0x2000000082ca = 3; *(uint8_t*)0x2000000082cb = 0; *(uint16_t*)0x2000000082cc = 0; *(uint8_t*)0x2000000082ce = 1; 
*(uint8_t*)0x2000000082cf = 7; *(uint16_t*)0x2000000082d0 = 2; *(uint8_t*)0x2000000082d2 = 3; *(uint8_t*)0x2000000082d3 = 0x10; *(uint8_t*)0x2000000082d4 = 0xb; *(uint64_t*)0x20000000839c = 0x200000008300; *(uint8_t*)0x200000008300 = 0x20; *(uint8_t*)0x200000008301 = 0x29; *(uint32_t*)0x200000008302 = 0xf; *(uint8_t*)0x200000008306 = 0xf; *(uint8_t*)0x200000008307 = 0x29; *(uint8_t*)0x200000008308 = 8; *(uint16_t*)0x200000008309 = 1; *(uint8_t*)0x20000000830b = 7; *(uint8_t*)0x20000000830c = 4; memcpy((void*)0x20000000830d, "\b\r$}", 4); memcpy((void*)0x200000008311, "\x67\x01\x6d\xee", 4); *(uint64_t*)0x2000000083a4 = 0x200000008340; *(uint8_t*)0x200000008340 = 0x20; *(uint8_t*)0x200000008341 = 0x2a; *(uint32_t*)0x200000008342 = 0xc; *(uint8_t*)0x200000008346 = 0xc; *(uint8_t*)0x200000008347 = 0x2a; *(uint8_t*)0x200000008348 = 0x16; *(uint16_t*)0x200000008349 = 0x80; *(uint8_t*)0x20000000834b = 9; *(uint8_t*)0x20000000834c = 3; *(uint8_t*)0x20000000834d = 3; *(uint16_t*)0x20000000834e = 2; *(uint16_t*)0x200000008350 = 0xf000; *(uint32_t*)0x2000000087c0 = 0x84; *(uint64_t*)0x2000000087c4 = 0x2000000083c0; *(uint8_t*)0x2000000083c0 = 0; *(uint8_t*)0x2000000083c1 = 0x11; *(uint32_t*)0x2000000083c2 = 0x1f; memcpy((void*)0x2000000083c6, "\x16\xd6\x0d\x77\x43\x50\x14\x52\xff\xd5\x73\x04\x24\xbc\x4a\x97\x0c\xc6\x49\x0b\xb9\xcc\x85\x93\x86\x99\xed\xf2\x7a\x0c\x7d", 31); *(uint64_t*)0x2000000087cc = 0x200000008400; *(uint8_t*)0x200000008400 = 0; *(uint8_t*)0x200000008401 = 0xa; *(uint32_t*)0x200000008402 = 1; *(uint8_t*)0x200000008406 = 9; *(uint64_t*)0x2000000087d4 = 0x200000008440; *(uint8_t*)0x200000008440 = 0; *(uint8_t*)0x200000008441 = 8; *(uint32_t*)0x200000008442 = 1; *(uint8_t*)0x200000008446 = 4; *(uint64_t*)0x2000000087dc = 0x200000008480; *(uint8_t*)0x200000008480 = 0x20; *(uint8_t*)0x200000008481 = 0; *(uint32_t*)0x200000008482 = 4; *(uint16_t*)0x200000008486 = 0xe554; *(uint16_t*)0x200000008488 = 1; *(uint64_t*)0x2000000087e4 = 0x2000000084c0; 
*(uint8_t*)0x2000000084c0 = 0x20; *(uint8_t*)0x2000000084c1 = 0; *(uint32_t*)0x2000000084c2 = 4; *(uint16_t*)0x2000000084c6 = 0x200; *(uint16_t*)0x2000000084c8 = 0x2b; *(uint64_t*)0x2000000087ec = 0x200000008500; *(uint8_t*)0x200000008500 = 0x40; *(uint8_t*)0x200000008501 = 7; *(uint32_t*)0x200000008502 = 2; *(uint16_t*)0x200000008506 = 0xfd37; *(uint64_t*)0x2000000087f4 = 0x200000008540; *(uint8_t*)0x200000008540 = 0x40; *(uint8_t*)0x200000008541 = 9; *(uint32_t*)0x200000008542 = 1; *(uint8_t*)0x200000008546 = 0; *(uint64_t*)0x2000000087fc = 0x200000008580; *(uint8_t*)0x200000008580 = 0x40; *(uint8_t*)0x200000008581 = 0xb; *(uint32_t*)0x200000008582 = 2; memcpy((void*)0x200000008586, "E\"", 2); *(uint64_t*)0x200000008804 = 0x2000000085c0; *(uint8_t*)0x2000000085c0 = 0x40; *(uint8_t*)0x2000000085c1 = 0xf; *(uint32_t*)0x2000000085c2 = 2; *(uint16_t*)0x2000000085c6 = 2; *(uint64_t*)0x20000000880c = 0x200000008600; *(uint8_t*)0x200000008600 = 0x40; *(uint8_t*)0x200000008601 = 0x13; *(uint32_t*)0x200000008602 = 6; memcpy((void*)0x200000008606, "\x2f\xa6\xdd\xe0\x3a\x0f", 6); *(uint64_t*)0x200000008814 = 0x200000008640; *(uint8_t*)0x200000008640 = 0x40; *(uint8_t*)0x200000008641 = 0x17; *(uint32_t*)0x200000008642 = 6; memcpy((void*)0x200000008646, "\xde\x1c\x10\x2b\x02\x7e", 6); *(uint64_t*)0x20000000881c = 0x200000008680; *(uint8_t*)0x200000008680 = 0x40; *(uint8_t*)0x200000008681 = 0x19; *(uint32_t*)0x200000008682 = 2; memcpy((void*)0x200000008686, "\x0d\x97", 2); *(uint64_t*)0x200000008824 = 0x2000000086c0; *(uint8_t*)0x2000000086c0 = 0x40; *(uint8_t*)0x2000000086c1 = 0x1a; *(uint32_t*)0x2000000086c2 = 2; *(uint16_t*)0x2000000086c6 = 2; *(uint64_t*)0x20000000882c = 0x200000008700; *(uint8_t*)0x200000008700 = 0x40; *(uint8_t*)0x200000008701 = 0x1c; *(uint32_t*)0x200000008702 = 1; *(uint8_t*)0x200000008706 = 0xfd; *(uint64_t*)0x200000008834 = 0x200000008740; *(uint8_t*)0x200000008740 = 0x40; *(uint8_t*)0x200000008741 = 0x1e; *(uint32_t*)0x200000008742 = 1; 
*(uint8_t*)0x200000008746 = 0xfd; *(uint64_t*)0x20000000883c = 0x200000008780; *(uint8_t*)0x200000008780 = 0x40; *(uint8_t*)0x200000008781 = 0x21; *(uint32_t*)0x200000008782 = 1; *(uint8_t*)0x200000008786 = 0xc9; syz_usb_control_io(/*fd=*/r[35], /*descs=*/0x200000008380, /*resps=*/0x2000000087c0); break; case 55: syz_usb_disconnect(/*fd=*/r[33]); break; case 56: syz_usb_ep_read(/*fd=*/r[34], /*ep=*/7, /*len=*/0xfc, /*data=*/0x200000008880); break; case 57: *(uint8_t*)0x200000008980 = 0x12; *(uint8_t*)0x200000008981 = 1; *(uint16_t*)0x200000008982 = 0x200; *(uint8_t*)0x200000008984 = 7; *(uint8_t*)0x200000008985 = 1; *(uint8_t*)0x200000008986 = 1; *(uint8_t*)0x200000008987 = 0x20; *(uint16_t*)0x200000008988 = 0x525; *(uint16_t*)0x20000000898a = 0xa4a8; *(uint16_t*)0x20000000898c = 0x40; *(uint8_t*)0x20000000898e = 1; *(uint8_t*)0x20000000898f = 2; *(uint8_t*)0x200000008990 = 3; *(uint8_t*)0x200000008991 = 1; *(uint8_t*)0x200000008992 = 9; *(uint8_t*)0x200000008993 = 2; *(uint16_t*)0x200000008994 = 0x24; *(uint8_t*)0x200000008996 = 1; *(uint8_t*)0x200000008997 = 1; *(uint8_t*)0x200000008998 = 0xf4; *(uint8_t*)0x200000008999 = 0x60; *(uint8_t*)0x20000000899a = 4; *(uint8_t*)0x20000000899b = 9; *(uint8_t*)0x20000000899c = 4; *(uint8_t*)0x20000000899d = 0; *(uint8_t*)0x20000000899e = 3; *(uint8_t*)0x20000000899f = 2; *(uint8_t*)0x2000000089a0 = 0; *(uint8_t*)0x2000000089a1 = 0; *(uint8_t*)0x2000000089a2 = 0; *(uint8_t*)0x2000000089a3 = 0x81; *(uint8_t*)0x2000000089a4 = 9; *(uint8_t*)0x2000000089a5 = 5; *(uint8_t*)0x2000000089a6 = 1; *(uint8_t*)0x2000000089a7 = 2; *(uint16_t*)0x2000000089a8 = 0x400; *(uint8_t*)0x2000000089aa = 0; *(uint8_t*)0x2000000089ab = 8; *(uint8_t*)0x2000000089ac = 2; *(uint8_t*)0x2000000089ad = 9; *(uint8_t*)0x2000000089ae = 5; *(uint8_t*)0x2000000089af = 0x82; *(uint8_t*)0x2000000089b0 = 2; *(uint16_t*)0x2000000089b1 = 0x3ff; *(uint8_t*)0x2000000089b3 = 4; *(uint8_t*)0x2000000089b4 = 0x48; *(uint8_t*)0x2000000089b5 = 8; *(uint32_t*)0x200000008f00 
= 0xa; *(uint64_t*)0x200000008f04 = 0x2000000089c0; *(uint8_t*)0x2000000089c0 = 0xa; *(uint8_t*)0x2000000089c1 = 6; *(uint16_t*)0x2000000089c2 = 0x250; *(uint8_t*)0x2000000089c4 = 0x7d; *(uint8_t*)0x2000000089c5 = 0xdd; *(uint8_t*)0x2000000089c6 = 3; *(uint8_t*)0x2000000089c7 = 0x20; *(uint8_t*)0x2000000089c8 = 0xfa; *(uint8_t*)0x2000000089c9 = 0; *(uint32_t*)0x200000008f0c = 0x154; *(uint64_t*)0x200000008f10 = 0x200000008a00; *(uint8_t*)0x200000008a00 = 5; *(uint8_t*)0x200000008a01 = 0xf; *(uint16_t*)0x200000008a02 = 0x154; *(uint8_t*)0x200000008a04 = 6; *(uint8_t*)0x200000008a05 = 0xe8; *(uint8_t*)0x200000008a06 = 0x10; *(uint8_t*)0x200000008a07 = 1; memcpy((void*)0x200000008a08, "\xd0\x31\xa9\x16\x5b\x9e\x27\x3f\xf6\xff\xe5\x55\x84\x9a\xf6\xdc\xa6\x6e\x17\xa6\x8e\xe5\xac\x78\x4d\xca\x23\xe4\xa5\x6d\x46\x16\x9a\xd0\x6e\xad\x2b\x8b\xcd\x99\x7e\xac\x2e\xcb\x8b\x2a\x25\x26\xaa\x20\x0d\xb5\x57\x58\xd0\x86\x59\x46\x92\x83\xd6\xec\xfb\xa9\x82\xc3\x00\xae\x82\xcc\xf4\xa8\xbf\x07\x3d\xbd\xe4\x53\x76\xb4\xf6\xfc\x55\x9b\xe5\x19\xf8\x2e\x8e\x5b\x2c\xf5\x9c\x3a\x3a\xf4\xf2\x90\x70\x7e\x76\x7a\x4e\x27\x68\x51\x09\x0d\x90\xbe\x0a\xb6\x6f\x78\x8e\x77\x60\xcd\x71\xab\x86\x5e\xa8\xb6\xbc\xc5\xf3\x5f\x60\x53\x81\x54\xa0\x99\xc3\x54\xa3\x59\x34\x17\x68\x2f\xc3\x9d\x2a\x6a\x25\x5e\xf4\xbb\x65\xf8\xd9\x7a\xf2\x9b\xeb\x0f\x87\x34\xa6\x8e\xd8\x4e\xf0\x8d\xf6\x9e\x9b\x35\xfa\x2e\x3f\xe6\x5e\x99\x38\xff\x44\x1d\xc3\xe7\x98\x2a\x81\xcc\xca\xf9\x62\x1d\x5d\xbc\x66\x3b\x80\xab\x44\x8c\x97\x5c\xbc\x19\xbb\x6c\x39\x01\xa0\x2c\x16\xb3\x2d\xfa\xf9\xf5\xc2\x20\xfa\x21\x43\x49\x37\xb4\x62\x03\x81\x05\xe6\xd0\x86", 229); *(uint8_t*)0x200000008aed = 0x4b; *(uint8_t*)0x200000008aee = 0x10; *(uint8_t*)0x200000008aef = 3; memcpy((void*)0x200000008af0, 
"\x10\xbe\xd1\x91\x2f\x7d\xc9\x4a\xc6\xd8\x7c\xbc\x68\x96\x2c\x89\xe7\x77\xcc\x51\xa2\x57\xd0\xca\xd3\x3c\xdc\xf3\x36\xa3\x1a\xc3\x9b\x86\x71\x44\xc2\xc9\x6b\xe4\x0f\xcc\xac\x19\x63\x3a\x54\x77\x87\xbc\x6e\x4f\xe9\x1e\x91\xfa\x47\x59\xdb\x2a\x86\x7d\x85\x9c\xd5\xa6\x0c\x84\xc1\xa3\x8e\x09", 72); *(uint8_t*)0x200000008b38 = 0xb; *(uint8_t*)0x200000008b39 = 0x10; *(uint8_t*)0x200000008b3a = 1; *(uint8_t*)0x200000008b3b = 2; *(uint16_t*)0x200000008b3c = 9; *(uint8_t*)0x200000008b3e = 0x77; *(uint8_t*)0x200000008b3f = 9; *(uint16_t*)0x200000008b40 = 0x2cf; *(uint8_t*)0x200000008b42 = 0; *(uint8_t*)0x200000008b43 = 0xb; *(uint8_t*)0x200000008b44 = 0x10; *(uint8_t*)0x200000008b45 = 1; *(uint8_t*)0x200000008b46 = 0xc; *(uint16_t*)0x200000008b47 = 5; *(uint8_t*)0x200000008b49 = 8; *(uint8_t*)0x200000008b4a = 5; *(uint16_t*)0x200000008b4b = 9; *(uint8_t*)0x200000008b4d = 0x16; *(uint8_t*)0x200000008b4e = 3; *(uint8_t*)0x200000008b4f = 0x10; *(uint8_t*)0x200000008b50 = 0xb; *(uint8_t*)0x200000008b51 = 3; *(uint8_t*)0x200000008b52 = 0x10; *(uint8_t*)0x200000008b53 = 0xb; *(uint32_t*)0x200000008f18 = 0xa; *(uint32_t*)0x200000008f1c = 4; *(uint64_t*)0x200000008f20 = 0x200000008b80; *(uint8_t*)0x200000008b80 = 4; *(uint8_t*)0x200000008b81 = 3; *(uint16_t*)0x200000008b82 = 0x40e; *(uint32_t*)0x200000008f28 = 4; *(uint64_t*)0x200000008f2c = 0x200000008bc0; *(uint8_t*)0x200000008bc0 = 4; *(uint8_t*)0x200000008bc1 = 3; *(uint16_t*)0x200000008bc2 = 0x427; *(uint32_t*)0x200000008f34 = 4; *(uint64_t*)0x200000008f38 = 0x200000008c00; *(uint8_t*)0x200000008c00 = 4; *(uint8_t*)0x200000008c01 = 3; *(uint16_t*)0x200000008c02 = 0x415; *(uint32_t*)0x200000008f40 = 4; *(uint64_t*)0x200000008f44 = 0x200000008c40; *(uint8_t*)0x200000008c40 = 4; *(uint8_t*)0x200000008c41 = 3; *(uint16_t*)0x200000008c42 = 0x1c0a; *(uint32_t*)0x200000008f4c = 4; *(uint64_t*)0x200000008f50 = 0x200000008c80; *(uint8_t*)0x200000008c80 = 4; *(uint8_t*)0x200000008c81 = 3; *(uint16_t*)0x200000008c82 = 0x83e; 
*(uint32_t*)0x200000008f58 = 4; *(uint64_t*)0x200000008f5c = 0x200000008cc0; *(uint8_t*)0x200000008cc0 = 4; *(uint8_t*)0x200000008cc1 = 3; *(uint16_t*)0x200000008cc2 = 0x300a; *(uint32_t*)0x200000008f64 = 4; *(uint64_t*)0x200000008f68 = 0x200000008d00; *(uint8_t*)0x200000008d00 = 4; *(uint8_t*)0x200000008d01 = 3; *(uint16_t*)0x200000008d02 = 0x300a; *(uint32_t*)0x200000008f70 = 4; *(uint64_t*)0x200000008f74 = 0x200000008d40; *(uint8_t*)0x200000008d40 = 4; *(uint8_t*)0x200000008d41 = 3; *(uint16_t*)0x200000008d42 = 0x423; *(uint32_t*)0x200000008f7c = 0x9f; *(uint64_t*)0x200000008f80 = 0x200000008d80; *(uint8_t*)0x200000008d80 = 0x9f; *(uint8_t*)0x200000008d81 = 3; memcpy((void*)0x200000008d82, "\xd4\x8e\x87\x24\x64\x9a\x28\x41\x92\x3d\x48\xb8\xb2\x35\xfd\xc4\x31\x5e\x0d\xfb\xe1\xb8\xa8\xa0\x83\x53\xaf\x5b\x63\x0b\xeb\x6e\xca\x1d\x6b\xe0\x3d\x88\xd5\x58\x79\x33\xd6\xad\xe1\x22\xb2\xad\x4c\x55\x80\x40\xe7\xf2\x03\xd8\xc7\xaf\x79\x0a\xf8\x5d\xe3\x6e\x84\x1e\xb9\x48\x0a\xfa\x1a\xaf\x9a\x22\x6f\x4d\xe2\x8c\xd4\x44\x15\x57\x41\x1c\x77\x37\xf7\x4d\x7d\x60\x31\x3c\xd3\xd0\x51\x28\x4f\xce\xb5\xb3\x27\x83\x73\xf6\x3c\x72\xa8\x4e\x8d\xe4\xe2\x3b\xf6\x4e\x2a\x69\xc0\x57\x91\x06\xc9\x33\x18\x03\xe2\xef\x32\xfd\x09\x88\x9a\xdc\xe7\xbc\xd7\xeb\x61\x34\xc4\x65\xed\x17\x38\x6d\x3f\x97\xa4\xe8\xa4\xe9\xc4\x19\xf9\xc6\xeb\x2d\x32", 157); *(uint32_t*)0x200000008f88 = 0xa4; *(uint64_t*)0x200000008f8c = 0x200000008e40; *(uint8_t*)0x200000008e40 = 0xa4; *(uint8_t*)0x200000008e41 = 3; memcpy((void*)0x200000008e42, 
"\x81\x10\x3e\x0d\x22\x88\x43\x34\x4b\x9a\x28\x85\x67\x53\x24\xf5\x79\xdf\x27\x8e\x6d\x25\x06\x59\x98\xbd\xbb\x69\xb8\xee\xd0\xe1\xdb\x8d\xf1\x6b\x19\x64\x6d\x92\xc5\xd0\x35\x21\xf7\x73\xc1\x6c\x24\xde\xea\xe5\x56\xbe\x69\xb0\x4e\x1e\x96\x6f\xeb\xfb\xf3\x7f\x3b\xbc\x6d\xd6\x4c\x83\xf4\xc2\xa8\x7d\xaf\x95\xfb\x91\xe1\x0a\x36\xc0\x06\x9f\x4d\x51\x7b\xf3\x96\x21\x11\xd8\xf9\xc8\x45\x32\x3c\x0b\x91\xe6\x8d\xea\x34\xb2\x77\xb4\x10\x72\x0b\xdf\x4a\x58\x64\xfe\x06\x9b\xde\xe8\x4f\xa9\xe4\x46\x55\x49\x71\x3f\xb3\x33\xaa\xed\x85\x5b\xaf\x29\x53\x27\xe1\xfb\x65\x17\x29\xfe\x4a\xcf\x1d\x9e\xbf\x80\xd6\x4c\x29\xfc\xd3\x68\xee\x16\x11\xe5\x50\xd7\xb6\x7a", 162); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x36, /*dev=*/0x200000008980, /*conn_descs=*/0x200000008f00); if (res != -1) r[36] = res; break; case 58: memcpy((void*)0x200000008fc0, "\x18\x15\x12\xf6\x08\x38\x97\xf1\xb9\x4a\xd0\x1c\x9d\x8c\xc9\xeb\x6d\x7c\x14\x9c\x5e\xdf\x5e\xcf\x21\xcf\x4a\x2b\x2a\x9f\xf0\x2e\x0d\x8f\x8a\x4f\x60\xf7\xb3\x1a\xd0\xb2\x55\x2e\x14\x87\x8f\x84\x0f\x51\xa9\x7c\x25\x63\xb6\x19\xb1\x01\xea\x77\x61\x3b\x97\x52\x36\x7f\x0f\x6e\x6a\x62\x37\x81\xa3\x83\xe4\x99\xdc\x26\xfe\xd6\x0a\xfe\x6f\x15\x6d\x32\x6b\xc1\x41\xd6\x61\x5d\x18\xb6\x1a\x5c\x06\xcb\x49\xd9\xe0\x08\xe0\x5f\x65\x37\x6a\xef\xb5\xec\x21\xed\xc4\x68\xb8\x43\x4a\x0c\x9e\x39\xd1\x20\xbc\xd3\x11\x32\xf0\x75\x5c\x1f\xca\xf9\x1f\xec\xb2\x73\x3f\x98\x18\x42\x56\xd2\xf7\x9e\x80\x45\x2d\xc8\x6c\xf3\x19\x85\x08\x2e\x38\x60\x17\xeb\xe8\x21\x25\xc7\x8b\xee\x42\xf9\x49\xca\x67\x98\x67\x34\x33\xfb\x0a\x20\xd9\x16\x1b\x69\x8f\x04\x66\xb0\xea\x53\x58\x7a\x3f\x08\xcc\x34\x35\xbb\x7c\x19\x3f\x4a\xdc\xd2\xe5\xe1\x04\xf3\x3e\x3e\x1c\xdd\x33\xba\x95\x1f\xc9\xf7\x6b\x10\x8a\x40\x74\xc8\x07\x2b\x16\x46\x59\x62\xeb\x28\xe1\x38\xc9\x18\x8c\x3e\x54\xa0\x0a\xfb\x4f\xb1\x71\x0a\x27\x3a\x1f\x1c\x53\x0a\xda\x0d\x50", 251); syz_usb_ep_write(/*fd=*/r[36], /*ep=*/0xf9, /*len=*/0xfb, /*data=*/0x200000008fc0); break; case 59: 
syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); break; } }
/*
 * Reproducer entry point. Maps the fixed address range that the hard-coded
 * 0x2000... stores in execute_call dereference, bracketed by two PROT_NONE
 * guard pages, then hands over to the sandbox runner. The three mmap return
 * values are discarded, so a failed MAP_FIXED mapping would presumably only
 * surface later as a fault in those stores rather than as an error here.
 */
int main(void) {
  /* Guard page just below the data area (prot 0, so an under-run faults). */
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  /* 16 MiB read/write/execute data area at 0x200000000000 that execute_call fills. */
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  /* Guard page just above the data area. */
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason; /* keeps the -Wall -Werror build quiet about an unused variable */
  /* setup_fault() is defined outside this excerpt; a non-NULL return is a
   * human-readable reason why fault injection could not be configured. */
  if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason);
  use_temporary_dir(); /* mkdtemp + chmod 0777 + chdir into ./syzkaller.XXXXXX */
  do_sandbox_none(); /* defined outside this excerpt */
  return 0;
}
: In function 'execute_call': :5997:17: error: '__NR_socketcall' undeclared (first use in this function) :5997:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor2537697856 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/15 (1.27s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false
LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$IMCTRLREQ(0xffffffffffffffff, 0x80044945, &(0x7f0000000000)={0x4006, 0xd, 0x2, 0x8}) (fail_nth: 1) ioctl$SNDRV_TIMER_IOCTL_GINFO(0xffffffffffffffff, 0xc0f85403, &(0x7f0000000040)={{0x0, 0x1, 0x4, 0x2, 0x5}, 0x81, 0x0, 'id1\x00', 'timer0\x00', 0x0, 0x6, 0x3, 0x70a, 0x9}) (async) r0 = syz_open_dev$ircomm(&(0x7f0000000140), 0x0, 0x0) (rerun: 4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTA3D_RGXCREATERENDERCONTEXT(0xffffffffffffffff, 0xc0206440, &(0x7f0000000340)={0x82, 0x8, &(0x7f0000000280)={0x1, 0x0, 0xc0, &(0x7f0000000180)="5b58ac0ed1d27b217d3fdc6299cdde4d85321f7bbaa064d361519cdde43b225cf00658ddbfbd914cf79eceb348f18692315c3c69ec148e2dd928ac7ee62f5111b9dccaca88524912341955f79b0f2206b80e6e5a7e681a629694a34f9b0e39877eefde60a068cdc44545d6fe45d0000c9961a1ff168747447e346b16460875c691de1183b2d7b032cfae85497d0d8848d4baa9adc6caaccd9af6019ea2ba6f3b4e6018df94cacabeddec7b600230ea7790019399d0beb61f427df8359cc34893", 0x0, 0x0, &(0x7f0000000240), 0x10000, 0x0, 0x0, 0x81, 0xe}, &(0x7f0000000300)={0x0}, 0x44, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXCMP_RGXGETLASTCOMPUTECONTEXTRESETREASON(r0, 0xc0206440, &(0x7f0000000400)={0x81, 0x4, &(0x7f0000000380)={r1}, &(0x7f00000003c0), 0x8, 0xc}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r0, 0xc08c5335, &(0x7f0000000440)={0x3, 0x6, 0x1, 'queue1\x00', 0xdae}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000540), r0) sendmsg$TIPC_NL_BEARER_GET(r0, &(0x7f0000000880)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000840)={&(0x7f0000000580)={0x2b4, r2, 0x400, 0x70bd2d, 0x25dfdbfb, {}, [@TIPC_NLA_PUBL={0x44, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3f}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x2}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x4c00000}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x67c}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x7}]}, 
@TIPC_NLA_LINK={0x3c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x220a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9c0}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x101}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x6}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}]}, @TIPC_NLA_BEARER={0xb8, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @multicast2}}, {0x14, 0x2, @in={0x2, 0x4e20, @broadcast}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xb}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}, @TIPC_NLA_NET={0x20, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x8}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x80}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK={0x10c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x187}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc0fb}, 
@TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffff2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd0}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK_PROP={0x54, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xe6a9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x81}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x79}]}]}, 0x2b4}, 0x1, 0x0, 0x0, 0x4040811}, 0x0) read$snddsp(r0, &(0x7f00000008c0)=""/29, 0x1d) ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(0xffffffffffffffff, 0x4010801d, &(0x7f0000000980)={0x6, &(0x7f0000000940)=[0x904e, 0x1, 0x9, 0x6, 0xe, 0x5]}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@mgmt_frame=@deauth={{{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x4}, @device_a, @broadcast, @from_mac=@device_b, {0x1, 0x7f}}, 0x1f, @val={0x8c, 0x18, {0x5d9, "8e85144c6433", @long="e023fbed513011c5707e452472e2055d"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@random="3a386465f389380e26b0cb13f98a36e2214f099ee0d0b29b754e31d6efc82c04", 0x20, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_path_truncate\x00') r3 = syz_clone(0x4004000, 
&(0x7f0000000140)="daa4ed40f7cf4da86377e864d8e6c6d4fc5486af4a6f23dea58b3243a291b0180dbaf5c92758af73f9", 0x29, &(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)="40f276856b8191c4f312759d795a22c3c7edc91678794f4eeac45746fcc9930722c8189ba59565f7327cbcd4506164eb9f6ff175f1f08d60247091772c185ac38304e9b5b3") r4 = getpgrp(r3) r5 = syz_clone3(&(0x7f0000000500)={0x800, &(0x7f0000000280)=0xffffffffffffffff, &(0x7f00000002c0)=0x0, &(0x7f0000000300)=0x0, {0x12}, &(0x7f0000000340)=""/102, 0x66, &(0x7f00000003c0)=""/198, &(0x7f00000004c0)=[r3, r3, r3, r4], 0x4}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x101a, &(0x7f00000005c0)={@remote, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @val={@void, {0x8100, 0x7, 0x0, 0x3}}, {@llc_tr={0x11, {@snap={0xab, 0x1fe, "fe", "1622d0", 0x1b, ""}}}}}, 0x0) syz_emit_vhci(&(0x7f0000001600)=@HCI_VENDOR_PKT, 0x2) syz_extract_tcp_res(&(0x7f0000001640), 0x401, 0x8001) r9 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000001680)=0x4) shmctl$auto_SHM_UNLOCK(0x6, 0xc, &(0x7f0000004a80)={{0x80000000, 0xee01, 0xee01, 0x5, 0xfffffff8, 0x1, 0x6bc1}, 0x40, 0xffff, 0x2265, 0xfffffffffffffff8, @inferred=r3, @inferred=r8, 0xfffa, 0x0, &(0x7f0000003a40)="", &(0x7f0000004a40)="884f381309896a88173889994e74c60694f7baa45be088e59bc3e939728257e8d2db71"}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000004c40)={{{@in, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@remote}}, &(0x7f0000004d40)=0xe8) shmctl$auto(0x5, 0x2, &(0x7f0000004e00)={{0x7, 0xee00, 0xffffffffffffffff, 0x8, 0x80, 0x5, 0xfffc}, 0x1, 0x7, 0x5, 0xbed1, @inferred=r5, @inferred=r7, 0x1, 0x0, &(0x7f0000004d80), &(0x7f0000004dc0)="05c9215687a3ff1747cae5c18cb186ed5c62984337f90f0ab5948e21c63d1686f1da1459a89718a9f84930b892c2ad4de61f714ab8"}) msgctl$auto_IPC_RMID(0x4, 0x0, &(0x7f0000004f00)={{0x7, 0xffffffffffffffff, 0xffffffffffffffff, 0x1, 0x0, 0x98, 0x4}, &(0x7f0000004e80)=0x6, 
&(0x7f0000004ec0)=0x5, 0xc, 0x1ff800000, 0x8, 0x7f, 0x3, 0x101, 0x8, 0x1000, @inferred=r5, @inferred=r8}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000004f80)={{{@in6=@mcast1, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@multicast2}}, &(0x7f0000005080)=0xe8) shmctl$auto(0x2, 0x5, &(0x7f00000052c0)={{0x8, 0x0, 0x0, 0x7f, 0x5, 0x80000001, 0x43}, 0x7, 0x2, 0x0, 0xffffffffffffffff, @raw=0xf, @inferred=r7, 0x2, 0x0, &(0x7f00000050c0)="bcc4b5d86e91b02b73e16c4665dc3088f7cc9826da7807f9a8300d9d8980de67a1a2a153e95466e76d2c38c41558c08efe37ee81d9904674ced86dda9b2b6cc7c97b199758bef8d92dd20e0e69864d6fcd03a80ca012019cf41e5166475038fcd360338436e7827ef730469187e6a495f5bf018ee7caa71c804a386756c3242b30eca0b841166d7839e94a5639d08fbc06dac1f861494456d8d153de7fc30387d452304e7c3069bbfb424391d04fab12037c6d6ae6025df869fa3a45e03148c2dd052c", &(0x7f00000051c0)="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"}) stat$auto(&(0x7f0000005340)='./file0\x00', &(0x7f0000005380)={0x355, 0x100000001, 0x5, 0x7, 0xffffffffffffffff, 0xee01, 0x0, 0x7, 0x2, 0x2, 0x6, 0xfffffffffffffff7, 0x7, 0x4, 0xfff, 0x17b, 0xffffffffffff27a1}) shmctl$auto(0x8001, 0xfffffee8, &(0x7f0000006480)={{0x7, 0xee00, 0x0, 0x0, 0x7, 0x8, 0x3ff}, 0x10, 0x2, 0x8, 0x7fffffff, @inferred=r8, @raw=0xffff, 0xffff, 0x0, &(0x7f0000005440)="", &(0x7f0000006440)="1c3d61efc1467b6b61e9e5f06fa3d1dcc0e70035dcc9c6c3b00df58900"}) r21 = getgid() r22 = geteuid() ioctl$auto_XFS_IOC_SWAPEXT(0xffffffffffffffff, 0xc0c0586d, &(0x7f0000006a80)={0xfff, @raw=0xd, @inferred=r6, 0x7, 0x2, '\x00', {0xf, 0x0, 0x46, 0xffffffffffffffff, 0x0, 0xfffffffd, 0xf7, 0x7f, {0x8, 0x9}, {0x3, 0x200}, {0x4, 0x5}, 0x62, 0x5, 0xff, 0x6cbf, 0x48, 0x0, 0x8001, 0x7f, 0x6, 0x8, '\x00', 0x40, 0xffff, 0xa, 0xb04b}}) syz_fuse_handle_req(r9, &(0x7f00000016c0)="", 0x2000, &(0x7f0000006c80)={&(0x7f00000036c0)={0x50, 0x0, 0x8, {0x7, 0x2d, 0x7, 0x8000008, 0x7, 0xfc00, 0x3ff, 0x59, 0x0, 0x0, 0xe0, 0x10000}}, 
&(0x7f0000003740)={0x18, 0x0, 0x6, {0x80000001}}, &(0x7f0000003780)={0x18, 0x0, 0x4, {0x2}}, &(0x7f00000037c0)={0x18, 0xffffffffffffffda, 0x37}, &(0x7f0000003800)={0x18, 0x0, 0x1, {0xff}}, &(0x7f0000003840)={0x28, 0x26, 0x7fffffffffffffff, {{0x7a, 0x8}}}, &(0x7f0000003880)={0x60, 0xfffffffffffffff5, 0x1, {{0x81, 0x6, 0x3ff, 0x2, 0x4, 0x4, 0x8, 0x2}}}, &(0x7f0000003900)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000003940)={0x12, 0xf92c178daeab5fde, 0x9, {'^\x00'}}, &(0x7f0000003980)={0x20, 0x0, 0x0, {0x0, 0x2}}, &(0x7f00000039c0)={0x78, 0x0, 0xfffffffffffffff7, {0x3, 0x67, 0x0, {0x3, 0x2, 0x5, 0x2, 0x0, 0x5b, 0x200, 0x6, 0xf0b7, 0x1000, 0x1, 0xffffffffffffffff, 0xffffffffffffffff, 0x4, 0x6}}}, &(0x7f0000004b00)={0x90, 0x0, 0x7, {0x1, 0x3, 0x10000, 0x200, 0x8, 0xa87, {0x4, 0x1, 0x7, 0x1, 0xfffffffffffffffd, 0x4, 0x9, 0xffff, 0x10000000, 0x0, 0xf40, 0x0, r10, 0x8001, 0x9}}}, &(0x7f0000004bc0)={0x48, 0x0, 0x5c, [{0x1, 0x4, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}, {0x1, 0x8, 0x0, 0xb}]}, &(0x7f0000006500)={0x478, 0x0, 0x2, [{{0x1, 0x1, 0xf, 0x9, 0x7fffffff, 0x3ff, {0x5, 0xb3fc, 0x3, 0xa2d9, 0x3, 0x80000000, 0x4, 0x5, 0x2, 0x6000, 0xfff, 0xffffffffffffffff, 0xee01, 0x5, 0x6}}, {0x5, 0x9, 0x6, 0x6, 'wlan1\x00'}}, {{0x3, 0x1, 0x4, 0xf, 0x1, 0x5, {0x4, 0xffc, 0x2, 0xffffffffffffdbca, 0x35, 0x5fa, 0x8, 0x5, 0x16d, 0x6000, 0x8000, r11, 0xee00, 0x8, 0x2}}, {0x2, 0x3e8, 0x16, 0x5, 'bpf_lsm_path_truncate\x00'}}, {{0x6, 0x3, 0xcff0, 0xfffffffffffffbff, 0x3, 0x3, {0x5, 0x4, 0x8, 0x9, 0x10, 0x5, 0x91, 0xfff, 0xfffffffd, 0xc000, 0x3, r12, 0xee00, 0x80, 0x40}}, {0x0, 0x8, 0x6, 0x80000001, 'wlan1\x00'}}, {{0x3, 0x2, 0x8, 0x9, 0x80000000, 0xd149, {0x3, 0x4, 0x5, 0xe, 0x7a, 0xd52, 0x0, 0x5, 0x6, 0xa000, 0x2, r14, 0x0, 0x7fffffff, 0x5}}, {0x4, 0x7ff, 0x2, 0x78d, '\xc0\''}}, {{0x2, 0x0, 0x6, 0x7fffffff, 0x5, 0x5, {0x2, 0xc, 0xbde5, 0x5, 0x8, 0x10, 0x9, 0x6, 0xe31, 0x2000, 0x5b8, r16, r18, 0x6, 0x8}}, {0x2, 0x80, 0x0, 0xb6}}, {{0x5, 0x2, 0x80000001, 0x2, 0x6, 0xff, {0x3, 0x5, 0x8, 0x3, 0x8001, 0x5, 
0x1, 0x7, 0x2, 0x1000, 0x1, 0xee01, r19, 0x10001, 0x6}}, {0x0, 0x6, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x3, 0x1, 0x8000000000000000, 0x2e, 0x5, 0x7, {0x6, 0x5, 0x5, 0xb, 0x0, 0x2, 0xffff, 0x0, 0x8, 0x2000, 0x9, r20, r21, 0x2, 0x7}}, {0x6, 0xfffffffffffffffb, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000006980)={0xa0, 0x0, 0xd05, {{0x5, 0x3, 0x8000000000000001, 0x7, 0x5, 0x2, {0x3, 0x4, 0x5, 0x3, 0x8, 0x1, 0x8001, 0x0, 0xfff, 0x8000, 0x101, r22, 0xee00, 0x7, 0xac}}, {0x0, 0x10}}}, &(0x7f0000006a40)={0x20, 0x0, 0xffffffff, {0x4, 0x0, 0x9, 0xa}}, &(0x7f0000006b40)={0x130, 0x0, 0x1ff, {0x6276287e, 0x7, 0x0, '\x00', {0x800, 0x2, 0x3, 0x1e, 0xffffffffffffffff, r24, 0x4000, '\x00', 0x800, 0x9, 0x8, 0x32f3fcde, {0x6, 0x1}, {0x4, 0xe30}, {0x4d, 0x3}, {0x6, 0x8}, 0x6, 0x2, 0xfb, 0x2}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000006d40), r23) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x28c2, &(0x7f0000006d80)={0x0, 0xd0f0, 0x20, 0x0, 0x1e5}, &(0x7f0000006e00)=0x0, &(0x7f0000006e40)) syz_io_uring_complete(r25) r26 = syz_io_uring_setup(0x7c1f, &(0x7f0000006e80)={0x0, 0x979d, 0x4, 0x1, 0x206, 0x0, r9}, &(0x7f0000006f00)=0x0, &(0x7f0000006f40)=0x0) r29 = io_uring_register$IORING_REGISTER_PERSONALITY(r26, 0x9, 0x0, 0x0) syz_io_uring_submit(r27, r28, &(0x7f0000007000)=@IORING_OP_OPENAT2={0x1c, 0x14, 0x0, r23, &(0x7f0000006f80)={0x818480, 0x0, 0x35}, &(0x7f0000006fc0)='./file0\x00', 0x18, 0x0, 0x23456, {0x0, r29}}) r30 = syz_kvm_setup_syzos_vm$x86(r9, &(0x7f0000bfd000/0x400000)=nil) syz_kvm_add_vcpu$x86(r30, &(0x7f0000007400)={0x0, &(0x7f0000007040)=[@wrmsr={0x65, 0x20, {0x92e, 0x8}}, @nested_vmresume={0x130, 0x18, 0x1}, @wr_drn={0x68, 0x20, {0x1}}, @nested_amd_invlpga={0x17d, 0x20, {0xffffffff, 0xbd0d}}, @nested_amd_vmsave={0x183, 0x18, 0x1}, @code={0xa, 0x6a, {"36490fc7aad66197c026660f3880945e008000000f01ba008000008fc9b89b29470fc7ae20000000450f09c4e2d13967c4360f017f0566642e643ed8f1c744240025fd0000c744240254000000c7442406000000000f011424"}}, 
@nested_amd_inject_event={0x180, 0x38, {0x0, 0xb5, 0x7, 0x5}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x3, @control16=0x4, 0x5, 0x1ff, 0x8}}, @nested_vmresume={0x130, 0x18}, @out_dx={0x6a, 0x28, {0xc636, 0x5, 0x4}}, @enable_nested={0x12c, 0x18}, @nested_vmlaunch={0x12f, 0x18, 0x1}, @wrmsr={0x65, 0x20, {0x8a3, 0x9}}, @wr_drn={0x68, 0x20, {0x4, 0x6}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_create_vm={0x12d, 0x18, 0x2}, @nested_amd_invlpga={0x17d, 0x20, {0x8080000, 0x943e}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x3, @control_area=0x31, 0xc, 0x6, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x36, 0x1, 0x2, 0x3}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_vmresume={0x130, 0x18}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0x72, 0x2, 0x5, 0x2}}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_vmlaunch={0x12f, 0x18, 0x2}], 0x3a2}) r31 = ioctl$KVM_CREATE_VM(r9, 0xae01, 0x5) syz_kvm_setup_cpu$ppc64(r31, r23, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000007680)=[{0x0, &(0x7f0000007440)="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", 0x20c}], 0x1, 0x2, &(0x7f00000076c0)=[@featur2={0x1, 0x6}], 0x1) syz_kvm_setup_syzos_vm$x86(r23, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(0x0, 0x114, &(0x7f0000007700), 0x0, 0x4) syz_mount_image$fuse(&(0x7f0000007740), &(0x7f0000007780)='./file0\x00', 0x40000, &(0x7f00000077c0)={{'fd', 0x3d, r23}, 0x2c, {'rootmode', 0x3d, 0x6000}, 0x2c, {'user_id', 0x3d, r22}, 0x2c, {'group_id', 0x3d, r13}, 0x2c, {[{@max_read={'max_read', 0x3d, 0x3}}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@default_permissions}, {@allow_other}], [{@permit_directio}, {@uid_lt={'uid<', r17}}, {@appraise}, {@smackfshat={'smackfshat', 0x3d, '\xc0\''}}, {@appraise}]}}, 0x1, 0x0, 
&(0x7f0000007940)="a4b222df2ba10df24f5481e0dc5e93b81b1b82e9a214cabce344800ad54de610fa1eda44b9040526f2dc7c731c5473c8c6dc94192a03484e6d62bb49128612543a9d016ed9a3730e51080f5c860d03a77ed50164bcf99c42d3568a974a927a879de41edc2f5552365886121a31095b97aa08ee2977111f7cc56a77c0f2a16b32b19df50a249cd3058e60a6ae8c96349d5e5c0097594ce01c1fbee5ee94606fef673231e65700bc715f1f0119c84ed27b8af38ed153d394d6b22cca54db55a31bc25b45e81deca7bedb696691ae6b92f09eea3e2b5e8af2f996339dec592edec5897e94eb") syz_open_dev$I2C(&(0x7f0000007a40), 0x7, 0x0) syz_open_procfs(r4, &(0x7f0000007a80)='net/psched\x00') syz_open_pts(r9, 0x292c02) syz_pidfd_open(r15, 0x0) r32 = pkey_alloc(0x0, 0x0) syz_pkey_set(r32, 0x3) syz_socket_connect_nvme_tcp() r33 = syz_usb_connect(0x1, 0x295, &(0x7f0000007ac0)={{0x12, 0x1, 0x250, 0x58, 0x6, 0x54, 0x8, 0x13d3, 0x3348, 0x15b2, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x283, 0x2, 0x9, 0x2, 0x10, 0x8, [{{0x9, 0x4, 0x26, 0xb, 0x5, 0x83, 0x18, 0x74, 0xee, [], [{{0x9, 0x5, 0xb, 0x3, 0x8, 0x4, 0xfb, 0x6a, [@generic={0xbd, 0xc, "8b82bd3fc8137d3d259ce7bc140de0823de2222eed4c570edcb84553cd1efd649dd352dd375d81da8da8e6863fb482ecb3a16f122210bff25c59a3afc6542848c06e1b983fbc8dd0de627cfddf9f905f5cb6ed4a25ec5947599b15b538c7bb0b0d65d4a31b319f7383955ce766ef4c66d18bc75d69b2dd7d136c78eaec1e2203eb918dd61609de40f4f693917eeb17fc387bb427341f6416e0b8c46a2445a5c49bd9c86dfe21c598acf17ea98ffece202a21dc93a0b830d29af87c"}, @generic={0xc7, 0x6, "f5459e117800d22a25a486d1442f5cbd4d3d776cd061d2c185f9924eae6a4d7b14c58b599863d321e3ea80a25f6d8be51d5ca70c276ce0e6d9038f88776b9614287db7ee2113f0e7e1f01873b613d763da5f87f86cd1860bd623463fc6d93d9f948d0d4d70d72a8ac1dec1adceb8716729906428d5b6e24b01499bfa6a0aa0482eed8c7751a1c7ec944db19254a74b61142e725a7a290c4142875d347b3e483f4e2db8373ef8fead8118ce07d812332b211da9733d444f7d706a6439c29aeaedd03000a2a8"}]}}, {{0x9, 0x5, 0xa, 0xc, 0x400, 0xc, 0x0, 0xb5, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0xb, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x20, 0x7, 0x5, 0x5, [@generic={0x24, 0x7, 
"ad98314a82d7aebbfce85178752271b158c05dea1bf5a2459c431df180c1f3b2be3b"}]}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x7, 0xf3, 0x4}}, {{0x9, 0x5, 0x5, 0x0, 0x40, 0x2, 0x3, 0x2, [@generic={0x6a, 0xa, "f7dd67505d353d93b6e1f3ac2d8f9f766012d204e558a7076c6a1dd6648b2928acaf801710c8555067e0715e60772d9a84c714f63d527b9f1532a5ac6511627f9e8400e62ad6bd25ec51ec630afc10e1f0f2fe01c9588e2897ef26d5ea8bcf970e51fc28d84a628c"}]}}]}}, {{0x9, 0x4, 0x48, 0xe, 0x3, 0xca, 0x1e, 0x4a, 0xf5, [], [{{0x9, 0x5, 0xb, 0x4, 0x400, 0x5, 0xf7, 0xf6}}, {{0x9, 0x5, 0xe, 0x10, 0x3ff, 0x1, 0xd, 0x80}}, {{0x9, 0x5, 0x5, 0x10, 0x10, 0x95, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xae, 0x12}]}}]}}]}}]}}, &(0x7f0000007ec0)={0xa, &(0x7f0000007d80)={0xa, 0x6, 0x110, 0x4, 0x1, 0x6, 0x8, 0xe}, 0x3b, &(0x7f0000007dc0)={0x5, 0xf, 0x3b, 0x4, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "fdf4043ae7f59e3e81fe303d4de3ea16"}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x8, 0x6, 0x6}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x7, 0xd, 0x95d7}, @ss_container_id={0x14, 0x10, 0x4, 0x3, "bc6a9266bf506e90620d9c900e180143"}]}, 0x1, [{0x98, &(0x7f0000007e00)=@string={0x98, 0x3, "d95f3fcaaa58f9d36d03e3a2d5566a5191f742f723fa49e364e03b0d288a7fcb4579b58c56d824be57f9ad0f8703d3011cac468433fa22c23bfaf15dad541efb0138c46bb8f8869215155c2685d69b75ffe68c0cbd6e71743abd4355e12d9dcb7dff16bb075da553c178139ede2c285a4a2845e8889c234504d968d870b6084a7b4ab0dcdb83d43bb2f4e7a0156b80a68919cbb7da84"}}]}) r34 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007f00)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r35 = syz_usb_connect$uac1(0x3, 0xe5, &(0x7f0000007f80)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd3, 0x3, 0x1, 0x1, 0x80, 0x80, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x0, 0x7c}, [@extension_unit={0xd, 0x24, 0x8, 0x2, 0x8, 0x9, "0cffda3f227b"}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 
0x2, 0x2, 0x6, 0x9a, 0x20, "2da5ee78a28e1f1a41"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0xf8, 0x3, 0x69, 0x6d, 'e)', "bf0794"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x5, 0x4, 0x5b, 0x3, 'D', "2618"}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x7b4, 0x8, 0x4}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x0, 0x3, 0x8, 0x8, "aa", "e8e5b4"}]}, {{0x9, 0x5, 0x1, 0x9, 0x40, 0x6, 0x5, 0x0, {0x7, 0x25, 0x1, 0x80, 0x1, 0x4}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@as_header={0x7, 0x24, 0x1, 0x3, 0x1e, 0x4}, @as_header={0x7, 0x24, 0x1, 0x6f, 0x7}, @format_type_ii_discrete={0xa, 0x24, 0x2, 0x2, 0x8, 0x2, 0x8, 'f'}, @format_type_ii_discrete={0x10, 0x24, 0x2, 0x2, 0x9, 0x401, 0x5, "53b11dbc8cd310"}]}, {{0x9, 0x5, 0x82, 0x9, 0x8, 0x0, 0x28, 0x6, {0x7, 0x25, 0x1, 0x80, 0x5, 0xd}}}}}}}]}}, &(0x7f00000081c0)={0xa, &(0x7f0000008080)={0xa, 0x6, 0x110, 0x59, 0xa5, 0x5, 0x10, 0x1}, 0x39, &(0x7f00000080c0)={0x5, 0xf, 0x39, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x3, 0xb8, 0x9, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0x2, "9d9ab0978e2aace26de66306e6e2963d"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x0, 0x6, 0x4, 0x1, 0x5}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x5, 0x6, 0xfff2}]}, 0x1, [{0x84, &(0x7f0000008100)=@string={0x84, 0x3, "000a6c9f4a15eabc97a92ab665231b2cf9057321eb430c6521f497a8c3ce816268cb337fa48deecfeb28b2305fcf2d2e988cc8b8b980a1332dc406bc34695fa24dc3609f619d7ac284cc3ae7f0afe444d578c951d9aedc4c682e100cfeb6619b98a96b1978d8ede7574e969f8ae8e3dfb835bde5ccd922133e53036ff44eda52a0a9"}}]}) syz_usb_control_io(r35, &(0x7f0000008380)={0x2c, &(0x7f0000008200)={0x40, 0x22, 0x31, {0x31, 0x5, "74e83dcf53dd2d0ecac0aa3467b18dfa71b26cdd403d955c0ffe22817b01fe5795d51cf24a6ae3b8e32f1b7ac5f8ca"}}, &(0x7f0000008240)={0x0, 0x3, 0x1e, @string={0x1e, 0x3, "8957a501d83c69e54f70f62f932a50b65506c388c128239d36229ee2"}}, &(0x7f0000008280)={0x0, 0xf, 0x4f, {0x5, 0xf, 0x4f, 0x6, [@ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x5, 0xf000, 0x409, [0xc000, 0x17f, 
0xff3f30, 0xffffaf]}, @ssp_cap={0x10, 0x10, 0xa, 0x9, 0x1, 0x4, 0xff0f, 0xf87, [0xc030]}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x1, 0x4, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0xd2, 0x3, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x1, 0x7, 0x2}, @ptm_cap={0x3}]}}, &(0x7f0000008300)={0x20, 0x29, 0xf, {0xf, 0x29, 0x8, 0x1, 0x7, 0x4, '\b\r$}', "67016dee"}}, &(0x7f0000008340)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x16, 0x80, 0x9, 0x3, 0x3, 0x2, 0xf000}}}, &(0x7f00000087c0)={0x84, &(0x7f00000083c0)={0x0, 0x11, 0x1f, "16d60d7743501452ffd5730424bc4a970cc6490bb9cc85938699edf27a0c7d"}, &(0x7f0000008400)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000008440)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000008480)={0x20, 0x0, 0x4, {0x2f1050d721a8e554, 0x1}}, &(0x7f00000084c0)={0x20, 0x0, 0x4, {0x200, 0x2b}}, &(0x7f0000008500)={0x40, 0x7, 0x2, 0xfd37}, &(0x7f0000008540)={0x40, 0x9, 0x1}, &(0x7f0000008580)={0x40, 0xb, 0x2, 'E\"'}, &(0x7f00000085c0)={0x40, 0xf, 0x2, 0x2}, &(0x7f0000008600)={0x40, 0x13, 0x6, @random="2fa6dde03a0f"}, &(0x7f0000008640)={0x40, 0x17, 0x6, @random="de1c102b027e"}, &(0x7f0000008680)={0x40, 0x19, 0x2, "0d97"}, &(0x7f00000086c0)={0x40, 0x1a, 0x2, 0x2}, &(0x7f0000008700)={0x40, 0x1c, 0x1, 0xfd}, &(0x7f0000008740)={0x40, 0x1e, 0x1, 0xfd}, &(0x7f0000008780)={0x40, 0x21, 0x1, 0xc9}}) syz_usb_disconnect(r33) syz_usb_ep_read(r34, 0x7, 0xfc, &(0x7f0000008880)=""/252) r36 = syz_usb_connect$printer(0x5, 0x36, &(0x7f0000008980)={{0x12, 0x1, 0x200, 0x7, 0x1, 0x1, 0x20, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xf4, 0x60, 0x4, [{{0x9, 0x4, 0x0, 0x3, 0x2, 0x0, 0x0, 0x0, 0x81, "", {{{0x9, 0x5, 0x1, 0x2, 0x400, 0x0, 0x8, 0x2}}, [{{0x9, 0x5, 0x82, 0x2, 0x3ff, 0x4, 0x48, 0x8}}]}}}]}}]}}, &(0x7f0000008f00)={0xa, &(0x7f00000089c0)={0xa, 0x6, 0x250, 0x7d, 0xdd, 0x3, 0x20, 0xfa}, 0x154, &(0x7f0000008a00)={0x5, 0xf, 0x154, 0x6, [@generic={0xe8, 0x10, 0x1, 
"d031a9165b9e273ff6ffe555849af6dca66e17a68ee5ac784dca23e4a56d46169ad06ead2b8bcd997eac2ecb8b2a2526aa200db55758d08659469283d6ecfba982c300ae82ccf4a8bf073dbde45376b4f6fc559be519f82e8e5b2cf59c3a3af4f290707e767a4e276851090d90be0ab66f788e7760cd71ab865ea8b6bcc5f35f60538154a099c354a3593417682fc39d2a6a255ef4bb65f8d97af29beb0f8734a68ed84ef08df69e9b35fa2e3fe65e9938ff441dc3e7982a81cccaf9621d5dbc663b80ab448c975cbc19bb6c3901a02c16b32dfaf9f5c220fa21434937b462038105e6d086"}, @generic={0x4b, 0x10, 0x3, "10bed1912f7dc94ac6d87cbc68962c89e777cc51a257d0cad33cdcf336a31ac39b867144c2c96be40fccac19633a547787bc6e4fe91e91fa4759db2a867d859cd5a60c84c1a38e09"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x9, 0x77, 0x9, 0x2cf}, @wireless={0xb, 0x10, 0x1, 0xc, 0x5, 0x8, 0x5, 0x9, 0x16}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0xa, [{0x4, &(0x7f0000008b80)=@lang_id={0x4, 0x3, 0x40e}}, {0x4, &(0x7f0000008bc0)=@lang_id={0x4, 0x3, 0x427}}, {0x4, &(0x7f0000008c00)=@lang_id={0x4, 0x3, 0x415}}, {0x4, &(0x7f0000008c40)=@lang_id={0x4, 0x3, 0x1c0a}}, {0x4, &(0x7f0000008c80)=@lang_id={0x4, 0x3, 0x83e}}, {0x4, &(0x7f0000008cc0)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d00)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d40)=@lang_id={0x4, 0x3, 0x423}}, {0x9f, &(0x7f0000008d80)=@string={0x9f, 0x3, "d48e8724649a2841923d48b8b235fdc4315e0dfbe1b8a8a08353af5b630beb6eca1d6be03d88d5587933d6ade122b2ad4c558040e7f203d8c7af790af85de36e841eb9480afa1aaf9a226f4de28cd4441557411c7737f74d7d60313cd3d051284fceb5b3278373f63c72a84e8de4e23bf64e2a69c0579106c9331803e2ef32fd09889adce7bcd7eb6134c465ed17386d3f97a4e8a4e9c419f9c6eb2d32"}}, {0xa4, &(0x7f0000008e40)=@string={0xa4, 0x3, "81103e0d228843344b9a2885675324f579df278e6d25065998bdbb69b8eed0e1db8df16b19646d92c5d03521f773c16c24deeae556be69b04e1e966febfbf37f3bbc6dd64c83f4c2a87daf95fb91e10a36c0069f4d517bf3962111d8f9c845323c0b91e68dea34b277b410720bdf4a5864fe069bdee84fa9e4465549713fb333aaed855baf295327e1fb651729fe4acf1d9ebf80d64c29fcd368ee1611e550d7b67a"}}]}) syz_usb_ep_write(r36, 0xf9, 0xfb, 
&(0x7f0000008fc0)="181512f6083897f1b94ad01c9d8cc9eb6d7c149c5edf5ecf21cf4a2b2a9ff02e0d8f8a4f60f7b31ad0b2552e14878f840f51a97c2563b619b101ea77613b9752367f0f6e6a623781a383e499dc26fed60afe6f156d326bc141d6615d18b61a5c06cb49d9e008e05f65376aefb5ec21edc468b8434a0c9e39d120bcd31132f0755c1fcaf91fecb2733f98184256d2f79e80452dc86cf31985082e386017ebe82125c78bee42f949ca6798673433fb0a20d9161b698f0466b0ea53587a3f08cc3435bb7c193f4adcd2e5e104f33e3e1cdd33ba951fc9f76b108a4074c8072b16465962eb28e138c9188c3e54a00afb4fb1710a273a1f1c530ada0d50") syz_usbip_server_init(0x2) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if 
(chdir(tmpdir)) exit(1); }
/* Starts a thread running fn(arg) on a 128 KiB stack. pthread_create is
 * retried up to 100 times while it fails with EAGAIN (50us apart); any other
 * failure, or exhausting the retries, terminates the process with exit(1).
 * The pthread_t is discarded, so the thread is never joined. */
static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); }
/* Mask covering bf_len bits starting at bit bf_off. The shift is undefined
 * for bf_len >= 64. */
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/* Read-modify-write of a bf_len-bit field at bit bf_off inside the `type`
 * sized integer at addr, converting with `htobe` on load and store. `addr`
 * is expanded three times, so the argument must be free of side effects. */
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
/* One-shot event backed by a futex: state is 0 (clear) or 1 (set). */
typedef struct { int state; } event_t;
/* Plain (non-atomic) reset of the event to clear. */
static void event_init(event_t* ev) { ev->state = 0; }
/* Same as event_init: plain store of 0. */
static void event_reset(event_t* ev) { ev->state = 0; }
/* Sets the event (release store) and wakes futex waiters. Setting an event
 * that is already set terminates the process. */
static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); }
/* Blocks until the event is set; spurious futex wakeups are re-checked. */
static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); }
/* Non-blocking check; returns the current state. */
static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); }
/* Waits up to `timeout` milliseconds for the event. Returns 1 once it is set,
 * 0 on timeout. `remain` cannot wrap: the loop only continues while
 * now - start <= timeout. */
static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } }
/* Formats `what`/... into a 1 KiB buffer (longer output is silently
 * truncated) and writes it to `file`, opened O_WRONLY|O_CLOEXEC (no O_CREAT).
 * Returns false if the open fails or the write is short; the errno of a
 * failed write is preserved across close(). */
static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; }
/* A netlink message under construction. pos is the write cursor into buf;
 * nested[] holds the headers of currently open nested attributes, nesting
 * is their count. netlink_nest does not check nesting < 8. */
struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; };
/* Begins a new message: zeroes the whole struct, writes an nlmsghdr of type
 * typ with NLM_F_REQUEST|NLM_F_ACK|flags, copies `size` bytes of family
 * header after it and aligns pos. nlmsg_len is filled in by netlink_send_ext. */
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); }
/* Appends attribute typ with `size` payload bytes. There is no bounds check
 * against buf here; an overrun is only detected afterwards by
 * netlink_send_ext, i.e. after the bytes have been written. */
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); }
/* Opens a nested attribute of type typ; its nla_len is patched by the
 * matching netlink_done. */
static void netlink_nest(struct nlmsg* nlmsg, int typ) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_type = typ; nlmsg->pos += sizeof(*attr); nlmsg->nested[nlmsg->nesting++] = attr; }
/* Closes the innermost open nested attribute. */
static void netlink_done(struct nlmsg* nlmsg) { struct nlattr* attr = nlmsg->nested[--nlmsg->nesting]; attr->nla_len = nlmsg->pos - (char*)attr; }
/* Sends the message on sock and reads one reply back into the same buf
 * (the request is overwritten). Terminates the process if the cursor ran
 * past buf or a nest is still open. Returns 0 for NLMSG_DONE or for a reply
 * of reply_type (its length is stored in *reply_len when reply_len is
 * non-NULL); for NLMSG_ERROR returns the reply's error field (0 for a plain
 * ACK) and sets errno to its negation; otherwise -1 with errno EINVAL, or
 * exit(1) when dofail is set. Send/recv failures are handled the same way. */
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; }
/* netlink_send_ext with dofail=true: every failure terminates the process. */
static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); }
/* Resolves a generic-netlink family name to its numeric id with
 * CTRL_CMD_GETFAMILY. Returns the id, or -1 (errno EINVAL when the reply
 * carries no CTRL_ATTR_FAMILY_ID). The attribute walk trusts nla_len from
 * the kernel; an nla_len of 0 would not advance the cursor. The trailing
 * recv() drains one more message from the socket and ignores its result. */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; }
/* Returns the length of the message starting at `offset` inside a
 * total_len-byte multi-part reply, or -1 at the end or when that message
 * would overrun total_len. nlmsg_len is read before any check that a full
 * header fits; a zero nlmsg_len would leave a caller's offset += len loop
 * stuck. */
static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset, unsigned int total_len) { struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset); if (offset == total_len || offset + hdr->nlmsg_len > total_len) return -1; return hdr->nlmsg_len; }
/* TX/RX queue count requested for every device created below. */
static unsigned int queue_count = 2;
/* Begins an RTM_NEWLINK (NLM_F_EXCL|NLM_F_CREATE) request for a device of
 * kind `type`, optionally named and optionally IFF_UP. Leaves the
 * IFLA_LINKINFO nest open so the caller can add IFLA_INFO_DATA and must
 * close it with netlink_done. */
static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type, const char* name, bool up) { struct ifinfomsg hdr; memset(&hdr, 0, 
sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); if (name) netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name)); netlink_attr(nlmsg, IFLA_NUM_TX_QUEUES, &queue_count, sizeof(queue_count)); netlink_attr(nlmsg, IFLA_NUM_RX_QUEUES, &queue_count, sizeof(queue_count)); netlink_nest(nlmsg, IFLA_LINKINFO); netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type)); }
/* Creates a device of kind `type` named `name` (NULL lets the kernel pick).
 * The send result is ignored. */
static void netlink_add_device(struct nlmsg* nlmsg, int sock, const char* type, const char* name) { netlink_add_device_impl(nlmsg, type, name, false); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Creates a veth pair name/peer. The VETH_INFO_PEER nest begins with an
 * all-zero ifinfomsg: pos is simply advanced over bytes that netlink_init
 * already zeroed. Send result ignored. */
static void netlink_add_veth(struct nlmsg* nlmsg, int sock, const char* name, const char* peer) { netlink_add_device_impl(nlmsg, "veth", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_nest(nlmsg, VETH_INFO_PEER); nlmsg->pos += sizeof(struct ifinfomsg); netlink_attr(nlmsg, IFLA_IFNAME, peer, strlen(peer)); netlink_attr(nlmsg, IFLA_NUM_TX_QUEUES, &queue_count, sizeof(queue_count)); netlink_attr(nlmsg, IFLA_NUM_RX_QUEUES, &queue_count, sizeof(queue_count)); netlink_done(nlmsg); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Creates an xfrm interface (brought up) with interface id 1. The id is
 * sent as attribute type 2 — presumably IFLA_XFRM_IF_ID; the constant is
 * not named in this file. */
static void netlink_add_xfrm(struct nlmsg* nlmsg, int sock, const char* name) { netlink_add_device_impl(nlmsg, "xfrm", name, true); netlink_nest(nlmsg, IFLA_INFO_DATA); int if_id = 1; netlink_attr(nlmsg, 2, &if_id, sizeof(if_id)); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Creates an HSR device over two existing interfaces looked up by name.
 * if_nametoindex returns 0 for an unknown name and that 0 is sent as-is. */
static void netlink_add_hsr(struct nlmsg* nlmsg, int sock, const char* name, const char* slave1, const char* slave2) { netlink_add_device_impl(nlmsg, "hsr", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); int ifindex1 = if_nametoindex(slave1); netlink_attr(nlmsg, IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1)); int ifindex2 = if_nametoindex(slave2); netlink_attr(nlmsg, IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2)); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Creates a device of kind `type` stacked on `link` via IFLA_LINK. */
static void netlink_add_linked(struct nlmsg* nlmsg, int sock, const char* type, const char* name, const char* link) { netlink_add_device_impl(nlmsg, type, name, false); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Creates VLAN `name` on `link` with the given id and protocol (proto is
 * passed through as given; callers supply it already in network order). */
static void netlink_add_vlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16_t id, uint16_t proto) { netlink_add_device_impl(nlmsg, "vlan", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_attr(nlmsg, IFLA_VLAN_ID, &id, sizeof(id)); netlink_attr(nlmsg, IFLA_VLAN_PROTOCOL, &proto, sizeof(proto)); netlink_done(nlmsg); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Creates a macvlan in bridge mode on `link`. */
static void netlink_add_macvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link) { netlink_add_device_impl(nlmsg, "macvlan", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); uint32_t mode = MACVLAN_MODE_BRIDGE; netlink_attr(nlmsg, IFLA_MACVLAN_MODE, &mode, sizeof(mode)); netlink_done(nlmsg); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Creates a geneve tunnel with VNI vni and an optional IPv4 and/or IPv6
 * remote (NULL pointers are skipped). */
static void netlink_add_geneve(struct nlmsg* nlmsg, int sock, const char* name, uint32_t vni, struct in_addr* addr4, struct in6_addr* addr6) { netlink_add_device_impl(nlmsg, "geneve", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_attr(nlmsg, IFLA_GENEVE_ID, &vni, sizeof(vni)); if (addr4) netlink_attr(nlmsg, IFLA_GENEVE_REMOTE, addr4, sizeof(*addr4)); if (addr6) netlink_attr(nlmsg, IFLA_GENEVE_REMOTE6, addr6, sizeof(*addr6)); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Local ipvlan constants; IPVLAN_F_VEPA is forced to this file's value
 * regardless of what the system headers define. */
#define IFLA_IPVLAN_FLAGS 2
#define IPVLAN_MODE_L3S 2
#undef IPVLAN_F_VEPA
#define IPVLAN_F_VEPA 2
/* Creates an ipvlan on `link` with the given mode and flags. */
static void netlink_add_ipvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16_t mode, uint16_t flags) { netlink_add_device_impl(nlmsg, "ipvlan", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_attr(nlmsg, IFLA_IPVLAN_MODE, &mode, sizeof(mode)); netlink_attr(nlmsg, IFLA_IPVLAN_FLAGS, &flags, sizeof(flags)); netlink_done(nlmsg); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Modifies the existing device `name`: optionally sets IFF_UP, renames it to
 * new_name, enslaves it to `master`, and/or sets its hardware address to the
 * first macsize bytes of mac (macsize 0 skips the address). Send result
 * ignored. */
static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); if (err < 0) { } }
/* Adds an address to dev with RTM_NEWADDR (NLM_F_CREATE|NLM_F_REPLACE).
 * addrsize 4 selects AF_INET with a /24 prefix; any other size is treated
 * as AF_INET6 with a /120 prefix. Returns netlink_send's result. */
static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize) { struct ifaddrmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120; hdr.ifa_scope = RT_SCOPE_UNIVERSE; hdr.ifa_index = if_nametoindex(dev); netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize); netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize); return netlink_send(nlmsg, sock); }
/* Parses an IPv4 dotted string and adds it to dev. inet_pton's result is not
 * checked, so an unparsable string sends an uninitialized in_addr. */
static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in_addr in_addr; inet_pton(AF_INET, addr, &in_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr)); if (err < 0) { } }
/* IPv6 counterpart of netlink_add_addr4; same unchecked inet_pton. */
static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in6_addr in6_addr; inet_pton(AF_INET6, addr, &in6_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr)); if (err < 0) { } }
/* Message buffer shared by all netlink helpers below. */
static struct nlmsg nlmsg;
/* Fixed fd number; not referenced within this chunk. */
const int kInitNetNsFd = 201;
/* devlink generic-netlink constants, defined locally rather than taken from
 * kernel headers. */
#define DEVLINK_FAMILY_NAME "devlink"
#define DEVLINK_CMD_PORT_GET 5
#define DEVLINK_ATTR_BUS_NAME 1
#define DEVLINK_ATTR_DEV_NAME 2
#define DEVLINK_ATTR_NETDEV_NAME 7
/* Second buffer so RTM_NEWLINK requests can be built while the devlink dump
 * reply still sits in nlmsg. */
static struct nlmsg nlmsg2;
/* Dumps the devlink ports of bus_name/dev_name and renames the netdev of the
 * N-th port to netdev_prefix<N> (counting from 0), bringing it up. Both
 * sockets are closed on every exit path through the error label. */
static void initialize_devlink_ports(const char* bus_name, const char* dev_name, const char* netdev_prefix) { struct genlmsghdr genlhdr; int len, total_len, id, err, offset; uint16_t netdev_index; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) exit(1); int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (rtsock == -1) exit(1); id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true); if (id == -1) goto error; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = DEVLINK_CMD_PORT_GET; netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1); netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1); err = netlink_send_ext(&nlmsg, sock, id, &total_len, true); if (err < 0) { goto error; } offset = 0; netdev_index = 0; while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) { 
/* Walk the attributes of this port message; the netdev name attribute is
 * used directly as a C string (relies on the kernel NUL-terminating it). */
struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg.buf + offset + len; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) { char* port_name; char netdev_name[IFNAMSIZ]; port_name = (char*)(attr + 1); snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix, netdev_index); netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0, netdev_name); break; } } offset += len; netdev_index++; } error: close(rtsock); close(sock); }
/* Local constants for the mac80211_hwsim / nl80211 setup. */
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00}
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50}
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10}
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6
/* Parameters for NL80211_CMD_JOIN_IBSS: channel frequency, whether it is
 * fixed, an optional MAC (ETH_ALEN bytes) and the SSID bytes. */
struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; };
/* Sets (on != 0) or clears IFF_UP on interface_name through SIOCGIFFLAGS /
 * SIOCSIFFLAGS on a throwaway AF_INET socket. Returns 0, or -1 on any
 * failure. interface_name is copied into ifr_name with strcpy and no
 * length check, so callers must pass a name shorter than IFNAMSIZ. */
static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; }
/* NL80211_CMD_SET_INTERFACE: changes the type of interface ifindex to
 * iftype. Returns netlink_send_ext's result (exit(1) on failure if dofail). */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; }
/* NL80211_CMD_JOIN_IBSS on ifindex with the SSID, frequency, optional MAC
 * and FREQ_FIXED flag from props. Returns netlink_send_ext's result. */
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; }
/* Queries IFLA_OPERSTATE of ifindex with RTM_GETLINK on a fresh NETLINK_ROUTE
 * socket. Returns the operstate value (read as int32_t) or -1 when the
 * query fails or the attribute is absent. `n` is the whole reply length,
 * including nlmsghdr and ifinfomsg, so the RTA_OK bound is loose by the size
 * of those headers. */
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; }
/* Polls every 1 ms until `interface` reports `operstate`. Returns 0 when it
 * does, or the negative result of get_ifla_operstate. There is no upper
 * bound on the number of iterations. */
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; }
/* Switches `interface` to NL80211_IFTYPE_ADHOC, brings it up and joins the
 * IBSS described by ibss_props. Returns 0, or -1 at the first failing step
 * (an unknown interface name fails immediately). */
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; }
/* Address and MAC templates for the devices configured in
 * initialize_netdevices. */
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02x"
#define DEV_MAC 0x00aaaaaaaaaa
/* Recreates netdevsim device `addr` with port_count ports through sysfs and,
 * if creation succeeded, renames its ports to netdevsim<N>. The delete is
 * best-effort. addr is unsigned but formatted with %d when building the
 * device name. */
static void netdevsim_add(unsigned int addr, unsigned int port_count) { write_file("/sys/bus/netdevsim/del_device", "%u", addr); if (write_file("/sys/bus/netdevsim/new_device", "%u %u", addr, port_count)) { char buf[32]; snprintf(buf, sizeof(buf), "netdevsim%d", addr); initialize_devlink_ports("netdevsim", buf, "netdevsim"); } }
/* WireGuard generic-netlink protocol constants, defined locally. */
#define WG_GENL_NAME "wireguard"
enum wg_cmd { WG_CMD_GET_DEVICE, WG_CMD_SET_DEVICE, };
enum wgdevice_attribute { WGDEVICE_A_UNSPEC, WGDEVICE_A_IFINDEX, WGDEVICE_A_IFNAME, WGDEVICE_A_PRIVATE_KEY, WGDEVICE_A_PUBLIC_KEY, WGDEVICE_A_FLAGS, WGDEVICE_A_LISTEN_PORT, WGDEVICE_A_FWMARK, WGDEVICE_A_PEERS, };
enum wgpeer_attribute { WGPEER_A_UNSPEC, WGPEER_A_PUBLIC_KEY, WGPEER_A_PRESHARED_KEY, WGPEER_A_FLAGS, WGPEER_A_ENDPOINT, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, WGPEER_A_LAST_HANDSHAKE_TIME, WGPEER_A_RX_BYTES, WGPEER_A_TX_BYTES, WGPEER_A_ALLOWEDIPS, WGPEER_A_PROTOCOL_VERSION, };
enum wgallowedip_attribute { WGALLOWEDIP_A_UNSPEC, WGALLOWEDIP_A_FAMILY, WGALLOWEDIP_A_IPADDR, WGALLOWEDIP_A_CIDR_MASK, };
/* Configures wg0/wg1/wg2 (created earlier by initialize_netdevices) with
 * fixed private/public key pairs and peers them with each other over
 * loopback, splitting the IPv4 and IPv6 space in half per peer. The keys are
 * a static fixture embedded in the generated program; send errors are
 * ignored and the socket is closed through the error label. */
static void netlink_wireguard_setup(void) { const char ifname_a[] = "wg0"; const char ifname_b[] = "wg1"; const char ifname_c[] = "wg2"; const char private_a[] = "\xa0\x5c\xa8\x4f\x6c\x9c\x8e\x38\x53\xe2\xfd\x7a\x70\xae\x0f\xb2\x0f\xa1\x52\x60\x0c\xb0\x08\x45\x17\x4f\x08\x07\x6f\x8d\x78\x43"; const char private_b[] = 
"\xb0\x80\x73\xe8\xd4\x4e\x91\xe3\xda\x92\x2c\x22\x43\x82\x44\xbb\x88\x5c\x69\xe2\x69\xc8\xe9\xd8\x35\xb1\x14\x29\x3a\x4d\xdc\x6e"; const char private_c[] = "\xa0\xcb\x87\x9a\x47\xf5\xbc\x64\x4c\x0e\x69\x3f\xa6\xd0\x31\xc7\x4a\x15\x53\xb6\xe9\x01\xb9\xff\x2f\x51\x8c\x78\x04\x2f\xb5\x42"; const char public_a[] = "\x97\x5c\x9d\x81\xc9\x83\xc8\x20\x9e\xe7\x81\x25\x4b\x89\x9f\x8e\xd9\x25\xae\x9f\x09\x23\xc2\x3c\x62\xf5\x3c\x57\xcd\xbf\x69\x1c"; const char public_b[] = "\xd1\x73\x28\x99\xf6\x11\xcd\x89\x94\x03\x4d\x7f\x41\x3d\xc9\x57\x63\x0e\x54\x93\xc2\x85\xac\xa4\x00\x65\xcb\x63\x11\xbe\x69\x6b"; const char public_c[] = "\xf4\x4d\xa3\x67\xa8\x8e\xe6\x56\x4f\x02\x02\x11\x45\x67\x27\x08\x2f\x5c\xeb\xee\x8b\x1b\xf5\xeb\x73\x37\x34\x1b\x45\x9b\x39\x22"; const uint16_t listen_a = 20001; const uint16_t listen_b = 20002; const uint16_t listen_c = 20003; const uint16_t af_inet = AF_INET; const uint16_t af_inet6 = AF_INET6; const struct sockaddr_in endpoint_b_v4 = { .sin_family = AF_INET, .sin_port = htons(listen_b), .sin_addr = {htonl(INADDR_LOOPBACK)}}; const struct sockaddr_in endpoint_c_v4 = { .sin_family = AF_INET, .sin_port = htons(listen_c), .sin_addr = {htonl(INADDR_LOOPBACK)}}; struct sockaddr_in6 endpoint_a_v6 = { .sin6_family = AF_INET6, .sin6_port = htons(listen_a)}; endpoint_a_v6.sin6_addr = in6addr_loopback; struct sockaddr_in6 endpoint_c_v6 = { .sin6_family = AF_INET6, .sin6_port = htons(listen_c)}; endpoint_c_v6.sin6_addr = in6addr_loopback; const struct in_addr first_half_v4 = {0}; const struct in_addr second_half_v4 = {(uint32_t)htonl(128 << 24)}; const struct in6_addr first_half_v6 = {{{0}}}; const struct in6_addr second_half_v6 = {{{0x80}}}; const uint8_t half_cidr = 1; const uint16_t persistent_keepalives[] = {1, 3, 7, 9, 14, 19}; struct genlmsghdr genlhdr = { .cmd = WG_CMD_SET_DEVICE, .version = 1}; int sock; int id, err; sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) { return; } id = netlink_query_family_id(&nlmsg, sock, 
WG_GENL_NAME, true); if (id == -1) goto error; netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_a, strlen(ifname_a) + 1); netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_a, 32); netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_a, 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4, sizeof(endpoint_b_v4)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[0], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v6, sizeof(endpoint_c_v6)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[1], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, 
&second_half_v6, sizeof(second_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); err = netlink_send(&nlmsg, sock); if (err < 0) { } netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_b, strlen(ifname_b) + 1); netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_b, 32); netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_b, 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6, sizeof(endpoint_a_v6)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[2], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v4, sizeof(endpoint_c_v4)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[3], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4)); netlink_attr(&nlmsg, 
WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); err = netlink_send(&nlmsg, sock); if (err < 0) { } netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_c, strlen(ifname_c) + 1); netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_c, 32); netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_c, 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6, sizeof(endpoint_a_v6)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[4], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4, sizeof(endpoint_b_v4)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[5], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, 
NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); err = netlink_send(&nlmsg, sock); if (err < 0) { } error: close(sock); } static void initialize_netdevices(void) { char netdevsim[16]; sprintf(netdevsim, "netdevsim%d", (int)procid); struct { const char* type; const char* dev; } devtypes[] = { {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"}, {"vcan", "vcan0"}, {"bond", "bond0"}, {"team", "team0"}, {"dummy", "dummy0"}, {"nlmon", "nlmon0"}, {"caif", "caif0"}, {"batadv", "batadv0"}, {"vxcan", "vxcan1"}, {"veth", 0}, {"wireguard", "wg0"}, {"wireguard", "wg1"}, {"wireguard", "wg2"}, }; const char* devmasters[] = {"bridge", "bond", "team", "batadv"}; struct { const char* name; int macsize; bool noipv6; } devices[] = { {"lo", ETH_ALEN}, {"sit0", 0}, {"bridge0", ETH_ALEN}, {"vcan0", 0, true}, {"tunl0", 0}, {"gre0", 0}, {"gretap0", ETH_ALEN}, {"ip_vti0", 0}, {"ip6_vti0", 0}, {"ip6tnl0", 0}, {"ip6gre0", 0}, {"ip6gretap0", ETH_ALEN}, {"erspan0", ETH_ALEN}, {"bond0", ETH_ALEN}, {"veth0", ETH_ALEN}, {"veth1", ETH_ALEN}, {"team0", ETH_ALEN}, {"veth0_to_bridge", ETH_ALEN}, {"veth1_to_bridge", ETH_ALEN}, {"veth0_to_bond", ETH_ALEN}, {"veth1_to_bond", ETH_ALEN}, {"veth0_to_team", ETH_ALEN}, {"veth1_to_team", ETH_ALEN}, {"veth0_to_hsr", ETH_ALEN}, {"veth1_to_hsr", ETH_ALEN}, {"hsr0", 0}, {"dummy0", ETH_ALEN}, {"nlmon0", 0}, {"vxcan0", 0, true}, {"vxcan1", 0, true}, {"caif0", ETH_ALEN}, {"batadv0", ETH_ALEN}, {netdevsim, ETH_ALEN}, {"xfrm0", ETH_ALEN}, 
{"veth0_virt_wifi", ETH_ALEN}, {"veth1_virt_wifi", ETH_ALEN}, {"virt_wifi0", ETH_ALEN}, {"veth0_vlan", ETH_ALEN}, {"veth1_vlan", ETH_ALEN}, {"vlan0", ETH_ALEN}, {"vlan1", ETH_ALEN}, {"macvlan0", ETH_ALEN}, {"macvlan1", ETH_ALEN}, {"ipvlan0", ETH_ALEN}, {"ipvlan1", ETH_ALEN}, {"veth0_macvtap", ETH_ALEN}, {"veth1_macvtap", ETH_ALEN}, {"macvtap0", ETH_ALEN}, {"macsec0", ETH_ALEN}, {"veth0_to_batadv", ETH_ALEN}, {"veth1_to_batadv", ETH_ALEN}, {"batadv_slave_0", ETH_ALEN}, {"batadv_slave_1", ETH_ALEN}, {"geneve0", ETH_ALEN}, {"geneve1", ETH_ALEN}, {"wg0", 0}, {"wg1", 0}, {"wg2", 0}, }; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); unsigned i; for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) netlink_add_device(&nlmsg, sock, devtypes[i].type, devtypes[i].dev); for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) { char master[32], slave0[32], veth0[32], slave1[32], veth1[32]; sprintf(slave0, "%s_slave_0", devmasters[i]); sprintf(veth0, "veth0_to_%s", devmasters[i]); netlink_add_veth(&nlmsg, sock, slave0, veth0); sprintf(slave1, "%s_slave_1", devmasters[i]); sprintf(veth1, "veth1_to_%s", devmasters[i]); netlink_add_veth(&nlmsg, sock, slave1, veth1); sprintf(master, "%s0", devmasters[i]); netlink_device_change(&nlmsg, sock, slave0, false, master, 0, 0, NULL); netlink_device_change(&nlmsg, sock, slave1, false, master, 0, 0, NULL); } netlink_add_xfrm(&nlmsg, sock, "xfrm0"); netlink_device_change(&nlmsg, sock, "bridge_slave_0", true, 0, 0, 0, NULL); netlink_device_change(&nlmsg, sock, "bridge_slave_1", true, 0, 0, 0, NULL); netlink_add_veth(&nlmsg, sock, "hsr_slave_0", "veth0_to_hsr"); netlink_add_veth(&nlmsg, sock, "hsr_slave_1", "veth1_to_hsr"); netlink_add_hsr(&nlmsg, sock, "hsr0", "hsr_slave_0", "hsr_slave_1"); netlink_device_change(&nlmsg, sock, "hsr_slave_0", true, 0, 0, 0, NULL); netlink_device_change(&nlmsg, sock, "hsr_slave_1", true, 0, 0, 0, NULL); netlink_add_veth(&nlmsg, sock, "veth0_virt_wifi", 
"veth1_virt_wifi"); netlink_add_linked(&nlmsg, sock, "virt_wifi", "virt_wifi0", "veth1_virt_wifi"); netlink_add_veth(&nlmsg, sock, "veth0_vlan", "veth1_vlan"); netlink_add_vlan(&nlmsg, sock, "vlan0", "veth0_vlan", 0, htons(ETH_P_8021Q)); netlink_add_vlan(&nlmsg, sock, "vlan1", "veth0_vlan", 1, htons(ETH_P_8021AD)); netlink_add_macvlan(&nlmsg, sock, "macvlan0", "veth1_vlan"); netlink_add_macvlan(&nlmsg, sock, "macvlan1", "veth1_vlan"); netlink_add_ipvlan(&nlmsg, sock, "ipvlan0", "veth0_vlan", IPVLAN_MODE_L2, 0); netlink_add_ipvlan(&nlmsg, sock, "ipvlan1", "veth0_vlan", IPVLAN_MODE_L3S, IPVLAN_F_VEPA); netlink_add_veth(&nlmsg, sock, "veth0_macvtap", "veth1_macvtap"); netlink_add_linked(&nlmsg, sock, "macvtap", "macvtap0", "veth0_macvtap"); netlink_add_linked(&nlmsg, sock, "macsec", "macsec0", "veth1_macvtap"); char addr[32]; sprintf(addr, DEV_IPV4, 14 + 10); struct in_addr geneve_addr4; if (inet_pton(AF_INET, addr, &geneve_addr4) <= 0) exit(1); struct in6_addr geneve_addr6; if (inet_pton(AF_INET6, "fc00::01", &geneve_addr6) <= 0) exit(1); netlink_add_geneve(&nlmsg, sock, "geneve0", 0, &geneve_addr4, 0); netlink_add_geneve(&nlmsg, sock, "geneve1", 1, 0, &geneve_addr6); netdevsim_add((int)procid, 4); netlink_wireguard_setup(); for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) { char addr[32]; sprintf(addr, DEV_IPV4, i + 10); netlink_add_addr4(&nlmsg, sock, devices[i].name, addr); if (!devices[i].noipv6) { sprintf(addr, DEV_IPV6, i + 10); netlink_add_addr6(&nlmsg, sock, devices[i].name, addr); } uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40); netlink_device_change(&nlmsg, sock, devices[i].name, true, 0, &macaddr, devices[i].macsize, NULL); } close(sock); } static void initialize_netdevices_init(void) { int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); struct { const char* type; int macsize; bool noipv6; bool noup; } devtypes[] = { {"nr", 7, true}, {"rose", 5, true, true}, }; unsigned i; for (i = 0; i < sizeof(devtypes) / 
sizeof(devtypes[0]); i++) {
		char dev[32], addr[32];
		// Name is "<type><procid>"; the addresses embed the table index and
		// procid + 1. `i` is unsigned but formatted with %d.
		sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
		sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
		netlink_add_addr4(&nlmsg, sock, dev, addr);
		// Both entries of the table above set noipv6, so this branch is
		// currently never taken.
		if (!devtypes[i].noipv6) {
			sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
			netlink_add_addr6(&nlmsg, sock, dev, addr);
		}
		int macsize = devtypes[i].macsize;
		// MAC of `macsize` bytes: 0xbbbbbb in the low bytes, i in the
		// second-highest byte, procid in the highest byte.
		uint64_t macaddr = 0xbbbbbb + ((unsigned long long)i << (8 * (macsize - 2))) + (procid << (8 * (macsize - 1)));
		netlink_device_change(&nlmsg, sock, dev, !devtypes[i].noup, 0, &macaddr, macsize, NULL);
	}
	close(sock);
}
// Byte offsets into the io_uring shared ring mapping. They are hard-coded
// for the default (non-SQE128/CQE32) layout; syz_io_uring_setup below clears
// those two flags so the 16/64-byte CQE/SQE sizes stay valid. The offsets
// are not cross-checked against the sq_off/cq_off the kernel returns —
// TODO confirm they match on the target kernel.
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320
// Userspace copy of the 16-byte completion queue entry.
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};
// Consumes one CQE from the ring mapped at a0 and advances the CQ head.
// Returns the CQE's res when its user_data is one of the two hard-coded tags
// (0x12345 / 0x23456), otherwise -1. The ring pointer is taken as given and
// there is no head != tail check, so an empty ring yields a stale entry.
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	// Release ordering keeps the CQE copy above before the head update the
	// kernel observes.
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}
// Userspace copies of the io_uring_setup() parameter structures.
struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};
struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};
struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
#define IORING_SETUP_SQE128 (1U << 10)
#define IORING_SETUP_CQE32 (1U << 11)
// io_uring_setup() followed by mmap of the SQ/CQ ring and of the SQE array.
// a0 = entries, a1 = io_uring_params (in/out), a2/a3 receive the two mapping
// addresses. Returns the ring fd.
// NOTE(review): the syscall result is kept in a uint32_t and never checked;
// on failure (-1) the mmaps below run against fd 0xffffffff and the index
// array fill dereferences whatever mmap returned (also unchecked).
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void** ring_ptr_out = (void**)a2;
	void** sqes_ptr_out = (void**)a3;
	// The fixed SIZEOF_IO_URING_{SQE,CQE} constants assume the default
	// entry sizes, so the large-entry flags are stripped from the request.
	setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);
	uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	// One mapping covers both rings; size it to whichever ends later.
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ?
sq_ring_sz : cq_ring_sz;
	*ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING);
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
	// Identity-fill the SQ index array (slot i submits SQE i). The loop is
	// bounded by the requested `entries`, not the granted sq_entries —
	// assumes sq_entries >= entries; TODO confirm for the target kernel.
	uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array);
	for (uint32_t index = 0; index < entries; index++)
		array[index] = index;
	return fd_io_uring;
}
// Copies one 64-byte SQE (a2) into the next slot of the SQE array (a1) and
// bumps the SQ tail in the ring at a0. Always returns 0; there is no check
// that the queue has a free slot before the tail is advanced.
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	// Release ordering publishes the SQE contents before the new tail.
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}
#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)
// Attaches one end of a fresh AF_UNIX socketpair to the vhci_hcd usbip host
// controller through sysfs and returns the other end to the caller. Ports
// are allocated per process as [usb2: 0..7][usb3: 8..15], counted separately
// for the two speed classes.
// NOTE(review): the bound check is `> VHCI_HC_PORTS`, so available_port_num
// == 8 is accepted; with the arithmetic below that lands the 9th usb2
// allocation on this process's first usb3 port, and the 9th usb3 one in the
// next process's range. `>=` reads as the intent. Both early-return paths
// leave the socketpair open, and write_file's result is ignored.
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) {
		return -1;
	}
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	if (available_port_num > VHCI_HC_PORTS) {
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	// attach takes "<port> <socket fd> <devid> <speed>"; devid is always "0".
	sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed);
	write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer);
	return server_fd;
}
#define BTF_MAGIC 0xeB9F
// Layout of the BTF image exposed at /sys/kernel/btf/vmlinux: header, then
// a type section and a string section at hdr_len + type_off / str_off.
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info) & 0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15
// One type entry; the kind-specific data that follows it is sized in
// syz_btf_id_by_name.
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};
struct btf_enum {
	__u32 name_off;
	__s32 val;
};
struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};
struct btf_param {
	__u32 name_off;
	__u32 type;
};
struct btf_var {
	__u32 linkage;
};
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)
// Reads /sys/kernel/btf/vmlinux into a 10 MiB static buffer once and caches
// it for later calls. Returns NULL if the file cannot be opened, a read
// fails, or the image fills the whole buffer (images >= 10 MiB are rejected,
// not truncated). The descriptor is never closed on any path, so every call
// that does not hit the cache leaks one fd.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			return NULL;
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	is_read = true;
	return buf;
}
// Linear scan of the vmlinux BTF type section for a type whose name equals
// the string at a0; returns its BTF id (1-based, 0 is reserved for void) or
// -1. hdr_len/type_off/str_off/name_off are used without bounds checks
// against the buffer; the image is kernel-provided, not program input.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific payload after struct btf_type. Kinds
		// not listed here are treated as carrying no payload; any kind
		// that does carry one but is missing from this table would
		// desynchronise the walk — TODO confirm against the kernel's
		// current BTF kind list.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}
// memcpy with independent destination/source byte offsets: copies n bytes
// from src + src_off to dest + dest_off. No sizes are known here, so nothing
// is bounds-checked. Returns the destination pointer as a long.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}
// Identity: the supplied value is the resource.
static long syz_create_resource(volatile long val)
{
	return val;
}
#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6
// Parsed view of one emulated USB device's descriptors. `desc` is a copy;
// `handle` is the raw-gadget endpoint handle once set_interface() enabled it.
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};
// `iface` points into the caller's descriptor buffer (no copy).
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};
// dev/config point into the caller's descriptor buffer, which therefore has
// to outlive the index. iface_cur is the index into ifaces[] of the interface
// currently enabled, or -1.
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};
struct usb_info {
	int fd;
	struct usb_device_index index;
};
static struct usb_info usb_devices[USB_MAX_FDS];
// Finds the index registered for a raw-gadget fd. Unused slots hold fd == 0
// (static zero-init), so a lookup for fd 0 matches an empty slot —
// presumably never a raw-gadget fd in practice. The acquire load pairs with
// the release store in add_usb_index.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}
static int usb_devices_num;
// Builds `index` from a raw descriptor blob: the device descriptor, then the
// config descriptor, then a walk over all descriptors that records up to
// USB_MAX_IFACE_NUM interfaces and USB_MAX_EP_NUM endpoints per interface.
static bool parse_usb_descriptor(const char* buffer,
size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	// Everything after the device descriptor is served as the configuration.
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1; // nothing enabled until set_interface()
	size_t offset = 0;
	// Walk bLength/bDescriptorType headers from offset 0 (the device
	// descriptor itself is just stepped over). Only the 2-byte header and the
	// bLength span are checked against `length`; a descriptor shorter than
	// the struct it is cast to is still read as the full struct, so a
	// truncated trailing descriptor can be read past `length`.
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break; // zero/short bLength would never advance: stop here
		if (offset + desc_length > length)
			break;
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		// Endpoints are attributed to the most recently seen interface;
		// ones before any interface descriptor are dropped.
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}
// Claims the next usb_devices[] slot (slots are handed out once and never
// reused) and parses the descriptor blob into it. The fd is published last
// with release ordering, so a concurrent lookup_usb_index cannot observe a
// half-built index. A parse failure still consumes the slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}
// Optional extra descriptors handed to syz_usb_connect. Layout is shared with
// the program that builds it, hence packed. strs_len is compared against a
// string index below, so it is presumably an element count — TODO confirm.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));
// Fallback string descriptors: "syz" (UTF-16LE) and LANGID 0x0409.
static const char default_string[] = {
    8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0
};
static const char default_lang_id[] = {
    4, USB_DT_STRING, 0x09, 0x04
};
// Answers IN (device-to-host) control requests during enumeration. Only
// standard GET_DESCRIPTOR requests are served: DEVICE and CONFIG from the
// parsed index, STRING from descs->strs[] with the defaults above as
// fallback, BOS and DEVICE_QUALIFIER from descs (a qualifier is synthesised
// from the device descriptor into `qual` when descs->qual is NULL). Anything
// else returns false and the caller stalls ep0.
// NOTE(review): the STRING branch tolerates descs == NULL, but the BOS and
// DEVICE_QUALIFIER branches dereference descs unconditionally, and
// syz_usb_connect passes its a3 argument through as descs untouched.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONF
IG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs->qual) {
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}
// Handler for OUT (host-to-device) requests during enumeration; sets *done
// when enumeration is considered complete.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);
// Generic device: only SET_CONFIGURATION is accepted, and it ends enumeration.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31
// ath9k_htc variant: SET_CONFIGURATION is accepted but does not finish
// enumeration; the vendor firmware-download requests are acked and the
// completion request (0x31) ends it.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}
// Caller-supplied reply tables for syz_usb_control_io: descriptors keyed by
// (request type, descriptor type) and responses keyed by (request type,
// bRequest). `len` is the table's byte size; `generic` is the fallback entry.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));
struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));
// Looks up the reply for an arbitrary control request: for GET_DESCRIPTOR
// the first descs->descs[] entry matching (request type, descriptor type),
// otherwise the first resps->resps[] entry matching (request type,
// bRequest); either table's `generic` entry is the fallback. NULL table
// entries are skipped. A zero-length match yields response_data == NULL.
// NOTE(review): the entry counts are derived from the caller-supplied `len`;
// a len smaller than the array offset wraps (uint32_t minus size_t) and the
// resulting count is bogus.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	if (descs)
		descs_num =
(descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps)
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}
// Userspace copies of the raw-gadget UAPI structures and ioctls.
#define UDC_NAME_LENGTH_MAX 128
struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};
enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};
// Variable-size event/io headers; `length` is the size of data[] on input
// and is updated by the driver on output.
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};
struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};
#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff
struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};
struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};
struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};
struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)
// Thin ioctl wrappers; each returns the raw ioctl result (negative on error).
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}
// Binds the gadget to UDC `device` via driver `driver` at `speed`.
// NOTE(review): strncpy with the full array size gives no NUL guarantee for
// a 128-byte name and `arg` is not zeroed, so padding goes to the kernel
// uninitialised; the driver is presumably defensive — TODO confirm. `speed`
// is narrowed to __u8.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}
static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}
// Returns the endpoint handle on success (>= 0).
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}
// The handle is passed by value as the ioctl argument, not by pointer.
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}
// Maps (bInterfaceNumber, bAlternateSetting) to an index into ifaces[], or -1.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}
// Maps a bEndpointAddress on the currently enabled interface to its
// raw-gadget handle, or -1 if unknown / no interface enabled.
// NOTE(review): `handle` is 0 (from the memset in parse_usb_descriptor) for
// an endpoint whose usb_raw_ep_enable failed in set_interface, and that 0 is
// returned here as if it were a valid handle.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}
#define USB_MAX_PACKET_SIZE 4096
// Stack-allocated event/io buffers with room for one max-size payload.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};
// Disables every endpoint of the current interface, then enables those of
// interface index n (an index into ifaces[], not a bInterfaceNumber) and
// records their handles. The empty if/else arms are leftover debug hooks;
// enable failures are ignored and leave the handle at 0. An out-of-range n
// only disables the current interface and leaves iface_cur unchanged.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv < 0) {
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}
// SET_CONFIGURATION side effects: announce bMaxPower, configure the gadget
// and enable interface index 0. Returns 0 or the failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}
// Emulates device enumeration through raw-gadget: opens /dev/raw-gadget,
// registers the descriptor blob `dev` (dev_len bytes, kept by reference),
// binds to "dummy_udc.<procid>" and then serves control transfers until
// lookup_connect_response_out sets `done`. Returns the raw-gadget fd, which
// syz_usb_control_io / syz_usb_ep_* use afterwards, or a negative error.
// NOTE(review): the fd is closed only on the fd >= MAX_FDS path; every later
// error return (index, init, run, event fetch, ep0 I/O) leaks it, and once
// add_usb_index succeeded the usb_devices[] slot keeps pointing at it.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		// Only the 8-byte setup packet is fetched here; data[] is unused.
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;
		// IN requests are answered with data; OUT requests are acked by
		// reading wLength bytes. Unknown requests stall ep0 and wait again.
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) ==
USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			// Apply vbus draw / configure / interface 0 before acking.
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Clamp to the on-stack buffer (an over-long reply becomes 0 bytes,
		// not a truncated one) and to the host's wLength.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}
// Entry points: a0 = speed, a1 = descriptor length, a2 = descriptor blob,
// a3 = optional vusb_connect_descriptors (passed through unvalidated).
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}
// Serves exactly one control request after enumeration on raw-gadget fd a0.
// IN requests with a payload are answered from the descs (a1) / resps (a2)
// tables; OUT requests and zero-length IN requests are acked with an ep0
// read. SET_INTERFACE switches the enabled interface. Returns 0, -1 when no
// control event arrived or no reply was found (ep0 is stalled then), or the
// failing ioctl's result.
// NOTE(review): the interface-switch condition is `== USB_TYPE_STANDARD ||
// bRequest == USB_REQ_SET_INTERFACE`, so every standard OUT request (e.g.
// SET_CONFIGURATION with wIndex/wValue) attempts a lookup_interface with its
// wIndex/wValue; `&&` reads as the intent — confirm.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Same clamping as in syz_usb_connect_impl; a zero-length IN request is
	// then answered by an ep0 read of a full USB_MAX_PACKET_SIZE buffer.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
// Writes up to len bytes (capped at USB_MAX_PACKET_SIZE) from data (a3) to
// endpoint address ep (a1) of the current interface. Returns 0, -1 for an
// unknown endpoint, or the ioctl result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
// Reads up to len bytes (capped at USB_MAX_PACKET_SIZE) from endpoint ep into
// data. The copy-out uses the length the driver reports back, which is
// assumed to be <= the requested len — TODO confirm; `data` is only known to
// hold len bytes.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}
// Closes the raw-gadget fd. The usb_devices[] slot is not cleared, so a later
// fd with the same number would still match the stale index in
// lookup_usb_index.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}
// a0 == 0xc / 0xb: opens /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> O_RDWR.
// Otherwise a0 is a path template whose '#' characters are replaced, first
// to last, by the decimal digits of a1 from least significant upward, and
// a2 supplies the flags with O_CREAT masked off, so this never creates
// files. The template is copied into a bounded, NUL-terminated 1024-byte
// buffer.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10);
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}
// Opens /proc/self/<a1> (a0 == 0), /proc/thread-self/<a1> (a0 == -1) or
// /proc/self/task/<a0>/<a1>, trying O_RDWR first and falling back to
// O_RDONLY. The path is snprintf-bounded to 128 bytes; a1 is used verbatim.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}
// Opens the slave pty /dev/pts/<n> belonging to the master fd a0 (number
// obtained with TIOCGPTN) using flags a1.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}
// Creates a socket inside the initial network namespace (kInitNetNsFd is
// defined elsewhere) and switches back to the caller's own namespace
// afterwards; errno from socket() survives the switch back. Failing to
// return to the original namespace is fatal. The `netns` fd is leaked on the
// first setns failure path.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	return sock;
}
// Same namespace switch as syz_init_net_socket, then connects a TCP socket to
// 127.0.0.1:4420 in the init namespace. The socket() result is not checked
// before connect() (a failed socket makes connect fail, so -1 is returned
// anyway); sin_zero is left uninitialised.
static long syz_socket_connect_nvme_tcp()
{
	struct sockaddr_in nvme_local_address;
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0))
		return -1;
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		close(sock);
		return -1;
	}
	return sock;
}
// Resolves a generic-netlink family name (the string at `name`) to its id via
// netlink_query_family_id (defined elsewhere). A negative sock_arg means
// "open a temporary NETLINK_GENERIC socket and close it afterwards";
// otherwise sock_arg is used as-is and left open. Returns the id or -1.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software.
//% If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
// Inflate state: output buffer/limit/position, input buffer/limit/position,
// the bit accumulator, and a jmp_buf that puff_bits/puff_decode longjmp to
// (value 1) when the input runs out. The caller must setjmp(env) first.
struct puff_state {
	unsigned char* out;
	unsigned long outlen;
	unsigned long outcnt;
	const unsigned char* in;
	unsigned long inlen;
	unsigned long incnt;
	int bitbuf;
	int bitcnt;
	jmp_buf env;
};
// Returns the next `need` bits of the stream, least-significant bit first,
// refilling the accumulator one input byte at a time. Input underrun
// longjmps to s->env.
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}
	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;
	return (int)(val & ((1L << need) - 1));
}
// Stored (uncompressed) block: discard the partial byte, read 2-byte LEN and
// its one's complement NLEN, then copy LEN raw bytes. Returns 0 on success,
// 2 on input underrun, -2 on LEN/NLEN mismatch, 1 when the output is full.
// Deviation from upstream puff: zero input bytes are not written, so the
// existing contents of `out` show through them (same in puff_codes) —
// presumably deliberate for overlaying onto a pre-filled buffer.
static int puff_stored(struct puff_state* s)
{
	s->bitbuf = 0;
	s->bitcnt = 0;
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	for (; len--; s->outcnt++, s->incnt++) {
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}
	return 0;
}
// Canonical Huffman table: count[len] codes of each length, symbol[] in
// canonical order. Both arrays are supplied by the caller.
struct puff_huffman {
	short* count;
	short* symbol;
};
// Decodes one symbol bit by bit against the canonical code in h, consuming
// input from the accumulator and then from s->in. Returns the symbol, or
// -10 when no code of length <= MAXBITS matched; input underrun longjmps.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0;
	int index = 0;
	int bitbuf = s->bitbuf;
	int left = s->bitcnt;
	int code = first = index = 0;
	int len = 1;
	short* next = h->count + 1;
	while (1) {
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				s->bitbuf = bitbuf;
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code - first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}
// Builds h from n code lengths. Returns 0 for a complete code (or when all
// lengths are zero), a positive value for an incomplete code and a negative
// one for an over-subscribed code. length[] values index count[MAXBITS + 1]
// unchecked, so the caller must keep them <= MAXBITS.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;
	// Kraft check: `left` is the number of unused codes after each length.
	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}
	// Offsets of the first symbol of each length, then scatter the symbols.
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];
	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;
	return left;
}
// Decodes literal/length and distance codes until end-of-block. Returns 0 at
// end of block, 1 when the output is full, -10 on an invalid length/distance
// symbol, or the negative value from puff_decode. Literal zero bytes are not
// written (see puff_stored).
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
	// Base lengths / extra bits for length symbols 257..285 and base
	// distances / extra bits for distance symbols 0..29 (RFC 1951 tables).
	static const short lens[29] = {
	    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
	    35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = {
	    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
	    3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	static const short dists[30] = {
	    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
	    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
	    8193, 12289, 16385, 24577};
	static const short dext[30] = {
	    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
	    7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);
			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			if
(dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } 
else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? 
puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, 
volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, 
*__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_PT_POOL 0x5000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x70000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define 
X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x200000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL 
<< 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 8) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) 
/* Legacy-image GDT selectors, continued (gates and TSS descriptors). */
#define X86_SEL_TGATE32 (17 << 3)
#define X86_SEL_CGATE64 (18 << 3)
#define X86_SEL_CGATE64_HI (19 << 3)
#define X86_SEL_TSS16 (20 << 3)
#define X86_SEL_TSS16_2 (21 << 3)
#define X86_SEL_TSS16_CPL3 ((22 << 3) + 3)
#define X86_SEL_TSS32 (23 << 3)
#define X86_SEL_TSS32_2 (24 << 3)
#define X86_SEL_TSS32_CPL3 ((25 << 3) + 3)
#define X86_SEL_TSS32_VM86 (26 << 3)
#define X86_SEL_TSS64 (27 << 3)
#define X86_SEL_TSS64_HI (28 << 3)
#define X86_SEL_TSS64_CPL3 ((29 << 3) + 3)
#define X86_SEL_TSS64_CPL3_HI (30 << 3)

/* MSR numbers used by the guest code. */
#define X86_MSR_IA32_FEATURE_CONTROL 0x3a
#define X86_MSR_IA32_VMX_BASIC 0x480
#define X86_MSR_IA32_SMBASE 0x9e
#define X86_MSR_IA32_SYSENTER_CS 0x174
#define X86_MSR_IA32_SYSENTER_ESP 0x175
#define X86_MSR_IA32_SYSENTER_EIP 0x176
#define X86_MSR_IA32_CR_PAT 0x277
#define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f
#define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d
#define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e
#define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f
#define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490
#define X86_MSR_IA32_EFER 0xc0000080
#define X86_MSR_IA32_STAR 0xC0000081
#define X86_MSR_IA32_LSTAR 0xC0000082
#define X86_MSR_FS_BASE 0xc0000100
#define X86_MSR_GS_BASE 0xc0000101
#define X86_MSR_VM_HSAVE_PA 0xc0010117
#define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B

/* RFLAGS, VMX execution-control bits and segment access-rights encodings. */
#define RFLAGS_1_BIT (1ULL << 1)
#define CPU_BASED_HLT_EXITING (1U << 7)
#define CPU_BASED_RDTSC_EXITING (1U << 12)
#define AR_TSS_AVAILABLE 0x0089
#define SVM_ATTR_LDTR_UNUSABLE 0x0000
#define VMX_AR_TSS_BUSY 0x008b
#define VMX_AR_TSS_AVAILABLE 0x0089
#define VMX_AR_LDTR_UNUSABLE 0x10000
#define VM_ENTRY_IA32E_MODE (1U << 9)
#define SECONDARY_EXEC_ENABLE_EPT (1U << 1)
#define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3)
#define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9)
#define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31)
#define VMX_ACCESS_RIGHTS_P (1 << 7)
#define VMX_ACCESS_RIGHTS_S (1 << 4)
#define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0)
#define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1)
#define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3)
#define VMX_ACCESS_RIGHTS_G (1 << 15)
#define VMX_ACCESS_RIGHTS_DB (1 << 14)
#define VMX_ACCESS_RIGHTS_L (1 << 13)
#define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB)
#define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L)

/* VMCS field encodings: control fields, read-only fields, host-state selectors. */
#define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000
#define VMCS_POSTED_INTR_NV 0x00000002
#define VMCS_MSR_BITMAP 0x00002004
#define VMCS_VMREAD_BITMAP 0x00002006
#define VMCS_VMWRITE_BITMAP 0x00002008
#define VMCS_EPT_POINTER 0x0000201a
#define VMCS_LINK_POINTER 0x00002800
#define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000
#define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002
#define VMCS_EXCEPTION_BITMAP 0x00004004
#define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006
#define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008
#define VMCS_CR3_TARGET_COUNT 0x0000400a
#define VMCS_VM_EXIT_CONTROLS 0x0000400c
#define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e
#define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010
#define VMCS_VM_ENTRY_CONTROLS 0x00004012
#define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014
#define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016
#define VMCS_TPR_THRESHOLD 0x0000401c
#define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e
#define VMCS_VM_INSTRUCTION_ERROR 0x00004400
#define VMCS_VM_EXIT_REASON 0x00004402
#define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e
#define VMCS_CR0_GUEST_HOST_MASK 0x00006000
#define VMCS_CR4_GUEST_HOST_MASK 0x00006002
#define VMCS_CR0_READ_SHADOW 0x00006004
#define VMCS_CR4_READ_SHADOW 0x00006006
#define VMCS_HOST_ES_SELECTOR 0x00000c00
#define VMCS_HOST_CS_SELECTOR 0x00000c02
#define VMCS_HOST_SS_SELECTOR 0x00000c04
#define VMCS_HOST_DS_SELECTOR 0x00000c06
#define VMCS_HOST_FS_SELECTOR 0x00000c08
#define VMCS_HOST_GS_SELECTOR 0x00000c0a
#define VMCS_HOST_TR_SELECTOR 0x00000c0c
#define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define 
VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 
0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } typedef enum { SYZOS_API_UEXIT = 0, 
SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE 
static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi 
call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu) { uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; if (cmd->call >= SYZOS_API_STOP) return; if (cmd->size > size) return; volatile uint64_t call = cmd->call; if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == 
SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit((uint64_t)-1); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; *ptr = exit_code; } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm 
volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE 
// Write the low 1/2/4 bytes of args[2] to I/O port args[0]; width args[1].
// Other widths are no-ops. (The GUEST_CODE qualifier for this definition
// sits at the end of the preceding line.)
static noinline void guest_handle_out_dx(struct api_call_3* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	uint32_t data = (uint32_t)cmd->args[2];
	if (size == 1) {
		asm volatile("outb %b0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 2) {
		asm volatile("outw %w0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 4) {
		asm volatile("outl %k0, %w1" ::"a"(data), "d"(port));
		return;
	}
}

// 64-bit IDT gate descriptor, in hardware layout (16 bytes, packed).
struct idt_entry_64 {
	uint16_t offset_low;
	uint16_t selector;
	uint8_t ist;
	uint8_t type_attr;
	uint16_t offset_mid;
	uint32_t offset_high;
	uint32_t reserved;
} __attribute__((packed));

// Install an interrupt gate for vector in the IDT at X86_SYZOS_ADDR_VAR_IDT,
// pointing at handler in the X86_SYZOS_SEL_CODE segment. type_attr 0x8E is
// present, DPL 0, 64-bit interrupt gate; IST 0 means no stack switch.
GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler)
{
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
	volatile struct idt_entry_64* idt_entry = &idt[vector];
	idt_entry->offset_low = (uint16_t)handler;
	idt_entry->offset_mid = (uint16_t)(handler >> 16);
	idt_entry->offset_high = (uint32_t)(handler >> 32);
	idt_entry->selector = X86_SYZOS_SEL_CODE;
	idt_entry->type_attr = 0x8E;
	idt_entry->ist = 0;
	idt_entry->reserved = 0;
}

// Point IDT vector args[0] at one of two built-in handlers selected by
// args[1]: 1 = dummy_null_handler, 2 = uexit_irq_handler. Any other type
// installs a gate whose handler address is 0. The vector is only truncated
// to uint8_t, not otherwise range-checked.
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
{
	uint8_t vector = (uint8_t)cmd->args[0];
	uint64_t type = cmd->args[1];
	volatile uint64_t handler_addr = 0;
	if (type == 1)
		handler_addr = executor_fn_guest_addr(dummy_null_handler);
	else if (type == 2)
		handler_addr = executor_fn_guest_addr(uexit_irq_handler);
	set_idt_gate(vector, handler_addr);
}

// Identify the CPU vendor from CPUID leaf 0: EBX holds the first four bytes
// of the vendor string ("Genu" = 0x756e6547, "Auth" = 0x68747541). Anything
// else asserts out to the host; the INTEL value returned after guest_uexit
// is only a fallback so the function has a return on every path.
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void)
{
	uint32_t ebx, eax = 0;
	asm volatile(
		"cpuid"
		: "+a"(eax), "=b"(ebx)
		:
		: "ecx", "edx");
	if (ebx == 0x756e6547) {
		return CPU_VENDOR_INTEL;
	} else if (ebx == 0x68747541) {
		return CPU_VENDOR_AMD;
	} else {
		guest_uexit(UEXIT_ASSERT);
		return CPU_VENDOR_INTEL;
	}
}

// Control-register accessors. Reads carry no "memory" clobber; write_cr4
// does not either, so callers must not rely on it as a compiler barrier.
GUEST_CODE static inline uint64_t read_cr0(void)
{
	uint64_t val;
	asm volatile("mov %%cr0, %0" : "=r"(val));
	return val;
}
GUEST_CODE static inline uint64_t read_cr3(void)
{
	uint64_t val;
	asm volatile("mov %%cr3, %0" : "=r"(val));
	return val;
}
GUEST_CODE static inline uint64_t read_cr4(void)
{
	uint64_t val;
	asm volatile("mov %%cr4, %0" : "=r"(val));
	return val;
}
GUEST_CODE static inline void write_cr4(uint64_t val)
{
	asm volatile("mov %0, %%cr4" : : "r"(val));
}

// VMWRITE field := value on the current VMCS. setna captures CF|ZF
// (VMfailInvalid / VMfailValid); any failure asserts out to the host.
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value)
{
	uint8_t error = 0;
	asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory");
	if (error)
		guest_uexit(UEXIT_ASSERT);
}

// VMREAD field from the current VMCS. Unlike vmwrite(), the failure flags are
// not checked, so an invalid field returns an unspecified value rather than
// exiting; callers that pass fuzzer-chosen fields get no error signal.
GUEST_CODE static noinline uint64_t vmread(uint64_t field)
{
	uint64_t value;
	asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc");
	return value;
}

// Make the VMCS of (cpu_id, vm_id) the current VMCS; exits with 0xE2BAD2 on
// VMPTRLD failure.
GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc");
	if (error)
		guest_uexit(0xE2BAD2);
}

// Raw 16/32/64-bit accessors into an SVM VMCB at address vmcb + offset.
// offset is a uint16_t, so any caller-supplied offset is truncated to the
// 64 KiB window above vmcb. Note the inconsistency: vmcb_read64 takes a
// pointer where every other helper takes an integer address.
GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val)
{
	*((volatile uint16_t*)(vmcb + offset)) = val;
}
GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val)
{
	*((volatile uint32_t*)(vmcb + offset)) = val;
}
GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset)
{
	return *((volatile uint32_t*)(vmcb + offset));
}
GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val)
{
	*((volatile uint64_t*)(vmcb + offset)) = val;
}
GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset)
{
	return *((volatile uint64_t*)(vmcb + offset));
}

// Byte-loop memset/memcpy for guest code: volatile stores, presumably so the
// compiler cannot replace the loop with a libc call that does not exist in
// the guest image. size is a plain int; callers pass page-sized counts.
GUEST_CODE static void guest_memset(void* s, uint8_t c, int size)
{
	volatile uint8_t* p = (volatile uint8_t*)s;
	for (int i = 0; i < size; i++)
		p[i] = c;
}
GUEST_CODE static void guest_memcpy(void* dst, void* src, int size)
{
	volatile uint8_t* d = (volatile uint8_t*)dst;
	volatile uint8_t* s = (volatile uint8_t*)src;
	for (int i = 0; i < size; i++)
		d[i] = s[i];
}
// Enter VMX root operation on this vCPU: set CR4.VMXE, make sure
// IA32_FEATURE_CONTROL permits VMXON (bit 0 = lock, bit 2 = VMXON outside
// SMX; written only while the MSR is still unlocked), stamp the VMXON region
// at X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id) with the revision id from
// IA32_VMX_BASIC, then execute VMXON. Failure exits with 0xE2BAD0.
// NOTE(review): the FEATURE_CONTROL write is open-coded with an "A"
// constraint instead of the wrmsr() helper used everywhere else — presumably
// deliberate, but the helper would be clearer and avoids the "A"/"d"
// register-pair subtlety on x86-64.
GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id)
{
	uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
	uint64_t cr4 = read_cr4();
	cr4 |= X86_CR4_VMXE;
	write_cr4(cr4);
	uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL);
	if ((feature_control & 1) == 0) {
		feature_control |= 0b101;
		asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control));
	}
	*(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
	uint8_t error;
	asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc");
	if (error) {
		guest_uexit(0xE2BAD0);
		return;
	}
}

// Enable SVM on this vCPU: set EFER.SVME and point VM_HSAVE_PA at the
// per-CPU host save area (the same X86_SYZOS_ADDR_VM_ARCH_SPECIFIC page the
// Intel path uses as its VMXON region).
GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id)
{
	uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
	uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
	efer |= X86_EFER_SVME;
	wrmsr(X86_MSR_IA32_EFER, efer);
	wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr);
}

// Vendor dispatch for the ENABLE_NESTED command; cmd is not used.
GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_enable_vmx_intel(cpu_id);
	} else {
		nested_enable_svm_amd(cpu_id);
	}
}

// Build the second-stage page table (EPT on Intel, NPT on AMD) for L2 at
// X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id): four consecutive pages holding
// PML4 / PDPT / PD / PT, each first entry chaining to the next level, and the
// PT identity-mapping the first 512 pages of guest-physical space as
// present/RW/user. Leaf bits are vendor-specific: EPT memtype WB plus
// accessed/dirty on Intel, A/D bits on AMD. The VM's MSR bitmap page is
// zeroed here as well.
GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	uint64_t l2_pdpt_addr = l2_pml4_addr + KVM_PAGE_SIZE;
	uint64_t l2_pd_addr = l2_pml4_addr + 2 * KVM_PAGE_SIZE;
	uint64_t l2_pt_addr = l2_pml4_addr + 3 * KVM_PAGE_SIZE;
	volatile uint64_t* pml4 = (volatile uint64_t*)l2_pml4_addr;
	volatile uint64_t* pdpt = (volatile uint64_t*)l2_pdpt_addr;
	volatile uint64_t* pd = (volatile uint64_t*)l2_pd_addr;
	volatile uint64_t* pt = (volatile uint64_t*)l2_pt_addr;
	guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_pdpt_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_pd_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_pt_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id), 0, KVM_PAGE_SIZE);
	uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
	pml4[0] = l2_pdpt_addr | flags;
	pdpt[0] = l2_pd_addr | flags;
	pd[0] = l2_pt_addr | flags;
	uint64_t pt_flags = flags;
	if (vendor == CPU_VENDOR_INTEL) {
		pt_flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY;
	} else {
		pt_flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY;
	}
	// Identity map: page i -> guest-physical i * KVM_PAGE_SIZE.
	for (int i = 0; i < 512; i++)
		pt[i] = (i * KVM_PAGE_SIZE) | pt_flags;
}

// Program the VMCS execution/exit/entry controls. For each control the low
// 32 bits of the corresponding capability MSR (the allowed-0 settings) are
// taken as the base and the wanted bits are ORed on top: EPT + RDTSCP in the
// secondary controls, secondary-controls activation plus HLT and RDTSC
// exiting in the primary controls, 64-bit host on exit, IA-32e guest on
// entry. EPTP = page-table base | memtype 6 (WB) | (3 << 3) (4-level walk).
// Exception bitmap bit 6 intercepts #UD. Everything else is zeroed or
// neutralised. VMCS_MSR_BITMAP is written as 0 and the MSR-bitmap control bit
// is not set, so the bitmap page zeroed by setup_l2_page_tables() appears to
// be unused by this VMCS — confirm that is intended.
GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS);
	vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
	vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2);
	vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP;
	vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr);
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS);
	vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
	vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING;
	vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS);
	vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE);
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS);
	vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE);
	uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3);
	vmwrite(VMCS_EPT_POINTER, eptp);
	vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0);
	vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0);
	vmwrite(VMCS_CR0_READ_SHADOW, read_cr0());
	vmwrite(VMCS_CR4_READ_SHADOW, read_cr4());
	vmwrite(VMCS_MSR_BITMAP, 0);
	vmwrite(VMCS_VMREAD_BITMAP, 0);
	vmwrite(VMCS_VMWRITE_BITMAP, 0);
	vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6));
	vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0);
	vmwrite(VMCS_POSTED_INTR_NV, 0);
	vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0);
	vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1);
	vmwrite(VMCS_CR3_TARGET_COUNT, 0);
	vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0);
	vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0);
	vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0);
	vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0);
	vmwrite(VMCS_TPR_THRESHOLD, 0);
}

// Vendor-neutral L2 exit reasons reported to the host (see guest_uexit_l2);
// UNKNOWN makes the reporter fall back to the raw vendor exit code.
typedef enum {
	SYZOS_NESTED_EXIT_REASON_HLT = 1,
	SYZOS_NESTED_EXIT_REASON_INVD = 2,
	SYZOS_NESTED_EXIT_REASON_CPUID = 3,
	SYZOS_NESTED_EXIT_REASON_RDTSC = 4,
	SYZOS_NESTED_EXIT_REASON_RDTSCP = 5,
	SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF,
} syz_nested_exit_reason;

// Report an L2 exit to the host: 0xe2e20000 | mapped for known reasons,
// otherwise 0xe2110000 | exit_reason (Intel) or 0xe2aa0000 | exit_reason
// (AMD). The raw exit_reason is ORed in unmasked; on Intel the caller passes
// the full exit-reason field, so bits above 15 can overlap the tag.
GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor)
{
	if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) {
		guest_uexit(0xe2e20000 | mapped_reason);
	} else if (vendor == CPU_VENDOR_INTEL) {
		guest_uexit(0xe2110000 | exit_reason);
	} else {
		guest_uexit(0xe2aa0000 | exit_reason);
	}
}

// Intel basic exit reasons recognised by the handlers below.
#define EXIT_REASON_CPUID 0xa
#define EXIT_REASON_HLT 0xc
#define EXIT_REASON_INVD 0xd
#define EXIT_REASON_RDTSC 0x10
#define EXIT_REASON_RDTSCP 0x33

// Map an Intel basic exit reason onto the vendor-neutral enum; anything not
// listed is UNKNOWN. volatile if-chain, same rationale as guest_handle_wr_crn.
GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	if (reason == EXIT_REASON_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == EXIT_REASON_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == EXIT_REASON_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == EXIT_REASON_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == EXIT_REASON_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Step the L2 RIP past the instruction that caused the exit: INVD/CPUID/RDTSC
// are 2-byte encodings, RDTSCP is 3 bytes. HLT and unknown reasons leave RIP
// unchanged, so a later resume would re-execute them.
GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	uint64_t rip = vmread(VMCS_GUEST_RIP);
	if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) {
		rip += 2;
	} else if (reason == EXIT_REASON_RDTSCP) {
		rip += 3;
	}
	vmwrite(VMCS_GUEST_RIP, rip);
}

// C half of the Intel VM-exit path, called by name from the asm stub
// nested_vm_exit_handler_intel_asm (hence __attribute__((used))). regs points
// at the register frame the stub pushed; it is not used here. The body
// continues on the next line of this file.
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs)
{
	uint64_t basic_reason = exit_reason & 0xFFFF;
	syz_nested_exit_reason mapped_reason = 
map_intel_exit_reason(basic_reason);
	// Report first, then adjust RIP so a subsequent VMRESUME continues past
	// the exiting instruction.
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
	advance_l2_rip_intel(basic_reason);
}

// Label defined inside guest_handle_nested_vmentry_intel's inline asm;
// declared here so the exit stub below can jump to it.
extern char after_vmentry_label;

// Host-RIP entry point for Intel VM exits (installed by init_vmcs_host_state).
// Saves the 15 GPRs L2 left behind, passes rdi = VM-exit reason (vmread) and
// rsi = the saved frame to nested_vm_exit_handler_intel, then discards the
// frame and jumps to after_vmentry_label. NOTE(review): the frame is dropped
// with the add, never popped, so L1 resumes with L2's register contents
// except rsp/rip; rsp itself comes from the host-RSP value captured inside
// init_vmcs_host_state's own (since-returned) frame. This presumably works
// because the jump target is __optnone and only reads fail_flag — confirm.
// In this rendering the asm text is collapsed onto one line; the real source
// has one instruction per line.
__attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void)
{
	asm volatile(R"( push %%rax push %%rbx push %%rcx push %%rdx push %%rsi push %%rdi push %%rbp push %%r8 push %%r9 push %%r10 push %%r11 push %%r12 push %%r13 push %%r14 push %%r15 mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[stack_cleanup_size], %%rsp jmp after_vmentry_label )"
		     :
		     : [stack_cleanup_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON)
		     : "memory", "cc", "rbx", "rdi", "rsi");
}

// AMD VMEXIT codes recognised by the handlers below.
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_RDTSCP 0x87

// Map an AMD exit code onto the vendor-neutral enum; unlisted codes are
// UNKNOWN.
GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	if (reason == VMEXIT_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == VMEXIT_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == VMEXIT_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == VMEXIT_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == VMEXIT_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// AMD counterpart of advance_l2_rip_intel, operating on the VMCB's guest RIP
// instead of a VMCS field. Same instruction lengths; HLT is not advanced.
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t reason = basic_reason;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
	if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
		rip += 2;
	} else if (reason == VMEXIT_RDTSCP) {
		rip += 3;
	}
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

// AMD VM-exit handler, called from guest_run_amd_vm once VMRUN returns (no
// asm stub is needed on SVM since execution resumes after VMRUN). Reports the
// exit and advances the L2 RIP.
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t basic_reason = exit_reason & 0xFFFF;
	syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
	advance_l2_rip_amd(basic_reason, cpu_id, vm_id);
}

// Fill the VMCS host-state area with L1's current state so a VM exit lands
// back in this guest OS: selectors from the syzos GDT, TR/GDTR/IDTR bases,
// FS/GS bases, CR0/3/4, PAT/EFER/PERF_GLOBAL_CTRL/SYSENTER MSRs, host RIP =
// the asm exit stub, host RSP = this function's stack pointer at the moment
// of the read (see the note on nested_vm_exit_handler_intel_asm).
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
	vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
	vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
	vmwrite(VMCS_HOST_TR_BASE, 0);
	vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
	vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
	vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
	vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
	uint64_t tmpreg = 0;
	asm volatile("mov %%rsp, %0" : "=r"(tmpreg));
	vmwrite(VMCS_HOST_RSP, tmpreg);
	vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
	vmwrite(VMCS_HOST_CR0, read_cr0());
	vmwrite(VMCS_HOST_CR3, read_cr3());
	vmwrite(VMCS_HOST_CR4, read_cr4());
	vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
	vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
	vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
	vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
	vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
	vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

// Helpers for init_vmcs_guest_state: copy a host VMCS field into its guest
// counterpart, and program the four VMCS fields of one guest segment
// register (selector, base, limit, access rights).
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

// Fill the VMCS guest-state area: L2 starts in 64-bit mode with the same flat
// segments, CR0/3/4, EFER/PAT/PERF/SYSENTER state and descriptor tables as
// L1 (read back from the host fields just written), RIP at the VM's code
// page, RSP eight bytes below the top of its stack page, RFLAGS = the
// always-set bit only, DR7 = 0x400, no VMCS shadowing (link pointer all
// ones), active state, nothing pending. Continues on the next line.
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
	SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
	SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
	vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
	vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
	vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
	vmwrite(VMCS_GUEST_RIP, l2_code_addr);
	vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT);
	vmwrite(VMCS_GUEST_DR7, 0x400);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
	vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
	vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
	vmwr[...]
vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); 
SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, VMX_AR_TSS_AVAILABLE); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_DEBUGCTL, 0); vmcb_write64(vmcb_addr, VMCB_GUEST_DR6, 0x0); vmcb_write64(vmcb_addr, VMCB_GUEST_DR7, 0x0); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, efer & ~X86_EFER_SCE); vmcb_write64(vmcb_addr, VMCB_GUEST_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, 
vm_id); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_addr, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline __optnone void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { uint64_t vmx_error_code = 0; uint8_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); if (is_launch) { asm volatile(R"( vmlaunch setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory"); } else { asm volatile(R"( vmresume setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory"); } asm volatile(".globl after_vmentry_label\nafter_vmentry_label:"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile uint8_t* vmcb_ptr = 
(volatile uint8_t*)vmcb_addr; uint8_t fail_flag = 0; asm volatile( "mov %1, %%rax\n\t" "vmrun\n\t" "setc %0\n\t" : "=q"(fail_flag) : "m"(vmcb_addr) : "rax", "cc", "memory"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } uint64_t exit_reason = vmcb_read64(vmcb_ptr, VMCB_EXIT_CODE); nested_vm_exit_handler_amd(exit_reason, cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; 
vmcb_write64(vmcb_addr, offset, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t linear_addr = cmd->args[0]; uint32_t asid = (uint32_t)cmd->args[1]; asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_stgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("stgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_clgi() { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; asm volatile("clgi" ::: "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t vector = cmd->args[1] & 0xFF; uint64_t type = cmd->args[2] & 0x7; uint64_t error_code = cmd->args[3] & 0xFFFFFFFF; uint64_t flags = cmd->args[4]; uint64_t event_inj = vector; event_inj |= (type << 8); if (flags & 2) event_inj |= (1ULL << 11); if (flags & 1) event_inj |= (1ULL << 31); event_inj |= (error_code << 32); vmcb_write64(vmcb_addr, 0x60, event_inj); } GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if (action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = 
cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = 
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint16_t reserved3; uint16_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = X86_MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = X86_MSR_IA32_SYSENTER_ESP; entries[1].data = X86_ADDR_STACK0; entries[2].index = X86_MSR_IA32_SYSENTER_EIP; entries[2].data = X86_ADDR_VAR_SYSEXIT; entries[3].index = X86_MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = X86_MSR_IA32_LSTAR; entries[4].data = X86_ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = 
(uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 
14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 48, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, }; struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; }; #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)((uint64_t)vm->host_mem + sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = 
(uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static void map_4k_page(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)(host_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = (uint64_t*)(host_mem + (pml4[pml4_idx] & PAGE_MASK)); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = (uint64_t*)(host_mem + (pdpt[pdpt_idx] & PAGE_MASK)); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = (uint64_t*)(host_mem + (pd[pd_idx] & PAGE_MASK)); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(host_mem, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; uint64_t host_mem = (uint64_t)vm->gpa0_mem; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + 32 * KVM_PAGE_SIZE}; for (uint64_t i = 0; i < (alloc.last_page - alloc.next_page); i += KVM_PAGE_SIZE) memset((void*)(host_mem + alloc.next_page + i), 0, KVM_PAGE_SIZE); for (size_t i = 0; i < sizeof(syzos_mem_regions) / 
sizeof(syzos_mem_regions[0]); i++) total -= map_4k_region(host_mem, &alloc, syzos_mem_regions[i].gpa, syzos_mem_regions[i].pages); map_4k_region(host_mem, &alloc, X86_SYZOS_ADDR_UNUSED, total); } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = 0, .base_mid = 0, .access = 0x89, .limit_high_and_flags = 0x00, .base_high = 0}; } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)((uint64_t)vm->host_mem + sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct 
kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)((uint64_t)vm->host_mem + X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); setup_pg_table(vm); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = 
text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; 
seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct 
kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; 
host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags 
& KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = 
X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; 
tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) 
| (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, 
&seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = executor_fn_guest_addr(guest_main); regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = text_size; regs.rsi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd); setup_cpuid(cpufd); reset_cpu_regs(cpufd, cpu_id, text_size); } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); 
memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; struct addr_size next = alloc_guest_mem(&allocator, r->pages * KVM_PAGE_SIZE); uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); } struct addr_size next = alloc_guest_mem(&allocator, allocator.size); vm_set_user_memory_region(vmfd, slot++, 0, X86_SYZOS_ADDR_UNUSED, next.size, (uintptr_t)next.addr); } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, 
text_size);
	return cpufd;
}

static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();

/*
 * Build a private root for the test process and switch into it:
 *   ./syz-tmp            - fresh tmpfs
 *   ./syz-tmp/newroot    - the new root, with /dev, /proc (a new proc
 *                          instance), /selinux or /sys/fs/selinux, /sys,
 *                          debugfs, smackfs, binfmt_misc and /syz-inputs
 *                          bind-mounted in (MS_BIND|MS_REC|MS_PRIVATE)
 *   ./syz-tmp/pivot      - old root parking spot for pivot_root
 * Mounts whose source does not exist (ENOENT) are skipped; every other
 * failure is fatal.  After pivot_root (or a chdir fallback if it fails) the
 * process chroots into newroot and mounts the pseudo-filesystems the tests
 * use (gadgetfs, binderfs, fusectl).
 *
 * NOTE(review): /syz-inputs is bound with MS_BIND|MS_RDONLY in a single
 * mount(2) call.  On mainline kernels mount(2) ignores MS_RDONLY when
 * creating a bind mount; making it read-only takes a second
 * MS_REMOUNT|MS_BIND|MS_RDONLY call.  Confirm the inputs mount is really
 * read-only on the target kernel if that is relied upon.
 */
static void sandbox_common_mount_tmpfs(void)
{
	write_file("/proc/sys/fs/mount-max", "100000");
	if (mkdir("./syz-tmp", 0777))
		exit(1);
	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot", 0777))
		exit(1);
	if (mkdir("./syz-tmp/newroot/dev", 0700))
		exit(1);
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/proc", 0700))
		exit(1);
	if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/selinux", 0700))
		exit(1);
	/* Older systems expose selinuxfs at /selinux, newer ones under /sys/fs. */
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			exit(1);
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			exit(1);
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		exit(1);
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		exit(1);
	if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
		exit(1);
	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/pivot", 0777))
		exit(1);
	/* pivot_root may be refused (e.g. inside some containers); then we only
	 * chdir into the tmpfs and rely on the chroot below. */
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		if (chdir("./syz-tmp"))
			exit(1);
	} else {
		if (chdir("/"))
			exit(1);
		if (umount2("./pivot", MNT_DETACH))
			exit(1);
	}
	if (chroot("./newroot"))
		exit(1);
	if (chdir("/"))
		exit(1);
	setup_gadgetfs();
setup_binderfs();
	setup_fusectl();
}

/* Best-effort mounts of the pseudo-filesystems some tests need.  Failures
 * (missing kernel support, already mounted) are intentionally ignored. */
static void setup_gadgetfs()
{
	if (mkdir("/dev/gadgetfs", 0777)) {
	}
	if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
	}
}

static void setup_fusectl()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void setup_binderfs()
{
	if (mkdir("/dev/binderfs", 0777)) {
	}
	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
	}
}

static void loop();

/*
 * Per-sandbox process setup shared by the sandbox flavours:
 *  - die with the parent (PR_SET_PDEATHSIG); the getppid()==1 check
 *    presumably closes the window where the parent died before the prctl;
 *  - park an fd for the current (initial) net namespace at kInitNetNsFd;
 *  - clamp resource limits so a test cannot exhaust the machine;
 *  - move into fresh mount/IPC/cgroup/UTS namespaces and detach SysV sem
 *    undo state, all best-effort (unshare errors are ignored);
 *  - make "/" a private mount so later mounts never propagate to the host;
 *  - raise the SysV IPC sysctls the tests expect.
 *
 * NOTE(review): 0x02000000 is presumably CLONE_NEWCGROUP written numerically
 * for old libc headers - confirm.  If unshare(CLONE_NEWNS) fails the
 * MS_PRIVATE remount below is applied to the host's root mount instead.
 */
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	if (getppid() == 1)
		exit(1);
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Parent side of the sandbox fork: reap children until `pid` (the loop
 * process) exits and return its exit status.  A failed fork (pid < 0) is
 * fatal.  Other children reaped on the way are discarded.
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/* drop_caps() starts here and continues on the next line of the file. */
static
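void drop_caps(void)
{
	/*
	 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from this process's effective,
	 * permitted and inheritable sets using raw capget/capset with a v3
	 * header.  Both capability numbers are below 32, so only cap_data[0]
	 * needs editing.  Any failure is fatal.
	 *
	 * NOTE(review): the bounding set is not touched, so an execve of a
	 * setuid-root or file-capability binary can regain these capabilities;
	 * prctl(PR_CAPBSET_DROP) would be needed to make the drop stick across
	 * exec.  Confirm that is acceptable for this sandbox flavour.
	 */
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * "none" sandbox: the child runs as whatever user we already are, only
 * inside fresh namespaces.  Parent: unshare a pid namespace (best effort),
 * fork, and wait for the child.  Child: common namespace/rlimit setup, drop
 * the two capabilities above, create network devices, enter a new net
 * namespace, open ping sockets to everyone, build the private root and run
 * loop() forever.  exit(1) is only reached if loop() returns.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	initialize_netdevices_init();
	if (unshare(CLONE_NEWNET)) {
	}
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	initialize_netdevices();
	sandbox_common_mount_tmpfs();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir` after a test run: unmount whatever is stacked on
 * it and on its entries, unlink every entry, recurse into subdirectories
 * (symlinks are unlinked, not followed - see the lstat), then rmdir.  A test
 * may have made entries immutable/append-only, so EPERM on unlink/rmdir is
 * answered by opening the object and clearing its inode flags
 * (FS_IOC_SETFLAGS with 0) before retrying.  EROFS is tolerated and leaves
 * the entry; anything else unrecoverable is fatal (exit(1)).
 *
 * Changes relative to the plain open(O_RDONLY) version:
 *  - the flag-reset open uses O_NOFOLLOW (never strip flags from whatever a
 *    planted symlink points at) plus O_NONBLOCK|O_NOCTTY (a FIFO or tty node
 *    left behind can neither block the cleanup nor become our controlling
 *    terminal); the directory open adds O_DIRECTORY;
 *  - errno from the failed unlink/rmdir is saved before open() can clobber
 *    it, so the EROFS/EBUSY/ENOTEMPTY decisions see the right value;
 *  - the EPERM retry is bounded like the EBUSY retry, so a directory whose
 *    immutable flag cannot be cleared no longer spins forever;
 *  - a truncated "dir/name" is fatal instead of acting on whatever the
 *    truncated path happens to name.
 *
 * NOTE(review): each recursion level keeps a FILENAME_MAX buffer on the
 * stack and the loop process runs under the 1 MiB RLIMIT_STACK set in
 * sandbox_common(), so a few hundred levels of nested directories left by a
 * test would overflow the stack here - confirm that is tolerated.
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
	/* Peel off every mount stacked on the directory itself. */
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL)
		exit(1);
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		int n = snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		if (n < 0 || (size_t)n >= sizeof(filename))
			exit(1);
		while (umount2(filename, umount_flags) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			int unlink_errno = errno;
			if (unlink_errno == EPERM) {
				/* Try to clear FS_IMMUTABLE_FL/FS_APPEND_FL, then retry. */
				int fd = open(filename, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					if (i <= 100)
						continue;
				}
			}
			if (unlink_errno == EROFS)
				break;
			if (unlink_errno != EBUSY || i > 100)
				exit(1);
			/* EBUSY: something is still mounted on it; unmount and retry. */
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		int rmdir_errno = errno;
		if (i < 100) {
			if (rmdir_errno == EPERM) {
				int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (rmdir_errno == EROFS)
				break;
			if (rmdir_errno == EBUSY) {
				if (umount2(dir, umount_flags))
					exit(1);
				continue;
			}
			/* New entries appeared (e.g. a mount we just removed exposed
			 * them): rescan from the top, at most 100 times. */
			if (rmdir_errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/*
 * Arm the kernel's systematic fault injection for the calling thread so that
 * the nth eligible call site fails.  Returns the still-open fail-nth fd; the
 * caller in this file ignores it (the test child exits shortly after).
 */
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

/*
 * SIGKILL the test's process group and the test itself, then reap it.  If
 * it has not been reaped after ~100 ms, write to every
 * /sys/fs/fuse/connections/<id>/abort (presumably a process blocked in a
 * FUSE request cannot die until its connection is aborted; the byte written
 * is just the first character of the path buffer - any write triggers the
 * abort), then wait indefinitely.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* Detach whatever backing file the previous test attached to this
 * executor's loop device (/dev/loop<procid>); best effort. */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/*
 * Per-test child setup: die with the parent, become a process group leader
 * (so kill_and_wait can kill the whole group), make ourselves the OOM
 * killer's first choice, and expose /dev/binderfs under the test cwd.
 */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

/*
 * Check that fault injection is usable and relax its debugfs knobs.  Returns
 * NULL on success or a static error string; only the failslab knob is
 * fatal, the others are optional.
 */
static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},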
{"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				return "failed to write fault injection file";
		}
	}
	return NULL;
}

/* Smallest read buffer syz_fuse_handle_req accepts for /dev/fuse reads;
 * presumably mirrors the kernel's FUSE_MIN_READ_BUFFER - confirm. */
#define FUSE_MIN_READ_BUFFER 8192

/* FUSE request opcodes as they appear in fuse_in_header.opcode.  The
 * *_BSWAP_RESERVED values are the byte-swapped forms of the INIT opcodes. */
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	FUSE_SYNCFS = 50,
	FUSE_TMPFILE = 51,
	FUSE_STATX = 52,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header the kernel prefixes to every request read from /dev/fuse. */
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

/* Header of every reply written to /dev/fuse; `unique` must echo the
 * request's, `len` covers header plus payload. */
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

/* Fuzzer-supplied table of canned replies, one per request class.  Each
 * pointer is a fuse_out_header followed by that reply's payload; NULL means
 * "no reply for this request". */
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct
fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
	struct fuse_out_header* statx;
};

/*
 * Stamp the request's `unique` id into the canned reply and write it to the
 * FUSE fd.  Returns -1 for a NULL reply or a failed write, 0 otherwise.
 * The write length is out_hdr->len exactly as supplied by the fuzzer - it is
 * not checked against the size of the object behind out_hdr (by design:
 * the reply tables are fuzzer input).
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/*
 * Pseudo-syscall: read one request from FUSE fd a0 into the buffer a1 of
 * length a2 and answer it from the reply table a3.  Rejects a NULL table, a
 * buffer smaller than FUSE_MIN_READ_BUFFER, a short read that does not even
 * cover fuse_in_header, and a header whose len claims more than was read.
 * Requests are mapped to reply slots by opcode; FORGET/BATCH_FORGET get no
 * reply (the protocol has none) and unknown opcodes return -1.
 *
 * NOTE(review): the "no payload" group (RMDIR ... DESTROY) reuses the `init`
 * reply and overwrites its len field to sizeof(fuse_out_header) in place, so
 * a FUSE_INIT handled afterwards would be answered with a header-only reply.
 * Presumably INIT always comes first in practice - confirm.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/* Header-only reply, borrowed from the init slot. */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		/* No reply exists for forgets. */
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	case FUSE_STATX:
		out_hdr = req_out->statx;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

/* mac80211_hwsim generic-netlink attribute ids used below. */
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
/* Upper bound on an injected 802.11 frame, enforced by syz_80211_inject_frame. */
#define WIFI_MAX_INJECT_LEN 2048

/* Send HWSIM_CMD_REGISTER so this socket becomes hwsim's userspace frame
 * endpoint.  Returns the netlink_send_ext result (<0 on error). */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

/*
 * Deliver `data` (len bytes) as a received frame to the hwsim radio with
 * MAC `mac_addr`: HWSIM_CMD_FRAME carrying a default rx rate and signal,
 * the receiver address and the raw frame.  Returns <0 on send error.
 */
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

/*
 * Pseudo-syscall: inject the 802.11 frame at a1 (a2 bytes, 0..2048) into
 * the hwsim radio whose MAC is at a0.  Opens its own NETLINK_GENERIC
 * socket, resolves the MAC80211_HWSIM family, registers, injects, and
 * always closes the socket.  Returns 0 on success, -1 on any failure.
 * The MAC buffer is read for ETH_ALEN bytes without further validation.
 */
static long
syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
	if (hwsim_family_id < 0) {
		close(sock);
		return -1;
	}
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32
/* Join modes: fixed frequency and wait for the link to come up; background
 * scan; or fixed frequency without waiting. */
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

/*
 * Pseudo-syscall: join interface a0 to the IBSS with SSID a1 (a2 bytes,
 * 0..32) using mode a3.  The BSSID and frequency are the fixed defaults;
 * the frequency is pinned for the two NO_SCAN modes.  In NO_SCAN mode the
 * call also blocks until the interface reports IF_OPER_UP.  Returns 0 on
 * success, -1 on bad arguments or any netlink failure.
 */
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
	if (nl80211_family_id < 0) {
		close(sock);
		return -1;
	}
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}
#define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 
60; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			/* Skip workers still busy with an earlier (timed-out) call. */
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			/* Call 1 is asynchronous: dispatch and move on without waiting. */
			if (call == 1)
				break;
			/* 50 ms base timeout plus per-call extras for slow calls. */
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 3000 : 0) + (call == 53 ? 3000 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0) + (call == 56 ? 300 : 0) + (call == 57 ? 3000 : 0) + (call == 58 ? 300 : 0));
			break;
		}
	}
	/* Let in-flight calls finish, but at most ~100 ms. */
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

/*
 * Main executor loop: forever, create ./<iter>, reset the loop device, fork
 * a test child that chdirs there, runs setup_test() + execute_one() and
 * exits 0.  The parent polls every 10 ms for up to 5 s, then
 * kill_and_wait()s the child, and finally removes the iteration directory.
 * cwdbuf is 32 bytes, ample for "./" plus any int.
 */
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/* Resource values produced by earlier calls and consumed by later ones
 * (e.g. r[0] is the fd from call 2).  0xffff...ffff marks "not yet set";
 * entries that are never assigned by any call stay at their initial value. */
uint64_t r[37] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/*
 * The generated program: one case per call, each writing its arguments
 * into the fixed mmap'd data area at 0x200000000000 and issuing the
 * syscall (or pseudo-syscall).  Call 0 arms fault injection for its own
 * thread before the ioctl.  The function continues past the end of this
 * excerpt.
 */
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		*(uint32_t*)0x200000000000 = 0x4006;
		*(uint32_t*)0x200000000004 = 0xd;
		*(uint32_t*)0x200000000008 = 2;
		*(uint32_t*)0x20000000000c = 8;
		inject_fault(1);
		syscall(__NR_ioctl,
/*fd=*/(intptr_t)-1, /*cmd=*/0x80044945, /*arg=*/0x200000000000ul); break; case 1: *(uint32_t*)0x200000000040 = 0; *(uint32_t*)0x200000000044 = 1; *(uint32_t*)0x200000000048 = 4; *(uint32_t*)0x20000000004c = 2; *(uint32_t*)0x200000000050 = 5; *(uint32_t*)0x200000000054 = 0x81; *(uint32_t*)0x200000000058 = 0; memcpy((void*)0x20000000005c, "id1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); memcpy((void*)0x20000000009c, "timer0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 80); *(uint64_t*)0x2000000000f0 = 0; *(uint64_t*)0x2000000000f8 = 6; *(uint64_t*)0x200000000100 = 3; *(uint64_t*)0x200000000108 = 0x70a; *(uint32_t*)0x200000000110 = 9; memset((void*)0x200000000114, 0, 32); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0f85403, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000140, "/dev/ircomm#\000", 13); res = -1; res = syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); for (int i = 0; i < 4; i++) { syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); } if (res != -1) r[0] = res; break; case 3: *(uint32_t*)0x200000000340 = 0x82; *(uint32_t*)0x200000000344 = 8; *(uint64_t*)0x200000000348 = 0x200000000280; *(uint32_t*)0x200000000280 = 1; *(uint64_t*)0x200000000284 = 0; *(uint32_t*)0x20000000028c = 0xc0; *(uint64_t*)0x200000000290 = 0x200000000180; memcpy((void*)0x200000000180, 
"\x5b\x58\xac\x0e\xd1\xd2\x7b\x21\x7d\x3f\xdc\x62\x99\xcd\xde\x4d\x85\x32\x1f\x7b\xba\xa0\x64\xd3\x61\x51\x9c\xdd\xe4\x3b\x22\x5c\xf0\x06\x58\xdd\xbf\xbd\x91\x4c\xf7\x9e\xce\xb3\x48\xf1\x86\x92\x31\x5c\x3c\x69\xec\x14\x8e\x2d\xd9\x28\xac\x7e\xe6\x2f\x51\x11\xb9\xdc\xca\xca\x88\x52\x49\x12\x34\x19\x55\xf7\x9b\x0f\x22\x06\xb8\x0e\x6e\x5a\x7e\x68\x1a\x62\x96\x94\xa3\x4f\x9b\x0e\x39\x87\x7e\xef\xde\x60\xa0\x68\xcd\xc4\x45\x45\xd6\xfe\x45\xd0\x00\x0c\x99\x61\xa1\xff\x16\x87\x47\x44\x7e\x34\x6b\x16\x46\x08\x75\xc6\x91\xde\x11\x83\xb2\xd7\xb0\x32\xcf\xae\x85\x49\x7d\x0d\x88\x48\xd4\xba\xa9\xad\xc6\xca\xac\xcd\x9a\xf6\x01\x9e\xa2\xba\x6f\x3b\x4e\x60\x18\xdf\x94\xca\xca\xbe\xdd\xec\x7b\x60\x02\x30\xea\x77\x90\x01\x93\x99\xd0\xbe\xb6\x1f\x42\x7d\xf8\x35\x9c\xc3\x48\x93", 192); *(uint64_t*)0x200000000298 = 0; *(uint32_t*)0x2000000002a0 = 0; *(uint64_t*)0x2000000002a4 = 0x200000000240; *(uint32_t*)0x2000000002ac = 0x10000; *(uint32_t*)0x2000000002b0 = 0; *(uint64_t*)0x2000000002b4 = 0; *(uint32_t*)0x2000000002bc = 0x81; *(uint32_t*)0x2000000002c0 = 0xe; *(uint64_t*)0x200000000350 = 0x200000000300; *(uint32_t*)0x200000000358 = 0x44; *(uint32_t*)0x20000000035c = 0xc; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0206440, /*arg=*/0x200000000340ul); if (res != -1) r[1] = *(uint64_t*)0x200000000300; break; case 4: *(uint32_t*)0x200000000400 = 0x81; *(uint32_t*)0x200000000404 = 4; *(uint64_t*)0x200000000408 = 0x200000000380; *(uint64_t*)0x200000000380 = r[1]; *(uint64_t*)0x200000000410 = 0x2000000003c0; *(uint32_t*)0x200000000418 = 8; *(uint32_t*)0x20000000041c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000400ul); break; case 5: *(uint32_t*)0x200000000440 = 3; *(uint32_t*)0x200000000444 = 6; STORE_BY_BITMASK(uint32_t, , 0x200000000448, 1, 0, 1); memcpy((void*)0x200000000449, 
"queue1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); *(uint32_t*)0x20000000048c = 0xdae; memset((void*)0x200000000490, 0, 60); syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc08c5335, /*arg=*/0x200000000440ul); break; case 6: memcpy((void*)0x200000000540, "TIPCv2\000", 7); res = -1; res = syz_genetlink_get_family_id(/*name=*/0x200000000540, /*fd=*/r[0]); if (res != -1) r[2] = res; break; case 7: *(uint64_t*)0x200000000880 = 0x200000000500; *(uint16_t*)0x200000000500 = 0x10; *(uint16_t*)0x200000000502 = 0; *(uint32_t*)0x200000000504 = 0; *(uint32_t*)0x200000000508 = 0x1000000; *(uint32_t*)0x200000000888 = 0xc; *(uint64_t*)0x200000000890 = 0x200000000840; *(uint64_t*)0x200000000840 = 0x200000000580; *(uint32_t*)0x200000000580 = 0x2b4; *(uint16_t*)0x200000000584 = r[2]; *(uint16_t*)0x200000000586 = 0x400; *(uint32_t*)0x200000000588 = 0x70bd2d; *(uint32_t*)0x20000000058c = 0x25dfdbfb; *(uint8_t*)0x200000000590 = 4; *(uint8_t*)0x200000000591 = 0; *(uint16_t*)0x200000000592 = 0; *(uint16_t*)0x200000000594 = 0x44; STORE_BY_BITMASK(uint16_t, , 0x200000000596, 3, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 1, 7, 1); *(uint16_t*)0x200000000598 = 8; *(uint16_t*)0x20000000059a = 1; *(uint32_t*)0x20000000059c = 6; *(uint16_t*)0x2000000005a0 = 8; *(uint16_t*)0x2000000005a2 = 1; *(uint32_t*)0x2000000005a4 = 0x3f; *(uint16_t*)0x2000000005a8 = 8; *(uint16_t*)0x2000000005aa = 1; *(uint32_t*)0x2000000005ac = 2; *(uint16_t*)0x2000000005b0 = 8; *(uint16_t*)0x2000000005b2 = 1; *(uint32_t*)0x2000000005b4 = 0x4c00000; *(uint16_t*)0x2000000005b8 = 8; *(uint16_t*)0x2000000005ba = 1; *(uint32_t*)0x2000000005bc = 3; *(uint16_t*)0x2000000005c0 = 8; *(uint16_t*)0x2000000005c2 = 1; *(uint32_t*)0x2000000005c4 = 6; *(uint16_t*)0x2000000005c8 = 8; 
*(uint16_t*)0x2000000005ca = 3; *(uint32_t*)0x2000000005cc = 0x67c; *(uint16_t*)0x2000000005d0 = 8; *(uint16_t*)0x2000000005d2 = 1; *(uint32_t*)0x2000000005d4 = 7; *(uint16_t*)0x2000000005d8 = 0x3c; STORE_BY_BITMASK(uint16_t, , 0x2000000005da, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 1, 7, 1); *(uint16_t*)0x2000000005dc = 9; *(uint16_t*)0x2000000005de = 1; memcpy((void*)0x2000000005e0, "syz1\000", 5); *(uint16_t*)0x2000000005e8 = 0x2c; STORE_BY_BITMASK(uint16_t, , 0x2000000005ea, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 1, 7, 1); *(uint16_t*)0x2000000005ec = 8; *(uint16_t*)0x2000000005ee = 3; *(uint32_t*)0x2000000005f0 = 0x220a; *(uint16_t*)0x2000000005f4 = 8; *(uint16_t*)0x2000000005f6 = 4; *(uint32_t*)0x2000000005f8 = 0x9c0; *(uint16_t*)0x2000000005fc = 8; *(uint16_t*)0x2000000005fe = 2; *(uint32_t*)0x200000000600 = 0x101; *(uint16_t*)0x200000000604 = 8; *(uint16_t*)0x200000000606 = 4; *(uint32_t*)0x200000000608 = 3; *(uint16_t*)0x20000000060c = 8; *(uint16_t*)0x20000000060e = 1; *(uint32_t*)0x200000000610 = 8; *(uint16_t*)0x200000000614 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000616, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 1, 7, 1); *(uint16_t*)0x200000000618 = 8; *(uint16_t*)0x20000000061a = 2; *(uint32_t*)0x20000000061c = 6; *(uint16_t*)0x200000000620 = 8; *(uint16_t*)0x200000000622 = 1; *(uint32_t*)0x200000000624 = 1; *(uint16_t*)0x200000000628 = 0xb8; STORE_BY_BITMASK(uint16_t, , 0x20000000062a, 1, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 1, 7, 1); *(uint16_t*)0x20000000062c = 0x24; STORE_BY_BITMASK(uint16_t, , 0x20000000062e, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 1, 7, 1); *(uint16_t*)0x200000000630 = 8; 
*(uint16_t*)0x200000000632 = 2; *(uint32_t*)0x200000000634 = 9; *(uint16_t*)0x200000000638 = 8; *(uint16_t*)0x20000000063a = 4; *(uint32_t*)0x20000000063c = 7; *(uint16_t*)0x200000000640 = 8; *(uint16_t*)0x200000000642 = 2; *(uint32_t*)0x200000000644 = 5; *(uint16_t*)0x200000000648 = 8; *(uint16_t*)0x20000000064a = 2; *(uint32_t*)0x20000000064c = 2; *(uint16_t*)0x200000000650 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000652, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 1, 7, 1); *(uint16_t*)0x200000000654 = 8; *(uint16_t*)0x200000000656 = 3; *(uint32_t*)0x200000000658 = 6; *(uint16_t*)0x20000000065c = 8; *(uint16_t*)0x20000000065e = 4; *(uint32_t*)0x200000000660 = 0; *(uint16_t*)0x200000000664 = 0xd; *(uint16_t*)0x200000000666 = 1; memcpy((void*)0x200000000668, "udp:syz2\000", 9); *(uint16_t*)0x200000000674 = 0xc; STORE_BY_BITMASK(uint16_t, , 0x200000000676, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 1, 7, 1); *(uint16_t*)0x200000000678 = 8; *(uint16_t*)0x20000000067a = 4; *(uint32_t*)0x20000000067c = 7; *(uint16_t*)0x200000000680 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000682, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 1, 7, 1); *(uint16_t*)0x200000000684 = 8; *(uint16_t*)0x200000000686 = 1; *(uint32_t*)0x200000000688 = 0x17; *(uint16_t*)0x20000000068c = 8; *(uint16_t*)0x20000000068e = 1; *(uint32_t*)0x200000000690 = 0x17; *(uint16_t*)0x200000000694 = 8; *(uint16_t*)0x200000000696 = 1; *(uint32_t*)0x200000000698 = 0x12; *(uint16_t*)0x20000000069c = 0x2c; *(uint16_t*)0x20000000069e = 4; *(uint16_t*)0x2000000006a0 = 0x14; *(uint16_t*)0x2000000006a2 = 1; *(uint16_t*)0x2000000006a4 = 2; *(uint16_t*)0x2000000006a6 = htobe16(0x4e21); *(uint32_t*)0x2000000006a8 = htobe32(0xe0000002); *(uint16_t*)0x2000000006b4 = 0x14; *(uint16_t*)0x2000000006b6 = 2; 
*(uint16_t*)0x2000000006b8 = 2; *(uint16_t*)0x2000000006ba = htobe16(0x4e20); *(uint32_t*)0x2000000006bc = htobe32(-1); *(uint16_t*)0x2000000006c8 = 8; *(uint16_t*)0x2000000006ca = 3; *(uint32_t*)0x2000000006cc = 0xb; *(uint16_t*)0x2000000006d0 = 0xd; *(uint16_t*)0x2000000006d2 = 1; memcpy((void*)0x2000000006d4, "udp:syz1\000", 9); *(uint16_t*)0x2000000006e0 = 0x20; STORE_BY_BITMASK(uint16_t, , 0x2000000006e2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 1, 7, 1); *(uint16_t*)0x2000000006e4 = 8; *(uint16_t*)0x2000000006e6 = 1; *(uint32_t*)0x2000000006e8 = 8; *(uint16_t*)0x2000000006ec = 0xc; *(uint16_t*)0x2000000006ee = 3; *(uint64_t*)0x2000000006f0 = 6; *(uint16_t*)0x2000000006f8 = 8; *(uint16_t*)0x2000000006fa = 1; *(uint32_t*)0x2000000006fc = 0x80; *(uint16_t*)0x200000000700 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000702, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 1, 7, 1); *(uint16_t*)0x200000000704 = 8; *(uint16_t*)0x200000000706 = 1; *(uint32_t*)0x200000000708 = 2; *(uint16_t*)0x20000000070c = 8; *(uint16_t*)0x20000000070e = 1; *(uint32_t*)0x200000000710 = 9; *(uint16_t*)0x200000000714 = 0x10c; STORE_BY_BITMASK(uint16_t, , 0x200000000716, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 1, 7, 1); *(uint16_t*)0x200000000718 = 9; *(uint16_t*)0x20000000071a = 1; memcpy((void*)0x20000000071c, "syz1\000", 5); *(uint16_t*)0x200000000724 = 0x13; *(uint16_t*)0x200000000726 = 1; memcpy((void*)0x200000000728, "broadcast-link\000", 15); *(uint16_t*)0x200000000738 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000073a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 1, 7, 1); *(uint16_t*)0x20000000073c = 8; *(uint16_t*)0x20000000073e = 2; *(uint32_t*)0x200000000740 = 0x187; *(uint16_t*)0x200000000744 = 8; 
*(uint16_t*)0x200000000746 = 4; *(uint32_t*)0x200000000748 = 0x40; *(uint16_t*)0x20000000074c = 8; *(uint16_t*)0x20000000074e = 1; *(uint32_t*)0x200000000750 = 0x10; *(uint16_t*)0x200000000754 = 0x24; STORE_BY_BITMASK(uint16_t, , 0x200000000756, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 1, 7, 1); *(uint16_t*)0x200000000758 = 8; *(uint16_t*)0x20000000075a = 2; *(uint32_t*)0x20000000075c = 0xc0fb; *(uint16_t*)0x200000000760 = 8; *(uint16_t*)0x200000000762 = 2; *(uint32_t*)0x200000000764 = 0; *(uint16_t*)0x200000000768 = 8; *(uint16_t*)0x20000000076a = 2; *(uint32_t*)0x20000000076c = 3; *(uint16_t*)0x200000000770 = 8; *(uint16_t*)0x200000000772 = 4; *(uint32_t*)0x200000000774 = 6; *(uint16_t*)0x200000000778 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000077a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 1, 7, 1); *(uint16_t*)0x20000000077c = 8; *(uint16_t*)0x20000000077e = 1; *(uint32_t*)0x200000000780 = 0x18; *(uint16_t*)0x200000000784 = 8; *(uint16_t*)0x200000000786 = 2; *(uint32_t*)0x200000000788 = 0x80000000; *(uint16_t*)0x20000000078c = 8; *(uint16_t*)0x20000000078e = 2; *(uint32_t*)0x200000000790 = 2; *(uint16_t*)0x200000000794 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000796, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 1, 7, 1); *(uint16_t*)0x200000000798 = 8; *(uint16_t*)0x20000000079a = 4; *(uint32_t*)0x20000000079c = 0xfffffff2; *(uint16_t*)0x2000000007a0 = 8; *(uint16_t*)0x2000000007a2 = 3; *(uint32_t*)0x2000000007a4 = 7; *(uint16_t*)0x2000000007a8 = 8; *(uint16_t*)0x2000000007aa = 3; *(uint32_t*)0x2000000007ac = 0xd0; *(uint16_t*)0x2000000007b0 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x2000000007b2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 1, 7, 1); *(uint16_t*)0x2000000007b4 = 8; 
*(uint16_t*)0x2000000007b6 = 1; *(uint32_t*)0x2000000007b8 = 0xf; *(uint16_t*)0x2000000007bc = 8; *(uint16_t*)0x2000000007be = 4; *(uint32_t*)0x2000000007c0 = 0x401; *(uint16_t*)0x2000000007c4 = 8; *(uint16_t*)0x2000000007c6 = 1; *(uint32_t*)0x2000000007c8 = 9; *(uint16_t*)0x2000000007cc = 0x54; STORE_BY_BITMASK(uint16_t, , 0x2000000007ce, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 1, 7, 1); *(uint16_t*)0x2000000007d0 = 8; *(uint16_t*)0x2000000007d2 = 3; *(uint32_t*)0x2000000007d4 = 0xe6a9; *(uint16_t*)0x2000000007d8 = 8; *(uint16_t*)0x2000000007da = 4; *(uint32_t*)0x2000000007dc = 7; *(uint16_t*)0x2000000007e0 = 8; *(uint16_t*)0x2000000007e2 = 3; *(uint32_t*)0x2000000007e4 = 0x10000; *(uint16_t*)0x2000000007e8 = 8; *(uint16_t*)0x2000000007ea = 3; *(uint32_t*)0x2000000007ec = 0x2000; *(uint16_t*)0x2000000007f0 = 8; *(uint16_t*)0x2000000007f2 = 2; *(uint32_t*)0x2000000007f4 = 9; *(uint16_t*)0x2000000007f8 = 8; *(uint16_t*)0x2000000007fa = 3; *(uint32_t*)0x2000000007fc = 6; *(uint16_t*)0x200000000800 = 8; *(uint16_t*)0x200000000802 = 4; *(uint32_t*)0x200000000804 = 0x81; *(uint16_t*)0x200000000808 = 8; *(uint16_t*)0x20000000080a = 3; *(uint32_t*)0x20000000080c = 0x3ff; *(uint16_t*)0x200000000810 = 8; *(uint16_t*)0x200000000812 = 1; *(uint32_t*)0x200000000814 = 0x19; *(uint16_t*)0x200000000818 = 8; *(uint16_t*)0x20000000081a = 1; *(uint32_t*)0x20000000081c = 0x1a; *(uint16_t*)0x200000000820 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000822, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 1, 7, 1); *(uint16_t*)0x200000000824 = 8; *(uint16_t*)0x200000000826 = 1; *(uint32_t*)0x200000000828 = 1; *(uint16_t*)0x20000000082c = 8; *(uint16_t*)0x20000000082e = 2; *(uint32_t*)0x200000000830 = 0x79; *(uint64_t*)0x200000000848 = 0x2b4; *(uint64_t*)0x200000000898 = 1; *(uint64_t*)0x2000000008a0 = 0; *(uint64_t*)0x2000000008a8 = 0; 
*(uint32_t*)0x2000000008b0 = 0x4040811; syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000880ul, /*f=*/0ul); break; case 8: syscall(__NR_read, /*fd=*/r[0], /*data=*/0x2000000008c0ul, /*len=*/0x1dul); break; case 9: *(uint64_t*)0x200000000980 = 6; *(uint64_t*)0x200000000988 = 0x200000000940; *(uint64_t*)0x200000000940 = 0x904e; *(uint64_t*)0x200000000948 = 1; *(uint64_t*)0x200000000950 = 9; *(uint64_t*)0x200000000958 = 6; *(uint64_t*)0x200000000960 = 0xe; *(uint64_t*)0x200000000968 = 5; syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x4010801d, /*arg=*/0x200000000980ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 4, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; memset((void*)0x20000000004a, 255, 6); *(uint8_t*)0x200000000050 = 8; *(uint8_t*)0x200000000051 = 2; *(uint8_t*)0x200000000052 = 0x11; *(uint8_t*)0x200000000053 = 0; *(uint8_t*)0x200000000054 = 0; *(uint8_t*)0x200000000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x200000000056, 1, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0x7f, 4, 12); *(uint16_t*)0x200000000058 = 0x1f; *(uint8_t*)0x20000000005a = 0x8c; *(uint8_t*)0x20000000005b = 0x18; 
*(uint16_t*)0x20000000005c = 0x5d9; memcpy((void*)0x20000000005e, "\x8e\x85\x14\x4c\x64\x33", 6); memcpy((void*)0x200000000064, "\xe0\x23\xfb\xed\x51\x30\x11\xc5\x70\x7e\x45\x24\x72\xe2\x05\x5d", 16); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x34); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memcpy((void*)0x2000000000c0, "\x3a\x38\x64\x65\xf3\x89\x38\x0e\x26\xb0\xcb\x13\xf9\x8a\x36\xe2\x21\x4f\x09\x9e\xe0\xd0\xb2\x9b\x75\x4e\x31\xd6\xef\xc8\x2c\x04", 32); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/0x20, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_path_truncate\000", 22); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xda\xa4\xed\x40\xf7\xcf\x4d\xa8\x63\x77\xe8\x64\xd8\xe6\xc6\xd4\xfc\x54\x86\xaf\x4a\x6f\x23\xde\xa5\x8b\x32\x43\xa2\x91\xb0\x18\x0d\xba\xf5\xc9\x27\x58\xaf\x73\xf9", 41); memcpy((void*)0x200000000200, "\x40\xf2\x76\x85\x6b\x81\x91\xc4\xf3\x12\x75\x9d\x79\x5a\x22\xc3\xc7\xed\xc9\x16\x78\x79\x4f\x4e\xea\xc4\x57\x46\xfc\xc9\x93\x07\x22\xc8\x18\x9b\xa5\x95\x65\xf7\x32\x7c\xbc\xd4\x50\x61\x64\xeb\x9f\x6f\xf1\x75\xf1\xf0\x8d\x60\x24\x70\x91\x77\x2c\x18\x5a\xc3\x83\x04\xe9\xb5\xb3", 69); res = -1; res = syz_clone(/*flags=CLONE_NEWUTS|CLONE_VFORK*/0x4004000, /*stack=*/0x200000000140, /*stack_len=*/0x29, /*parentid=*/0x200000000180, /*childtid=*/0x2000000001c0, /*tls=*/0x200000000200); if (res != -1) r[3] = res; break; case 14: res = syscall(__NR_getpgrp, /*pid=*/r[3]); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x800; *(uint64_t*)0x200000000508 = 0x200000000280; *(uint64_t*)0x200000000510 = 0x2000000002c0; *(uint64_t*)0x200000000518 = 0x200000000300; *(uint32_t*)0x200000000520 = 0x12; *(uint64_t*)0x200000000528 = 0x200000000340; *(uint64_t*)0x200000000530 = 0x66; *(uint64_t*)0x200000000538 = 0x2000000003c0; *(uint64_t*)0x200000000540 = 
0x2000000004c0; *(uint32_t*)0x2000000004c0 = r[3]; *(uint32_t*)0x2000000004c4 = r[3]; *(uint32_t*)0x2000000004c8 = r[3]; *(uint32_t*)0x2000000004cc = r[4]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = -1; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000280; r[7] = *(uint32_t*)0x2000000002c0; r[8] = *(uint32_t*)0x200000000300; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000001680 = 4; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000001680ul); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000004a80 = 0x80000000; *(uint32_t*)0x200000004a84 = 0xee01; *(uint32_t*)0x200000004a88 = 0xee01; *(uint32_t*)0x200000004a8c = 5; *(uint32_t*)0x200000004a90 = 0xfffffff8; *(uint32_t*)0x200000004a94 = 1; *(uint16_t*)0x200000004a98 = 0x6bc1; *(uint32_t*)0x200000004a9c = 0x40; *(uint64_t*)0x200000004aa0 = 0xffff; *(uint64_t*)0x200000004aa8 = 0x2265; *(uint64_t*)0x200000004ab0 = 0xfffffffffffffff8; *(uint32_t*)0x200000004ab8 = r[3]; *(uint32_t*)0x200000004abc = r[8]; *(uint16_t*)0x200000004ac0 = 0xfffa; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000003a40; memcpy((void*)0x200000003a40, 
"\x89\x17\xf9\x6e\xff\x00\x1e\x00\x64\x91\xda\x94\x8f\x25\xc3\xac\x36\x65\x39\x2d\x07\x7a\x28\x78\xa0\xc4\x71\x86\xfb\xb5\x96\x00\xe8\x72\x5c\x57\x48\x93\xc0\xd6\x45\x65\x1c\xd4\x96\xd4\xd6\xc4\x3d\xd8\xd9\xe3\xce\xca\x2e\x2a\x35\xfd\x60\x78\x5c\xd7\x7e\xc5\xc5\xee\xd5\xea\x44\xa8\x53\x76\x9a\x52\xcb\x3e\x89\xd0\x6c\x09\x95\xf7\x7e\x9b\x7e\xcc\x68\xfa\x52\x1a\xc4\xb1\x93\xee\x67\xdc\xce\xc0\xa7\xd1\x3f\x3c\x06\x8e\xe0\x46\xa9\xa1\x42\x01\x1c\xd4\xba\x8e\x67\xf3\x81\xe1\x67\x45\xd8\x1a\x2b\x5b\xf1\x1f\x4e\xf0\x01\x43\x30\xc9\x5f\x0f\x5b\xc8\x9d\x00\xf1\x61\x29\xa9\x63\x77\x82\xe5\xa6\xf4\xd9\x22\xe0\xf0\x74\x57\xee\x51\x5e\x1b\xbf\x56\x54\x90\x6d\x88\x7b\xa0\x2b\xee\x66\x4d\xa7\x2a\x51\xb5\xdc\xdf\x4b\xec\xca\x2d\x80\x67\xe3\x57\x53\xc0\x31\x23\x59\xef\xb6\xda\x86\x14\x9a\xfc\x10\x10\xd0\xc6\xc8\x6c\xc9\xc8\x83\x1c\xa1\x27\x6c\xa9\x68\x81\x1c\x87\xba\xab\x12\x1c\x9d\x81\x72\x73\x19\x6e\x97\xae\x66\xf3\x97\x66\x7e\x02\x3f\xc2\x33\x19\xc2\x4f\xa8\x23\x57\x22\x26\xfb\x74\x8a\xc5\x4f\xf5\x28\x23\x6b\x07\x81\xa2\x0e\xd5\x2e\x11\x69\x27\xa2\x2b\x11\xe0\xb8\xac\xeb\x36\xd2\xcf\x4a\x78\xeb\x34\x65\xfc\xb9\xc9\x49\x3e\xad\xd4\x46\x86\x76\x6f\xb2\x6d\x4d\x0a\x54\xd0\x28\x27\x3a\x5c\x60\x53\x88\x53\x4e\x49\x37\xf1\x8c\xa9\x05\x32\x44\x5f\x94\x66\x51\xf3\x63\x4e\x9b\x36\x5b\xb8\xed\x72\x42\xb9\x12\x31\xba\x06\x34\x7e\xab\x1f\x32\x00\x96\x37\x4f\xbd\x8a\x7a\x94\xc2\xfa\x71\x54\x41\x5c\x92\x3f\xd6\x6c\xd6\x26\x48\x9e\x7c\x79\xca\xd3\x9b\x66\xb0\x67\x4b\x94\x39\xb5\x7b\x79\xec\x79\x03\xd3\x5e\xc3\x14\xdb\x9d\x7e\x41\x5d\xf3\xc4\xf7\x55\x14\xb1\xc8\x3e\x9b\x6b\x27\x1d\xab\xeb\xd3\xb7\x93\xa7\x8a\xd5\xba\xef\x25\x39\x39\x34\xbc\x1b\x49\x69\xeb\x61\x28\xd3\x52\x14\x90\x47\x0f\x25\xe7\xa4\x7b\x13\xee\x0c\x47\x72\xd0\x47\x3d\xa5\x18\x44\x1b\x7b\xd3\x62\xbc\x99\xb0\x9c\xf6\x96\xbe\xb9\xe5\xf9\xd3\xd5\xe8\x8e\x9e\x96\x0e\x25\x9e\x4f\xe6\x7c\xfa\x3b\x2a\xbd\xe1\x00\x10\xf3\xc6\xa6\x0d\x26\x9a\xd1\x3e\x59\x05\x2e\x8a\xb9\x51\x40\x1d\xde\x34\x5c\x4f\xed\x4f\xea\x6d\x91\xb8\x4d\xae\xee\xbf\x4
5\xfa\x79\x98\xee\x41\xda\x06\x87\x5e\x7b\xc4\x8d\x9d\xe5\x4d\xe3\x6d\x9e\x27\x49\x5f\xe7\xe8\x8e\x02\x4e\x7d\xd3\x58\x7d\xcb\xc7\x1c\xd4\x33\xb7\x1a\x4d\x97\x2b\x02\x65\x59\xef\xbf\x17\xc2\xb0\x2b\x23\x57\xb9\xd9\x13\xa7\x64\xc9\x5c\x5a\xa7\xb3\x2f\xd2\xc0\xb6\x2b\x47\xf2\x7e\x47\x85\xe7\x6d\x85\x62\xb4\xe4\x3e\xdc\x6d\x61\x0d\x2b\x97\xdd\x1a\x1e\xe6\x5b\xd1\xef\x89\xe0\x11\x0b\x14\xc2\x02\x5b\x04\xb8\xcf\x16\xf0\xc2\xc1\xab\x89\xad\x30\xbd\xbd\x8b\x98\x94\x27\x8b\x4b\xe8\xd0\x81\x55\xec\x0c\xd2\x0f\x54\x4f\x18\xa4\xf2\x6a\x98\x0d\xec\xac\x1c\xe2\x94\x21\x27\xd8\xd0\x35\x0d\xc4\xa9\xa3\x29\x30\xaf\x33\x53\x18\x22\x31\x9d\xd1\x39\xe2\x7c\xf7\x69\xd0\x68\x87\x96\x08\xc2\x51\x7d\x59\x96\x5f\xbf\xfe\x98\x79\xaf\xd4\x87\x87\x5a\xd2\x39\x58\x6b\xbe\xca\xd1\xb0\x0e\x13\x77\x20\x3a\xbe\x3f\xc5\x82\xfa\xaf\x4f\x9e\x08\xe5\x76\x58\x81\x22\x09\xb3\xa8\x65\x3b\xf3\x9e\x12\x6b\x79\x47\x4c\xed\x54\xb7\x4f\xd4\x77\xb0\x3a\x80\x90\x6e\x34\x6d\xfc\x7f\x5a\x86\x41\x0f\x6b\xbc\x64\xa7\xff\x88\xc3\x7a\xa1\xd1\x87\x13\x31\xad\x2a\x63\xfe\xce\xa9\xb4\x3d\x3f\xad\x06\x2d\xe7\x0d\xdd\x1c\x77\x3a\xe6\x25\x68\xff\x3b\xe8\x04\x58\x3d\x3a\x5a\x10\x79\x68\x13\xcd\x4b\x51\xf6\x7b\x09\x91\x0b\x42\x7e\xb9\x28\x04\xe7\xf2\x7a\xdc\xd8\xec\x9a\xfb\x24\xe3\x15\x1b\x48\xa3\x8c\xc5\x99\x27\x99\xdf\x37\xe5\xcf\x6a\xd5\x77\x94\x1a\xd7\xe2\xca\xf1\x56\x19\x23\x69\x27\x34\x2e\x87\xb5\xb2\x60\x47\x37\x16\xa9\xba\xd7\x0b\x39\x51\xf7\x26\x5c\x20\xc0\x00\x85\x26\x67\xfd\xe0\xc4\xb7\xf2\x7a\x32\xb7\xee\x13\x3c\xbc\x65\xba\x4d\xc3\x91\x0c\x23\x75\xe1\x95\xba\x76\x54\xe2\xd2\xd4\x5f\x91\x6e\x47\xf1\x07\x59\x5a\xdc\x63\x24\x78\x40\xdf\x4e\xca\xeb\x96\x40\xfb\x66\x19\x86\xad\xd0\xdd\x02\x79\x6d\x58\x10\xf5\x1c\x93\xfd\xcf\x89\x74\xda\x1f\x10\x14\xf2\xf4\xad\xb1\x6f\x04\xe7\x33\xb5\x3a\xc2\xe8\xb4\xa8\x53\xe9\x3a\x93\x5a\x73\x20\x28\xc8\xe3\xec\x12\x0f\xc5\x41\xe5\x12\x6f\x2d\x88\xdd\x4b\xbc\xa0\x6f\xa6\x10\x16\x34\x64\xcb\x17\xf4\x5e\x7a\x2b\xe0\xe5\x1d\x8e\x45\xe3\x7c\x50\x91\xd7\x62\xce\x5b\xfd\xb6\x93\x53\xba\xf
b\x95\x5c\x25\x54\x47\x02\xdc\xf7\xd1\x39\x4a\xac\x7a\x49\xa0\x78\x7f\xf1\x68\x74\x25\xa3\x75\x24\x9c\xa3\x78\xbc\x4f\x4a\xa2\x4a\xbc\xa2\x4a\x87\x1f\xd6\x74\x25\xb2\xf6\x60\x93\xb5\xb9\x87\x24\x99\xec\x85\xfa\xef\xfb\xf4\x3f\x0a\x4d\x3e\xfb\x5c\xea\xe7\x05\xa1\xa8\xe1\xf2\xbf\x79\xf5\x53\xc1\xc9\xf3\x8b\xd0\x9f\x93\xa8\x22\xbe\xb4\x54\x74\x4d\xd1\x17\x7e\xea\x67\xb7\xbd\x6c\x42\x1e\x58\x24\x62\x02\xab\x90\x2f\x79\xe0\x15\x5f\x1d\xe2\xbf\x22\x6f\x61\xbb\x39\xbf\xc2\xfb\xa3\x47\x9f\x25\xee\xa7\xf0\x1f\x70\xbc\x08\xa9\x8e\x88\x74\xe5\xd1\x38\x42\x83\xb9\x96\x07\xea\xa5\x2e\x89\x54\x90\xbd\xb2\x1c\x81\xcb\x3b\x37\x91\xc1\xde\xce\x0e\xbc\xe6\x7c\xc4\x5b\xcb\xa2\x99\xbb\x89\x2c\x9d\x19\x50\xbf\x33\x5e\x95\x4f\xd3\x03\xc6\x5e\x1a\xfe\xc4\x8a\x3d\x3e\x10\xa4\x04\x35\x2a\x13\x02\xef\xce\xbe\x12\x54\xeb\x2b\x25\xd6\xf4\x50\xb2\x6a\x3f\x1b\xd7\xf5\x77\xe5\x4c\x95\xe5\x66\x11\x74\xd3\x27\x82\xfe\x6b\x11\x99\x65\x42\xfe\x1b\x97\x51\x39\x62\x88\xd2\x7a\x47\xe3\xc9\x8d\x1c\xc3\xf3\xab\x55\x8b\xa3\xe8\x2a\x6c\x3e\xd4\x84\x0f\x4e\x3d\x79\x36\x95\x73\xc3\x75\x34\x07\x3e\x79\xad\xfd\x23\x23\x83\x2b\x65\xe7\xa6\xc4\x5b\x72\x57\x91\x38\xe2\x26\x29\x1d\x27\x00\xda\xc3\xa1\xcc\x91\x61\x40\xf5\x4c\xb2\x8b\x34\x70\x85\x61\x89\x81\x25\x44\x36\x6f\x75\x7c\x0a\x29\x4e\xe2\xb5\xbf\x6c\x30\x8a\xd4\xdf\x23\x0d\x5a\x74\x3b\x8c\xf7\xa1\xf6\x4a\x30\x61\x98\x3f\x22\x38\x50\x26\x2c\x75\x74\xae\x48\x0a\x02\xf6\x8c\x04\x3b\xa7\xaa\x82\x2f\xf6\x45\xd4\xe4\x48\x2c\x14\xcb\xb5\x8c\x15\xf6\x5c\x98\xd1\x69\x2f\x93\x9d\x0d\x95\x58\x50\x45\x42\x4a\xbe\x5e\x58\x65\x14\x77\xf9\x1d\x0c\x1d\xaf\xb3\xf3\x3a\xf9\xe6\x9b\x79\x4e\x13\xeb\x0c\x42\x9d\xe9\xb9\x2b\xbc\x5f\x92\x82\xa2\xe6\xc9\x11\x9f\x6f\xd8\x60\x3f\xe1\x1a\xf2\xd5\x16\xc9\xa7\xad\x38\xe3\x33\x7b\x96\x9c\x3d\x95\x93\xf0\xd4\xac\x95\xc4\x4e\x7f\x47\xe8\x10\xf6\x97\x0a\x1a\x6f\x18\xf2\x09\xfe\xdc\x35\x65\x6d\xc5\xc5\x36\xb0\x39\x6a\xed\xaf\x83\xca\x46\x65\x5e\xdc\xc4\x08\x8c\x6f\xcf\xfa\x68\x9a\x87\x83\x09\xc1\x76\x7b\x21\x87\xc9\xb5\xfa\x57\x5e\xfd\x80\xe
0\x57\x4a\x57\x76\x73\xb4\x5e\xda\xc8\xb1\xc9\x12\xce\x60\xcd\x18\x29\x0d\x31\x02\x5c\x80\xeb\xa3\xd9\x97\xe4\x79\x2b\xe2\x3a\x49\xc0\x09\x4e\xe2\x85\x48\xfa\x33\x27\x5e\x6c\x28\x0b\xb6\xe0\xa0\xaa\x8e\x79\x04\xc6\x41\xcb\xcb\x3d\x99\x49\x46\xf0\xe4\xc6\xd6\xb1\x91\xd3\x46\x53\x64\x79\x3a\x69\x7f\x2c\x25\xd1\x30\x92\x3c\x79\x9a\x3a\x8d\x71\x69\xa3\x7a\xc2\x9b\xdd\xfb\x76\x6d\x51\x30\xb5\xe4\xbd\x43\x97\x8a\xad\x35\x49\x05\x2c\xf6\xf5\x64\x76\x80\x52\x03\x23\x46\xae\xf8\xf5\x84\x4b\x97\x04\x84\x2c\x0f\x1f\xa7\xd2\x6c\x69\x71\x88\xc0\xe8\x64\x16\x58\xd6\xd2\x99\xa6\x1f\xf1\x40\xa4\xb9\x4f\x04\xf6\xec\x06\xff\xca\x6e\x57\x4b\xdd\x60\x03\x72\xed\x5d\x16\x6a\xee\xae\x4f\x24\xe1\xec\x3c\x21\x2f\x05\xaa\x85\x37\xf0\xab\x83\x1e\x47\x2f\x32\x16\x4a\x08\x87\xc6\xf4\xe4\x25\x32\x56\x5f\x05\x5a\x8c\xd4\x35\xe9\xcc\x91\x08\x96\x7e\x42\x2c\x6d\x0e\x74\x06\x33\xc9\x77\x84\x71\xef\xa8\xa4\x4a\xb5\x5a\x06\xbd\xb6\xb8\x17\xf8\xa6\xcc\x55\xd5\x2a\xce\x6e\xc4\x38\xad\x4f\xbe\xe7\xc6\x4e\x00\xfc\x65\xc7\x6a\x36\x16\xc3\x5f\xb7\x1b\xb6\x08\x4f\x44\xf8\x08\x3d\xff\x56\xd7\x71\xe1\xd3\x23\x58\x4b\x82\xf1\x05\xe0\xa2\x11\xce\xae\x9a\xfc\x0f\x5e\x61\xa2\x64\x94\x76\x44\x0c\xf6\x8d\x9a\xbf\xfb\x48\xde\xcd\x0e\x8d\x2e\xd1\x09\x07\xd3\x5e\x39\x0d\xaa\x1e\xef\x83\xda\xc8\xab\x44\xe2\xac\x58\x86\xf6\x23\x5f\x6b\xd7\xb6\x9f\xf3\xc0\x98\xb5\x58\x89\x49\x08\xd4\xcd\x28\x24\x7f\xb6\xec\x4b\xb5\xb1\x63\xf6\xb2\xee\xf3\x86\xe7\xce\x26\xde\x75\x9b\xd6\xe2\x4e\x46\xaa\x2b\x38\xf0\xa4\xe6\xa4\x78\x5a\xf1\x4b\xd6\x03\x5a\x32\x6c\x29\xaf\x21\x5a\x4c\x1c\x45\xae\x76\x7b\xd7\xe6\xdb\x1b\xae\x69\xbe\x04\x5e\xf0\xb1\xeb\x39\x34\xac\x5e\xbe\x3a\x4c\x1d\xd5\x9b\xb9\x60\x53\xbe\xeb\x55\x61\xb5\x21\xc4\x78\x52\xd9\xa2\xc6\x6c\xfa\xf8\x2c\x2a\x01\x6e\x5d\xe7\x29\xea\x0e\x0c\xe4\xf9\x80\x85\x79\x2b\x5e\x5a\x80\x2c\xd7\xfb\xac\x9e\xf3\x8e\x20\x3e\xbb\x36\x51\xf1\xb3\x0a\xf6\xea\x29\xfa\x17\x9f\x8b\x19\x26\x41\x60\x4b\xe0\x29\x29\xda\xff\xad\xd6\xc9\x7b\xa4\xcd\x56\x79\x0c\xc2\x43\xd0\x47\x0e\xb8\xc1\xae\x78\x12\xda\x6
6\x6b\x0b\x32\x9f\xb3\xf0\x4f\x78\xe2\x5a\xd1\x7b\x4b\x39\x78\x13\x82\xad\x93\x7e\x08\xad\x34\x48\xb6\x32\x38\x18\x5b\x98\x22\x42\x19\x0f\xd1\xe4\xad\x8f\xbb\xa5\x5d\x6a\xbf\x96\xe0\x16\xe1\xd9\x8d\x37\xd5\x1c\x2e\xe1\xe4\x1f\x54\xf8\xac\x7e\x03\x8e\x36\x16\xf5\x69\xd0\x24\x69\x0e\xa3\x03\xbe\xc6\x98\xbe\xb9\x8b\x9e\xa4\x9f\x6b\x87\xe3\xf7\x10\x49\x97\xa6\xad\x7d\x33\xdb\x8f\xb7\x9a\xda\x8c\x5f\x7f\x54\xee\x17\xf7\xb3\xd8\x6a\xa1\x53\x2b\x43\x9c\xd8\xde\x90\xb5\xfd\x7f\xc3\x32\x56\x80\x06\x1d\x93\x19\xd1\x83\x5e\x60\x3f\xaf\x79\x33\xbf\xd6\x0d\x73\x39\x65\xf0\xf2\x5a\xdf\x39\x45\x09\x2b\xb9\x9e\x95\x34\x66\x02\xfa\xf6\xaa\xbe\xb3\x3c\xbc\xa3\xb2\x19\xb4\xf8\xaf\xaf\xe8\x25\xc6\x62\x7c\x0c\x7b\x00\xc3\x38\x75\xb6\x9d\x01\xc0\x8b\x90\xe6\xfa\x64\xf0\x9b\x42\x93\x2e\x1c\xcc\x9b\x3d\xa3\x67\x71\x66\x7d\x5b\xb7\x53\x1a\x2a\xc1\x74\xbc\x41\x2d\xff\xad\x7c\x6f\x8f\xd4\xda\xd3\x30\xfb\x41\x5a\x97\xe8\x13\x6c\xd5\xc0\xbb\x7d\x00\xd2\xb2\xc9\x56\x93\x6c\x9f\x5f\x74\x7e\x3c\x9a\x36\x1d\x79\xd0\x48\xcb\x3f\x52\x8f\x18\x7f\x9b\xba\x5d\x78\xd7\x30\x9b\x1b\x25\x6f\xbb\x34\x9c\xd5\x29\x45\x54\x1a\x5a\x57\x80\x9f\x2d\x71\xa8\xe8\x05\x57\xb2\x3b\xe4\xfb\x31\xca\xdd\xc5\x95\x53\xb6\xbc\x0f\xaa\x16\x5e\x4a\xb1\xf8\x27\x9c\xa6\xe3\x07\xce\x79\x20\xc4\x3b\xdb\xad\xec\x04\xef\x8b\xe7\x0d\x57\xaf\x59\x8d\x1d\x8a\x89\x6a\x09\x52\xb2\x3c\xba\x46\x4e\x0e\x9b\x36\x25\xf9\x93\xdc\x12\xc8\xf7\x74\xe8\x7d\xa0\x51\xec\xa4\x9b\xd1\x4e\x4e\x2e\x27\x0c\xf7\x5d\xc8\x34\x3b\x2a\xd4\xb0\xa2\x17\x8c\xb5\x57\xc6\xd0\xeb\x1a\x0b\x23\xed\x92\x58\x0c\xe5\xad\xa7\x8c\x2b\xb1\x0d\xdd\x25\xd4\xbb\x14\x7d\x61\xa0\x0f\x5e\x1d\x1d\x5c\x88\x8d\x47\x42\x4c\x04\xde\x7d\x41\x38\x4e\x2c\x68\x8a\x57\x35\x8d\x05\x81\x4a\xd9\x17\x13\x5a\x80\xec\xcd\x1d\x1f\x14\x72\x42\xa5\xda\x4d\xad\x08\x38\x32\x2e\x9a\x2f\xa5\x31\xfb\xb6\xb0\x83\x2b\x67\x00\xf8\x72\x79\x84\x6c\xe2\x33\x16\x79\xb8\x2f\x04\xfe\x1b\xe1\xe8\xce\x9f\x61\x0b\x63\xff\x30\xad\x0b\x76\x97\x78\x17\x73\x9a\x29\x5c\x9e\xc9\xdc\xf1\x1f\x81\xa6\x76\x19\x40\x73\x04\xc
1\xd5\x94\xc5\x19\x6d\xb1\xbd\xeb\xfe\x03\xf2\x2a\xda\xac\x92\x53\xd7\x53\x96\x71\x38\xbc\x9d\x2c\xf4\x73\x54\x91\xd2\x74\x5c\x23\xe5\xd2\x29\xc7\x46\x27\xdd\x19\x1b\xc6\xc0\x38\x51\x39\x14\xdb\xdc\xfa\xcb\x8b\xcb\x28\x14\xdc\x52\x5e\xda\xd8\x89\x52\x09\x99\xfc\xe6\x44\x69\xc6\x06\x94\x40\x59\x61\x51\x84\x41\xc3\xe8\x44\x53\xaf\xa3\x49\x9e\x3a\x89\x83\xb5\x7f\x94\x59\x3e\x86\x64\x71\x9d\x5e\x65\x98\x42\x2b\xb8\xcb\xc5\x16\x20\xb2\x59\x41\x3b\xea\x16\x49\x0b\xbe\x6c\x9a\x72\xbf\x21\xf6\xb4\xd4\x99\x37\x1a\xd9\xfc\x82\x77\xdd\x3f\x2f\x75\x23\xcc\x5e\x6c\xee\xbf\x74\xfc\x39\x44\x13\x6b\x2d\x56\xda\xa2\x04\x03\x74\x31\x9a\x1c\x83\xc3\xbb\x0c\x96\x2d\x32\x1d\x80\x39\x17\x0b\x98\xb6\x04\xc8\xed\x42\xc5\x96\x31\x4a\x01\x13\x9c\x9d\x36\xcc\xd6\xf2\xcb\xd3\x11\x3b\x2c\x9d\x4e\x19\xf0\x86\x94\x46\x36\x10\xa3\x68\xf8\xac\x74\xf2\x97\x94\xf1\x45\x60\xe0\xa3\xd4\x81\xc6\x73\x41\x0a\xd9\x46\x65\x81\xaa\x2a\x33\x4f\xf3\x80\xa1\x00\xfb\x04\x9a\xd8\x19\x6e\xb4\x78\x4e\xa1\xbe\xdc\x13\x9a\x70\x54\xf1\x8a\x8d\x44\xbc\xa0\xa3\xd0\x12\x2f\x5d\xc3\xa1\xc4\xd2\x9b\xde\x35\xe3\x32\xbd\xf2\x8c\xb9\xb9\x85\x43\xad\x3e\x33\x14\x3a\xf8\x79\x03\xb5\x62\x4f\x62\x30\x55\x98\xde\x27\x58\x33\x20\x8e\xc8\x37\x06\x82\xad\x9f\x0f\x9a\xc6\x4c\x43\x90\x44\xa2\xde\x30\x33\x46\x87\x34\xf4\x92\x66\x13\x88\x59\x69\x5b\x60\xa6\xfb\x45\xd7\x94\xb8\x71\xc1\x9c\xbe\xdf\x59\xb7\x64\x45\x3b\x78\xcf\xea\xd4\xc5\x01\xb1\xf8\xc0\xff\x82\x7b\x70\x29\x73\x92\x69\x7a\xdb\x13\xce\xff\x2f\x13\x9b\xff\x3b\xa2\x38\x79\x8a\x07\xfe\x5f\x55\xa0\xef\x5b\x75\xcc\xb4\x98\xbb\x89\x43\xba\xb4\xa6\x71\xf1\x25\xfb\x06\xf2\xe5\x9f\x77\xfd\xb0\x2c\xb2\x3e\x86\x87\x56\x8d\xc0\xd5\xc4\x86\x09\x94\xa3\x7c\xca\xb3\x65\xd7\xa7\x08\x03\xc6\xa6\xf4\x8f\x5b\x3f\xf1\xcb\xdd\x51\xd8\x96\x1f\x97\x3c\x70\x33\x75\xd2\x52\xe6\xc5\xa0\xff\x13\x3b\x59\x72\x43\x13\xf9\x88\x84\x1b\xd6\x1e\xc2\x97\x67\xa4\x60\x8a\x5b\xc4\x5b\x10\x4e\x4f\xc9\x82\x61\xe4\x54\x0a\x10\x38\x2a\x49\x5d\x64\xdd\x5f\x6c\x03\x90\x66\xd9\xd3\x58\xef\xb1\x66\x71\x17\x8e\x88\x4f\x0
7\x0a\x07\xfd\x02\xa0\x0b\x63\xb7\xf5\x75\xf6\x42\xbf\x91\xee\xc3\xbb\x90\xdb\xa9\xa2\x1d\xf3\x17\x9c\xf1\x2e\xa9\x52\x5d\x09\x74\xd6\xfc\x44\xbf\x69\xfc\x54\xf8\xa5\xff\x98\x67\x06\x67\x8d\x7c\xe0\x6c\xce\x44\xdf\x29\x74\xb9\x66\xe6\x7a\xca\x31\x4e\x0b\x58\xac\xc4\x15\x54\xa4\x42\xef\x35\x87\xab\xba\xf1\x82\x95\xec\xa5\x9c\xa8\xa1\x0e\xdd\x3f\xbd\x1f\xac\x0b\x06\x01\x3d\xe5\xf7\x33\x37\x51\xc5\x7d\xeb\x4d\xae\xf9\xe4\xc5\x5e\x93\x74\x1e\xd1\xd2\xf7\xf9\x63\xcd\xed\xc6\xef\xdb\x5d\x8b\x14\xd7\xd6\x12\xe2\x61\x2f\x30\x96\x6f\x4e\x67\x60\xd1\xa4\x6f\xbe\xe5\x0d\xcc\xff\xc0\xb2\xe5\x17\x7b\x1c\x60\x27\xad\xae\xe0\x90\x75\xb6\x55\xcf\x85\xdd\xbb\x4e\x44\x83\xd5\xde\x7b\x38\xa9\x10\xf9\x96\x71\x1c\x05\x8c\x1b\x97\xe6\x21\x27\x48\xc8\xcc\x7d\xe8\xcf\x7a\x56\xaf\x75\xe2\x91\x86\x7c\x26\x88\xe9\x99\xc6\x55\x3d\x7a\xaf\x3d\x2f\x62\xc2\xf5\x3b\xf8\x8c\xf2\x04\x40\x07\xdb\xe9\x29\x85\x65\x31\xb0\xad\x6b\x48\xa6\x11\x8b\xf3\x5c\xce\x82\x7e\x5d\x0c\xd2\xa1\x9b\x3f\xc3\x73\x95\xe1\xce\xd2\x13\x7f\x0c\x72\x6f\x5c\xc9\x91\x33\x3a\x0f\x07\x94\xda\x0b\x6d\x75\x73\x74\x21\x7e\xae\xbc\xbb\x6d\x87\x43\x1f\x08\x9a\x57\x10\x2c\xa5\x37\x3b\x8d\x73\x0a\x92\x02\x60\x59\xc6\xa8\x80\x94\xe9\xc6\x29\xd8\x1e\xcc\xf8\x6b\x4e\x8f\x09\x1d\x32\x55\x63\xd1\xf4\x01\x6c\x97\x97\x2c\x58\x4b\xc7\x6d\x1f\xb4\xed\x94\xb7\x21\x34\x4d\x00\xcc\x67\x24\xf5\x64\x9d\xfe\xd8\x4d\xc5\x11\x58\x3e\x1a\x08\xa4\x3c\x24\x09\x93\x41\x72\xff\x3f\x0d\xfc\x93\x99\x6b\x84\x79\xc0\x50\xdc\x19\x30\x9a\xa9\x98\xf7\x09\xed\xa3\xb3\xcf\x80\x6b\xec\x71\x7e\x17\x18\xb8\xcc\x10\x06\x0b\x33\x5c\x46\xf1\x7c\x52\x2a\xc0\xbb\x69\x6f\xb4\x39\x3a\x94\x50\xbe\x5f\xa7\x55\xea\x0d\x71\xb3\x0a\x84\x31\x51\x5c\x44\x63\x90\x15\x4b\xc2\xa4\x95\x1b\x3f\x15\xf4\x19\xce\x20\xb0\x30\x2b\xd9\x00\x25\xd8\x3c\x47\xa0\x18\xf6\x88\x6a\xb1\xfb\xb7\x57\x7d\x5c\x06\x6b\xab\x23\xd8\x41\x89\xcc\xff\x63\x40\xa3\xca\x41\xdf\x5c\x6d\x99\x4b\x26\xb8\xfc\x34\xc6\x90\xdf\xb2\x29\xc8\x37\x60\x22\x4b\xdc\xe8\xe8\x67\xd1\xf5\xa0\x97\x73\x6d\x3f\x19\xd8\x22\x9f\x91\x4
3\xac\x03\x70\x93\xd4\xcc\x32\xab\x10\x4b\x58\x28\xf1\xcc\x84\x49\x5a\x68\xd7\x67\xb7\xfb\xd7\x25\xd4\x34\x71\x9a\x36\x01\xb5\xfb\x23\x36\x4a\x5e\x41\x51\xc6\xf9\x15\xce\x53\xf7\xde\xbb\xb9\xf1\x5b\x81\x1c\xb0\x2b\xb8\x73\x94\xff\xb6\x1e\x8b\x8a\xe5\x74\x9d\xc7\x43\x2b\x51\x6b\x8a\x62\x79\x90\x53\x7b\x9c\xdf\xd2\xa0\x94\x39\xb7\xdc\x04\x39\x97\xe0\xf5\x90\x36\xab\x34\x70\xaf\x1b\xc7\x67\x10\x11\xe5\xb4\x72\xe3\xf6\xad\x45\x6b\xa7\x06\xd5\x50\x66\x1c\xbc\xf6\x10\x7e\x9b\x7e\xe4\x9a\x82\x05\x2d\x90\x1b\xb7\x9f\xb1\x8d\x82\x21\x6a\xee\xfa\x2e\x76\x39\x0f\x80\x94\x3c\xc8\x56\xa0\x08\xc7\x25\x6b\x84\xd8\x85\x7f\xa6\x34\xad\x7d\xd4\x50\x13\x86\xbb\xab\xe2\x38\xa5\x8a\xec\xb7\x7a\x0d\xe5\xff\xaa\xa5\x63\xa1\x96\x8b\x72\xb9\x2b\xa5\x8d\x1a\x1e\xf6\xf9\xed\x04\x9f\xf3\x8b\x7f\xc3\x42\x27\x46\x16\x31\xfe\xc6\x53\xe7\x81\xf1\x57\xec\x73\x86\x36\x2b\x66\x77\x8a\xfc\x89\x82\xcd\xae\x50\xe1\x29\xf4\x32\x9b\xfe\x35\xcd\x9d\xa3\xd5\x75\x22\x04\xfa\x72\x75\xcc\xbc\x01\xab\xf8\x5c\x6c\xf3\xab\x9e\xab\xb2\xea\x7a\x1c\x77\x9e\x67\x3d\x0f\x95\x16\xb1\x85\x15\x4d\xc8\x3c\xc5\xf6\x93\x70\xe3\x14\x19\x8b\x7f\xa8\x3c\xe5\xc5\xc9\x1c\x2c\x50\xe5\x44\x89\xb3\xa6\x70\xa3\x30\xa4\xe4\x9f\xca\x51\x7c\x83\xa9\x53\x2c\xbc\x7e\xdc\x84\x0c\xd0\x10\xb3\x7e\xcc\x75\x37\x45\x30\x16\xed\x1a\xb4\x45\xe4\x5f\xc1\x23\x8b\x14\xe2\xf8\xf9\x31\x66\xcb\xf7\xd3\x8b\x85\x28\xba\xa0\xfa\xd3\xe9\xe7\x6f\x4b\x32\xee\xbb\x60\x52\x68\x81\x62\x0b\xca\x5b\x11\xac\x06\x3d\xbe\x21\x69\xe5\x43\x78\x43\xf6\xd2\xd4\x86\x85\x5a\xd5\xf1\x92\xb2\x68\xb2\xf3\xeb\x25\xde\xea\xbd\x2d\xe8\x9c\x48\xba\x28\xf1\xee\x2c\x84\x65\x86\x56\xc3\x37\x33\x9b\x53\xac\xf9\x88\xba\xf2\x9a\xc5\xc9\x19\x9e\xc7\x91\x2b\x28\x94\x09\x34\xbc\x02\xb1\x31\xd1\x46\x13\x54\x62\x6b\x69\x08\x35\xba\x09\xab\xaf\xa0\xca\x7f\x51\x55\x79\xe5\x33\xc4\xbb\xfd\xa2\xbc\x9f\x2f\xae\xdd\x35\x38\xce\x8c\x1e\x36\x06\xea\x98\x39\x5e\x0f\xf8\x84\x92\x04\x5f\x47\xcc\xa8\x5f\x4a\xf1\x6f\x95\x0a\xbb\xf3\xf2\x22\x9d\xe5\x8e\xa2\xb4\x56\x92\xd4\xba\x84\x3e\x70\xe5\xae\xed\x2
9\xf6\x88\x07\x13\x8a\xaf\x5c\x99\x4b\x30\xd4\x73\x11\xeb\xb9\x69\x10\x76\x77\xdc\xf0\x07\xf6\x4d\x0b\x32\xc3\x60\x0c\xd3\x2b\xd4\x2c\xa6\x9e\xe4\x6d\x78\x6c\xf0\xcf\x94\x96\xbc\x51\x60\x2c\x98\x9f\xc5\x4f\x76\xc4\xd3\x83\xce\x41\x4a\xf4\x5f\xc9\x48\xe5\xb9\x71\xe3\x02\x0a\xf4\x47\xc5\x89\xb0\x99\x56\xc9\x03\x3d\x09\x04\xd6\x44\x5d\x7e\x9f\xff\x7c\x90\x39\x39\xf7\x9c\x2d\x4c\x30\xb6", 4096); *(uint64_t*)0x200000004ad0 = 0x200000004a40; memcpy((void*)0x200000004a40, "\x88\x4f\x38\x13\x09\x89\x6a\x88\x17\x38\x89\x99\x4e\x74\xc6\x06\x94\xf7\xba\xa4\x5b\xe0\x88\xe5\x9b\xc3\xe9\x39\x72\x82\x57\xe8\xd2\xdb\x71", 35); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[10] = *(uint32_t*)0x200000004a88; break; case 19: *(uint32_t*)0x200000004d40 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000004c40ul, /*optlen=*/0x200000004d40ul); if (res != -1) r[11] = *(uint32_t*)0x200000004c74; break; case 20: *(uint32_t*)0x200000004e00 = 7; *(uint32_t*)0x200000004e04 = 0xee00; *(uint32_t*)0x200000004e08 = -1; *(uint32_t*)0x200000004e0c = 8; *(uint32_t*)0x200000004e10 = 0x80; *(uint32_t*)0x200000004e14 = 5; *(uint16_t*)0x200000004e18 = 0xfffc; *(uint32_t*)0x200000004e1c = 1; *(uint64_t*)0x200000004e20 = 7; *(uint64_t*)0x200000004e28 = 5; *(uint64_t*)0x200000004e30 = 0xbed1; *(uint32_t*)0x200000004e38 = r[5]; *(uint32_t*)0x200000004e3c = r[7]; *(uint16_t*)0x200000004e40 = 1; *(uint16_t*)0x200000004e42 = 0; *(uint64_t*)0x200000004e48 = 0x200000004d80; *(uint64_t*)0x200000004e50 = 0x200000004dc0; memcpy((void*)0x200000004dc0, "\x05\xc9\x21\x56\x87\xa3\xff\x17\x47\xca\xe5\xc1\x8c\xb1\x86\xed\x5c\x62\x98\x43\x37\xf9\x0f\x0a\xb5\x94\x8e\x21\xc6\x3d\x16\x86\xf1\xda\x14\x59\xa8\x97\x18\xa9\xf8\x49\x30\xb8\x92\xc2\xad\x4d\xe6\x1f\x71\x4a\xb8", 53); res = syscall(__NR_shmctl, /*shmid=*/5, /*cmd=*/2, /*buf=*/0x200000004e00ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004e04; r[13] = 
*(uint32_t*)0x200000004e08; } break; case 21: *(uint32_t*)0x200000004f00 = 7; *(uint32_t*)0x200000004f04 = -1; *(uint32_t*)0x200000004f08 = -1; *(uint32_t*)0x200000004f0c = 1; *(uint32_t*)0x200000004f10 = 0; *(uint32_t*)0x200000004f14 = 0x98; *(uint16_t*)0x200000004f18 = 4; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 6; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 5; *(uint64_t*)0x200000004f30 = 0xc; *(uint64_t*)0x200000004f38 = 0x1ff800000; *(uint64_t*)0x200000004f40 = 8; *(uint64_t*)0x200000004f48 = 0x7f; *(uint64_t*)0x200000004f50 = 3; *(uint16_t*)0x200000004f58 = 0x101; *(uint16_t*)0x200000004f5a = 8; *(uint16_t*)0x200000004f5c = 0x1000; *(uint32_t*)0x200000004f60 = r[5]; *(uint32_t*)0x200000004f64 = r[8]; res = syscall(__NR_msgctl, /*msqid=*/4, /*cmd=*/0ul, /*buf=*/0x200000004f00ul); if (res != -1) { r[14] = *(uint32_t*)0x200000004f04; r[15] = *(uint32_t*)0x200000004f60; } break; case 22: *(uint32_t*)0x200000005080 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000004f80ul, /*optlen=*/0x200000005080ul); if (res != -1) r[16] = *(uint32_t*)0x200000004fb4; break; case 23: *(uint32_t*)0x2000000052c0 = 8; *(uint32_t*)0x2000000052c4 = 0; *(uint32_t*)0x2000000052c8 = 0; *(uint32_t*)0x2000000052cc = 0x7f; *(uint32_t*)0x2000000052d0 = 5; *(uint32_t*)0x2000000052d4 = 0x80000001; *(uint16_t*)0x2000000052d8 = 0x43; *(uint32_t*)0x2000000052dc = 7; *(uint64_t*)0x2000000052e0 = 2; *(uint64_t*)0x2000000052e8 = 0; *(uint64_t*)0x2000000052f0 = -1; *(uint32_t*)0x2000000052f8 = 0xf; *(uint32_t*)0x2000000052fc = r[7]; *(uint16_t*)0x200000005300 = 2; *(uint16_t*)0x200000005302 = 0; *(uint64_t*)0x200000005308 = 0x2000000050c0; memcpy((void*)0x2000000050c0, 
"\xbc\xc4\xb5\xd8\x6e\x91\xb0\x2b\x73\xe1\x6c\x46\x65\xdc\x30\x88\xf7\xcc\x98\x26\xda\x78\x07\xf9\xa8\x30\x0d\x9d\x89\x80\xde\x67\xa1\xa2\xa1\x53\xe9\x54\x66\xe7\x6d\x2c\x38\xc4\x15\x58\xc0\x8e\xfe\x37\xee\x81\xd9\x90\x46\x74\xce\xd8\x6d\xda\x9b\x2b\x6c\xc7\xc9\x7b\x19\x97\x58\xbe\xf8\xd9\x2d\xd2\x0e\x0e\x69\x86\x4d\x6f\xcd\x03\xa8\x0c\xa0\x12\x01\x9c\xf4\x1e\x51\x66\x47\x50\x38\xfc\xd3\x60\x33\x84\x36\xe7\x82\x7e\xf7\x30\x46\x91\x87\xe6\xa4\x95\xf5\xbf\x01\x8e\xe7\xca\xa7\x1c\x80\x4a\x38\x67\x56\xc3\x24\x2b\x30\xec\xa0\xb8\x41\x16\x6d\x78\x39\xe9\x4a\x56\x39\xd0\x8f\xbc\x06\xda\xc1\xf8\x61\x49\x44\x56\xd8\xd1\x53\xde\x7f\xc3\x03\x87\xd4\x52\x30\x4e\x7c\x30\x69\xbb\xfb\x42\x43\x91\xd0\x4f\xab\x12\x03\x7c\x6d\x6a\xe6\x02\x5d\xf8\x69\xfa\x3a\x45\xe0\x31\x48\xc2\xdd\x05\x2c", 195); *(uint64_t*)0x200000005310 = 0x2000000051c0; memcpy((void*)0x2000000051c0, "\x0b\x7d\x67\x85\x2a\x6f\x3d\x89\x68\xf4\x76\xad\xad\x16\x72\xe6\xdc\xfc\xeb\xe8\xe6\x24\x9d\x8c\xc7\x2d\x1a\x05\xc2\x8a\xcd\x3d\xed\xa6\x43\x14\x81\xc8\x8e\xe1\xc2\xc0\x99\x44\xee\x73\x33\xd9\xd1\x6b\x3f\x9b\xd1\x86\xbe\x36\x21\x0e\x7e\x52\xfd\xac\x24\x09\x97\x73\xc0\x7a\xf6\xf1\xa9\x40\xe4\xba\xec\x3a\xda\x47\x66\xe3\x80\x14\xad\x52\x7a\x5d\xf7\x7c\x90\x61\xc5\xa4\xca\xcc\xc4\x8b\xcf\x15\x62\x20\x7f\x8d\xb0\x4d\x60\x8a\x82\x3c\x71\x97\x9b\xda\xf7\x02\xb9\xa6\xec\x8f\x62\xf2\x3d\x31\x6b\x69\xa8\xe4\x0f\x1c\xd7\x92\x58\x5f\x34\xd8\xff\x6c\x70\x56\x41\xdb\xc0\x9a\x02\x45\xef\xad\x32\x6c\xa8\x4d\x8c\xa3\x9d\x29\xcc\x33\xa4\xa3\xfb\xe7\x6c\x24\x0d\x05\x5e\x26\x1e\x16\xd6\xbb\x5d\x9c\x23\x1f\xe3\xc9\xe8\x4f\xe5\x95\x65\xbe\xfc\x53\xfe\x9d\x11\x9e\xb5\x0c\xe0\x4e\x6e\x3c\x1d\xf2\x16\xae\x69\xc3\x13\xd8\x0b\xb6\xa7\x7e\x21\x9b\x94\x51\x65\x72\xee\xaa\x39\x8b\xfe\xa6\x49\x33\x5a\xe8\x11\x4c\xb0\x57\x42\x36\xf4\x61\x31\x67\xd9\x75\x8b\x53\xb6\x6c\xb6\xba\x75\xd7\x5a\xf9\x2f\x3c\x6e\x63\x8b\x82", 250); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/5, /*buf=*/0x2000000052c0ul); if (res != -1) { r[17] = 
*(uint32_t*)0x2000000052c4; r[18] = *(uint32_t*)0x2000000052c8; } break; case 24: memcpy((void*)0x200000005340, "./file0\000", 8); *(uint64_t*)0x200000005380 = 0x355; *(uint64_t*)0x200000005388 = 0x100000001; *(uint64_t*)0x200000005390 = 5; *(uint32_t*)0x200000005398 = 7; *(uint32_t*)0x20000000539c = -1; *(uint32_t*)0x2000000053a0 = 0xee01; *(uint32_t*)0x2000000053a4 = 0; *(uint64_t*)0x2000000053a8 = 7; *(uint64_t*)0x2000000053b0 = 2; *(uint64_t*)0x2000000053b8 = 2; *(uint64_t*)0x2000000053c0 = 6; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000053d0 = 7; *(uint64_t*)0x2000000053d8 = 4; *(uint64_t*)0x2000000053e0 = 0xfff; *(uint64_t*)0x2000000053e8 = 0x17b; *(uint64_t*)0x2000000053f0 = 0xffffffffffff27a1; memset((void*)0x2000000053f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000005340ul, /*statbuf=*/0x200000005380ul); if (res != -1) r[19] = *(uint32_t*)0x2000000053a0; break; case 25: *(uint32_t*)0x200000006480 = 7; *(uint32_t*)0x200000006484 = 0xee00; *(uint32_t*)0x200000006488 = 0; *(uint32_t*)0x20000000648c = 0; *(uint32_t*)0x200000006490 = 7; *(uint32_t*)0x200000006494 = 8; *(uint16_t*)0x200000006498 = 0x3ff; *(uint32_t*)0x20000000649c = 0x10; *(uint64_t*)0x2000000064a0 = 2; *(uint64_t*)0x2000000064a8 = 8; *(uint64_t*)0x2000000064b0 = 0x7fffffff; *(uint32_t*)0x2000000064b8 = r[8]; *(uint32_t*)0x2000000064bc = 0xffff; *(uint16_t*)0x2000000064c0 = -1; *(uint16_t*)0x2000000064c2 = 0; *(uint64_t*)0x2000000064c8 = 0x200000005440; memcpy((void*)0x200000005440, 
"\x4c\xf7\x7c\x89\xa8\xa3\x6d\x9b\x71\xd1\x6c\x43\xca\x99\xca\xec\x65\x90\x56\x4d\x89\x51\x86\x4c\xcc\xc3\x48\x10\x2a\x77\x79\xcd\x97\xd9\x51\x00\x3a\xe8\x76\xa9\xa0\x30\x1c\x11\x86\x7f\xf6\x43\x2c\x9c\x54\xbd\x04\xee\x43\x3f\xce\x5f\x5d\xb9\xeb\x71\xb7\x62\x21\xd2\x84\xc7\x8d\xc7\xdb\x27\x84\x0c\xa0\xb1\xe9\xa5\xa1\x19\xf0\xd7\x4f\xf6\x48\x5b\x52\xa9\x86\xa6\x71\x7f\x3c\xfd\x72\x6d\x0a\x6a\x03\x8b\xed\x21\x89\x34\x4a\x3d\x14\xc2\xf1\x19\xbf\x2e\x54\x3f\xe4\xe7\x16\xbc\x4c\x5b\xec\x83\x76\x7d\xa2\xf9\x7d\x1c\xce\x4b\x26\x96\xbc\x5f\x99\x89\xfd\x42\xdc\x97\xa0\xc1\x6c\xdc\x2f\xa9\x67\xad\xaa\xa2\xba\xc7\x30\xe2\xcb\xda\x74\x4d\xc3\x12\x1e\x3f\x01\x5b\x66\xea\xe8\x91\x56\xb2\x62\x63\x9f\x95\xbb\x01\x4a\xba\x78\xbf\x2a\x48\x01\x49\x9b\xf3\x82\x68\xd7\x7d\x99\x49\x4a\xef\x48\x6b\x9b\x38\x8a\x1e\xba\xcb\x4b\x77\x1a\x52\xbf\xa2\x99\x90\xe9\x36\x18\xaf\x03\x76\x2f\x95\x3e\x34\x80\xfe\x01\xdd\xe9\x2c\xa7\x83\x5c\xcd\x5e\x88\x64\xdb\xc9\x10\x0d\x25\xc4\xfa\x63\x2c\x9f\xeb\xdd\xfd\xb1\xe7\x7f\x1b\xcd\x76\x79\xea\x46\x89\xd2\xc8\x50\x4e\x50\xaf\x69\x52\xc8\x89\xd3\x28\xc1\x2c\x66\xc9\x0d\x8e\xad\x36\x92\x70\xd9\x4e\x5a\xa3\x42\xfb\x23\x87\xdc\x7c\xfe\x6e\xde\x70\x54\x64\x98\x5f\x30\x1f\xeb\x34\xb0\x02\xcc\xef\xb8\x0f\xde\x10\xd9\xfc\x1c\xb3\x9b\x5f\x87\x75\x24\x98\x6d\xd1\x24\x47\xa7\xc9\x6f\x63\x50\x7c\xb4\xd8\x80\x68\xed\xfd\x77\x48\xfb\x2b\x66\x7a\xe1\xae\xdb\xb4\x16\x37\x75\x74\xd7\x0a\x3f\x6d\xe4\x6e\x4a\x3e\x5c\x14\x9a\x64\xa4\x36\x46\x66\xbd\x99\xfd\xb0\xe4\x13\xa1\x33\x5b\xa9\x32\x57\x5d\x1e\x92\x28\x50\x8d\x61\x4b\x66\x3a\xb1\x7a\xcb\x21\xb2\xac\x4d\x36\x18\xa6\x59\x43\x80\x4d\x5b\xa5\x2c\xbb\x04\x3a\x96\x19\x86\x12\x02\xb5\x05\x14\x0e\x48\x44\xb8\xce\xb6\xfa\xf5\x02\x42\x23\xd9\x63\x6c\xb0\xbe\x38\x4a\x4c\xc1\xdd\x3d\x4f\x35\x76\x29\x52\x1a\x07\x69\x84\x18\xdd\x1a\x97\xc3\x94\x17\x19\x6f\x86\x1a\xfb\x05\xbd\x70\x2f\x4c\xcd\xc3\xd4\x4b\x5a\x41\x93\x37\x8b\x93\x6f\x53\xc5\xc4\xb0\x9c\x98\x58\xbe\x95\xe3\x49\xba\xeb\x7e\xb4\xda\x30\x94\x00\xa4\xdb\xb0\x8a\x24\xd0\xbb\x3
7\x72\xbe\xe7\xa3\x87\x3c\xf8\xd7\x6e\x06\xdf\x6f\x7c\xe5\x91\xf4\x0b\xdc\x84\x9e\xa0\x4c\xad\xe8\x86\xf0\x75\xe1\x45\x8f\x02\x1f\x1b\x73\x0b\x0c\xb5\xc3\x28\xb9\x11\x41\x2a\xee\x96\x16\xab\x5f\xdc\x83\x1e\x34\xce\xa6\x9d\xe1\xa4\x08\x06\xaa\xfd\x4e\x64\xd3\xcd\x70\xc1\xa6\xc6\xf6\x36\xd3\xbb\x94\xc9\x95\x97\x7c\x59\x4f\x0f\x4e\x90\xd7\xae\xc4\x3f\xec\x4c\x8a\xa7\x07\xd0\x0d\xfa\x26\xff\x9d\xb8\xa4\x5e\x6a\xc6\x5b\x5e\x5c\xea\xc4\x3f\x78\xb5\x0f\x1e\x4f\x49\x4c\x85\x82\x7b\x3f\x0e\xa1\xf7\xa4\xfe\x3b\xbb\xd3\x90\xe3\x61\x66\x28\xed\x47\x70\xdd\x36\x66\x94\x89\x35\x13\xdc\x1c\xd2\x52\xd3\x88\x7a\x2f\x19\xa8\x46\xd1\x8e\xe7\xba\xf8\xb5\x68\x0e\x61\x80\x0b\xaa\xf0\x04\x18\x10\xa5\xa2\x1f\xe0\x6c\xba\x83\xe0\x62\x1b\x26\x26\xc3\xec\x5b\xa6\x2d\xfe\x1f\x94\xae\x16\x11\x4c\x9f\x89\xe8\x94\x58\xa0\x69\x22\x2b\x43\xb4\x50\x4d\xca\x5f\xd9\x69\xc0\x66\x66\xdc\xf9\x82\x43\x46\x31\x59\x7b\xab\xaa\xd4\x65\xcb\x73\x9e\x72\x83\x5f\x69\xad\x69\x9b\x0e\xfb\xe2\x16\xa1\x2c\xc1\x88\xd5\x4b\xeb\x66\x86\x1c\x78\xc8\x02\x25\x43\x8d\xeb\x75\xb3\xaf\x96\xa6\x0a\x08\x4e\x68\xed\xce\xca\x25\x2c\x22\x22\x5b\x4f\x3e\x56\xe9\x9f\x97\x6c\x2a\x08\x2a\x29\xf4\xa5\xbc\x3d\x0c\x25\x1f\x91\x22\xb5\x84\x66\x1f\x39\xbf\xd1\x8d\xfb\x9d\x57\xa5\x91\xc6\xd7\x01\x3b\x42\x0b\xd1\xe4\xc4\x7e\x80\x4c\xc4\x0e\xdf\xfa\x4d\xc9\x0c\xda\x1d\xe0\xa6\xe5\xf0\xd7\xa4\xd1\xc0\xa0\x2b\xf9\x25\x82\x90\x06\x43\xf9\x7f\x8f\x2c\xc1\x37\x68\x37\x4c\xc1\x36\x10\xf2\x7c\x3a\xb9\xd6\x93\x14\x79\xd0\x21\x5c\x4a\xd6\x69\xef\x80\x2e\x32\x92\x87\x88\xc5\x25\xf7\x52\xed\xae\x47\x7f\xf8\x9e\xa3\xf0\xc8\x7d\x9e\xc7\xeb\x1e\xf5\x12\xdc\xab\x10\x37\x28\x42\x91\x86\x13\x22\xf8\x72\xaa\x26\x1f\xa4\x67\x46\xed\xd8\x39\x85\xee\x32\x0f\xef\x53\xb1\x15\x18\xf5\xd5\x8f\x84\x68\x19\xb8\x8b\x16\x58\x8c\x13\xdd\x01\x90\x58\xa1\xce\x86\x5b\x4e\x68\x5e\x94\x78\x53\x9b\x9b\x9a\xf6\x9a\x13\x12\x6d\x6a\xd3\x0b\x2b\xac\xb1\x44\xc0\x2f\xfb\x15\x39\x66\xd2\x0f\x56\x56\x84\xa8\x74\x91\x31\xc7\xde\xf8\x8f\x2c\x87\xe4\x8e\xac\x6c\x0a\xf5\x76\xcc\x86\x11\x1
8\xa9\xb7\x18\xdc\xa2\xea\xfb\xc5\x41\x3b\xb6\xe7\x51\x37\x46\x47\x9b\xd8\x01\xf0\x7b\x94\x65\xbd\x80\xd0\xdc\x3d\x83\xee\xb7\xd6\x88\xf9\x13\xbb\xc7\x87\xb2\x3a\x90\xa8\x63\x7c\x57\x98\x84\xa1\x58\x5d\x53\x23\xb0\x4a\x44\x9f\xee\xbd\x0c\xbe\x2b\xc3\x27\x21\x24\x4e\x92\xe5\xd0\x33\xe2\x0d\x0b\x2c\xcf\x8e\xd5\xe2\x39\x00\x19\x9d\xc5\xec\xde\xa4\x29\xa2\x59\x61\xc9\x07\xaf\x8d\x93\xd5\x7d\x5d\x0d\x7f\xf9\x90\x31\x0a\xc0\x92\xdc\x44\x7e\x88\xcf\x81\x61\x7b\x67\x75\x4a\xd8\xee\x0b\x12\x53\x2c\x73\x13\xd1\x5f\xd6\x5c\x9f\x65\xc0\xa9\x4b\x75\x5a\x09\xd2\x40\x78\xbd\xe2\x75\xa4\x44\x57\xec\xa4\xc8\xb2\xb3\xbc\x0d\xfd\x4c\x8a\xcb\x9d\x2c\x6c\x4a\x8d\xaa\x22\xa6\xcd\x96\x1b\x44\x76\xb0\x78\x80\xf8\xcf\x09\x88\xbc\xe7\xdd\x8d\x3c\x3f\xbd\x9c\xfd\xb6\x56\x3b\x68\x10\x34\xb2\x72\xfb\x3c\xde\x59\x1d\xe8\x03\xd0\xb6\x84\x05\xd2\x5d\xea\x80\x1e\xe8\x71\x3a\xeb\x54\x98\x19\x83\x95\x79\x9d\xb2\xab\x19\xfb\xce\xdb\xaa\x3c\xed\x3e\x12\x4d\x29\x3d\x63\xee\x8c\x12\xd9\x31\x07\x9f\xd9\x4c\xa0\xfb\x5c\x45\x69\x32\xa0\x7a\xc6\x65\xb9\x41\x0d\x12\x37\x73\x58\x72\x76\x67\x64\xc0\x5e\x85\x2e\x06\x1d\xc3\x99\xbb\x31\xed\x48\x8d\x1b\xa5\xae\xf5\x3a\xc7\xb4\x53\x6c\x6e\x5f\xc4\x5c\x96\xa9\x93\x85\x51\x2f\xe6\xee\x8a\x22\x78\xa0\x6b\xe1\x9a\x7c\xdd\xf3\xca\x67\x8b\xdd\x73\xc2\x55\xc1\x59\xea\x07\x35\x57\xd6\x66\xf6\x7b\x9d\x1b\x99\x68\xe0\x23\xf6\x36\xc6\x93\xa8\xad\xfc\x92\x3a\xcf\xf1\x08\xed\x43\x70\xbb\x96\x6b\x0f\x4c\x05\x03\x4b\x08\x57\x6c\x2b\xc8\x9c\xee\xb5\x7c\x63\x3d\x2a\x7c\x87\x66\x5b\xe7\xe7\x5f\xfb\x30\xed\xb5\xfe\x9f\xcd\xc7\x25\x6a\x01\x12\xd4\x9f\x52\x03\x18\x00\xb7\x0f\x69\x80\x38\xf0\xf1\xf8\x12\x23\xcb\xe0\xe3\x0b\x47\xe8\x05\x70\x97\x1d\x4f\xa8\x4d\xa5\x80\x99\xf8\x75\xac\x76\x32\x3c\x5a\xc2\x5b\x69\xc5\xea\xf6\x78\x25\xab\x8a\xc9\x8c\xbd\x6d\xc0\x16\x37\x51\xa4\x7a\x1e\x52\x99\x8e\x00\xe0\x5c\x1c\x69\x01\xf5\x04\x34\x03\x18\x72\x79\x02\xb1\xed\x2b\xd2\xcf\xf2\xd2\xed\x09\x60\x1a\x8c\xed\xf4\x52\x8c\x1c\x13\xa6\x70\x37\x5f\xe3\xa6\x85\xc7\xcb\x14\x72\x3b\x55\x9c\xe2\x78\x6c\xa
2\x95\x5a\xe3\x51\xef\xf8\x39\x75\x8c\x31\x1e\x99\xed\x53\xff\x12\x83\x72\xbf\x9f\xc3\x8c\x57\x0b\xd9\x00\xb4\x97\xc9\x31\x61\xc3\x4d\x8b\x4e\x48\x06\xeb\xcc\xda\x16\x11\x44\x5e\xa9\xd6\x76\xbd\xc1\x46\xea\x5b\xa1\x00\xfc\x5d\x99\x5b\x2c\xa6\x07\x09\xfa\xbb\xf6\xaa\xbb\x01\xef\x24\x3a\x12\x9a\x3c\x67\x38\xcf\x66\xf6\xd3\xe3\xb0\x03\x20\xbe\x0f\x85\xe7\x54\x87\x89\x37\xe3\x97\x62\xde\xbb\xf5\xa3\xe7\xa8\x11\x10\x35\x66\x34\x0f\xdf\x7d\xac\x84\x50\xe6\x8e\xff\x10\x2c\xbf\xd4\x95\xa8\x01\xde\x06\xe7\x4d\xf5\x7f\xe0\x6e\x15\xed\xfb\xa4\xda\x71\xa4\x33\x39\xc5\x24\x8f\x42\x2e\xe2\x9a\x22\xef\xa4\x93\x69\x0d\x97\x24\x6e\x20\x83\xbe\x24\xc2\x1e\xe4\xf2\xf1\xd6\x0d\x75\x3b\x2d\xa7\x5a\x15\x40\x8a\xf7\xf4\xff\xc3\xf1\x16\x73\xb8\x93\x45\x79\x57\x50\xc2\xea\x6b\x6c\x78\x9c\x9e\x4e\xd0\x93\x05\x61\x71\xe9\xfd\x9a\x67\x54\x86\xa4\xa5\x1a\xfa\x96\x7e\x00\x9c\x5a\xb5\xda\x74\xfb\x7f\xcd\x00\x04\x4a\xb9\x4b\x28\x7b\x54\x21\x78\x48\xd4\x78\x48\xd6\xa1\x16\xae\xd4\x1d\x45\x4c\xdc\xbf\x4a\xd8\xd8\x6e\x62\x99\x97\xe3\x08\xb8\x6e\x23\xea\x1b\xf1\xa4\xd2\x52\x96\xb1\x9f\xa7\x9f\x2a\x8c\x9b\x13\x70\x2b\x76\x28\xc8\x9f\x71\xba\x6d\x5c\x3a\xa6\x56\xd4\x31\x8c\x4e\xc3\x30\x5b\x9d\x7a\xe2\x93\x74\xe9\x35\x67\x09\xc4\x6d\x40\x1c\x6b\x74\x51\x18\xbc\x70\xd1\xac\x74\xfb\xc5\x7d\x92\x48\xb1\xa9\x15\xde\x03\xdf\x36\x7a\x9a\x10\x44\x75\x27\x75\xe3\xb3\x36\xa9\x35\xbc\x08\x2a\x2c\x88\x29\x9f\xad\x16\x99\x3f\x6e\x3f\x43\x73\xde\x0c\x48\x8a\xf1\xaf\x00\xad\xb9\x40\xcb\x45\xf5\xcf\xd5\x37\x2d\x6c\x0a\x4c\x69\x6f\x96\x63\x6d\x52\xd2\x79\x39\xde\x72\x99\x74\xa9\xa5\xbe\x21\xf9\x9b\x49\xfc\x6d\x4c\x65\xac\xa9\x8c\x28\x74\xf3\x67\x1d\xe2\x92\x64\x94\x1c\xd4\xa4\xa6\xbe\x0b\x20\x21\xac\x02\xad\xcd\x17\x56\xbf\xcf\xf1\x0e\x76\x55\xdb\x95\x8b\xb9\x99\x81\x0d\x8b\x3f\xee\x98\x32\x64\x6d\xed\xbe\xee\x86\x89\x2e\xce\xb4\xfa\x04\xb7\x28\x4f\xdc\xe5\x66\x9d\xc7\xee\xb7\x75\xd0\x09\xca\x17\x6d\x82\xbb\xdd\xd4\x26\x27\x16\xef\xbb\xe1\x8c\x8c\x79\xf6\xc7\x6c\xb5\x9b\xfa\x82\xa1\x9a\x66\x81\xe0\xd5\xa4\x9d\xbd\x64\x2
9\x33\x64\x8a\xf8\x81\xc5\x69\x40\xe8\xc5\xe1\x8f\xb8\x28\x8c\x35\xe1\x30\xe1\xf6\x28\x17\xaf\x3f\x18\x7d\x00\x2d\x1b\x9a\x1d\x58\x4b\x66\x2e\xbc\x5c\x9c\x95\x20\xc4\xd5\x16\x64\x9f\x2d\x99\x36\x3e\xff\xf1\x16\x34\x8c\xae\xd4\x35\x56\xb5\x8e\xa9\xb7\xc4\x25\x5f\xd2\x7e\xfb\x05\xed\xec\xe7\x55\x35\x96\x3d\x32\xef\x59\x7e\xb1\x33\x49\x5d\xc6\xff\x01\x17\xd9\x23\x02\x7f\x10\x8d\xbc\x64\xcb\xaa\x4b\xed\xd5\x65\xe0\x57\xa0\xe2\x86\x49\x90\x8d\x87\xab\x01\x64\xa1\x15\x5a\xbe\x46\x03\xec\x3f\x81\xc3\xb5\x32\x7e\xd0\xd5\xe1\xfc\x89\x01\x62\x51\x0a\xfc\xa7\xb9\x1d\x61\x85\x75\x73\xf6\x18\x43\x86\xa7\xa7\xcb\xfb\xa8\xef\xf7\x9f\xb8\x83\xd0\x4a\xa6\xbb\x7f\x93\xf7\x76\xa3\x75\x56\x5f\x67\xa0\x37\xe4\x75\xe2\x8b\x57\xf4\x2c\xa0\xfc\x54\xa3\x0b\x9d\x91\xee\xd1\x24\xcd\xc1\xbc\x53\xfe\xaa\x47\x58\x28\xf2\x0d\xb8\xba\x50\x81\x5c\x81\x2a\x1e\x9c\x74\x54\xcd\x41\x44\xeb\x9a\x42\x3e\x6d\x17\x2e\xde\xe0\xba\xd9\x4c\xd1\x50\xbb\xeb\x4d\xea\xbc\x6e\x98\xe3\xe5\xf7\xc6\xbb\x47\xf3\x5f\x11\x0e\xec\x4b\xa6\x32\xe9\xc4\x26\xaf\x69\x9a\x5b\xd6\xc2\x33\x1e\xf0\xc1\x1d\x24\xa5\xa3\xf3\x88\x8f\xae\x3a\x36\xa8\x9f\xb8\xa0\xdb\xdb\xa9\xca\xdf\xb9\xe0\x52\xa9\x3f\x00\xed\x75\x75\x5b\x4d\x78\xd9\x9a\xaa\x84\xf6\x9d\xcc\x6a\x6a\xb0\x5e\xad\xd8\x17\xb9\xf7\x04\xe9\xa7\x69\x7a\x31\x5f\x36\xac\x99\xd2\x99\xb5\xcb\x8a\x2f\x0c\x7c\xd5\x3a\xa1\x6f\xda\xd2\x33\x19\x47\xd8\x1a\x52\x73\x4d\xc3\x8e\xfd\x03\x09\xb4\x83\x7f\xcc\x18\xc8\x8a\x0c\xb8\xbf\x5f\x96\xe4\x20\x91\x92\x26\x6a\x2c\x7f\x60\x37\x1d\x41\xfc\x8c\x7d\x05\x0a\xe4\x3b\xf5\xf6\x74\x07\xb5\x4f\x4b\x73\x1e\x0f\x71\x95\x65\x9c\xd7\x1e\xcc\xcf\x87\xe6\x8e\x1b\x4b\xb8\x74\x70\x73\x36\xca\x5b\xce\x6a\xe7\xd5\x88\xd6\xd6\x8e\x2f\x66\xea\xf0\xfa\xa2\x6d\x48\x8e\xf0\xa1\xa0\xb5\x96\x86\xaf\x81\x20\x55\x8f\xd7\x6c\x9d\x19\x59\x0a\x96\x11\xd5\xf3\xec\xa0\x0e\x14\x81\x94\xd9\xb6\x95\x94\x12\x4b\xe0\x05\xcd\xde\x6d\x57\xb2\x6c\x53\xac\x64\x88\x23\x6d\xe7\xdc\x8e\xf1\x7e\xee\x67\xcd\x94\x8e\x32\xd8\xc1\x1f\x14\xbd\x24\x78\xb5\xd7\xe2\xc1\xd3\x9d\x02\xb4\x75\x9
5\xce\xbe\x08\x51\xf9\x94\x48\x96\x0d\xd6\x4c\x14\xa8\x4d\xac\x88\x7c\xe5\xb3\x93\x09\xb1\x53\x0b\x71\x29\x5c\x36\xb1\xb1\x95\x92\x24\x2d\x66\x17\xf9\xba\x31\x5c\x8d\x0a\x9d\x39\x79\x25\x41\xd1\x1c\x0e\xc9\x99\x97\x51\x69\xe8\xaf\x06\xa4\x44\xb7\x16\xc4\x52\x40\xb3\x15\xa0\x89\x61\xfa\xc6\xa6\x96\x81\xd8\x32\x19\x8a\xad\x3d\xe1\x0e\xf3\xa4\x88\xf5\x07\xab\x56\xfd\x19\x4f\x6d\x94\x37\x6d\x24\x96\x8d\x5c\xaa\xdf\x3f\x2c\x3e\xfb\x66\x7d\xd1\xd1\x9b\x18\xdc\x8d\xab\x53\xdf\x92\xc2\xdc\x0f\xb4\xad\x49\xaa\x80\x34\xcf\x6f\x9e\xae\x62\x20\xbe\xae\xc0\x87\x84\xca\xc7\x65\xda\x9e\x98\x21\x9e\xca\xe0\xfb\xa0\x94\x24\x0d\x3d\xf3\x4f\x3c\x89\x53\x9b\x20\x6a\x9a\xf3\x8d\xac\x75\x87\x4b\x0b\xee\xed\xc9\xb3\x79\x5d\x5f\x1d\x1f\x90\x65\xa8\x1a\xc5\xe1\x55\x88\xc1\x79\xc4\xb0\xef\xfc\xba\x46\x6b\x91\x70\xb1\x2e\x72\xfb\x52\x5a\xcc\x0e\x2b\xf5\xb8\xc4\x3e\xfb\xdf\x53\x27\x9e\x5c\x9f\xee\x04\xb0\x29\xdb\x52\x20\xba\x82\xd4\x93\x0e\x96\x37\x4b\xaf\x43\x38\xae\xf5\x55\x0f\xb5\x92\x20\x15\xa1\xf9\xf0\x76\xf3\x61\x5e\xe6\xd8\x14\xda\x80\x8d\x1b\xbc\xad\x1b\x17\x6d\x5b\xb2\x0b\x79\x58\x82\x47\x6c\x0c\x72\x34\x5e\xb1\x61\x34\x80\x7a\x82\xb9\xd8\x6c\x9d\x7a\x4d\x84\xd1\x89\xbe\x30\x9b\xa0\x25\x30\x3e\xea\x18\x89\xb0\x5c\xdc\xea\x4c\x20\x73\xcf\xb3\x0b\xb3\xb9\x0f\x35\xbc\xd6\xee\x79\x0f\x13\x60\xf9\x63\xdc\xd6\xbe\x81\x16\x8d\xe7\x5e\x1d\x04\xe8\x15\x0d\x2c\x00\x00\x5d\xf7\xfa\xde\xac\x9e\x5c\x3d\x20\x26\x79\x9c\xbb\x2a\x2d\xb4\x26\x8e\x4d\x1c\xb6\x14\xf1\x58\xef\x12\xa0\xb2\x28\x2e\x42\xba\x33\xff\x9d\x67\xce\xda\x79\x32\x0f\x1d\x89\x72\x77\xf4\x86\x58\x8a\x0d\xc0\xe4\x6c\x1c\x0f\xa2\x23\xbe\x06\xcd\xac\xa9\x09\x48\x33\x58\xbe\x8b\x18\x2b\x37\xe3\x78\x9f\x7c\x93\x95\x9c\x0b\x45\x33\x5b\x2c\x00\xca\xd1\xa7\x0f\x8d\x04\x08\x13\x83\xa7\x9c\x3f\xd5\x95\xfc\x86\x47\xbb\x65\x52\xc6\x08\x1c\x26\xc7\x20\xed\x1b\x22\x9a\x19\x2b\x9a\x91\xfa\x1e\x12\xcd\x31\x84\x0f\x86\xe0\xda\xd7\xfe\xb7\xda\xde\xad\xd2\x32\x70\x9b\xc9\x9a\xa8\xfb\xc3\xa8\x7a\xf0\xd5\xc8\x2e\x53\xac\xeb\x61\x22\xbf\x9b\x71\xb7\xbc\x9
2\xa0\xa0\x63\x95\x7c\xc6\x66\xfa\xfb\xad\x1f\x68\x8b\xd9\x11\x60\x8b\xfc\x76\x81\xc6\x4d\x81\x91\xc5\xd0\xc8\x0f\x7d\xed\xd5\xa9\xad\x4e\xbc\xcd\x04\xe2\x61\x8d\x9a\xad\x12\x1f\xd9\xaa\x8b\x8d\x68\x48\x72\x0a\x73\x67\x22\xc7\xec\xed\x31\x54\x04\x19\x65\x9c\x09\x11\xa0\x6e\x03\x9e\x95\x9c\x84\xdd\x5c\xc1\x64\x0e\xba\x08\x50\x5e\xa4\x89\xa1\x21\xdd\xca\x4a\x09\xc6\x3b\x2e\x27\x1d\x1e\xdb\x91\xae\xa0\x42\xe9\x2b\xea\x12\x93\x9a\xb6\xd4\x15\x7e\xfa\x94\xa6\x8d\x07\xb5\xf9\xb2\x05\x8b\xcc\xae\xf5\x82\x6e\xbd\x37\x65\x7a\x99\xbe\x45\x13\x4a\xa3\x0a\x84\xa4\xc4\xe0\x8e\x46\x3b\x75\x64\x5c\x2b\x72\x6c\x14\xf3\x57\x50\xef\xa6\x80\x40\x8d\x1e\xa9\xf3\xf5\x6f\xeb\x10\x60\xc7\xb8\xe8\x11\x46\x81\xc2\x49\x92\xaa\x2e\x1e\x65\x21\x9a\x03\x6a\xfc\x03\x4d\xba\x75\xa3\x90\xaf\xce\x29\x63\xd7\x56\xc7\xea\xf6\x7d\x21\x3c\x75\x37\x19\x35\xf9\xea\xb4\xd4\x28\xc5\x43\x22\xe3\x24\x98\xa4\x34\x02\x54\xcc\x41\xfb\xb5\x5c\xf6\x3b\x4f\x3f\x43\xc8\x93\x01\x01\xf3\xae\x35\x42\xfb\x96\xac\x77\x62\x63\x78\x9a\x98\x4a\x3a\x62\xbb\x46\xc5\xa4\xa4\x1b\x85\xf9\xd6\x6b\x47\xfb\x28\xea\x76\x5b\xbc\xdb\x52\xb0\x1f\x4c\x15\xeb\xe1\x88\xb4\x54\xc3\xae\x27\x7d\xc8\xa9\xf8\xa1\xc6\x34\x16\x3c\x63\x1b\xd5\x43\x0a\x8a\x80\xb8\x0b\x37\x33\x41\x3a\x1e\x00\xeb\x3f\xff\x34\xbc\x5a\xa8\xd9\x07\xd7\x9d\xe8\x86\x6c\xbc\x6f\x10\x66\x13\x56\x27\x77\x16\xc8\x84\x74\xbe\x9b\x39\x30\x18\xa7\xd8\xb9\xb3\xe1\xce\x4b\x7a\x32\x6b\x77\xf6\x2f\xcf\xa9\x49\x4e\x1b\x7c\x02\x80\xc3\xa2\x5e\xe3\x46\xc9\x4a\xe4\xcb\x3a\xf3\xfe\x09\x53\x4e\x63\x83\x6d\x5a\x00\xa6\x28\x08\x74\x2f\x5c\xc9\x26\x08\x8a\x6e\xd1\x1e\xa2\x05\x1a\x33\xc6\x0b\x2d\xed\xd2\x06\x9f\xc9\xfc\x2f\x2c\xd4\x53\x66\x61\x8e\x11\x00\x02\x16\xef\x80\x17\x16\x3a\xa8\x28\xea\xe1\xd1\x5f\x02\x06\x7a\xa4\x6a\xf4\x67\x75\x0c\xfd\xd3\x6f\x7e\xcb\xa0\xfd\x1f\x73\x82\xc2\xa7\x8a\xa4\x0c\xcb\x03\x7e\xd7\x24\x90\x75\x9f\x08\xe4\xa2\x57\xb7\x3e\x1b\x45\x19\xec\x47\x20\xd9\x08\x1d\xd4\x64\xa4\x7a\xd4\x68\xf8\x88\x1c\xa3\x02\x3e\x75\x31\x00\xae\x0a\x1b\x29\x89\xac\x57\x4e\xbb\x9a\xc
9\x13\x4b\xf1\x62\x02\xce\x61\xae\xaa\xfd\xf7\x68\x9b\xb9\x21\xc4\xa3\x9a\x46\xf0\x3a\x14\xde\xcf\xfe\xc7\x8c\xf9\xff\xd0\x1b\x4f\xca\x7d\x7b\xd4\x00\x30\xfe\xfa\x02\x59\x1a\x28\x45\x1b\xd3\x5d\xa7\x46\xdb\x7b\x5c\xdf\xd5\xee\x9e\xb6\xc5\x1b\x3b\xe0\x5f\xb0\xcd\x5d\x39\xe8\x10\x3b\x0e\x90\x3e\xec\x11\x0b\x3f\xf1\xf9\xdf\x98\x12\x32\xa5\x58\x23\x42\x81\x03\x9b\x46\x63\x76\x41\x84\x9d\x64\x12\xfe\xb7\x4a\x37\xb1\x39\x3c\x31\x51\x3c\xd9\x94\xad\x23\x9e\x20\xad\xdc\x7b\x6b\xe2\xbe\x44\x88\x57\xba\xcb\x20\xcb\x14\x69\xfe\x94\x46\x94\x6b\x6d\x60\x34\x9f\xf3\x92\x19\xf7\xc0\x02\xec\xb4\xdb\xfd\x31\x7f\x79\xd9\x50\xb3\x95\xdd\x77\xcf\xd4\x9a\x6f\xad\x36\xbe\x0b\xd4\x59\x1e\x4d\x2c\xa8\x37\xfe\x73\x74\xa3\x67\x92\xcc\xb0\xb2\xb0\x27\xc6\x9d\xcb\x08\x52\x74\x93\x09\xb9\x37\x17\x72\x72\xf4\xa8\x0d\x8e\x2a\x24\x99\x7f\xfc\xa2\x08\xb7\xf5\x28\xbe\x82\x11\x65\x56\xd2\x35\xf1\x7d\x57\x4d\x17\xac\xc1\xc4\xb5\x83\x63\xf0\x3f\x6b\x21\x77\xa2\xd9\xbd\x31\xd7\xda\x8b\x2d\x37\xea\x2a\x5e\xac\xe2\xb4\xf3\xea\xb5\x49\xcc\x55\xb3\x8e\x0f\x17\x31\xcc\x82\xef\x54\x8a\x5c\xb6\xa7\x56\x4b\x44\x2a\x86\xda\x73\x12\xa9\x4a\x13\x15\xe2\x70\xf3\x90\xa1\x97\xb9\x1e\x43\x5f\xa7\x04\x43\xf3\x87\xcf\x53\x73\x8f\x77\x5a\x23\x62\xa8\x72\x17\xb5\x74\xf8\xf6\x3c\xa6\x36\x13\x37\x52\x05\xdc\x19\x44\x98\xa0\xc9\x29\xff\x13\x00\x14\xd7\x42\x6a\xf7\xc0\xd0\x98\xd6\x9a\xff\x0d\xa1\x02\x7b\x12\x3c\x02\x3e\x73\x2e\x0c\xa1\xeb\x69\x5b\x42\x10\xad\xca\xef\x92\x85\xfe\xc8\xc8\x3f\xea\x7e\xfb\x3b\x5a\x09\xab\x0e\x26\xa2\xc0\x92\x6e\x15\x8e\xe1\x70\x89\xef\x7f\x8e\xab\x53\x75\x71\x8b\xa2\xe8\xab\x68\x3d\x2a\x1e\xef\xe2\x5c\x2e\x30\x3f\x41\x9e\xd0\x14\x23\x79\x98\x67\xe0\x2e\xb0\x1a\xe2\x00\x02\x20\x71\x36\xa6\x0a\x87\x50\x77\x39\x3a\x01\x9a\xe7\xdf\x3a\xad\xc5\xd4\xae\xd4\xd4\x59\xce\xdd\xe9\x66\xd8\x4f\xa6\x4c\x2e\x56\x48\x60\x17\x2b\xe4\x1b\x9f\xbd\xcc\x9b\xb2\x9c\xc2\xaf\x86\xbc\xb8\xda\x14\xd1\xd7\xef\xd6\xd9\x0f\xef\xd4\x73\xfb\xac\x5b\x05\x59\xac\x2b\xdc\x11\x0c\x7f\xda\xa9\x21\xd9\x20\x73\x1f\x36\x2f\x95\xd4\x2
6\x68\x0b\x73\x31\x2d\xa5\x8f\xac\xc4\xd0\xa1\xd7\xba\x59\x0b\x3e\x91\xc0\x3b\xf3\xb5\xf5\x00\xa5\xca\xe4\x6b\xed\x37\x37\x02\x12\x9e\xe2\xf2\x5b\x05\x00\x21\x9b\xbe\xc0\x50\x28\x59\x49\xf2\xde\x49\x48\x32\x89\x64\x32\x9b\x1a\x46\xa3\x84\x21\xc1\x37\xcb\x95\xb9\x92\x90\xb4\xf6\xcb\x46\xb5\x76\x69\x7c\x95\xb9\x37\x8e\x7c\x15\xca\xa0\x4a\xb0\xe8\xa0\x4b\x8d\xf8\xbc\x46\xd6\x15\xfa\x29", 4096); *(uint64_t*)0x2000000064d0 = 0x200000006440; memcpy((void*)0x200000006440, "\x1c\x3d\x61\xef\xc1\x46\x7b\x6b\x61\xe9\xe5\xf0\x6f\xa3\xd1\xdc\xc0\xe7\x00\x35\xdc\xc9\xc6\xc3\xb0\x0d\xf5\x89\x00", 29); res = syscall(__NR_shmctl, /*shmid=*/0x8001, /*cmd=*/0xfffffee8, /*buf=*/0x200000006480ul); if (res != -1) r[20] = *(uint32_t*)0x200000006484; break; case 26: res = syscall(__NR_getgid); if (res != -1) r[21] = res; break; case 27: res = syscall(__NR_geteuid); if (res != -1) r[22] = res; break; case 28: *(uint64_t*)0x200000006a80 = 0xfff; *(uint64_t*)0x200000006a88 = 0xd; *(uint32_t*)0x200000006a90 = r[6]; *(uint64_t*)0x200000006a98 = 7; *(uint64_t*)0x200000006aa0 = 2; memset((void*)0x200000006aa8, 0, 16); *(uint64_t*)0x200000006ab8 = 0xf; *(uint16_t*)0x200000006ac0 = 0; *(uint16_t*)0x200000006ac2 = 0x46; *(uint32_t*)0x200000006ac4 = -1; *(uint32_t*)0x200000006ac8 = 0; *(uint32_t*)0x200000006acc = 0xfffffffd; *(uint32_t*)0x200000006ad0 = 0xf7; *(uint64_t*)0x200000006ad8 = 0x7f; *(uint64_t*)0x200000006ae0 = 8; *(uint32_t*)0x200000006ae8 = 9; *(uint64_t*)0x200000006af0 = 3; *(uint32_t*)0x200000006af8 = 0x200; *(uint64_t*)0x200000006b00 = 4; *(uint32_t*)0x200000006b08 = 5; *(uint64_t*)0x200000006b10 = 0x62; *(uint32_t*)0x200000006b18 = 5; *(uint32_t*)0x200000006b1c = 0xff; *(uint32_t*)0x200000006b20 = 0x6cbf; *(uint32_t*)0x200000006b24 = 0x48; *(uint16_t*)0x200000006b28 = 0; *(uint16_t*)0x200000006b2a = 0x8001; *(uint16_t*)0x200000006b2c = 0x7f; *(uint16_t*)0x200000006b2e = 6; *(uint16_t*)0x200000006b30 = 8; memset((void*)0x200000006b32, 0, 2); *(uint32_t*)0x200000006b34 = 0x40; 
*(uint32_t*)0x200000006b38 = 0xffff; *(uint16_t*)0x200000006b3c = 0xa; *(uint16_t*)0x200000006b3e = 0xb04b; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0c0586d, /*arg=*/0x200000006a80ul); if (res != -1) { r[23] = *(uint32_t*)0x200000006a90; r[24] = *(uint32_t*)0x200000006ac8; } break; case 29: memcpy((void*)0x2000000016c0, "\x27\xfe\x2f\xfe\x47\x40\x4c\x4a\xc0\xa1\xec\xab\x30\xbb\xcb\x86\x4e\xad\x78\xfe\xd0\xc0\xe1\x75\xac\x99\x94\xf2\x2c\x05\xa4\x71\x88\x98\x8b\x3f\xf7\xcd\xde\xc1\xf6\xf3\x9e\x60\x61\x60\xf4\xf1\x99\xd3\x74\x5e\x26\xe2\x74\x8d\x68\xe3\x5a\x99\xf1\xbc\x4a\xc3\x20\x84\x63\x4f\x2c\x0b\xa5\xd1\xe0\x00\x0e\x2d\x5b\xee\x77\x7a\x2a\xb5\x09\xe7\xc9\x4c\x43\xf2\x97\xb8\x25\x93\x43\x78\xff\xa3\xbb\x79\x42\x25\x6f\xc5\x2a\x69\xe2\x38\x20\xcd\x52\x0e\x75\x59\xed\x9a\x31\xa9\x54\xdf\x95\x5d\xe5\xbc\x7c\x18\x55\xd9\x74\xb9\x5f\xf0\x0a\x84\xdc\x2d\x9a\xd6\x79\x64\x33\x44\x34\xd5\x28\xbc\xe5\x93\x48\x08\xb4\x8f\x8e\x25\x1a\x17\x9e\xb4\x7d\xee\x2a\x10\x8b\x50\x09\x2f\x55\x98\x16\x13\x6c\xff\xe9\xbd\x6e\x0a\x34\x00\x4e\x62\xd5\x0f\x73\xc1\x4b\x23\xce\x17\x51\x8f\x95\x4c\x4b\xc6\x1e\x61\x75\x75\x6c\x12\x04\xe2\xf2\x7c\x18\x2b\x9e\x3a\x7e\x3b\x82\x3d\xc2\xd2\x10\xe5\x23\x2c\x7a\xd0\xe8\xd8\xe0\x49\xf0\xe9\x20\x60\xb6\x20\x49\x9b\x0b\x8f\x4b\x4b\x97\x1d\x29\xa9\x7a\xe9\x4c\xe3\xce\xa6\xfb\x4e\x42\x96\xf7\x2e\x3d\xea\xbf\xf5\x62\xe7\x92\x43\x93\x3c\xfc\x53\x00\xe3\xc4\x1c\x6a\xb9\xc0\x55\x9a\xe2\x4b\x21\xce\x45\xbc\x69\xb7\xa1\xeb\x56\xc0\x8b\x82\x2b\xa1\x0f\xbc\xb0\xbd\x23\x8f\x6f\xcd\x60\xed\x24\x09\x2b\x3f\x47\xf1\x90\x0e\x3d\x33\x73\x37\x96\x49\xda\xa3\x95\x9b\xcb\x31\x9d\x7a\x74\xab\x3e\x62\xbb\x5f\xbd\xfa\x42\xf9\xd3\xb3\xe7\x34\x0e\xfd\x12\xd9\xdb\x73\x8b\x9a\x7a\x58\x1d\x91\x4f\x4d\xeb\x34\x00\x5a\xac\xae\xe8\x65\xdd\x59\x5a\xd5\xf0\x07\xc4\x8b\x51\x68\xe6\x99\xe5\x2d\xec\xc6\x66\x50\x9f\x0b\xac\x51\x6d\x5d\x8b\x1e\xcc\x1c\x99\xe6\x01\xb8\xf8\x5a\xf1\xc6\x76\x23\xfd\x2c\xff\x7b\x88\x38\x41\xae\xcd\xdf\x3a\x85\x23\x99\x80\xd3\xea\x2a\xe6\x37\x8d\x59
\xcc\x24\x2b\x2a\xbc\xda\x91\xe9\x18\x48\x7c\xfe\xa0\x37\x83\x90\x17\xee\xfb\xed\x85\xe0\xde\x24\x14\x8b\x3c\x67\xec\xad\xc8\xbb\xe5\x1f\xfd\xd0\x69\x6a\x55\xd8\xff\x21\x52\x31\x78\xa6\x82\x9e\xc4\xd3\xf2\x59\x77\x43\x3b\x85\xe9\x23\x8f\xe5\xd8\xb1\x43\x7c\x54\xa9\x33\x82\xfa\x15\x25\x49\xcf\xca\x4e\x47\x00\x70\x5f\x3c\xe5\xa2\x60\xa4\xb9\x43\xdd\x3e\x53\x2c\xc1\x96\xc8\x12\x95\x18\x22\x55\x66\xe9\x3e\x29\xa8\xc6\xf0\x2f\x05\x4a\x94\xee\x5f\xe2\x1e\x5a\xd5\xbf\x55\xdd\x7f\xde\x9a\xc6\x41\xf3\x47\xa9\x92\xe8\x19\x7f\xe5\xfc\x4b\x9c\x65\xef\x4d\x68\x79\x21\xdf\xf0\xf6\xcb\x82\xa3\xa9\x6f\x6d\xf1\xcf\xae\xdf\xfc\xed\x7c\xb0\x6b\x21\xde\x9b\x83\xcd\xe5\xf9\x6b\xda\xd6\xee\x4c\x61\x7b\x9d\xa7\x66\xcc\x44\x37\x12\xf8\x4e\xf7\xc3\x87\x08\x07\x0b\xd1\x9d\xb9\x0a\xbe\x25\x10\x09\xd9\xbb\xcc\xe7\xc4\x19\xbf\x7e\xfa\x7e\xa7\x00\x86\xa9\x5a\x27\xe7\x35\x9d\x3b\xcf\x81\x89\x9b\xb6\xb7\x56\x0c\x58\x22\x7d\xb9\x2b\xbe\x34\x2e\x60\x01\x9f\xf0\xcd\xbe\xec\x13\xbd\xb5\x6c\x5b\x5f\xdf\xdb\xce\x7e\x2f\x5a\x7d\x97\x1d\xbb\xc6\x4c\x59\xc5\x11\x1d\x0b\x45\x2a\xf5\x79\x80\xe2\x17\x85\xd5\xaf\x08\x84\x82\x2d\x12\xf4\x08\x1e\x83\x81\xd1\x6e\x0f\x41\x19\x36\x27\x4b\x90\x30\x21\x5c\x4b\x0b\x47\x07\x4d\xab\x09\xb9\xfa\x23\x22\xa8\x80\x50\xa6\x24\x48\xff\xb2\xbd\xbb\x9d\x6b\x87\x52\x1b\x3b\xfe\xb5\xde\x77\x36\xa4\xde\x11\xff\x4e\x56\xd4\x1a\xae\xd9\x00\x61\xe8\xf1\x3c\x37\x89\xa4\x4a\x63\xe7\x69\x02\xc4\xee\x9b\x6f\xc7\x35\xab\x8f\xf9\x52\x5a\xf0\xab\x52\x16\x7e\x04\xd3\x47\x96\x67\x85\x2b\x75\x5d\x00\x74\xcc\x95\x07\x80\x94\xdf\xe0\x39\x26\x00\x7f\xcf\x4b\x2b\x68\xe2\x62\xd1\x17\xdf\x6c\x91\x81\x27\xcd\x6a\x56\x42\xb8\x0c\x30\xbf\x91\x6a\x1e\x51\x52\x02\x29\xe1\xe0\xec\xe3\x5a\xc9\xb9\x09\xfd\x5f\xf9\x2b\x93\x0a\xa5\x5a\xe6\x0a\x2a\x7f\x52\x74\xe0\x47\xae\x70\xcd\x1d\x89\x4c\x3a\x93\x09\x4d\x5e\x88\xca\x4f\xf4\xa1\xf7\xa7\x4c\x25\x72\xc5\x91\xf2\x54\xec\x09\x46\xde\x4f\x96\x24\x83\x88\xb0\x6f\x7f\x0a\x7d\xaa\x49\x0f\x43\x59\x18\x4a\x76\xa5\x6a\x9b\xbc\xa5\x93\xc6\xf6\xfe\x47\x9c\x67\x5f\xb0\x2c
\x63\x54\x7d\x08\x04\x96\x3b\xbb\xfe\x5c\x66\x87\x69\xf3\xcf\x16\xbe\x9c\xd5\x11\x78\x03\x0d\x64\xcc\x2b\xb9\xd8\x26\x34\x39\x9d\xb8\x85\x9e\x48\x87\xc8\xce\xce\x4c\x85\x2f\x5c\xb7\x6c\xe7\x0a\x6c\x4e\xdd\x0e\x8a\x46\x5c\xbf\x78\x27\xb2\x1b\x55\x38\x57\x97\x71\xfb\x56\xb7\x99\x74\xaa\x36\x28\x85\x16\xbd\x08\xa9\x39\x49\x00\x16\x0f\x75\xd6\xbb\xe8\x9d\xe7\x0f\x8b\x5c\xea\xcc\x94\x19\xfc\x5a\x3d\x5e\xe5\xea\x78\x3d\x0c\xa8\x08\xa6\x24\x8c\x13\xad\x17\xc8\x73\xbc\x93\xe0\xe5\x0a\x39\x48\x7f\xb2\x5e\xc3\x23\x30\x70\xd7\x77\x6e\x7c\xe8\xba\x02\x2c\xcd\x8e\x2d\xb5\x64\x55\x94\xe0\xb2\xd8\x74\xed\xe7\x39\xf9\x3b\x61\x7f\xfe\xfa\xf3\xd8\x46\x8e\x66\xee\xcc\x85\x61\xfd\xb8\x1d\xd4\xfe\x7c\x77\x9d\xd9\x3c\xce\x31\x7a\x8f\x5c\xb8\x65\x51\xc2\x61\x66\xc7\x82\x4c\x87\x14\x0d\x96\x47\x50\x8c\xbb\xc1\x5c\x1d\x3b\x72\x08\x60\x91\x68\x90\x9e\x89\x0e\x9e\x9f\xd2\x67\x1d\x3a\x9a\x75\x27\xa7\x34\x47\x1f\x2c\x74\x80\x92\x6d\x8d\x18\xba\x6e\x24\xda\x6d\x6c\xee\x42\x2a\xeb\xfb\x14\xd1\xf1\x2a\x91\x5f\xfb\x73\x75\xcc\xb3\xec\xc9\x86\x3c\x45\x53\x4a\x97\xa9\x22\x43\x32\x17\xdd\xe2\x20\x35\x45\xaa\x98\x3e\x2a\x6c\x54\x65\x11\xd8\x62\x64\x28\xaa\xbe\x7c\xec\x1d\x0e\x81\x24\xde\x19\x83\xd5\xab\x1e\xd6\xe9\xde\xe8\x2f\x0d\xf4\x69\x9f\x4a\xb7\x07\x06\xc3\x4c\x75\x4d\x0c\xd8\xb6\xde\x54\x1c\xa8\xa7\x1d\x5f\x98\x25\xfc\x13\x15\x84\x80\xd5\x98\x0e\x64\x15\xcc\xa0\x5c\x57\x57\x89\x41\x69\x22\x3b\x43\xcc\x29\x63\x09\x18\x24\xcf\x95\x3f\xcf\x54\x53\x05\x58\xad\x5c\xe4\x22\xfc\xe9\x9f\x5f\x26\x50\xb7\xde\xc7\x02\xfe\x12\xbb\xb0\x8c\x28\x51\x9f\x08\xb6\x35\x4c\xf5\x8d\x01\xf0\x27\x23\x70\x70\xcb\x43\x8f\xe4\x80\x7b\x7b\x1f\x7e\xbc\x27\xf2\x74\xfd\x50\xef\x37\xad\x06\x0a\x7a\xdc\xdf\x65\x96\x2f\x8a\x52\xc0\x4b\x56\x9d\x7d\xb3\xd8\x6a\x0f\xeb\x6c\x78\xed\x1a\xdb\x36\x18\x66\xf7\xd5\x60\x65\x69\xd9\x10\xc6\x72\x7c\xdd\x76\xc6\xbb\x2a\x40\x5e\xd1\x2d\xfc\x2e\xdc\x81\x66\x67\x87\xf3\xa3\xa2\x39\xc6\x2f\x65\xd2\xd9\x8d\x8b\x07\xc5\x91\x13\x55\xa3\xa6\x20\x66\x46\xfe\x74\xc0\x75\xa6\x77\x80\x72\x87\x0f\xd6\x52
\xaa\x4d\xf9\xaa\x3b\x96\xf1\x45\xc3\xaf\xa7\x4f\x5a\xaa\x8d\x7f\xf0\x42\x7c\x93\x89\xdd\x54\x62\xaf\x0e\xb6\x82\x8f\x3a\xa5\x4c\x75\x2b\xb4\xc8\x9d\x18\x21\x07\x61\x72\xa9\x25\xf1\x46\xae\xf7\x89\xde\xb1\x4c\x6b\x6c\xb2\x87\x33\x88\xcb\xe0\xbe\x06\x28\x71\x04\x8c\x49\x67\x9d\x72\xc3\xf3\x25\xc7\x7e\xa3\x19\xed\x28\xfa\x27\x86\x10\x40\xf6\xbe\x5d\x4f\x32\xcf\x29\xca\xc1\x12\x43\xda\x04\x2b\xec\xf2\x12\x5d\x21\xe7\x35\x49\x3a\xc7\x69\x4a\xa9\x61\xee\x92\x44\x3f\xc5\x88\xc2\xad\xc0\xf9\x7a\xc7\xb5\xfa\xe1\x0d\x43\xdd\xb8\x1f\x31\x12\x85\x82\x18\x5b\x9a\xa1\x24\xfe\x6e\xd7\x80\xac\x95\x4f\x84\x42\x17\x67\xf9\x0f\x5c\x0b\x56\x94\x43\xd6\x3b\xea\xc0\x68\x4e\xd6\x8b\xc5\x03\x9a\x27\x56\x7b\xd2\x33\xb8\xf2\x67\x5e\x1a\xfa\x14\x0d\xf8\xe1\xe6\x4f\x0a\x90\xec\x55\x3b\x52\x17\x27\x39\xd0\xd6\xb3\x88\x49\x47\xf2\x66\x69\x29\xcb\x5d\xd7\x93\x19\x42\xc0\x6e\x9d\xf9\xec\x79\x17\xf1\xd9\x3a\x2f\x0f\xbe\x5c\xd0\xf5\x73\xc0\x10\x2f\xf0\x20\x5e\x4d\x59\xdd\xd6\x03\xdb\x5d\xa5\x66\x94\xbd\x92\x87\x3e\xe2\x1f\xe7\x78\x6a\x87\x42\x8b\xdf\x19\xa1\xa8\x7d\x72\xba\x69\x7f\xbe\x0e\xd9\x75\xdb\x5b\xb3\xa7\x05\x17\x7f\x3a\x13\x69\xe2\x9d\xec\x75\x81\xd4\x3a\xea\x38\x55\x94\x3f\xf4\xef\xa4\xd7\xaf\x36\x22\xc3\x19\xd7\x8b\x31\x08\x37\x88\xd2\x03\x10\x20\x82\x99\xca\x03\x47\xaf\xff\xe5\x4e\xca\xf1\xfb\xec\xe6\xe0\x93\x5a\xbc\x7a\xa8\xf8\x55\x3f\x99\x96\xff\x1d\x46\xb8\x8b\x78\xdf\x2f\xe2\x67\xf1\x69\x9f\x2e\xbf\x19\x25\xb8\xe5\x0c\xb4\x6c\x8a\x10\x3c\xfb\x55\x65\x10\x15\x5d\xdb\x84\x27\x6e\x1e\x0a\xef\x3f\x41\x1c\x7a\xf3\xd2\x05\x93\xb6\xfe\xc7\x00\x6a\xa7\xa4\xee\x33\x80\x2a\xad\x16\x89\x49\xda\xd9\xfa\x91\x18\x88\xd7\xf6\x1b\xf1\x6d\xb2\x26\x50\x03\x41\x6f\xb5\x76\xde\x44\xf8\x0b\x9c\x90\x1a\xce\x45\x4d\x2b\x04\xb3\x74\xf3\xdc\xfc\x38\xfd\xd6\xed\xcf\xab\x24\xd3\x67\xaf\xf3\xf6\xd8\x29\x8a\x41\x33\xd0\x81\x56\x3d\xe1\x36\x5b\xea\xff\x74\xda\x25\x2b\x24\x8f\xa6\x1d\x80\xe7\x2c\xbb\xd5\x85\x33\xe7\x51\x8d\xba\xe1\xa9\x25\xd9\x91\x2b\xfe\x70\xfb\xc6\x4b\x8c\x81\xce\x26\x25\x30\xbd\x11\xae\x83\xf3
\x66\xe3\x8c\x53\xbf\xd5\xa0\xda\xc9\x78\x5b\x92\x2b\xcd\xd1\xa3\xb6\x83\xf4\x3f\x8d\x48\x5d\xfc\xc6\xdd\x00\xb6\xcd\xde\xa0\x64\xf8\x46\xfb\x26\x93\xd4\x8f\xa9\x7b\x52\x63\xf5\x37\xea\xbf\x6c\x0e\x54\x9a\x78\xd2\xbc\xad\xb2\xe8\xfd\xb2\xb1\xb0\xf4\x7f\xd4\x9d\xc6\x1c\xa1\x05\x8b\xb8\x88\x2a\xa1\xca\x2e\xd3\x41\xfe\xb7\x37\xd5\xea\xae\x0e\xa0\x8f\x94\x5a\x04\xa3\x8b\x6e\x31\x37\xf9\x61\xa7\x56\x3a\xd1\x3c\xec\x30\x07\x2b\x91\x43\xe4\xf9\xc7\x82\x4e\x7c\xbd\xa2\xdf\x89\xb7\x4c\x14\x2d\xad\xaf\x5c\xa2\x4b\x6f\xe9\x09\xce\x3a\x1f\xf3\x7e\xe5\xa0\xb6\x61\xd3\x07\x39\xef\x0c\x37\x2c\xf7\xa1\xb4\xc6\xa0\xe5\x19\xb4\x8b\x40\xdc\x79\x4c\xd6\x13\x56\x75\x66\x09\xf6\x8d\xd5\x8f\x72\x4b\xdd\x86\xdb\x7f\x26\x49\xb9\x0e\x16\x35\x30\xca\x69\xf0\x69\x6a\xdd\xfc\xef\x84\xef\xc9\xf9\xe0\x4d\x9d\x6e\x18\xed\x17\xf7\x4f\xf8\x07\xe9\x2b\x0f\x33\x0f\xb6\xe0\x6e\x0e\x2f\x19\x3e\xa0\x3a\x18\x1c\x86\x73\x95\x0a\x19\xeb\xa2\x2f\xd6\xb1\xb5\x6e\xbb\x33\x6e\x02\x48\xc6\x4f\x93\x6c\xaf\xd3\x31\x1f\xd5\x0c\x50\xfc\x91\x61\x56\xbb\x28\x15\x6d\x15\xd7\xf4\xd5\xa7\x98\xd8\x62\x6a\xfc\x6b\xa7\xd2\x17\xd2\xc9\xf1\xa9\x8f\xed\xe6\x2b\x1b\xac\xfc\x31\x4d\xfa\x89\xe8\xcb\xb8\xc3\x7b\xd5\x26\xdd\x53\xed\xe8\x1b\x19\x53\xce\xf5\x17\x70\x3b\xab\xce\x44\x6e\x86\x3b\xf9\xd2\x46\xb0\x3b\x88\x50\x2c\x7f\xdb\xac\x4d\x87\xf1\xea\xad\x86\xed\x17\x0d\x71\x0d\x81\xea\xf3\x95\xae\xf6\x0d\xc1\x64\xd9\x11\x66\x01\xa5\xa5\x8c\x79\xa8\x92\x75\xc9\x5d\x28\x91\x2e\x87\x08\xfe\xe2\x47\x2e\x6b\x87\xd2\xe0\x77\xd3\x62\xc0\xba\x8f\x4b\xc6\xa5\xe3\x87\x45\xea\xe9\x10\x46\xbc\x61\xe6\xa0\x40\xcb\xfe\x38\x20\x4f\x17\xe6\x04\xf0\xe1\x40\x5e\x8e\xe0\x7d\x71\x41\xb6\x98\xbc\x2b\xe7\x69\x0a\x8f\x0b\xf3\x1d\x58\xae\x90\x6c\xb7\x0e\x4f\xe5\xfe\x03\x56\x31\xd7\x65\x33\xb7\xa7\xb0\x32\xe1\xb1\xee\xe2\x14\x28\x08\x4a\xfb\xcc\x93\x0a\x9f\x28\xe9\xf1\x7e\x26\x9a\x69\x97\xaf\x83\x8f\x95\xe2\xfb\x39\x5b\x54\x0a\x1d\x49\xf3\xd4\x29\x02\x74\xd2\xd3\x1f\x76\x08\x35\xff\x73\x51\xd2\x5b\x62\xe1\x35\xad\xf5\x9e\x01\x18\x87\x2d\x17\x84\x3d\x99\x15
\x4f\x46\x60\xfa\x8f\x48\xb6\xc4\x86\x8b\x1f\xbc\x6b\x84\xda\x61\xf9\x81\x23\x16\x7b\x06\x73\x70\xa5\x4f\xc6\xc5\xa6\x88\xe3\x1d\x42\x01\xac\x4c\x4d\x56\x46\xf9\xa4\xa4\xa8\x04\xa1\x75\x16\x7c\xf7\x9d\xda\x22\xf4\xd6\x86\x72\x81\xcb\x0b\x3e\x09\x99\xfa\xd7\xbf\x26\x51\x2d\x13\x14\x40\xa8\xf9\xec\x75\xfe\x9d\xf6\x80\x54\x78\x55\xd8\xc9\xb3\xb3\xf0\xd5\x14\x19\x7c\x2a\xf0\xd6\x72\x99\x13\x73\xb8\xd4\xac\x1d\xd5\x1e\x1f\x90\x74\x50\xd6\x21\x01\xb5\xe2\x61\x3e\xa2\x89\xc1\x94\xd0\x73\x5e\x1c\x5e\x16\x69\x09\xeb\x71\xee\x2a\x4e\xe5\xff\x99\x14\x0c\x0b\xec\xca\x26\x72\xfa\xf6\x94\x49\x38\xc6\x18\x09\xd8\xbf\x2f\xaa\x56\x1f\x9b\x56\xda\xb8\x5d\xed\x7e\xe7\x35\xd3\x00\xc8\xda\x84\xc5\x7f\x06\x7b\x2f\xe5\x09\x29\xca\xe1\x39\x87\x5a\xbb\xab\x08\x47\x42\xc9\x07\x06\xbc\x31\xfc\x4c\x68\x53\x88\x89\x71\x87\x69\xd1\xc6\xda\x0e\xe1\x82\x6e\xcd\xe1\xf6\x0e\xa6\x6c\xed\x44\xc2\x4f\xe2\x87\x5d\xcb\xc8\x7a\x35\x72\xaf\x96\x45\x5e\xdf\x31\xe0\x51\xe5\x42\x2a\x8e\x29\x10\xc7\xd9\x75\xdf\x64\x48\xda\x0c\x0f\x83\x3f\x61\xf7\x15\x05\x98\xfb\x47\xfa\xe9\x38\x35\x7a\x7b\x64\x5e\x40\x6d\xf9\xa4\xa3\x0c\xdd\x1c\xef\x6d\xdb\x26\x3c\x9f\x06\xb2\x68\x76\x7a\x9a\x0f\x92\xc4\xea\x13\x80\xe5\xe3\x6f\x5f\x2a\x3e\x90\xbf\x87\xd6\x81\x8c\x5a\xef\xc3\x43\x9c\x4f\x4d\xe2\xcf\xb4\xdb\x14\x57\x56\x84\x8b\x27\xb6\x18\xc2\x2f\xee\xa3\xf9\xf4\x60\x15\x57\xf5\x3c\x2a\xae\x71\xdb\xc0\xe9\x46\x82\x43\xf1\xbf\x3b\x08\x6b\x4d\xca\xb2\x73\x4d\x61\x28\xc5\x44\x15\x46\x90\x3d\x2f\xea\x40\xc7\xca\x48\x40\xac\x4b\x1b\x3e\xa8\x89\x7c\xf0\x37\x62\x3e\x42\x7f\xb1\xef\x9c\x0e\x7d\xeb\x9e\xba\x0f\x8e\x5a\x5b\x29\xd4\x22\x92\x3f\x2f\xc8\xc5\xdc\x13\x69\xfe\x52\x67\x09\x24\x7c\x27\x76\xf5\xb7\x68\x7c\xcf\x42\x0b\x0d\xc8\x44\x61\x10\x5c\x2a\x31\xcc\xe9\xde\xcc\xa3\x0b\x74\x6b\xfe\x43\x44\x0d\x49\xc4\x77\x5a\x2d\xfc\x88\xf0\x49\xe2\x3a\x30\xe2\xde\x2c\xe6\x34\x54\x9b\xbc\x0c\x26\x30\x97\xeb\xb8\x04\x4b\x4b\x9b\xb6\xf5\xf9\x5a\x4a\x49\x9a\x3d\xce\x9c\x11\xb9\x94\x87\xd9\x96\xeb\x57\xd6\x54\x09\x0b\x43\x6d\xfe\x0b\x94\x79\x6e\x93
\xfe\xae\x2b\x63\xd0\x13\x20\xaf\x73\x23\xa8\x00\x6b\xc7\x5f\x95\xa0\xc6\xce\x53\x69\x18\x02\xa0\x97\x10\x88\x81\xbd\xa6\x4a\x2c\xf8\xed\x8f\x67\x52\xe1\x98\x15\xe7\x1e\x2b\x85\x54\xfa\xc0\x30\x18\x75\x26\x21\x09\x33\x11\x51\x91\x5f\x6b\x19\x36\x2c\x2d\x82\xc3\x04\x74\x78\x52\x5a\x64\x9a\xe4\xc9\xa4\x1f\x75\x60\x83\xf1\x38\x15\x6f\x6e\xc4\xea\x04\xb4\x4f\x65\x2a\xb1\xe6\x6c\x5c\x63\x0e\x61\x30\x06\x2a\x26\x0b\xe5\x53\xf1\x0b\x8b\x70\x0e\x6c\x6b\x08\x9f\x0b\x09\xce\x11\x7c\xa7\x8d\x45\xae\xc4\x33\x97\x64\xdc\x2e\x39\xb5\xbb\x95\x56\x02\xd5\x73\x23\xe4\x0d\x49\xec\xf8\x98\x71\x84\xa1\x2d\x21\x99\x3c\x03\xb4\x58\xfc\xa9\x8c\x77\x30\x71\xc2\x24\x2d\x90\x59\x65\x99\x33\x6e\x1c\x69\xff\x55\x1a\xf3\xef\x27\xaa\xa7\x4c\x54\x7f\x23\x1a\x1e\xf6\x4a\x2f\xbe\x54\x98\xf5\xbf\xfd\x9e\x59\x7b\x8d\x87\x1a\x07\x3e\x82\xf1\x3f\x5b\xdf\x21\x89\xd3\x61\x64\x9d\xbe\x14\x4e\x7c\x2f\xb2\x6a\x51\x88\x84\xc4\xf2\x76\xaf\xa0\x44\x50\xb3\xb1\x26\x15\x11\xa1\x86\x15\x07\xe9\x4b\xe4\xb0\xc3\x01\xe6\x24\x71\xbb\x95\x33\x63\xe5\x4a\x80\xac\x90\xb2\x55\x1b\x01\x2d\x74\xa5\x62\x1e\x26\x5b\xf9\x12\x60\xa4\x67\xfe\x76\x06\xe7\x95\x92\x27\x2a\xa2\x08\xb1\x29\x35\xa8\x99\x1d\xfb\x81\x7a\x5c\xb0\x5a\xcb\xa7\x9d\xcc\xb9\x7d\x0a\x0f\x9e\xb5\x82\x5e\x16\xd1\x24\xa7\x72\x24\xc9\xa0\x9a\x53\x35\xf1\xce\xd7\x85\x63\x6a\xe3\x58\x15\x98\xaf\x5c\x28\xe5\x4e\xa8\xdc\xc4\xc7\x22\xe4\xa6\x58\xa3\x3f\xa7\xc4\x73\xf3\xb5\xe7\x4e\xd5\x62\x56\x80\xf0\x7c\x7d\x47\x29\x66\xab\x64\x6a\xc3\xac\x2d\x67\x46\x9c\x43\xdb\xab\x6b\x88\x67\x79\xde\xf7\x94\x17\x69\x8c\xfe\xd9\x47\x2f\xdc\xab\x0f\x80\x79\xf2\x21\x28\x54\x41\x88\x1e\xaa\xe4\xc2\x11\xa8\x14\xe6\xd4\xe6\xc2\x5d\x49\xa5\x70\x67\x38\xb0\x3b\x35\xc0\xd2\x84\xfc\xd6\x75\x50\x5b\x0a\xdc\x88\xd0\x43\x90\xf3\xa1\xb0\xc8\x27\x85\xba\x7b\xf0\x29\xaa\x46\x18\x71\x31\xdb\xdc\x36\xaa\xed\x98\x0b\x90\x88\x8e\x67\xe8\xa8\xbe\x7c\x1f\x7c\x5e\x3a\xd4\x44\x2e\x97\xaa\x77\xc7\xe1\xd2\x86\xc2\x9d\x8b\x76\x1e\xc9\x12\x50\x52\x9b\xff\xfc\x56\xce\x2d\x1f\x4e\x79\xcf\x74\x23\x7f\x02\x05\x0a
\xfb\x6e\x25\xd5\x43\x65\x45\xda\x66\x62\x29\x70\xe8\x9e\x4c\xb9\xe7\x7e\x0e\x9a\x66\x72\xfe\xb0\x33\x28\x56\x8d\x75\xd5\x14\x65\x77\x2b\x5e\x40\x8e\x40\xeb\xc9\x67\x6e\x7e\x5e\xe7\xab\x0c\xbf\xca\x5f\xf0\xc0\x23\xb3\x93\x52\x94\x64\x66\x8b\x77\x4a\xe1\xb5\xce\xf7\x6d\x67\xf1\xd7\x35\xb8\x72\x81\x55\x5b\x39\x6c\x78\x58\x70\x1c\x6d\x42\xb0\xf3\x65\xb2\x53\xe7\xbc\xcb\x64\xc2\xdc\x39\xbf\xed\x64\x59\x06\xae\x68\xbc\x5e\xbc\x3c\xda\x73\xf3\x86\xb4\xb9\x79\x53\xb3\xca\x6c\x73\x5f\x7c\x47\xe4\x76\x29\x25\xd3\x59\x94\x80\xe7\xc1\x76\x33\xe5\x27\x6a\xf7\x5a\x60\x33\x2b\xab\x2d\x8c\x03\x9e\x4f\x98\x0a\x7d\xe8\x12\x29\xbd\x17\x4f\x6e\x50\xe5\xde\x20\xd2\x0b\x51\x8c\x41\x8b\x6e\xb6\xa0\x6e\xe9\x37\x89\xfb\x6f\x4a\x6e\xcb\x8b\x01\x69\x1a\xd1\xeb\x2a\xe9\x51\xa4\x2f\x97\x6e\x01\x8a\xc4\xb5\x85\xbb\xc3\xf4\x2d\xa7\x9e\x55\xd1\xb7\xf2\x4e\x90\x9f\xce\xe2\x34\x36\xb7\x27\xdd\x9c\xe4\x7b\x41\xb3\xbc\xaa\x88\x37\x15\xd3\x16\xac\xdc\x55\xe0\xfc\xab\x97\xef\x90\xda\x85\x9a\x80\xeb\xeb\xc6\xdf\xd0\xaf\x95\x24\xe8\xa3\x6b\x3f\x71\xeb\xd7\x03\xb0\xaf\xcb\xd7\xac\xc6\xaa\x41\x36\x48\xad\x93\x5e\x70\x94\xa2\x93\xf1\xad\x65\x9b\xf5\x59\x51\x51\x1b\x8f\xea\xa0\x39\x0b\x98\x2c\x91\xb1\xa1\xbc\x04\xcb\x1e\x15\x8b\x13\x2e\x8f\xf2\xfe\x46\x66\x7f\x10\x31\x2a\x25\x46\x8f\x07\x32\x48\x10\xa9\x7d\xdf\xad\x6d\xf0\xd6\x1e\xe5\xdb\x19\x29\x58\x02\x27\xea\x26\x06\x82\xa8\x93\x7d\x03\x79\xbb\xcd\x79\x6a\xa1\x3f\xe9\x2f\x79\x3e\x95\x8d\x28\xd8\xe4\x56\x4b\xfd\xd4\x94\x4d\x7e\xba\xdd\xdd\x67\x33\x92\xc6\x77\x2d\x09\x61\xce\xbe\x60\xa3\xd9\xe9\xf9\x6e\x4a\x4c\xa0\x7e\x55\xd3\x1e\x9d\x94\x25\xe0\x01\x71\xab\xa0\x2f\x0a\xef\x4b\x8f\x5e\x43\xec\x62\x32\x7a\x95\x0f\xe2\x92\x42\x7d\x51\x34\x76\xc3\x18\x39\xa5\xd1\x1e\x03\xf7\x94\x9c\xb2\xd8\x34\x3e\xf4\xb9\x82\x68\x79\x71\x90\x34\x4a\x7a\x68\x91\xcd\xdd\xe2\x9f\xae\xf1\x33\x3f\x7f\xb7\x50\x69\xa7\x4e\x80\x6a\x41\x21\xad\xdf\x98\x68\x35\x28\x1f\x48\x68\xf1\x5c\x73\x43\xe1\x30\x7d\x23\x7b\xb5\x0a\x7e\xc6\x76\x4b\x9f\x43\x25\xb6\xe4\x13\x57\xed\xc3\x3d\x24\x7a\x58
\x3e\x28\x57\x35\xfa\xff\xc5\xbe\xbc\x40\x04\x76\xaf\x6c\x5c\xdd\x34\x91\x37\x47\x08\x60\xd1\x59\xa9\x76\xef\x3c\x47\x61\x28\x5e\xbb\x8c\x53\xa7\xef\x56\x9e\xe2\xe7\x10\xd4\x18\x19\xeb\x85\xcb\x3e\x38\xc6\xd6\xcc\xd0\x35\x87\xfb\x08\x28\xf6\x31\xc1\x99\x00\x15\x3a\x6f\x1e\xdb\x81\x2a\x58\xea\xd0\x41\xc6\x3a\x6a\xc6\x28\x38\x06\xd3\xcf\xb6\x9b\x65\x59\x1a\x82\x9b\xab\xa9\x7a\x36\x7c\x9b\x0f\x24\x97\xb4\x4f\x3c\xa8\x5a\x07\x31\xe5\x94\x2b\x57\xec\xf9\xc2\xde\xe0\x1e\xf7\xea\x53\x3f\x8b\xa3\x17\xf7\x4c\x30\xf4\x9b\xd6\x94\x89\x73\x53\x61\x09\x22\x92\x20\x55\x09\xc5\x74\x20\x06\x63\xf7\x71\xcf\x4d\x1d\x48\x4f\xe5\xa9\xc4\xcd\x3b\x0c\xc4\x32\xe9\x25\xb3\x02\xfa\xb0\x57\x4b\x53\x60\x6f\x27\x77\x56\x3d\x67\x94\xfb\x5f\xe4\x87\xd5\xce\x7b\x5b\xea\xb3\x99\xbf\x77\x27\xb6\x7e\xeb\xf9\xb9\xda\xcf\x5c\x56\x78\xec\x98\x21\xa3\x4d\xc0\x30\xd0\x36\xd0\x4d\x70\x25\xed\x5b\x17\x82\x96\x5c\xf2\x62\xbb\xa0\xb3\xde\x34\x97\x4d\x1e\x77\xa6\x3e\x9b\xb5\x2d\xc6\x59\xde\x69\x0e\x47\xb3\x5f\x4b\xbc\xa6\x6f\x8d\x5e\x0a\x27\x1a\x04\xa2\x89\x43\x5f\x5d\xc9\x01\x3c\x06\x52\x63\x3d\xcc\xe4\x10\x2f\xcb\xe4\x7f\xb4\xc5\xeb\x9a\x6e\xaf\xf5\x46\x3c\x73\xc1\x1e\x37\xe8\xdf\x9d\xab\x09\x32\x33\x49\x22\xfe\xd8\x0d\x5e\x3e\xd1\x25\xdd\xe3\x76\x4f\x48\xd4\x96\xf4\xf3\xb4\x9f\x03\x22\xa9\xb9\xb9\x68\xff\x75\xef\xed\xb3\x69\xb4\xb1\xc9\xaf\xc5\xd2\x7e\x68\xd7\x6d\x17\xc2\x16\xc4\xfe\xd8\x2d\xc2\x48\x7a\xab\xc6\x60\xbb\x55\xb2\xee\x17\xd6\x83\x65\xda\x84\x08\xc4\x5a\xf3\x87\x83\xac\x2b\xe5\x47\x72\xbb\xea\x41\xf5\x86\x84\x56\xee\x66\xa2\x7a\x36\xbe\x49\x9a\x5e\x5d\xd3\x39\x6f\x48\x05\xe2\x2a\x2c\xdc\x22\x90\x79\xc2\xa5\x3c\x92\x99\x55\x92\x69\xed\x1c\x51\x22\x13\x54\x4f\x2b\xf3\x31\x38\x8e\x1c\xb8\x5e\x55\x50\x91\x5f\x8f\x27\xa4\x7b\xa9\xfc\x9a\x50\xce\x01\xcd\x2b\x53\xb3\x7f\x35\x79\x66\xf1\xd0\x0b\xd3\x40\xe0\x50\xc9\xd8\x4f\x29\x14\xb8\xab\xd4\x29\x48\x26\xe7\x50\x0b\x0d\xca\xe9\xcd\x4d\x28\x4d\x17\x34\x56\x53\xcc\xb4\x69\xc5\xee\x3a\x31\x05\x8e\xae\x14\xfe\xd7\x55\x85\xcd\xe2\xfd\x71\xb8\x8e\xbf\x51\x73
\x59\x77\x4e\x90\x23\x46\x6e\xa5\xa4\x79\x56\xb8\x22\x56\x71\x79\x2d\xf4\x5b\x9f\x38\xb1\x0a\xb0\x3f\x9e\xde\x1d\xdb\x2e\x15\x7d\x61\xc0\x95\xd9\xb8\x2b\x97\x7c\xc0\x9d\x92\x97\x45\x56\x0f\xe8\x10\x65\x03\xff\x7d\xd2\x28\xdb\x22\xb2\x51\x77\x68\x97\xee\x15\xb1\x80\xb4\xb4\x63\x1f\x85\xec\xf6\xa6\x07\x4e\xfd\x2c\xdf\x40\xa4\x48\xda\xd6\x23\x31\xc2\x7e\xd8\xb3\x37\x7f\xde\x4b\x15\x33\x12\x6a\x4d\xc7\x08\xb7\x72\x02\xf6\xf8\xc0\x15\x96\x6e\xf7\x11\xc4\xc4\x96\xe9\x03\x4c\xf1\x5a\x33\xbc\x99\x8a\x43\x26\x5e\xdf\xe4\x36\x34\x2d\x7e\xb4\x97\x3b\xe8\xab\x0a\xe6\x71\x9a\x1a\xaa\x41\xe0\xd7\x6d\x95\x2b\x06\x80\x8d\xff\x02\xfd\x81\x60\x34\x29\xa3\x6f\xf7\x44\x0e\x0b\x21\x5d\x9e\xbc\x90\x8e\xfc\x14\x5b\x6e\x1b\x7f\xeb\x53\xbd\x5e\x17\x5c\x7d\x1a\x77\x64\xf9\x04\x07\x44\xb8\x1d\xb8\x6f\xd2\x2c\x0a\x38\xa2\xda\xf7\x44\x0b\xbf\xe8\x83\x50\x09\xd4\xae\xbb\xb1\x1a\x0e\x91\x48\xbc\x04\x95\x1f\xc0\x6e\xc1\xc2\xa2\x68\xa0\x5c\xc2\xcc\x76\x79\x1b\x82\x26\x9f\x96\x3d\x3d\x2f\x56\x4a\xe0\x37\x89\x60\x19\x40\xd5\x6f\x28\xe5\xab\x01\x52\xac\xf6\x63\xe4\x81\x19\x52\x09\xef\xc1\xa3\xa1\xb4\x72\x53\x6e\x0a\xcf\x9a\xe3\x83\xb5\x95\x1d\xfb\xb6\xbd\x4d\x1e\xb5\x55\x01\x02\xc3\xd7\xfa\x23\x65\xa3\x6f\xb7\xc5\x94\x9c\xc7\x27\xce\x57\x31\x1d\xec\x52\xa4\xc3\xb9\x1f\x0d\x5e\xc3\x67\x7c\x26\x5d\x58\x35\x53\x5f\x16\x00\x69\x85\xce\x84\x6e\xf1\x2a\x46\xcb\x86\x62\xcf\xf8\x5a\xf2\xff\xd4\xb3\xb3\x50\x85\x70\x5d\x45\xdf\x3e\x8c\x60\xee\x49\x63\x82\x3c\xea\x99\xdd\x55\xc0\xc3\x3d\xa9\xde\x35\x4f\x70\x9f\x2a\x45\x83\x56\x13\x25\xc4\xa5\x95\x4a\x34\xe2\xab\x32\x73\x8c\x2f\x3f\xbf\xb2\x78\x6a\xa5\x78\x28\xef\x30\x91\x12\x2e\x59\x32\x05\x8c\x12\xd5\x0d\x0e\x89\xee\x5d\xc1\xe3\xee\x41\x35\xd3\x8c\x0c\x98\x4d\xaf\x39\x47\x67\x02\x72\x71\x4d\xe8\x93\x57\x20\xc1\xf3\xd3\xdd\x9f\xc5\x75\x29\xa7\x50\x13\xd8\x59\x46\x48\x42\x33\xce\x69\x25\x77\x18\xd3\xcd\x66\x7c\xd0\x88\x6d\x1f\x3c\x25\x7c\xca\xc6\xb4\x8e\xe5\xcd\xc0\x3e\xb6\xc6\xaa\x2a\x78\xd6\x8e\x2a\x9c\x22\x53\x95\x44\x50\x91\x57\x62\xf3\xf2\xfa\xde\x0a\xc7\x85
\x93\xcc\x38\xe5\x5c\xef\x3b\xc0\xbf\xb9\x38\xeb\xd0\xa6\x1c\x73\x9c\x02\x4a\xdd\xaf\x44\x34\x06\xa7\xb6\x02\x63\x60\xa7\xfc\x87\xc2\x74\xa9\xbd\xcd\xb2\xeb\x5c\xf4\x70\xb5\x3f\x7f\xc1\xbd\x4e\xd0\x5c\xea\xa6\x65\x28\xce\xf7\x9e\x9d\xe7\x8d\xa4\x2b\x16\x7c\x82\xcf\x4d\xad\xca\x57\x07\xd0\xa1\x66\xb0\xf4\x1b\x7f\x7e\x34\x21\xa8\xf8\x8f\x6d\x88\xd2\x4c\xfd\x99\x81\xb5\x0b\x6c\x34\x2b\xb4\x9c\xce\x4b\x82\x3f\x3c\xfd\xb1\x7b\xba\x24\xfd\xb1\x60\x1b\xa0\x60\xa4\x79\x2c\x09\x09\xa7\xc7\xce\xbf\x0c\x33\xe8\xff\x27\xfb\x6e\x32\x7c\x88\x77\xfb\x31\xef\xd8\xbb\x0b\x9f\xca\x28\x29\xca\xc2\xc1\x43\xf4\xa5\xbd\x0a\xfb\xa4\x32\x45\x48\xaf\x32\xf0\x5f\x58\x1a\xe2\x64\xc9\xe2\x0d\x0f\x16\x04\xe1\x12\xc6\xe2\xbc\x51\x8b\x78\x09\x7c\x14\x5d\x87\x1a\x3c\x02\x87\x37\x1b\x0c\xf6\xbd\xcf\x17\x26\x63\x71\xc7\x46\x4d\x87\xa5\x5f\x52\xe0\x1e\x29\x78\x66\xd6\xd4\x98\x86\x8a\xc0\x16\x48\x24\x9c\x1e\xdd\x31\x45\x80\xbf\xc3\x58\x34\xb1\x5d\x10\x8d\xdb\xaf\x6c\xa3\x53\x6a\xa4\x31\x61\x01\x9c\x3a\xf0\xb3\x31\xd9\xd0\x71\xeb\x0a\x50\x44\x23\x55\xa2\xa2\xe1\x95\x47\x4e\x13\xb7\x97\x1d\x95\x6a\xd5\x4e\xd5\x90\xb4\x29\xd6\xa1\xec\x7e\x38\xd4\x1a\x27\x53\x6b\xbb\xfa\xda\xd1\xb3\x5f\xc8\xf8\x27\xa9\x2e\x0b\xaf\xfa\xbb\x81\x18\x16\xcf\xb4\xcd\xac\x4b\x98\xc5\xf6\xf7\x1c\xdc\xf3\x06\x49\x53\x6f\x78\x00\xeb\x6b\x7c\xee\x22\x2d\x64\x16\x5e\x0c\xa9\x50\x46\x93\xb6\xd8\x45\x9b\xc3\x27\xe5\xda\x2e\x6f\x38\xa4\xee\x24\x72\xca\x5e\x6c\xaa\x08\x11\xd0\x42\xf8\xfb\x32\xa9\x9b\xd3\x61\x01\xcf\x19\xac\xce\xee\xd7\x3b\x44\xe3\xde\xb2\x23\xcf\x28\x2e\xcd\x4c\x43\x9f\x55\xf5\xc2\x74\xe2\xc7\x56\xc6\x7c\x23\xc0\x0e\xf7\xbf\xfa\x4b\x60\x12\xa1\x33\x4d\x0c\x97\xf8\x16\xa6\x12\x3c\xbc\xb7\x7a\xce\x8e\x7b\xe0\x51\x52\x69\x24\x86\x22\x02\x8b\x7a\x9c\x0e\x49\xf1\xc8\xdd\xe8\x66\xd3\xbb\x0c\x53\xdb\x9c\x67\xb1\x0b\x20\xd4\xbb\x26\x3f\x2c\x5a\x01\x85\xba\xcc\xfa\x7b\x8f\xe8\x25\x65\x70\x78\xfa\xba\xb0\x03\xb9\x31\x8a\x84\xf7\x65\xda\xaf\xc3\x7f\x49\x6e\xfb\xbc\xe9\xfa\x5d\x2c\x1f\x0a\x4b\x2a\xd0\xcf\x92\x69\x61\x84\x40\x71\x3b
\xc3\xd9\x29\x85\xff\xbd\x6c\xc1\x9a\xfc\x86\x70\x30\x44\x37\x0e\xab\xc4\xde\x11\xf3\xbc\xbf\xb2\x21\xdd\xdc\x51\xbb\xa3\x52\xdc\x28\xfd\x49\xc0\x84\x04\x7f\xb0\xed\x8b\x97\x42\xa9\x6e\x53\xef\x4c\xcb\x94\xce\x4c\xad\x74\x6e\x9c\xae\xee\xc8\x43\xf7\x2b\x77\x9c\xc5\x8d\x25\xfe\x93\x1c\x1a\xf8\xa7\x95\xe1\x95\x68\x5c\x92\x18\x58\x03\xad\xbe\xc6\x06\x6c\xdd\xd8\x7e\x0b\x9a\x53\x80\xaf\xcd\x80\x79\x8f\x58\x08\x59\xea\xb3\x17\xcb\x27\x83\x11\x2a\xf7\xb3\x62\xa5\x9a\xe7\xa8\x24\x74\x94\x40\xe6\x66\x61\xb7\x88\xb8\x56\x05\x49\xa0\xb1\x35\x0d\xfb\x7a\x5e\x88\x92\x8d\x55\x8c\xbc\x8a\x26\xa0\xd7\x4e\x67\x63\x4e\xe9\xec\x1c\x1c\xa0\x8a\xfc\x5b\xeb\x43\xda\x65\xf4\xae\x0a\xc7\xeb\x25\x74\x42\xc9\x99\x0e\xdc\xf9\x3b\x1d\xad\xfe\xa9\x0b\xc2\x92\xbb\xf1\xd8\x23\xc6\x1e\xe9\x69\x24\x9f\x67\xbe\x07\xd7\x0d\xf8\xaf\xc7\xc3\xe5\xbf\x14\x5f\x28\xa2\xd0\x6c\x88\x0e\xff\x9a\x18\x11\x27\xc1\x34\x60\xa0\x6b\x36\x64\xa9\x4c\x88\x8b\x07\xaf\x77\xe8\x4d\x60\xde\xab\x76\x42\x28\xff\xea\x21\x63\x3f\x02\x04\xa5\xd7\xec\x4a\x0b\x30\x3f\xb0\x8f\xb7\x67\x28\xc4\x3d\x90\x73\x80\x01\x83\xc8\xb9\x9e\x22\xd6\x05\xa5\xe6\x39\x9c\x04\x9f\x7f\x88\x7c\xb9\xd7\xfb\xa9\x4d\xb3\x23\x08\x4b\xf9\x4d\xf5\x44\xf6\xce\x2d\xd4\x9a\x21\xd2\xca\xb5\x4d\xf0\x43\x97\x48\x2a\x64\xd2\x90\x0b\xb4\x0f\xa8\x7f\x42\xec\x75\xd6\x8b\xab\x17\x71\x4a\x93\x4b\xcd\xf3\x6f\x87\x07\x4f\x60\x28\xf9\xd6\x1a\x00\xad\xff\xc0\x6d\x62\x4b\xc6\x42\x97\x05\x96\x82\xcc\x8a\xdc\x7e\x2f\xb2\x10\xbd\x22\xfb\xd4\xad\x3d\x35\x15\xf7\x1b\x93\x31\x26\x75\x9e\xc4\xc0\x01\xed\x5c\xdb\xac\xe7\xcc\xe4\x31\x9b\x7a\xb5\x0f\xfc\x8f\x2f\x8f\x1b\xb8\x1a\xc0\x7f\x81\xdf\xff\x33\x54\x50\xac\xf0\x8e\x13\x91\x2d\x3c\x5f\x3a\xa1\x25\x81\x81\x1e\xbd\xb4\x41\x6e\xad\xa2\x59\x65\x1c\x07\x0b\x06\xea\x7e\x18\xa8\xf0\xc4\x00\x57\x5a\x0e\x7f\xdc\x4c\x88\x64\x5d\x35\xc2\xd3\x6a\x8c\xe6\xa2\x97\x2f\x35\x5d\x1a\x5d\x83\x2c\xd7\xef\x2c\x61\x1f\xd1\x10\x59\xda\x39\x0e\xc8\xc8\x74\x91\xd4\x96\x4f\xa4\x0b\x80\x83\x90\x57\x36\x2e\x67\x64\x55\xc7\x17\x2a\x23\x15\x4e\xfe\xba\x6f
\xc9\xab\x4c\x15\xa7\x37\xe2\x99\xc1\xf1\x4d\xaa\x8f\x34\x97\xe3\x37\x0a\x52\x3e\xc1\x5c\x52\xba\xd9\x87\x10\x90\x03\xf8\xdc\xee\x4a\xc6\xc9\x0b\x0f\x8e\x4b\x74\x91\x97\x87\x88\xa9\xc1\xb2\x3a\x14\x39\x6b\x50\x8a\xa9\x51\x75\xfe\x3b\xd6\xa8\xb4\xa9\xc2\x17\xf4\xc9\x84\x2c\x1c\x33\x9d\x4d\x95\xdb\x83\xce\x6e\x7e\x7a\xc8\x8e\xae\x04\x13\x96\x10\x55\x22\x0b\x65\x69\x3d\x49\xa2\xf6\x96\xf6\x41\x42\x19\x25\xb4\x2f\x77\xb0\xf9\x43\x12\x39\x52\x7f\xd6\xd8\x6d\x6f\x9a\xbd\xf3\xd2\x7c\x0a\x79\xa6\xb0\x5a\x61\xdd\x7d\x99\x3d\xe2\xd4\xee\x99\x73\xb7\x78\xff\x19\x5d\x12\x40\xdb\x18\x36\xa5\x25\x8b\x4f\x57\x44\x97\xca\x2f\x9b\x34\x97\x78\x00\xe7\x28\x29\x7d\x98\x3e\x1e\x58\x5f\xaf\x45\x38\x1b\x47\x6d\x25\x31\xe8\x6c\xc6\xe8\x35\xa9\x72\xc3\xa5\xbb\xcc\xba\x7d\x85\x2e\xdc\x83\xbb\xad\x4c\x85\x20\x64\x00\x70\x87\xbb\xd3\x6b\xf8\xa8\x00\xf9\x1e\xea\x0a\x72\xd9\xa7\x5f\x5d\xb3\x5b\x10\x98\x68\x6d\x51\x34\x0a\x17\x2c\x70\x1b\xc4\x7b\x14\x0c\xe5\x2e\xf4\x75\x02\xd0\x07\x1e\x54\x55\x97\x97\x5a\x55\xca\x1e\x91\x21\x76\x45\xe3\xcf\xeb\xf4\xa6\x20\x1a\x84\x81\xf6\x51\x13\x86\x0f\x59\x28\x63\xaf\x1d\xd4\x73\x38\x3b\x1b\x79\xab\x32\xcf\xcd\x46\xe6\xac\xe2\x95\x8d\x42\xcc\xe5\xf9\xb2\x34\x76\x81\xf7\x70\x7a\xb4\xa3\x5f\x9a\xf5\x21\xd4\xc1\xba\xd7\x51\x30\x33\xa5\xf7\xaf\x2b\x7a\x2d\x3a\x49\x14\xd3\x84\x62\xb1\x6b\x85\xd6\x9f\xa6\x0c\x0c\x5e\xf5\x4b\xa2\xfb\x78\xfb\x15\x6a\x94\x7c\xf8\x0b\x1d\xac\xcd\x58\x9f\xdd\x07\x91\xb3\xa9\xeb\x83\x5b\x61\x53\x4a\x16\xf8\xf4\xb1\xca\xbb\xd3\x86\xb4\xc2\x1b\xa9\x7d\xe9\x16\xd2\xcf\x48\xb7\x20\x8c\x1b\xda\x77\xec\xf8\x16\x77\xcb\xce\x25\x58\x2c\xca\xb9\xa6\x5a\x2b\x73\xdd\x34\xb0\x02\xc2\x34\x94\x8a\x42\xb5\x66\x4d\x56\xd8\x24\x42\x9a\x78\xb6\x97\x03\x67\xec\x17\x0d\x1b\x11\x0b\x22\x23\x17\x58\x72\xbd\xc8\x66\x31\x8d\xe0\x66\xfe\xa5\x60\x15\x1d\x88\x25\xde\xe8\x2d\x34\x4b\x81\x6f\xb5\x5a\xaa\x52\x4e\x86\x08\x62\xac\x0c\x36\xcb\x6b\x6e\x81\xf4\x12\x3d\xa5\x9c\xb3\xef\xfe\x29\xce\x76\x98\xe2\xaa\x0c\x60\x36\x82\x0c\x45\x7f\x40\x42\x33\xe3\x22\x61\x31\x9a\x46
\xbc\x8b\xd3\xde\x3c\x94\x8d\xc5\x2e\x27\xca\x52\x7d\xf7\xad\x68\xe6\xc4\xd4\xba\x8f\x6b\x43\x13\xa2\x94\x02\x98\x10\x59\xa1\x48\x79\x7f\xa0\x88\x02\x57\xfe\x04\x27\x01\x19\x28\xaf\x75\x2f\x81\xb8\x18\x68\x02\x10\x8f\x05\x90\x19\x50\x39\xc8\x38\x25\x72\x02\x42\x14\x10\xb8\xa3\x59\xe6\x9d\xdc\xd4\x74\x70\xf4\xd0\x5a\xe2\x89\x83\x4b\xe3\x04\xca\xf4\x9b\xbb\xac\xfd\xbe\x92\x7f\x42\x3b\xe9\xb8\x78\x82\xb0\xfa\xb4\xf5\x0b\xc7\xcd\xbf\xf6\xef\x10\x1f\x33\xf7\x03\x55\x6d\x45\xb6\xac\xe1\x64\x3c\xd7\xe7\x5a\xcf\x74\x06\x3e\x3e\x34\xe9\x63\xdb\x19\xf0\xd1\x9f\x14\x82\x9c\x91\xc4\x50\x66\x1d\x0e\x80\x9d\x5b\x79\x09\x69\x5b\xa1\x54\x46\xc8\x76\xa1\x67\xec\xca\x09\xfc\x00\xe1\x73\x7c\xbd\x4e\xf4\xf7\x0a\x50\xe3\xa0\x0f\xc9\x6f\x0e\x10\x23\xe5\xc8\x1e\x67\xd2\x47\xae\x0e\xc7\xec\x26\x72\x52\x80\x4a\x65\xb3\x01\xb9\x1a\x59\x9b\x8c\xe3\x7d\x95\xa9\x3d\xd9\xa9\x11\xdf\xb3\x95\xf3\x61\x92\x4e\x82\xea\x28\x1e\xfd\x7a\x2e\x01\x5a\xad\xaf\x64\x85\xfc\xea\xee\x0a\xb9\x05\xe1\x39\x6c\x12\x56\x03\xaf\xf4\xca\x16\x5f\x74\x9c\x23\x31\x02\x50\xf8\x00\xb2\xa8\x79\x17\xb9\x42\x1b\x0b\x4c\xde\xc9\xd8\x64\x14\xeb\x82\x23\x74\xb0\xd4\x32\x53\x58\xb2\xbf\x43\xe0\xe3\x12\x58\x88\x79\x76\x5c\x25\xc0\x98\xd1\x71\x86\x53\xbe\xa5\x27\x68\xdd\x7f\x10\x0f\xbd\x2b\x6a\xfc\xcf\x02\x13\x46\x9a\x7f\xa2\x5b\x5f\x77\xc6\xb5\x6c\xa0\x9d\xf8\x86\xa1\x6e\xd2\x4f\x51\xe2\x1d\x07\x8f\x25\xc4\x88\x87\xda\x12\xde\xa5\x7c\x8f\x48\x25\xf2\x7a\xe3\xd9\x16\x01\x96\xeb\x6b\xe0\x9f\x7b\xe8\xb2\x39\xa0\x5d\xbf\x6a\xae\xca\x96\x37\x09\x0d\x1e\x6f\x76\xeb\x93\x69\x27\x4c\x3a\xad\xa3\x36\x24\x3b\x8b\x9c\x59\xc3\xf9\xc9\x1a\xb4\x3f\xc9\x27\x3b\xb5\xbf\x2b\x59\xde\x8f\xbc\x50\x6c\x94\x36\x56\x5e\x4c\x9b\xa2\x96\x50\xb3\x78\x4d\x87\xf3\x37\xa4\xa4\xb5\x28\xca\x2a\x28\x0c\xed\xc3\x69\xb0\x09\x0c\x3f\x69\xc7\x60\x4a\x6d\xf3\x1f\xba\x78\x1c\x07\xd5\x8d\xba\xdd\x7c\x85\xa6\x26\xf8\x85\xf0\x9a\x91\x22\x4e\x79\xbd\x68\x79\x3f\x16\x7e\xbd\x8d\xa1\x0e\x5d\xa7\x8c\xfa\x7e\xbf\x10\xa8\xf2\xc9\x00\x3f\xb1\xcd\xd8\x7e\x46\x98\x61\xf3\xed\x23
\xd2\x5b\xcb\x14\x53\x0a\x8f\xf8\xd9\x1e\x9e\x0c\x7c\x39\x76\xc3\xaf\xc7\xbd\x50\x05\xcc\xef\x59\xfa\xec\x52\xba\x35\x69\x3d\x0f\x0d\xce\xba\x84\x3a\xdd\x5a\x74\x7e\x0a\xa7\x2f\x09\xf2\xf4\x52\x81\xc9\xd4\xc6\xf1\xbb\x78\x37\x9a\xec\x78\x2c\x64\x81\x0d\xe3\x23\xc8\xab\xac\xc9\xfb\x7e\x7d\xbc\x1e\x29\x13\xa8\x5d\xf0\xbd\xb6\xac\x70\x1a\x68\x26\x9e\x79\xab\x28\x45\x8c\x02\x91\xe1\x84\x0b\x34\xac\xe2\xd0\xdc\xa9\x02\x9f\x6d\x95\x0e\x6e\xf1\xe5\xcb\xb9\x52\x4d\xb5\x01\xdc\x30\x22\x73\x3c\xb1\x0b\xb7\x4e\x9e\x69\x82\x45\xa9\x8d\xff\xe2\x37\x8c\x42\x54\x81\x19\xdd\x60\xf2\xb0\x21\x95\x3b\x30\x0f\x38\x97\x26\x61\xc3\xeb\xdf\x64\xa3\xaf\xb3\xc6\x29\xcc\xa5\xec\x93\x8c\x31\xee\x8c\xb6\x82\xdd\x38\xf3\x58\x18\x12\xf7\xba\x64\x31\xc1\x60\x65\x90\x39\xe7\xcf\xe7\x85\x9b\x1a\xa8\x13\x08\x33\xf1\xf6\x37\x24\xf8\x63\xb3\xe2\xa1\x8f\x9e\xbd\x1e\xa6\x14\xd3\x0d\x28\xbd\x4f\x5b\x8c\x26\x17\xbe\xcd\x8a\x4d\x8b\x3a\x9b\x42\xb8\x5d\x8e\x80\xc8\xfa\xf7\xd9\xcf\x56\x37\xdd\x98\x82\x6a\x10\xb6\x92\x40\x29\x33\xd2\xae\x0e\xa9\x08\xff\x5d\x6c\x22\xfc\x33\x5b\xe0\x06\x14\xa0\xf5\xe7\x00\x4e\xbe\xf7\x1f\xd2\x3d\x3f\x90\x11\x59\x84\xf0\xe4\x6e\x82\xac\x8b\x03\xe5\xd2\xbf\xea\xa2\x19\x23\x33\xc1\xa0\xa9\xfb\x19\xa7\x5b\xdc\x8f\x90\x58\x33\x6e\x86\xf3\xf7\xb3\x0f\x0b\xed\x24\xc4\xb2\x30\xcd\xfc\x92\xa9\x88\x5b\xe5\x1c\x0b\x85\x1c\xd7\xa0\x4a\x62\xfb\x3c\xe4\x7e\x76\x5a\x11\x4e\xf7\x68\x6b\xc7\xd8\x2e\xf5\xe1\xca\x02\x14\xb9\x5b\x64\xe5\x7f\x85\x12\x15\xce\x5a\x47\xdd\xfb\x91\x93\x2c\x85\x4c\x65\x25\xeb\xe7\xf6\xe1\x68\x45\xfa\x22\x5a\x74\x09\x3f\x6a\x26\x80\x08\x5a\x8f\xef\x66\x54\x1f\xc3\x64\x3f\xc8\x14\xc5\xa8\x06\x41\x5f\x70\x68\x8a\x4b\xe7\x7b\xea\xf7\x5d\x71\x02\x6e\x4d\xff\x38\x00\x12\x4b\xde\xc0\xe0\x65\x46\x3e\xdc\x69\x64\x1f\x67\xc7\xc4\x2b\x8e\x02\x5f\x81\x40\x6f\xd4\x89\x6d\x5d\xb8\xe1\x9f\xec\x09\x98\x09\xad\x50\xa9\x8a\x83\xb3\xca\xa8\xfd\x87\x31\x05\x14\xf4\xa7\xaf\xd9\xa9\x70\xc4\x56\x23\x1d\x91\x6b\x26\xd5\xc6\x2b\xc4\x83\x4a\xf9\xbc\x27\x77\xa7\xc7\xd3\xbb\xf5\xf2\xc6\xd8\x28\x93
\x5f\x3b\x82\x77\x43\xc0\x92\x22\x32\x8e\x8e\x82\x91\xbb\x28\x3e\xba\x7d\x4b\xc8\x97\x87\x7f\x6e\x50\xa5\xfa\xbc\x77\xab\xf3\x15\x34\xd7\x00\x96\x2e\xde\xcb\x1d\xf4\xee\x12\x28\xa7\x29\xdf\x7d\xa8\x57\x71\xa3\xf1\xe3\x04\x29\xfa\xc9\x93\xd9\x73\x8d\x9d\x67\x28\xbf\x49\x2b\x47\x91\x43\x8c\x3c\xf6\xd5\x9a\xf8\x09\x97\x4a\xec\x44\x80\x98\xc2\x6c\xb3\x79\x1e\x43\x72\x40\x76\xef\x5c\xa9\xc7\x0c\xb3\xf5\x8a\xcc\xb5\x39\x94\x37\x86\xce\x98\xb0\x92\xc9\x65\xa1\x47\xd1\x87\x0a\xd4\x54\x68\x6b\xa5\x79\xc9\xd1\x0a\x61\x31\xd4\xd9\x80\xff\x68\x89\x8f\xb1\x1a\x0a\x9f\x61\xe6\x0a\x86\x42\x7f\x60\x66\x00\x88\x98\x4e\xed\x16\xac\xf6\xd3\x14\x30\x18\x3b\x81\x91\x2a\xdc\xde\x80\x84\x45\x71\x22\xec\xdd\x70\x54\xcf\x3d\xdd\xee\x25\xa9\x75\xfb\x24\x48\xe7\x1a\x27\xae\xdf\x68\x68\x5e\x9e\x8b\xf6\x07\x05\x6d\x68\xd7\x20\x60\x75\x99\xcb\x49\x97\xa1\xd5\x91\xa1\xcc\x17\x4e\xdd\xc6\x6f\x39\x16\x0a\x2e\x55\xee\xe6\xc8\x2b\x21\x8c\x5b\x96\x3a\x02\x68\x11\x7f\xcc\xda\x93\x14\xd7\xde\x3b\x1b\xfd\xf1\xde\x33\x83\x10\x41\x8d\xbb\x11\xf7\x3b\xfc\x1a\x70\x5a\x7f\x12\x56\x0c\x6a\x83\x6e\xbc\x1c\x92\x7d\x14\x27\xeb\x6d\x71\x04\xf9\x42\x70\x5a\x25\xe7\xa7\x94\x88\x76\x8c\x70\x7c\xdd\xb0\x59\xd0\x6f\x4f\x55\xd6\x41\x14\x65\x8b\xb3\x27\x07\x2a\x0f\x24\x8f\x91\x91\xae\xbf\x83\x8c\xcf\x46\x4e\x3d\xb3\x8b\xd0\x15\xc1\xfe\x7e\x0a\x1c\xe8\xc8\x54\xe0\x64\xad\x28\xdf\x20\x85\x4e\xca\xf4\x42\x88\x1d\x5b\x92\x2d\xb3\x32\x7a\x73\xa8\x00\x7f\x84\xaa\xcb\x94\x1b\xc1\x23\x27\x42\xd0\xad\x98\xeb\x8f\x05\xa8\x12\xc7\x95\x7f\xb4\xb6\x88\x52\x2e\xa6\xa1\xd5\xef\x22\xda\xbf\x25\x37\xb5\xf6\x8d\x81\xe0\x6b\x51\x78\x39\xb4\x74\x23\x85\x64\x96\x79\x29\xfa\x82\x31\xeb\x8e\xaa\x9b\xf7\x95\x54\x91\x79\x39\x33\x6f\x71\xed\xad\x5c\x01\x1d\xe4\xa9\x88\x7c\x9d\x8b\xfe\x58\x8c\x17\x47\xb4\x7e\xca\xe6\x41\xae\x07\x6a\x53\xcb\x66\x1d\x34\x46\x59\xed\x82\xa4\xf1\x06\x12\xea\x2e\xe0\x0a\x44\x4d\xe7\xe4\xb1\xa0\xc5\x61\x4d\x4a\x63\x69\xb4\x8c\xfa\xe5\x31\x6e\x83\x89\xcb\x72\x0a\x11\x11\x71\x38\x3a\x78\x79\x80\x31\xaf\x5e\x49\x76\xb8\x91
\x75\xac\x1e\xfa\x79\xca\x7d\xd7\x28\xd2\x1c\xf2\x85\x3f\x69\x87\x03\x79\xdc\xd6\x91\xf4\x12\xb0\xda\xbb\x49\xf7\x4d\x48\xf9\x31\x3b\xe4\x58\x95\xe8\xd4\xe7\x8e\x23\xe3\x57\xa9\xa2\x29\x4b\xef\xb1\x73\xce\xcc\xdd\xb7\xde\xc8\x47\x81\x92\x0e\x95\x1e\xcc\x86\x3b\xdc\x84\x3a\xf7\x53\x5e\x72\x1a\x7a\x7f\x5b\xd6\xe0\xd3\x7f\xe9\xe5\xb5\xaf\x3f\x2a\xaa\x62\x96\x71\x12\xc0\xfe\x84\x8d\x3c\x38\xa6\x46\xde\xd7\xde\xba\x1a\xb9\x8d\x40\x88\x1b\xa2\xfc\x91\x8a\x86\x64\xbb\xab\xea\x14\xbe\x6f\x5b\xb9\x2e\x25\x4c\x47\x1b\x32\x4a\x02\x6c\x66\x1d\xe4\xb9\x7b\xa0\xae\x1f\x67\x06\x3f\x41\xa5\x61\x9d\xa8\xa4\x9a\x7a\xd6\xcf\x81\x53\x97\x7a\x4c\x63\x17\x1b\xba\x20\x88\x4b\x73\x44\xc4\x05\xd6\x1b\x9c\xe3\xce\x90\xdd\x0b\x6d\x86\xbe\x27\xc0\x28\xa2\xa4\x8f\xe0\x40\xd6\xf9\xd2\xf5\xdc\x24\x66\xcb\x9f\x74\x5e\x5a\x98\xe5\x26\x64\x98\xb1\x4d\x16\xe3\xfc\xee\x12\x02\x6c\x0f\x46\xb7\xfd\x1d\x30\x07\x65\x05\xcd\x64\xc1\xd6\x0c\x5c\xac\x8c\xb4\x00\xea\x6b\x75\x22\xc1\x65\xb0\x09\x4f\xf0\xff\x65\x6d\x08\x16\x73\x05\x6b\x73\xee\xe3\xef\xcb\xfb\xa2\x60\xff\x87\xe4\x30\x4c\x8e\xb1\x4a\xea\xdf\xda\xa0\x95\x70\xf6\x30\x64\x6c", 8192); *(uint64_t*)0x200000006c80 = 0x2000000036c0; *(uint32_t*)0x2000000036c0 = 0x50; *(uint32_t*)0x2000000036c4 = 0; *(uint64_t*)0x2000000036c8 = 8; *(uint32_t*)0x2000000036d0 = 7; *(uint32_t*)0x2000000036d4 = 0x2d; *(uint32_t*)0x2000000036d8 = 7; *(uint32_t*)0x2000000036dc = 0x8000008; *(uint16_t*)0x2000000036e0 = 7; *(uint16_t*)0x2000000036e2 = 0xfc00; *(uint32_t*)0x2000000036e4 = 0x3ff; *(uint32_t*)0x2000000036e8 = 0x59; *(uint16_t*)0x2000000036ec = 0; *(uint16_t*)0x2000000036ee = 0; *(uint32_t*)0x2000000036f0 = 0xe0; *(uint32_t*)0x2000000036f4 = 0x10000; memset((void*)0x2000000036f8, 0, 24); *(uint64_t*)0x200000006c88 = 0x200000003740; *(uint32_t*)0x200000003740 = 0x18; *(uint32_t*)0x200000003744 = 0; *(uint64_t*)0x200000003748 = 6; *(uint64_t*)0x200000003750 = 0x80000001; *(uint64_t*)0x200000006c90 = 0x200000003780; *(uint32_t*)0x200000003780 = 0x18; 
*(uint32_t*)0x200000003784 = 0; *(uint64_t*)0x200000003788 = 4; *(uint64_t*)0x200000003790 = 2; *(uint64_t*)0x200000006c98 = 0x2000000037c0; *(uint32_t*)0x2000000037c0 = 0x18; *(uint32_t*)0x2000000037c4 = 0xffffffda; *(uint64_t*)0x2000000037c8 = 0x37; *(uint32_t*)0x2000000037d0 = 0; *(uint32_t*)0x2000000037d4 = 0; *(uint64_t*)0x200000006ca0 = 0x200000003800; *(uint32_t*)0x200000003800 = 0x18; *(uint32_t*)0x200000003804 = 0; *(uint64_t*)0x200000003808 = 1; *(uint32_t*)0x200000003810 = 0xff; *(uint32_t*)0x200000003814 = 0; *(uint64_t*)0x200000006ca8 = 0x200000003840; *(uint32_t*)0x200000003840 = 0x28; *(uint32_t*)0x200000003844 = 0x26; *(uint64_t*)0x200000003848 = 0x7fffffffffffffff; *(uint64_t*)0x200000003850 = 0x7a; *(uint64_t*)0x200000003858 = 8; *(uint32_t*)0x200000003860 = 0; *(uint32_t*)0x200000003864 = 0; *(uint64_t*)0x200000006cb0 = 0x200000003880; *(uint32_t*)0x200000003880 = 0x60; *(uint32_t*)0x200000003884 = 0xfffffff5; *(uint64_t*)0x200000003888 = 1; *(uint64_t*)0x200000003890 = 0x81; *(uint64_t*)0x200000003898 = 6; *(uint64_t*)0x2000000038a0 = 0x3ff; *(uint64_t*)0x2000000038a8 = 2; *(uint64_t*)0x2000000038b0 = 4; *(uint32_t*)0x2000000038b8 = 4; *(uint32_t*)0x2000000038bc = 8; *(uint32_t*)0x2000000038c0 = 2; *(uint32_t*)0x2000000038c4 = 0; memset((void*)0x2000000038c8, 0, 24); *(uint64_t*)0x200000006cb8 = 0x200000003900; *(uint32_t*)0x200000003900 = 0x18; *(uint32_t*)0x200000003904 = 0; *(uint64_t*)0x200000003908 = 0; *(uint32_t*)0x200000003910 = 0xb; *(uint32_t*)0x200000003914 = 0; *(uint64_t*)0x200000006cc0 = 0x200000003940; *(uint32_t*)0x200000003940 = 0x12; *(uint32_t*)0x200000003944 = 0xaeab5fde; *(uint64_t*)0x200000003948 = 9; memcpy((void*)0x200000003950, "^\000", 2); *(uint64_t*)0x200000006cc8 = 0x200000003980; *(uint32_t*)0x200000003980 = 0x20; *(uint32_t*)0x200000003984 = 0; *(uint64_t*)0x200000003988 = 0; *(uint64_t*)0x200000003990 = 0; *(uint32_t*)0x200000003998 = 2; *(uint32_t*)0x20000000399c = 0; *(uint64_t*)0x200000006cd0 = 0x2000000039c0; 
*(uint32_t*)0x2000000039c0 = 0x78; *(uint32_t*)0x2000000039c4 = 0; *(uint64_t*)0x2000000039c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000039d0 = 3; *(uint32_t*)0x2000000039d8 = 0x67; *(uint32_t*)0x2000000039dc = 0; *(uint64_t*)0x2000000039e0 = 3; *(uint64_t*)0x2000000039e8 = 2; *(uint64_t*)0x2000000039f0 = 5; *(uint64_t*)0x2000000039f8 = 2; *(uint64_t*)0x200000003a00 = 0; *(uint64_t*)0x200000003a08 = 0x5b; *(uint32_t*)0x200000003a10 = 0x200; *(uint32_t*)0x200000003a14 = 6; *(uint32_t*)0x200000003a18 = 0xf0b7; *(uint32_t*)0x200000003a1c = 0x1000; *(uint32_t*)0x200000003a20 = 1; *(uint32_t*)0x200000003a24 = -1; *(uint32_t*)0x200000003a28 = -1; *(uint32_t*)0x200000003a2c = 4; *(uint32_t*)0x200000003a30 = 6; *(uint32_t*)0x200000003a34 = 0; *(uint64_t*)0x200000006cd8 = 0x200000004b00; *(uint32_t*)0x200000004b00 = 0x90; *(uint32_t*)0x200000004b04 = 0; *(uint64_t*)0x200000004b08 = 7; *(uint64_t*)0x200000004b10 = 1; *(uint64_t*)0x200000004b18 = 3; *(uint64_t*)0x200000004b20 = 0x10000; *(uint64_t*)0x200000004b28 = 0x200; *(uint32_t*)0x200000004b30 = 8; *(uint32_t*)0x200000004b34 = 0xa87; *(uint64_t*)0x200000004b38 = 4; *(uint64_t*)0x200000004b40 = 1; *(uint64_t*)0x200000004b48 = 7; *(uint64_t*)0x200000004b50 = 1; *(uint64_t*)0x200000004b58 = 0xfffffffffffffffd; *(uint64_t*)0x200000004b60 = 4; *(uint32_t*)0x200000004b68 = 9; *(uint32_t*)0x200000004b6c = 0xffff; *(uint32_t*)0x200000004b70 = 0x10000000; *(uint32_t*)0x200000004b74 = 0; *(uint32_t*)0x200000004b78 = 0xf40; *(uint32_t*)0x200000004b7c = 0; *(uint32_t*)0x200000004b80 = r[10]; *(uint32_t*)0x200000004b84 = 0x8001; *(uint32_t*)0x200000004b88 = 9; *(uint32_t*)0x200000004b8c = 0; *(uint64_t*)0x200000006ce0 = 0x200000004bc0; *(uint32_t*)0x200000004bc0 = 0x48; *(uint32_t*)0x200000004bc4 = 0; *(uint64_t*)0x200000004bc8 = 0x5c; *(uint64_t*)0x200000004bd0 = 1; *(uint64_t*)0x200000004bd8 = 4; *(uint32_t*)0x200000004be0 = 6; *(uint32_t*)0x200000004be4 = 8; memset((void*)0x200000004be8, 255, 6); *(uint64_t*)0x200000004bf0 = 1; 
*(uint64_t*)0x200000004bf8 = 8; *(uint32_t*)0x200000004c00 = 0; *(uint32_t*)0x200000004c04 = 0xb; *(uint64_t*)0x200000006ce8 = 0x200000006500; *(uint32_t*)0x200000006500 = 0x478; *(uint32_t*)0x200000006504 = 0; *(uint64_t*)0x200000006508 = 2; *(uint64_t*)0x200000006510 = 1; *(uint64_t*)0x200000006518 = 1; *(uint64_t*)0x200000006520 = 0xf; *(uint64_t*)0x200000006528 = 9; *(uint32_t*)0x200000006530 = 0x7fffffff; *(uint32_t*)0x200000006534 = 0x3ff; *(uint64_t*)0x200000006538 = 5; *(uint64_t*)0x200000006540 = 0xb3fc; *(uint64_t*)0x200000006548 = 3; *(uint64_t*)0x200000006550 = 0xa2d9; *(uint64_t*)0x200000006558 = 3; *(uint64_t*)0x200000006560 = 0x80000000; *(uint32_t*)0x200000006568 = 4; *(uint32_t*)0x20000000656c = 5; *(uint32_t*)0x200000006570 = 2; *(uint32_t*)0x200000006574 = 0x6000; *(uint32_t*)0x200000006578 = 0xfff; *(uint32_t*)0x20000000657c = -1; *(uint32_t*)0x200000006580 = 0xee01; *(uint32_t*)0x200000006584 = 5; *(uint32_t*)0x200000006588 = 6; *(uint32_t*)0x20000000658c = 0; *(uint64_t*)0x200000006590 = 5; *(uint64_t*)0x200000006598 = 9; *(uint32_t*)0x2000000065a0 = 6; *(uint32_t*)0x2000000065a4 = 6; memcpy((void*)0x2000000065a8, "wlan1\000", 6); *(uint64_t*)0x2000000065b0 = 3; *(uint64_t*)0x2000000065b8 = 1; *(uint64_t*)0x2000000065c0 = 4; *(uint64_t*)0x2000000065c8 = 0xf; *(uint32_t*)0x2000000065d0 = 1; *(uint32_t*)0x2000000065d4 = 5; *(uint64_t*)0x2000000065d8 = 4; *(uint64_t*)0x2000000065e0 = 0xffc; *(uint64_t*)0x2000000065e8 = 2; *(uint64_t*)0x2000000065f0 = 0xffffffffffffdbca; *(uint64_t*)0x2000000065f8 = 0x35; *(uint64_t*)0x200000006600 = 0x5fa; *(uint32_t*)0x200000006608 = 8; *(uint32_t*)0x20000000660c = 5; *(uint32_t*)0x200000006610 = 0x16d; *(uint32_t*)0x200000006614 = 0x6000; *(uint32_t*)0x200000006618 = 0x8000; *(uint32_t*)0x20000000661c = r[11]; *(uint32_t*)0x200000006620 = 0xee00; *(uint32_t*)0x200000006624 = 8; *(uint32_t*)0x200000006628 = 2; *(uint32_t*)0x20000000662c = 0; *(uint64_t*)0x200000006630 = 2; *(uint64_t*)0x200000006638 = 0x3e8; 
*(uint32_t*)0x200000006640 = 0x16; *(uint32_t*)0x200000006644 = 5; memcpy((void*)0x200000006648, "bpf_lsm_path_truncate\000", 22); *(uint64_t*)0x200000006660 = 6; *(uint64_t*)0x200000006668 = 3; *(uint64_t*)0x200000006670 = 0xcff0; *(uint64_t*)0x200000006678 = 0xfffffffffffffbff; *(uint32_t*)0x200000006680 = 3; *(uint32_t*)0x200000006684 = 3; *(uint64_t*)0x200000006688 = 5; *(uint64_t*)0x200000006690 = 4; *(uint64_t*)0x200000006698 = 8; *(uint64_t*)0x2000000066a0 = 9; *(uint64_t*)0x2000000066a8 = 0x10; *(uint64_t*)0x2000000066b0 = 5; *(uint32_t*)0x2000000066b8 = 0x91; *(uint32_t*)0x2000000066bc = 0xfff; *(uint32_t*)0x2000000066c0 = 0xfffffffd; *(uint32_t*)0x2000000066c4 = 0xc000; *(uint32_t*)0x2000000066c8 = 3; *(uint32_t*)0x2000000066cc = r[12]; *(uint32_t*)0x2000000066d0 = 0xee00; *(uint32_t*)0x2000000066d4 = 0x80; *(uint32_t*)0x2000000066d8 = 0x40; *(uint32_t*)0x2000000066dc = 0; *(uint64_t*)0x2000000066e0 = 0; *(uint64_t*)0x2000000066e8 = 8; *(uint32_t*)0x2000000066f0 = 6; *(uint32_t*)0x2000000066f4 = 0x80000001; memcpy((void*)0x2000000066f8, "wlan1\000", 6); *(uint64_t*)0x200000006700 = 3; *(uint64_t*)0x200000006708 = 2; *(uint64_t*)0x200000006710 = 8; *(uint64_t*)0x200000006718 = 9; *(uint32_t*)0x200000006720 = 0x80000000; *(uint32_t*)0x200000006724 = 0xd149; *(uint64_t*)0x200000006728 = 3; *(uint64_t*)0x200000006730 = 4; *(uint64_t*)0x200000006738 = 5; *(uint64_t*)0x200000006740 = 0xe; *(uint64_t*)0x200000006748 = 0x7a; *(uint64_t*)0x200000006750 = 0xd52; *(uint32_t*)0x200000006758 = 0; *(uint32_t*)0x20000000675c = 5; *(uint32_t*)0x200000006760 = 6; *(uint32_t*)0x200000006764 = 0xa000; *(uint32_t*)0x200000006768 = 2; *(uint32_t*)0x20000000676c = r[14]; *(uint32_t*)0x200000006770 = 0; *(uint32_t*)0x200000006774 = 0x7fffffff; *(uint32_t*)0x200000006778 = 5; *(uint32_t*)0x20000000677c = 0; *(uint64_t*)0x200000006780 = 4; *(uint64_t*)0x200000006788 = 0x7ff; *(uint32_t*)0x200000006790 = 2; *(uint32_t*)0x200000006794 = 0x78d; memcpy((void*)0x200000006798, 
"\300\'", 2); *(uint64_t*)0x2000000067a0 = 2; *(uint64_t*)0x2000000067a8 = 0; *(uint64_t*)0x2000000067b0 = 6; *(uint64_t*)0x2000000067b8 = 0x7fffffff; *(uint32_t*)0x2000000067c0 = 5; *(uint32_t*)0x2000000067c4 = 5; *(uint64_t*)0x2000000067c8 = 2; *(uint64_t*)0x2000000067d0 = 0xc; *(uint64_t*)0x2000000067d8 = 0xbde5; *(uint64_t*)0x2000000067e0 = 5; *(uint64_t*)0x2000000067e8 = 8; *(uint64_t*)0x2000000067f0 = 0x10; *(uint32_t*)0x2000000067f8 = 9; *(uint32_t*)0x2000000067fc = 6; *(uint32_t*)0x200000006800 = 0xe31; *(uint32_t*)0x200000006804 = 0x2000; *(uint32_t*)0x200000006808 = 0x5b8; *(uint32_t*)0x20000000680c = r[16]; *(uint32_t*)0x200000006810 = r[18]; *(uint32_t*)0x200000006814 = 6; *(uint32_t*)0x200000006818 = 8; *(uint32_t*)0x20000000681c = 0; *(uint64_t*)0x200000006820 = 2; *(uint64_t*)0x200000006828 = 0x80; *(uint32_t*)0x200000006830 = 0; *(uint32_t*)0x200000006834 = 0xb6; *(uint64_t*)0x200000006838 = 5; *(uint64_t*)0x200000006840 = 2; *(uint64_t*)0x200000006848 = 0x80000001; *(uint64_t*)0x200000006850 = 2; *(uint32_t*)0x200000006858 = 6; *(uint32_t*)0x20000000685c = 0xff; *(uint64_t*)0x200000006860 = 3; *(uint64_t*)0x200000006868 = 5; *(uint64_t*)0x200000006870 = 8; *(uint64_t*)0x200000006878 = 3; *(uint64_t*)0x200000006880 = 0x8001; *(uint64_t*)0x200000006888 = 5; *(uint32_t*)0x200000006890 = 1; *(uint32_t*)0x200000006894 = 7; *(uint32_t*)0x200000006898 = 2; *(uint32_t*)0x20000000689c = 0x1000; *(uint32_t*)0x2000000068a0 = 1; *(uint32_t*)0x2000000068a4 = 0xee01; *(uint32_t*)0x2000000068a8 = r[19]; *(uint32_t*)0x2000000068ac = 0x10001; *(uint32_t*)0x2000000068b0 = 6; *(uint32_t*)0x2000000068b4 = 0; *(uint64_t*)0x2000000068b8 = 0; *(uint64_t*)0x2000000068c0 = 6; *(uint32_t*)0x2000000068c8 = 5; *(uint32_t*)0x2000000068cc = 6; memset((void*)0x2000000068d0, 170, 5); *(uint64_t*)0x2000000068d8 = 3; *(uint64_t*)0x2000000068e0 = 1; *(uint64_t*)0x2000000068e8 = 0x8000000000000000; *(uint64_t*)0x2000000068f0 = 0x2e; *(uint32_t*)0x2000000068f8 = 5; 
*(uint32_t*)0x2000000068fc = 7; *(uint64_t*)0x200000006900 = 6; *(uint64_t*)0x200000006908 = 5; *(uint64_t*)0x200000006910 = 5; *(uint64_t*)0x200000006918 = 0xb; *(uint64_t*)0x200000006920 = 0; *(uint64_t*)0x200000006928 = 2; *(uint32_t*)0x200000006930 = 0xffff; *(uint32_t*)0x200000006934 = 0; *(uint32_t*)0x200000006938 = 8; *(uint32_t*)0x20000000693c = 0x2000; *(uint32_t*)0x200000006940 = 9; *(uint32_t*)0x200000006944 = r[20]; *(uint32_t*)0x200000006948 = r[21]; *(uint32_t*)0x20000000694c = 2; *(uint32_t*)0x200000006950 = 7; *(uint32_t*)0x200000006954 = 0; *(uint64_t*)0x200000006958 = 6; *(uint64_t*)0x200000006960 = 0xfffffffffffffffb; *(uint32_t*)0x200000006968 = 5; *(uint32_t*)0x20000000696c = 6; memset((void*)0x200000006970, 170, 5); *(uint64_t*)0x200000006cf0 = 0x200000006980; *(uint32_t*)0x200000006980 = 0xa0; *(uint32_t*)0x200000006984 = 0; *(uint64_t*)0x200000006988 = 0xd05; *(uint64_t*)0x200000006990 = 5; *(uint64_t*)0x200000006998 = 3; *(uint64_t*)0x2000000069a0 = 0x8000000000000001; *(uint64_t*)0x2000000069a8 = 7; *(uint32_t*)0x2000000069b0 = 5; *(uint32_t*)0x2000000069b4 = 2; *(uint64_t*)0x2000000069b8 = 3; *(uint64_t*)0x2000000069c0 = 4; *(uint64_t*)0x2000000069c8 = 5; *(uint64_t*)0x2000000069d0 = 3; *(uint64_t*)0x2000000069d8 = 8; *(uint64_t*)0x2000000069e0 = 1; *(uint32_t*)0x2000000069e8 = 0x8001; *(uint32_t*)0x2000000069ec = 0; *(uint32_t*)0x2000000069f0 = 0xfff; *(uint32_t*)0x2000000069f4 = 0x8000; *(uint32_t*)0x2000000069f8 = 0x101; *(uint32_t*)0x2000000069fc = r[22]; *(uint32_t*)0x200000006a00 = 0xee00; *(uint32_t*)0x200000006a04 = 7; *(uint32_t*)0x200000006a08 = 0xac; *(uint32_t*)0x200000006a0c = 0; *(uint64_t*)0x200000006a10 = 0; *(uint32_t*)0x200000006a18 = 0x10; *(uint32_t*)0x200000006a1c = 0; *(uint64_t*)0x200000006cf8 = 0x200000006a40; *(uint32_t*)0x200000006a40 = 0x20; *(uint32_t*)0x200000006a44 = 0; *(uint64_t*)0x200000006a48 = 0xffffffff; *(uint32_t*)0x200000006a50 = 4; *(uint32_t*)0x200000006a54 = 0; *(uint32_t*)0x200000006a58 = 9; 
*(uint32_t*)0x200000006a5c = 0xa; *(uint64_t*)0x200000006d00 = 0x200000006b40; *(uint32_t*)0x200000006b40 = 0x130; *(uint32_t*)0x200000006b44 = 0; *(uint64_t*)0x200000006b48 = 0x1ff; *(uint64_t*)0x200000006b50 = 0x6276287e; *(uint32_t*)0x200000006b58 = 7; *(uint32_t*)0x200000006b5c = 0; memset((void*)0x200000006b60, 0, 16); *(uint32_t*)0x200000006b70 = 0x800; *(uint32_t*)0x200000006b74 = 2; *(uint64_t*)0x200000006b78 = 3; *(uint32_t*)0x200000006b80 = 0x1e; *(uint32_t*)0x200000006b84 = -1; *(uint32_t*)0x200000006b88 = r[24]; *(uint16_t*)0x200000006b8c = 0x4000; memset((void*)0x200000006b8e, 0, 2); *(uint64_t*)0x200000006b90 = 0x800; *(uint64_t*)0x200000006b98 = 9; *(uint64_t*)0x200000006ba0 = 8; *(uint64_t*)0x200000006ba8 = 0x32f3fcde; *(uint64_t*)0x200000006bb0 = 6; *(uint32_t*)0x200000006bb8 = 1; *(uint32_t*)0x200000006bbc = 0; *(uint64_t*)0x200000006bc0 = 4; *(uint32_t*)0x200000006bc8 = 0xe30; *(uint32_t*)0x200000006bcc = 0; *(uint64_t*)0x200000006bd0 = 0x4d; *(uint32_t*)0x200000006bd8 = 3; *(uint32_t*)0x200000006bdc = 0; *(uint64_t*)0x200000006be0 = 6; *(uint32_t*)0x200000006be8 = 8; *(uint32_t*)0x200000006bec = 0; *(uint32_t*)0x200000006bf0 = 6; *(uint32_t*)0x200000006bf4 = 2; *(uint32_t*)0x200000006bf8 = 0xfb; *(uint32_t*)0x200000006bfc = 2; memset((void*)0x200000006c00, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x2000000016c0, /*len=*/0x2000, /*res=*/0x200000006c80); break;
/* NOTE(review): this is a syzkaller-generated reproducer. Every case below is
 * one fuzzer "call": its arguments are assembled with raw stores into a fixed
 * scratch region (0x2000_0000_xxxx, presumably mapped earlier in the file) and
 * results flow between calls only through r[]. The constants are deliberate
 * kernel-facing fuzz input, so odd-looking values (invalid fds, the same r[9]
 * handed to FUSE, io_uring and KVM) are not bugs to "fix". Run only in a
 * disposable VM -- the whole point of the program is to stress the kernel.
 * The unaligned uint64_t stores (e.g. at ...713a) are technically UB in C;
 * they are what the generator emits for packed structs on x86-class targets. */
/* case 30: resolve the generic-netlink family id for "SEG6" over fd r[23].
 * The returned id is not saved anywhere. */
case 30: memcpy((void*)0x200000006d40, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000006d40, /*fd=*/r[23]); break;
/* case 31: create socket(0x24, 2, 0) in the initial netns via the syzkaller
 * helper. Domain 0x24 / type 2 look like AF_IEEE802154 / SOCK_DGRAM on Linux
 * -- confirm against the target's headers. The resulting fd is discarded. */
case 31: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break;
/* case 32: io_uring_setup(0x28c2 entries) with a params struct at ...6d80.
 * Read against the uapi struct io_uring_params layout the stores are:
 * +4 cq_entries=0xd0f0, +8 flags=0x20, +0xc sq_thread_cpu=0,
 * +0x10 sq_thread_idle=0x1e5, +0x18 wq_fd=-1, +0x1c resv[3]=0; offset +0
 * (sq_entries) is left untouched. Only the mmapped ring pointer is kept in
 * r[25]; the ring fd itself is dropped. NOTE(review): flags 0x20 with
 * wq_fd=-1 looks like IORING_SETUP_ATTACH_WQ on an invalid fd, i.e. this call
 * is probably expected to fail -- verify before relying on r[25]. */
case 32: *(uint32_t*)0x200000006d84 = 0xd0f0; *(uint32_t*)0x200000006d88 = 0x20; *(uint32_t*)0x200000006d8c = 0; *(uint32_t*)0x200000006d90 = 0x1e5; *(uint32_t*)0x200000006d98 = -1; memset((void*)0x200000006d9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x28c2, /*params=*/0x200000006d80, /*ring_ptr=*/0x200000006e00, /*sqes_ptr=*/0x200000006e40); if (res != -1) r[25] = *(uint64_t*)0x200000006e00; break;
/* case 33: syzkaller pseudo-call on the ring pointer from case 32. If case 32
 * failed, r[25] still holds whatever it held before. */
case 33: syz_io_uring_complete(/*ring_ptr=*/r[25]); break;
/* case 34: second io_uring_setup(0x7c1f entries), params at ...6e80:
 * +4 cq_entries=0x979d, +8 flags=4, +0xc sq_thread_cpu=1,
 * +0x10 sq_thread_idle=0x206, +0x18 wq_fd=r[9], +0x1c resv zeroed.
 * On success the ring fd goes to r[26], the SQ ring pointer to r[27] and the
 * SQE array pointer to r[28]; cases 35/36 depend on these. NOTE(review):
 * flags 4 matches IORING_SETUP_SQ_AFF in the uapi numbering, which the kernel
 * only accepts together with SQPOLL -- if so this setup fails too; confirm. */
case 34: *(uint32_t*)0x200000006e84 = 0x979d; *(uint32_t*)0x200000006e88 = 4; *(uint32_t*)0x200000006e8c = 1; *(uint32_t*)0x200000006e90 = 0x206; *(uint32_t*)0x200000006e98 = r[9]; memset((void*)0x200000006e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x7c1f, /*params=*/0x200000006e80, /*ring_ptr=*/0x200000006f00, /*sqes_ptr=*/0x200000006f40); if (res != -1) { r[26] = res; r[27] = *(uint64_t*)0x200000006f00; r[28] = *(uint64_t*)0x200000006f40; } break;
/* case 35: io_uring_register(r[26], opcode 9, NULL, 0). Opcode 9 is
 * IORING_REGISTER_PERSONALITY in the uapi numbering (confirm); the kernel
 * returns a personality id that is saved to r[29] and consumed by case 36 as
 * sqe->personality, i.e. the request there would run under the credentials
 * snapshotted here. r[26] is only meaningful if case 34 succeeded. */
case 35: res = syscall(__NR_io_uring_register, /*fd=*/r[26], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[29] = res; break;
/* case 36: build one 64-byte SQE at ...7000 and submit it on the ring from
 * case 34 (r[27]/r[28]). By struct io_uring_sqe offsets: +0 opcode=0x1c,
 * +1 flags=0x14, +2 ioprio=0, +4 fd=r[23], +8 addr2 -> 24-byte struct
 * {0x818480, 0, 0x35} at ...6f80, +0x10 addr -> "./file0", +0x18 len=0x18,
 * +0x1c rw_flags=0, +0x20 user_data=0x23456, +0x28 buf_index=0,
 * +0x2a personality=r[29], remaining 20 bytes zero. In the uapi numbering
 * 0x1c is IORING_OP_OPENAT2 and the 24-byte {flags, mode, resolve} struct is
 * struct open_how, with len equal to its size -- consistent, but confirm.
 * Flag bits 0x14 would be IOSQE_ASYNC | IOSQE_IO_LINK. */
case 36: *(uint8_t*)0x200000007000 = 0x1c; *(uint8_t*)0x200000007001 = 0x14; *(uint16_t*)0x200000007002 = 0; *(uint32_t*)0x200000007004 = r[23]; *(uint64_t*)0x200000007008 = 0x200000006f80; *(uint64_t*)0x200000006f80 = 0x818480; *(uint64_t*)0x200000006f88 = 0; *(uint64_t*)0x200000006f90 = 0x35; *(uint64_t*)0x200000007010 = 0x200000006fc0; memcpy((void*)0x200000006fc0, "./file0\000", 8); *(uint32_t*)0x200000007018 = 0x18; *(uint32_t*)0x20000000701c = 0; *(uint64_t*)0x200000007020 = 0x23456; *(uint16_t*)0x200000007028 = 0; *(uint16_t*)0x20000000702a = r[29]; memset((void*)0x20000000702c, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[27], /*sqes_ptr=*/r[28], /*sqe=*/0x200000007000); break;
/* case 37: create a syzos guest VM through the syzkaller helper, using r[9]
 * as the /dev/kvm fd (the same r[9] that case 29 used as a FUSE fd and case 34
 * as wq_fd -- a fuzzer mutation artefact, not a coherent program). Guest
 * user memory is placed at 0x200000bfd000; the VM handle goes to r[30]. */
case 37: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[9], /*usermem=*/0x200000bfd000); if (res != -1) r[30] = res; break;
/* case 38: add a vCPU to the VM from case 37. The descriptor at ...7400 is
 * {0, pointer to ...7040, size 0x3a2}; 0x3a2 bytes exactly covers the records
 * written from ...7040 up to ...73e2. Each record is {u64 id, u64 total size,
 * payload} (the sizes chain: 0x65/0x20, 0x130/0x18, 0x68/0x20, 0x17d/0x20,
 * 0x183/0x18, 0xa/0x6a, ...). The 0xa record carries 89 bytes of raw guest
 * machine code plus a trailing 0xc3; the encodings (0f 01 xx, rex prefixes)
 * look like x86, including privileged system instructions -- they execute
 * inside the guest vCPU only. Treat the blob as opaque fuzz payload. */
case 38: *(uint64_t*)0x200000007400 = 0; *(uint64_t*)0x200000007408 = 0x200000007040; *(uint64_t*)0x200000007040 = 0x65; *(uint64_t*)0x200000007048 = 0x20; *(uint64_t*)0x200000007050 = 0x92e; *(uint64_t*)0x200000007058 = 8; *(uint64_t*)0x200000007060 = 0x130; *(uint64_t*)0x200000007068 = 0x18; *(uint64_t*)0x200000007070 = 1; *(uint64_t*)0x200000007078 = 0x68; *(uint64_t*)0x200000007080 = 0x20; *(uint64_t*)0x200000007088 = 1; *(uint64_t*)0x200000007090 = 0;
*(uint64_t*)0x200000007098 = 0x17d; *(uint64_t*)0x2000000070a0 = 0x20; *(uint64_t*)0x2000000070a8 = 0xffffffff; *(uint64_t*)0x2000000070b0 = 0xbd0d; *(uint64_t*)0x2000000070b8 = 0x183; *(uint64_t*)0x2000000070c0 = 0x18; *(uint64_t*)0x2000000070c8 = 1; *(uint64_t*)0x2000000070d0 = 0xa; *(uint64_t*)0x2000000070d8 = 0x6a; memcpy((void*)0x2000000070e0, "\x36\x49\x0f\xc7\xaa\xd6\x61\x97\xc0\x26\x66\x0f\x38\x80\x94\x5e\x00\x80\x00\x00\x0f\x01\xba\x00\x80\x00\x00\x8f\xc9\xb8\x9b\x29\x47\x0f\xc7\xae\x20\x00\x00\x00\x45\x0f\x09\xc4\xe2\xd1\x39\x67\xc4\x36\x0f\x01\x7f\x05\x66\x64\x2e\x64\x3e\xd8\xf1\xc7\x44\x24\x00\x25\xfd\x00\x00\xc7\x44\x24\x02\x54\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24", 89); *(uint8_t*)0x200000007139 = 0xc3; *(uint64_t*)0x20000000713a = 0x180; *(uint64_t*)0x200000007142 = 0x38; *(uint64_t*)0x20000000714a = 0; *(uint64_t*)0x200000007152 = 0xb5; *(uint64_t*)0x20000000715a = 7; *(uint64_t*)0x200000007162 = 5; *(uint64_t*)0x20000000716a = 0; *(uint64_t*)0x200000007172 = 0x12f; *(uint64_t*)0x20000000717a = 0x18; *(uint64_t*)0x200000007182 = 3; *(uint64_t*)0x20000000718a = 0x12c; *(uint64_t*)0x200000007192 = 0x18; *(uint64_t*)0x20000000719a = 0; *(uint64_t*)0x2000000071a2 = 0x154; *(uint64_t*)0x2000000071aa = 0x38; *(uint64_t*)0x2000000071b2 = 3; *(uint64_t*)0x2000000071ba = 4; *(uint64_t*)0x2000000071c2 = 5; *(uint64_t*)0x2000000071ca = 0x1ff; *(uint64_t*)0x2000000071d2 = 8; *(uint64_t*)0x2000000071da = 0x130; *(uint64_t*)0x2000000071e2 = 0x18; *(uint64_t*)0x2000000071ea = 0; *(uint64_t*)0x2000000071f2 = 0x6a; *(uint64_t*)0x2000000071fa = 0x28; *(uint64_t*)0x200000007202 = 0xc636; *(uint64_t*)0x20000000720a = 5; *(uint64_t*)0x200000007212 = 4; *(uint64_t*)0x20000000721a = 0x12c; *(uint64_t*)0x200000007222 = 0x18; *(uint64_t*)0x20000000722a = 0; *(uint64_t*)0x200000007232 = 0x12f; *(uint64_t*)0x20000000723a = 0x18; *(uint64_t*)0x200000007242 = 1; *(uint64_t*)0x20000000724a = 0x65; *(uint64_t*)0x200000007252 = 0x20;
*(uint64_t*)0x20000000725a = 0x8a3; *(uint64_t*)0x200000007262 = 9; *(uint64_t*)0x20000000726a = 0x68; *(uint64_t*)0x200000007272 = 0x20; *(uint64_t*)0x20000000727a = 4; *(uint64_t*)0x200000007282 = 6; *(uint64_t*)0x20000000728a = 0x12f; *(uint64_t*)0x200000007292 = 0x18; *(uint64_t*)0x20000000729a = 3; *(uint64_t*)0x2000000072a2 = 0x12d; *(uint64_t*)0x2000000072aa = 0x18; *(uint64_t*)0x2000000072b2 = 2; *(uint64_t*)0x2000000072ba = 0x17d; *(uint64_t*)0x2000000072c2 = 0x20; *(uint64_t*)0x2000000072ca = 0x8080000; *(uint64_t*)0x2000000072d2 = 0x943e; *(uint64_t*)0x2000000072da = 0x17c; *(uint64_t*)0x2000000072e2 = 0x38; *(uint64_t*)0x2000000072ea = 3; *(uint64_t*)0x2000000072f2 = 0x31; *(uint64_t*)0x2000000072fa = 0xc; *(uint64_t*)0x200000007302 = 6; *(uint64_t*)0x20000000730a = 8; *(uint64_t*)0x200000007312 = 0x180; *(uint64_t*)0x20000000731a = 0x38; *(uint64_t*)0x200000007322 = 2; *(uint64_t*)0x20000000732a = 0x36; *(uint64_t*)0x200000007332 = 1; *(uint64_t*)0x20000000733a = 2; *(uint64_t*)0x200000007342 = 3; *(uint64_t*)0x20000000734a = 0x130; *(uint64_t*)0x200000007352 = 0x18; *(uint64_t*)0x20000000735a = 1; *(uint64_t*)0x200000007362 = 0x130; *(uint64_t*)0x20000000736a = 0x18; *(uint64_t*)0x200000007372 = 0; *(uint64_t*)0x20000000737a = 0x180; *(uint64_t*)0x200000007382 = 0x38; *(uint64_t*)0x20000000738a = 3; *(uint64_t*)0x200000007392 = 0x72; *(uint64_t*)0x20000000739a = 2; *(uint64_t*)0x2000000073a2 = 5; *(uint64_t*)0x2000000073aa = 2; *(uint64_t*)0x2000000073b2 = 0x12f; *(uint64_t*)0x2000000073ba = 0x18; *(uint64_t*)0x2000000073c2 = 2; *(uint64_t*)0x2000000073ca = 0x12f; *(uint64_t*)0x2000000073d2 = 0x18; *(uint64_t*)0x2000000073da = 2; *(uint64_t*)0x200000007410 = 0x3a2; syz_kvm_add_vcpu(/*vm=*/r[30], /*text=*/0x200000007400); break;
/* case 39: ioctl(r[9], 0xae01, 5). 0xae01 is _IO(KVMIO, 0x01), i.e.
 * KVM_CREATE_VM, with 5 as the machine-type argument; the new VM fd is saved
 * to r[31]. This is a second, plain-KVM VM independent of the syzos VM in
 * r[30]. */
case 39: res = syscall(__NR_ioctl, /*fd=*/r[9], /*cmd=*/0xae01, /*type=*/5ul); if (res != -1) r[31] = res; break;
case 40: *(uint64_t*)0x200000007680 = 0; *(uint64_t*)0x200000007688 = 0x200000007440;
memcpy((void*)0x200000007440, "\xcd\xfa\xef\x13\x00\x00\x00\x3e\x00\x00\x10\x62\x04\x00\x10\x7a\x00\x00\x10\x66\xc1\x00\x10\x62\xa6\x03\x00\x7e\xb9\xf0\x00\x3e\xe9\x0e\x10\x62\x04\x00\x10\x7a\xa3\x30\x10\x66\x88\x26\x10\x62\xa6\x03\x00\x7e\x24\x00\x00\x4c\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xf6\x63\x60\xba\xaa\x80\x3c\x42\xab\x84\x60\x04\x00\x84\x78\xa5\xa4\x84\x64\xdb\xea\x84\x60\xc7\xb2\xa0\x3c\x4e\xd4\xa5\x60\x04\x00\xa5\x78\x8e\xd5\xa5\x64\xc9\xc4\xa5\x60\xf6\x27\xc0\x3c\x0e\x37\xc6\x60\x04\x00\xc6\x78\x10\x50\xc6\x64\xf3\x3c\xc6\x60\x64\xae\xe0\x3c\x0f\xe0\xe7\x60\x04\x00\xe7\x78\xf8\x33\xe7\x64\x27\xe1\xe7\x60\xf9\xfe\x00\x3d\x88\x3a\x08\x61\x04\x00\x08\x79\xf6\x6c\x08\x65\xcb\x9b\x08\x61\xe7\x22\x20\x3d\xa3\x5b\x29\x61\x04\x00\x29\x79\xbb\xbc\x29\x65\x5e\x83\x29\x61\xd9\x75\x40\x3d\x52\x94\x4a\x61\x04\x00\x4a\x79\xdb\x25\x4a\x65\xf3\x5e\x4a\x61\x02\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x50\xf3\x63\x60\x42\x00\x00\x44\x0d\x0b\xc0\x3e\xa1\xda\xd6\x62\x04\x00\xd6\x7a\xeb\x5a\xd6\x66\x62\x96\xd6\x62\x9c\xb0\x00\x7c\xec\x06\x00\x7c\xa4\x00\x00\x4c\x3d\x6a\xa0\x3e\x17\x1b\xb5\x62\x04\x00\xb5\x7a\x72\x93\xb5\x66\x34\x54\xb5\x62\xa6\x03\xa0\x7e\xd4\x8d\xa0\x3e\x12\xd2\xb5\x62\x04\x00\xb5\x7a\xf6\xf5\xb5\x66\x15\xe0\xb5\x62\xa6\x03\xa0\x7e\x24\x00\x00\x4c\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x05\xc0\x3f\x00\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x00\xc0\x3f\x21\x8c\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf6\x78\xbd\x63\x00\x00\xc0\x3f\x0a\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xfa\x78\xbd\x63\x97\x4b\xc0\x3f\x5c\x3b\xde\x63\x00\x00\xdd\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x49\x30\x84\x64\
xf2\x78\x84\x60\x22\x00\x00\x44\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\x1a\x00\x9c\x63\x24\x01\xc0\x7f", 524); *(uint64_t*)0x200000007690 = 0x20c; *(uint64_t*)0x2000000076c0 = 1; *(uint64_t*)0x2000000076c8 = 6; syz_kvm_setup_cpu(/*fd=*/r[31], /*cpufd=*/r[23], /*usermem=*/0x200000fe5000, /*text=*/0x200000007680, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_IR*/2, /*opts=*/0x2000000076c0, /*nopt=*/1); break; case 41: syz_kvm_setup_syzos_vm(/*fd=*/r[23], /*usermem=*/0x200000c00000); break; case 42: *(uint32_t*)0x200000007700 = 0; syz_memcpy_off(/*ring_ptr=*/0, /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x200000007700, /*src_off=*/0, /*nbytes=*/4); break; case 43: memcpy((void*)0x200000007740, "fuse\000", 5); memcpy((void*)0x200000007780, "./file0\000", 8); memcpy((void*)0x2000000077c0, "fd", 2); *(uint8_t*)0x2000000077c2 = 0x3d; sprintf((char*)0x2000000077c3, "0x%016llx", (long long)r[23]); *(uint8_t*)0x2000000077d5 = 0x2c; memcpy((void*)0x2000000077d6, "rootmode", 8); *(uint8_t*)0x2000000077de = 0x3d; sprintf((char*)0x2000000077df, "%023llo", (long long)0x6000); *(uint8_t*)0x2000000077f6 = 0x2c; memcpy((void*)0x2000000077f7, "user_id", 7); *(uint8_t*)0x2000000077fe = 0x3d; sprintf((char*)0x2000000077ff, "%020llu", (long long)r[22]); *(uint8_t*)0x200000007813 = 0x2c; memcpy((void*)0x200000007814, "group_id", 8); *(uint8_t*)0x20000000781c = 0x3d; sprintf((char*)0x20000000781d, "%020llu", (long long)r[13]); *(uint8_t*)0x200000007831 = 0x2c; memcpy((void*)0x200000007832, "max_read", 8); *(uint8_t*)0x20000000783a = 0x3d; sprintf((char*)0x20000000783b, "0x%016llx", (long long)3); *(uint8_t*)0x20000000784d = 0x2c; memcpy((void*)0x20000000784e, "default_permissions", 19); *(uint8_t*)0x200000007861 = 0x2c; memcpy((void*)0x200000007862, "allow_other", 11); *(uint8_t*)0x20000000786d = 0x2c; memcpy((void*)0x20000000786e, "default_permissions", 19); *(uint8_t*)0x200000007881 = 0x2c; memcpy((void*)0x200000007882, "allow_other", 11); *(uint8_t*)0x20000000788d = 
0x2c; memcpy((void*)0x20000000788e, "default_permissions", 19); *(uint8_t*)0x2000000078a1 = 0x2c; memcpy((void*)0x2000000078a2, "default_permissions", 19); *(uint8_t*)0x2000000078b5 = 0x2c; memcpy((void*)0x2000000078b6, "allow_other", 11); *(uint8_t*)0x2000000078c1 = 0x2c; memcpy((void*)0x2000000078c2, "permit_directio", 15); *(uint8_t*)0x2000000078d1 = 0x2c; memcpy((void*)0x2000000078d2, "uid<", 4); sprintf((char*)0x2000000078d6, "%020llu", (long long)r[17]); *(uint8_t*)0x2000000078ea = 0x2c; memcpy((void*)0x2000000078eb, "appraise", 8); *(uint8_t*)0x2000000078f3 = 0x2c; memcpy((void*)0x2000000078f4, "smackfshat", 10); *(uint8_t*)0x2000000078fe = 0x3d; memcpy((void*)0x2000000078ff, "\300\'", 2); *(uint8_t*)0x200000007901 = 0x2c; memcpy((void*)0x200000007902, "appraise", 8); *(uint8_t*)0x20000000790a = 0x2c; *(uint8_t*)0x20000000790b = 0; memcpy((void*)0x200000007940, "\xa4\xb2\x22\xdf\x2b\xa1\x0d\xf2\x4f\x54\x81\xe0\xdc\x5e\x93\xb8\x1b\x1b\x82\xe9\xa2\x14\xca\xbc\xe3\x44\x80\x0a\xd5\x4d\xe6\x10\xfa\x1e\xda\x44\xb9\x04\x05\x26\xf2\xdc\x7c\x73\x1c\x54\x73\xc8\xc6\xdc\x94\x19\x2a\x03\x48\x4e\x6d\x62\xbb\x49\x12\x86\x12\x54\x3a\x9d\x01\x6e\xd9\xa3\x73\x0e\x51\x08\x0f\x5c\x86\x0d\x03\xa7\x7e\xd5\x01\x64\xbc\xf9\x9c\x42\xd3\x56\x8a\x97\x4a\x92\x7a\x87\x9d\xe4\x1e\xdc\x2f\x55\x52\x36\x58\x86\x12\x1a\x31\x09\x5b\x97\xaa\x08\xee\x29\x77\x11\x1f\x7c\xc5\x6a\x77\xc0\xf2\xa1\x6b\x32\xb1\x9d\xf5\x0a\x24\x9c\xd3\x05\x8e\x60\xa6\xae\x8c\x96\x34\x9d\x5e\x5c\x00\x97\x59\x4c\xe0\x1c\x1f\xbe\xe5\xee\x94\x60\x6f\xef\x67\x32\x31\xe6\x57\x00\xbc\x71\x5f\x1f\x01\x19\xc8\x4e\xd2\x7b\x8a\xf3\x8e\xd1\x53\xd3\x94\xd6\xb2\x2c\xca\x54\xdb\x55\xa3\x1b\xc2\x5b\x45\xe8\x1d\xec\xa7\xbe\xdb\x69\x66\x91\xae\x6b\x92\xf0\x9e\xea\x3e\x2b\x5e\x8a\xf2\xf9\x96\x33\x9d\xec\x59\x2e\xde\xc5\x89\x7e\x94\xeb", 228); syz_mount_image(/*fs=*/0x200000007740, /*dir=*/0x200000007780, /*flags=MS_PRIVATE*/0x40000, /*opts=*/0x2000000077c0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000007940); break; case 44: 
memcpy((void*)0x200000007a40, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000007a40, /*id=*/7, /*flags=*/0); break; case 45: memcpy((void*)0x200000007a80, "net/psched\000", 11); syz_open_procfs(/*pid=*/r[4], /*file=*/0x200000007a80); break; case 46: syz_open_pts(/*fd=*/r[9], /*flags=O_PATH|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|FASYNC|0x402*/0x292c02); break; case 47: syz_pidfd_open(/*pid=*/r[15], /*flags=*/0); break; case 48: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[32] = res; break; case 49: syz_pkey_set(/*key=*/r[32], /*val=PKEY_DISABLE_WRITE|PKEY_DISABLE_ACCESS*/3); break; case 50: syz_socket_connect_nvme_tcp(); break; case 51: *(uint8_t*)0x200000007ac0 = 0x12; *(uint8_t*)0x200000007ac1 = 1; *(uint16_t*)0x200000007ac2 = 0x250; *(uint8_t*)0x200000007ac4 = 0x58; *(uint8_t*)0x200000007ac5 = 6; *(uint8_t*)0x200000007ac6 = 0x54; *(uint8_t*)0x200000007ac7 = 8; *(uint16_t*)0x200000007ac8 = 0x13d3; *(uint16_t*)0x200000007aca = 0x3348; *(uint16_t*)0x200000007acc = 0x15b2; *(uint8_t*)0x200000007ace = 1; *(uint8_t*)0x200000007acf = 2; *(uint8_t*)0x200000007ad0 = 3; *(uint8_t*)0x200000007ad1 = 1; *(uint8_t*)0x200000007ad2 = 9; *(uint8_t*)0x200000007ad3 = 2; *(uint16_t*)0x200000007ad4 = 0x283; *(uint8_t*)0x200000007ad6 = 2; *(uint8_t*)0x200000007ad7 = 9; *(uint8_t*)0x200000007ad8 = 2; *(uint8_t*)0x200000007ad9 = 0x10; *(uint8_t*)0x200000007ada = 8; *(uint8_t*)0x200000007adb = 9; *(uint8_t*)0x200000007adc = 4; *(uint8_t*)0x200000007add = 0x26; *(uint8_t*)0x200000007ade = 0xb; *(uint8_t*)0x200000007adf = 5; *(uint8_t*)0x200000007ae0 = 0x83; *(uint8_t*)0x200000007ae1 = 0x18; *(uint8_t*)0x200000007ae2 = 0x74; *(uint8_t*)0x200000007ae3 = 0xee; *(uint8_t*)0x200000007ae4 = 9; *(uint8_t*)0x200000007ae5 = 5; *(uint8_t*)0x200000007ae6 = 0xb; *(uint8_t*)0x200000007ae7 = 3; *(uint16_t*)0x200000007ae8 = 8; *(uint8_t*)0x200000007aea = 4; *(uint8_t*)0x200000007aeb = 0xfb; *(uint8_t*)0x200000007aec = 0x6a; *(uint8_t*)0x200000007aed = 0xbd; 
*(uint8_t*)0x200000007aee = 0xc; memcpy((void*)0x200000007aef, "\x8b\x82\xbd\x3f\xc8\x13\x7d\x3d\x25\x9c\xe7\xbc\x14\x0d\xe0\x82\x3d\xe2\x22\x2e\xed\x4c\x57\x0e\xdc\xb8\x45\x53\xcd\x1e\xfd\x64\x9d\xd3\x52\xdd\x37\x5d\x81\xda\x8d\xa8\xe6\x86\x3f\xb4\x82\xec\xb3\xa1\x6f\x12\x22\x10\xbf\xf2\x5c\x59\xa3\xaf\xc6\x54\x28\x48\xc0\x6e\x1b\x98\x3f\xbc\x8d\xd0\xde\x62\x7c\xfd\xdf\x9f\x90\x5f\x5c\xb6\xed\x4a\x25\xec\x59\x47\x59\x9b\x15\xb5\x38\xc7\xbb\x0b\x0d\x65\xd4\xa3\x1b\x31\x9f\x73\x83\x95\x5c\xe7\x66\xef\x4c\x66\xd1\x8b\xc7\x5d\x69\xb2\xdd\x7d\x13\x6c\x78\xea\xec\x1e\x22\x03\xeb\x91\x8d\xd6\x16\x09\xde\x40\xf4\xf6\x93\x91\x7e\xeb\x17\xfc\x38\x7b\xb4\x27\x34\x1f\x64\x16\xe0\xb8\xc4\x6a\x24\x45\xa5\xc4\x9b\xd9\xc8\x6d\xfe\x21\xc5\x98\xac\xf1\x7e\xa9\x8f\xfe\xce\x20\x2a\x21\xdc\x93\xa0\xb8\x30\xd2\x9a\xf8\x7c", 187); *(uint8_t*)0x200000007baa = 0xc7; *(uint8_t*)0x200000007bab = 6; memcpy((void*)0x200000007bac, "\xf5\x45\x9e\x11\x78\x00\xd2\x2a\x25\xa4\x86\xd1\x44\x2f\x5c\xbd\x4d\x3d\x77\x6c\xd0\x61\xd2\xc1\x85\xf9\x92\x4e\xae\x6a\x4d\x7b\x14\xc5\x8b\x59\x98\x63\xd3\x21\xe3\xea\x80\xa2\x5f\x6d\x8b\xe5\x1d\x5c\xa7\x0c\x27\x6c\xe0\xe6\xd9\x03\x8f\x88\x77\x6b\x96\x14\x28\x7d\xb7\xee\x21\x13\xf0\xe7\xe1\xf0\x18\x73\xb6\x13\xd7\x63\xda\x5f\x87\xf8\x6c\xd1\x86\x0b\xd6\x23\x46\x3f\xc6\xd9\x3d\x9f\x94\x8d\x0d\x4d\x70\xd7\x2a\x8a\xc1\xde\xc1\xad\xce\xb8\x71\x67\x29\x90\x64\x28\xd5\xb6\xe2\x4b\x01\x49\x9b\xfa\x6a\x0a\xa0\x48\x2e\xed\x8c\x77\x51\xa1\xc7\xec\x94\x4d\xb1\x92\x54\xa7\x4b\x61\x14\x2e\x72\x5a\x7a\x29\x0c\x41\x42\x87\x5d\x34\x7b\x3e\x48\x3f\x4e\x2d\xb8\x37\x3e\xf8\xfe\xad\x81\x18\xce\x07\xd8\x12\x33\x2b\x21\x1d\xa9\x73\x3d\x44\x4f\x7d\x70\x6a\x64\x39\xc2\x9a\xea\xed\xd0\x30\x00\xa2\xa8", 197); *(uint8_t*)0x200000007c71 = 9; *(uint8_t*)0x200000007c72 = 5; *(uint8_t*)0x200000007c73 = 0xa; *(uint8_t*)0x200000007c74 = 0xc; *(uint16_t*)0x200000007c75 = 0x400; *(uint8_t*)0x200000007c77 = 0xc; *(uint8_t*)0x200000007c78 = 0; *(uint8_t*)0x200000007c79 = 0xb5; 
*(uint8_t*)0x200000007c7a = 7; *(uint8_t*)0x200000007c7b = 0x25; *(uint8_t*)0x200000007c7c = 1; *(uint8_t*)0x200000007c7d = 1; *(uint8_t*)0x200000007c7e = 0xb; *(uint16_t*)0x200000007c7f = 7; *(uint8_t*)0x200000007c81 = 9; *(uint8_t*)0x200000007c82 = 5; *(uint8_t*)0x200000007c83 = 2; *(uint8_t*)0x200000007c84 = 0x10; *(uint16_t*)0x200000007c85 = 0x20; *(uint8_t*)0x200000007c87 = 7; *(uint8_t*)0x200000007c88 = 5; *(uint8_t*)0x200000007c89 = 5; *(uint8_t*)0x200000007c8a = 0x24; *(uint8_t*)0x200000007c8b = 7; memcpy((void*)0x200000007c8c, "\xad\x98\x31\x4a\x82\xd7\xae\xbb\xfc\xe8\x51\x78\x75\x22\x71\xb1\x58\xc0\x5d\xea\x1b\xf5\xa2\x45\x9c\x43\x1d\xf1\x80\xc1\xf3\xb2\xbe\x3b", 34); *(uint8_t*)0x200000007cae = 9; *(uint8_t*)0x200000007caf = 5; *(uint8_t*)0x200000007cb0 = 3; *(uint8_t*)0x200000007cb1 = 2; *(uint16_t*)0x200000007cb2 = 8; *(uint8_t*)0x200000007cb4 = 7; *(uint8_t*)0x200000007cb5 = 0xf3; *(uint8_t*)0x200000007cb6 = 4; *(uint8_t*)0x200000007cb7 = 9; *(uint8_t*)0x200000007cb8 = 5; *(uint8_t*)0x200000007cb9 = 5; *(uint8_t*)0x200000007cba = 0; *(uint16_t*)0x200000007cbb = 0x40; *(uint8_t*)0x200000007cbd = 2; *(uint8_t*)0x200000007cbe = 3; *(uint8_t*)0x200000007cbf = 2; *(uint8_t*)0x200000007cc0 = 0x6a; *(uint8_t*)0x200000007cc1 = 0xa; memcpy((void*)0x200000007cc2, "\xf7\xdd\x67\x50\x5d\x35\x3d\x93\xb6\xe1\xf3\xac\x2d\x8f\x9f\x76\x60\x12\xd2\x04\xe5\x58\xa7\x07\x6c\x6a\x1d\xd6\x64\x8b\x29\x28\xac\xaf\x80\x17\x10\xc8\x55\x50\x67\xe0\x71\x5e\x60\x77\x2d\x9a\x84\xc7\x14\xf6\x3d\x52\x7b\x9f\x15\x32\xa5\xac\x65\x11\x62\x7f\x9e\x84\x00\xe6\x2a\xd6\xbd\x25\xec\x51\xec\x63\x0a\xfc\x10\xe1\xf0\xf2\xfe\x01\xc9\x58\x8e\x28\x97\xef\x26\xd5\xea\x8b\xcf\x97\x0e\x51\xfc\x28\xd8\x4a\x62\x8c", 104); *(uint8_t*)0x200000007d2a = 9; *(uint8_t*)0x200000007d2b = 4; *(uint8_t*)0x200000007d2c = 0x48; *(uint8_t*)0x200000007d2d = 0xe; *(uint8_t*)0x200000007d2e = 3; *(uint8_t*)0x200000007d2f = 0xca; *(uint8_t*)0x200000007d30 = 0x1e; *(uint8_t*)0x200000007d31 = 0x4a; 
*(uint8_t*)0x200000007d32 = 0xf5; *(uint8_t*)0x200000007d33 = 9; *(uint8_t*)0x200000007d34 = 5; *(uint8_t*)0x200000007d35 = 0xb; *(uint8_t*)0x200000007d36 = 4; *(uint16_t*)0x200000007d37 = 0x400; *(uint8_t*)0x200000007d39 = 5; *(uint8_t*)0x200000007d3a = 0xf7; *(uint8_t*)0x200000007d3b = 0xf6; *(uint8_t*)0x200000007d3c = 9; *(uint8_t*)0x200000007d3d = 5; *(uint8_t*)0x200000007d3e = 0xe; *(uint8_t*)0x200000007d3f = 0x10; *(uint16_t*)0x200000007d40 = 0x3ff; *(uint8_t*)0x200000007d42 = 1; *(uint8_t*)0x200000007d43 = 0xd; *(uint8_t*)0x200000007d44 = 0x80; *(uint8_t*)0x200000007d45 = 9; *(uint8_t*)0x200000007d46 = 5; *(uint8_t*)0x200000007d47 = 5; *(uint8_t*)0x200000007d48 = 0x10; *(uint16_t*)0x200000007d49 = 0x10; *(uint8_t*)0x200000007d4b = 0x95; *(uint8_t*)0x200000007d4c = 3; *(uint8_t*)0x200000007d4d = 0; *(uint8_t*)0x200000007d4e = 7; *(uint8_t*)0x200000007d4f = 0x25; *(uint8_t*)0x200000007d50 = 1; *(uint8_t*)0x200000007d51 = 0x82; *(uint8_t*)0x200000007d52 = 0xae; *(uint16_t*)0x200000007d53 = 0x12; *(uint32_t*)0x200000007ec0 = 0xa; *(uint64_t*)0x200000007ec4 = 0x200000007d80; *(uint8_t*)0x200000007d80 = 0xa; *(uint8_t*)0x200000007d81 = 6; *(uint16_t*)0x200000007d82 = 0x110; *(uint8_t*)0x200000007d84 = 4; *(uint8_t*)0x200000007d85 = 1; *(uint8_t*)0x200000007d86 = 6; *(uint8_t*)0x200000007d87 = 8; *(uint8_t*)0x200000007d88 = 0xe; *(uint8_t*)0x200000007d89 = 0; *(uint32_t*)0x200000007ecc = 0x3b; *(uint64_t*)0x200000007ed0 = 0x200000007dc0; *(uint8_t*)0x200000007dc0 = 5; *(uint8_t*)0x200000007dc1 = 0xf; *(uint16_t*)0x200000007dc2 = 0x3b; *(uint8_t*)0x200000007dc4 = 4; *(uint8_t*)0x200000007dc5 = 0x14; *(uint8_t*)0x200000007dc6 = 0x10; *(uint8_t*)0x200000007dc7 = 4; *(uint8_t*)0x200000007dc8 = 6; memcpy((void*)0x200000007dc9, "\xfd\xf4\x04\x3a\xe7\xf5\x9e\x3e\x81\xfe\x30\x3d\x4d\xe3\xea\x16", 16); *(uint8_t*)0x200000007dd9 = 7; *(uint8_t*)0x200000007dda = 0x10; *(uint8_t*)0x200000007ddb = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007ddc, 0x10, 0, 8); 
STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007dde, 6, 0, 16); *(uint8_t*)0x200000007de0 = 7; *(uint8_t*)0x200000007de1 = 0x10; *(uint8_t*)0x200000007de2 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007de3, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 7, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 0xd, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de5, 0x95d7, 0, 16); *(uint8_t*)0x200000007de7 = 0x14; *(uint8_t*)0x200000007de8 = 0x10; *(uint8_t*)0x200000007de9 = 4; *(uint8_t*)0x200000007dea = 3; memcpy((void*)0x200000007deb, "\xbc\x6a\x92\x66\xbf\x50\x6e\x90\x62\x0d\x9c\x90\x0e\x18\x01\x43", 16); *(uint32_t*)0x200000007ed8 = 1; *(uint32_t*)0x200000007edc = 0x98; *(uint64_t*)0x200000007ee0 = 0x200000007e00; *(uint8_t*)0x200000007e00 = 0x98; *(uint8_t*)0x200000007e01 = 3; memcpy((void*)0x200000007e02, "\xd9\x5f\x3f\xca\xaa\x58\xf9\xd3\x6d\x03\xe3\xa2\xd5\x56\x6a\x51\x91\xf7\x42\xf7\x23\xfa\x49\xe3\x64\xe0\x3b\x0d\x28\x8a\x7f\xcb\x45\x79\xb5\x8c\x56\xd8\x24\xbe\x57\xf9\xad\x0f\x87\x03\xd3\x01\x1c\xac\x46\x84\x33\xfa\x22\xc2\x3b\xfa\xf1\x5d\xad\x54\x1e\xfb\x01\x38\xc4\x6b\xb8\xf8\x86\x92\x15\x15\x5c\x26\x85\xd6\x9b\x75\xff\xe6\x8c\x0c\xbd\x6e\x71\x74\x3a\xbd\x43\x55\xe1\x2d\x9d\xcb\x7d\xff\x16\xbb\x07\x5d\xa5\x53\xc1\x78\x13\x9e\xde\x2c\x28\x5a\x4a\x28\x45\xe8\x88\x9c\x23\x45\x04\xd9\x68\xd8\x70\xb6\x08\x4a\x7b\x4a\xb0\xdc\xdb\x83\xd4\x3b\xb2\xf4\xe7\xa0\x15\x6b\x80\xa6\x89\x19\xcb\xb7\xda\x84", 150); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0x295, /*dev=*/0x200000007ac0, /*conn_descs=*/0x200000007ec0); if (res != -1) r[33] = res; break; case 52: *(uint8_t*)0x200000007f00 = 0x12; *(uint8_t*)0x200000007f01 = 1; *(uint16_t*)0x200000007f02 = 0x200; *(uint8_t*)0x200000007f04 = -1; *(uint8_t*)0x200000007f05 = -1; *(uint8_t*)0x200000007f06 = -1; *(uint8_t*)0x200000007f07 = 0x40; *(uint16_t*)0x200000007f08 = 0xcf3; 
*(uint16_t*)0x200000007f0a = 0x9271; *(uint16_t*)0x200000007f0c = 0x108; *(uint8_t*)0x200000007f0e = 1; *(uint8_t*)0x200000007f0f = 2; *(uint8_t*)0x200000007f10 = 3; *(uint8_t*)0x200000007f11 = 1; *(uint8_t*)0x200000007f12 = 9; *(uint8_t*)0x200000007f13 = 2; *(uint16_t*)0x200000007f14 = 0x48; *(uint8_t*)0x200000007f16 = 1; *(uint8_t*)0x200000007f17 = 1; *(uint8_t*)0x200000007f18 = 0; *(uint8_t*)0x200000007f19 = 0x80; *(uint8_t*)0x200000007f1a = 0xfa; *(uint8_t*)0x200000007f1b = 9; *(uint8_t*)0x200000007f1c = 4; *(uint8_t*)0x200000007f1d = 0; *(uint8_t*)0x200000007f1e = 0; *(uint8_t*)0x200000007f1f = 6; *(uint8_t*)0x200000007f20 = -1; *(uint8_t*)0x200000007f21 = 0; *(uint8_t*)0x200000007f22 = 0; *(uint8_t*)0x200000007f23 = 0; *(uint8_t*)0x200000007f24 = 9; *(uint8_t*)0x200000007f25 = 5; *(uint8_t*)0x200000007f26 = 1; *(uint8_t*)0x200000007f27 = 2; *(uint16_t*)0x200000007f28 = 0x200; *(uint8_t*)0x200000007f2a = 0; *(uint8_t*)0x200000007f2b = 0; *(uint8_t*)0x200000007f2c = 0; *(uint8_t*)0x200000007f2d = 9; *(uint8_t*)0x200000007f2e = 5; *(uint8_t*)0x200000007f2f = 0x82; *(uint8_t*)0x200000007f30 = 2; *(uint16_t*)0x200000007f31 = 0x200; *(uint8_t*)0x200000007f33 = 0; *(uint8_t*)0x200000007f34 = 0; *(uint8_t*)0x200000007f35 = 0; *(uint8_t*)0x200000007f36 = 9; *(uint8_t*)0x200000007f37 = 5; *(uint8_t*)0x200000007f38 = 0x83; *(uint8_t*)0x200000007f39 = 3; *(uint16_t*)0x200000007f3a = 0x40; *(uint8_t*)0x200000007f3c = 1; *(uint8_t*)0x200000007f3d = 0; *(uint8_t*)0x200000007f3e = 0; *(uint8_t*)0x200000007f3f = 9; *(uint8_t*)0x200000007f40 = 5; *(uint8_t*)0x200000007f41 = 4; *(uint8_t*)0x200000007f42 = 3; *(uint16_t*)0x200000007f43 = 0x40; *(uint8_t*)0x200000007f45 = 1; *(uint8_t*)0x200000007f46 = 0; *(uint8_t*)0x200000007f47 = 0; *(uint8_t*)0x200000007f48 = 9; *(uint8_t*)0x200000007f49 = 5; *(uint8_t*)0x200000007f4a = 5; *(uint8_t*)0x200000007f4b = 2; *(uint16_t*)0x200000007f4c = 0x200; *(uint8_t*)0x200000007f4e = 0; *(uint8_t*)0x200000007f4f = 0; *(uint8_t*)0x200000007f50 
= 0; *(uint8_t*)0x200000007f51 = 9; *(uint8_t*)0x200000007f52 = 5; *(uint8_t*)0x200000007f53 = 6; *(uint8_t*)0x200000007f54 = 2; *(uint16_t*)0x200000007f55 = 0x200; *(uint8_t*)0x200000007f57 = 0; *(uint8_t*)0x200000007f58 = 0; *(uint8_t*)0x200000007f59 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000007f00, /*conn_descs=*/0); if (res != -1) r[34] = res; break; case 53: *(uint8_t*)0x200000007f80 = 0x12; *(uint8_t*)0x200000007f81 = 1; *(uint16_t*)0x200000007f82 = 0x110; *(uint8_t*)0x200000007f84 = 0; *(uint8_t*)0x200000007f85 = 0; *(uint8_t*)0x200000007f86 = 0; *(uint8_t*)0x200000007f87 = 0x40; *(uint16_t*)0x200000007f88 = 0x1d6b; *(uint16_t*)0x200000007f8a = 0x101; *(uint16_t*)0x200000007f8c = 0x40; *(uint8_t*)0x200000007f8e = 1; *(uint8_t*)0x200000007f8f = 2; *(uint8_t*)0x200000007f90 = 3; *(uint8_t*)0x200000007f91 = 1; *(uint8_t*)0x200000007f92 = 9; *(uint8_t*)0x200000007f93 = 2; *(uint16_t*)0x200000007f94 = 0xd3; *(uint8_t*)0x200000007f96 = 3; *(uint8_t*)0x200000007f97 = 1; *(uint8_t*)0x200000007f98 = 1; *(uint8_t*)0x200000007f99 = 0x80; *(uint8_t*)0x200000007f9a = 0x80; *(uint8_t*)0x200000007f9b = 9; *(uint8_t*)0x200000007f9c = 4; *(uint8_t*)0x200000007f9d = 0; *(uint8_t*)0x200000007f9e = 0; *(uint8_t*)0x200000007f9f = 0; *(uint8_t*)0x200000007fa0 = 1; *(uint8_t*)0x200000007fa1 = 1; *(uint8_t*)0x200000007fa2 = 0; *(uint8_t*)0x200000007fa3 = 0; *(uint8_t*)0x200000007fa4 = 0xa; *(uint8_t*)0x200000007fa5 = 0x24; *(uint8_t*)0x200000007fa6 = 1; *(uint16_t*)0x200000007fa7 = 0; *(uint8_t*)0x200000007fa9 = 0x7c; *(uint8_t*)0x200000007faa = 2; *(uint8_t*)0x200000007fab = 1; *(uint8_t*)0x200000007fac = 2; *(uint8_t*)0x200000007fad = 0xd; *(uint8_t*)0x200000007fae = 0x24; *(uint8_t*)0x200000007faf = 8; *(uint8_t*)0x200000007fb0 = 2; *(uint16_t*)0x200000007fb1 = 8; *(uint8_t*)0x200000007fb3 = 9; memcpy((void*)0x200000007fb4, "\x0c\xff\xda\x3f\x22\x7b", 6); *(uint8_t*)0x200000007fba = 9; *(uint8_t*)0x200000007fbb = 4; 
*(uint8_t*)0x200000007fbc = 1; *(uint8_t*)0x200000007fbd = 0; *(uint8_t*)0x200000007fbe = 0; *(uint8_t*)0x200000007fbf = 1; *(uint8_t*)0x200000007fc0 = 2; *(uint8_t*)0x200000007fc1 = 0; *(uint8_t*)0x200000007fc2 = 0; *(uint8_t*)0x200000007fc3 = 9; *(uint8_t*)0x200000007fc4 = 4; *(uint8_t*)0x200000007fc5 = 1; *(uint8_t*)0x200000007fc6 = 1; *(uint8_t*)0x200000007fc7 = 1; *(uint8_t*)0x200000007fc8 = 1; *(uint8_t*)0x200000007fc9 = 2; *(uint8_t*)0x200000007fca = 0; *(uint8_t*)0x200000007fcb = 0; *(uint8_t*)0x200000007fcc = 0x12; *(uint8_t*)0x200000007fcd = 0x24; *(uint8_t*)0x200000007fce = 2; *(uint8_t*)0x200000007fcf = 2; *(uint16_t*)0x200000007fd0 = 6; *(uint16_t*)0x200000007fd2 = 0x9a; *(uint8_t*)0x200000007fd4 = 0x20; memcpy((void*)0x200000007fd5, "\x2d\xa5\xee\x78\xa2\x8e\x1f\x1a\x41", 9); *(uint8_t*)0x200000007fde = 0xd; *(uint8_t*)0x200000007fdf = 0x24; *(uint8_t*)0x200000007fe0 = 2; *(uint8_t*)0x200000007fe1 = 1; *(uint8_t*)0x200000007fe2 = 0xf8; *(uint8_t*)0x200000007fe3 = 3; *(uint8_t*)0x200000007fe4 = 0x69; *(uint8_t*)0x200000007fe5 = 0x6d; memcpy((void*)0x200000007fe6, "e)", 2); memcpy((void*)0x200000007fe8, "\xbf\x07\x94", 3); *(uint8_t*)0x200000007feb = 0xb; *(uint8_t*)0x200000007fec = 0x24; *(uint8_t*)0x200000007fed = 2; *(uint8_t*)0x200000007fee = 1; *(uint8_t*)0x200000007fef = 5; *(uint8_t*)0x200000007ff0 = 4; *(uint8_t*)0x200000007ff1 = 0x5b; *(uint8_t*)0x200000007ff2 = 3; memset((void*)0x200000007ff3, 68, 1); memcpy((void*)0x200000007ff4, "\x26\x18", 2); *(uint8_t*)0x200000007ff6 = 9; *(uint8_t*)0x200000007ff7 = 0x24; *(uint8_t*)0x200000007ff8 = 2; *(uint8_t*)0x200000007ff9 = 2; *(uint16_t*)0x200000007ffa = 0x7b4; *(uint16_t*)0x200000007ffc = 8; *(uint8_t*)0x200000007ffe = 4; *(uint8_t*)0x200000007fff = 0xc; *(uint8_t*)0x200000008000 = 0x24; *(uint8_t*)0x200000008001 = 2; *(uint8_t*)0x200000008002 = 1; *(uint8_t*)0x200000008003 = 0; *(uint8_t*)0x200000008004 = 3; *(uint8_t*)0x200000008005 = 8; *(uint8_t*)0x200000008006 = 8; 
memset((void*)0x200000008007, 170, 1); memcpy((void*)0x200000008008, "\xe8\xe5\xb4", 3); *(uint8_t*)0x20000000800b = 9; *(uint8_t*)0x20000000800c = 5; *(uint8_t*)0x20000000800d = 1; *(uint8_t*)0x20000000800e = 9; *(uint16_t*)0x20000000800f = 0x40; *(uint8_t*)0x200000008011 = 6; *(uint8_t*)0x200000008012 = 5; *(uint8_t*)0x200000008013 = 0; *(uint8_t*)0x200000008014 = 7; *(uint8_t*)0x200000008015 = 0x25; *(uint8_t*)0x200000008016 = 1; *(uint8_t*)0x200000008017 = 0x80; *(uint8_t*)0x200000008018 = 1; *(uint16_t*)0x200000008019 = 4; *(uint8_t*)0x20000000801b = 9; *(uint8_t*)0x20000000801c = 4; *(uint8_t*)0x20000000801d = 2; *(uint8_t*)0x20000000801e = 0; *(uint8_t*)0x20000000801f = 0; *(uint8_t*)0x200000008020 = 1; *(uint8_t*)0x200000008021 = 2; *(uint8_t*)0x200000008022 = 0; *(uint8_t*)0x200000008023 = 0; *(uint8_t*)0x200000008024 = 9; *(uint8_t*)0x200000008025 = 4; *(uint8_t*)0x200000008026 = 2; *(uint8_t*)0x200000008027 = 1; *(uint8_t*)0x200000008028 = 1; *(uint8_t*)0x200000008029 = 1; *(uint8_t*)0x20000000802a = 2; *(uint8_t*)0x20000000802b = 0; *(uint8_t*)0x20000000802c = 0; *(uint8_t*)0x20000000802d = 7; *(uint8_t*)0x20000000802e = 0x24; *(uint8_t*)0x20000000802f = 1; *(uint8_t*)0x200000008030 = 3; *(uint8_t*)0x200000008031 = 0x1e; *(uint16_t*)0x200000008032 = 4; *(uint8_t*)0x200000008034 = 7; *(uint8_t*)0x200000008035 = 0x24; *(uint8_t*)0x200000008036 = 1; *(uint8_t*)0x200000008037 = 0x6f; *(uint8_t*)0x200000008038 = 7; *(uint16_t*)0x200000008039 = 0; *(uint8_t*)0x20000000803b = 0xa; *(uint8_t*)0x20000000803c = 0x24; *(uint8_t*)0x20000000803d = 2; *(uint8_t*)0x20000000803e = 2; *(uint16_t*)0x20000000803f = 8; *(uint16_t*)0x200000008041 = 2; *(uint8_t*)0x200000008043 = 8; memset((void*)0x200000008044, 102, 1); *(uint8_t*)0x200000008045 = 0x10; *(uint8_t*)0x200000008046 = 0x24; *(uint8_t*)0x200000008047 = 2; *(uint8_t*)0x200000008048 = 2; *(uint16_t*)0x200000008049 = 9; *(uint16_t*)0x20000000804b = 0x401; *(uint8_t*)0x20000000804d = 5; memcpy((void*)0x20000000804e, 
"\x53\xb1\x1d\xbc\x8c\xd3\x10", 7); *(uint8_t*)0x200000008055 = 9; *(uint8_t*)0x200000008056 = 5; *(uint8_t*)0x200000008057 = 0x82; *(uint8_t*)0x200000008058 = 9; *(uint16_t*)0x200000008059 = 8; *(uint8_t*)0x20000000805b = 0; *(uint8_t*)0x20000000805c = 0x28; *(uint8_t*)0x20000000805d = 6; *(uint8_t*)0x20000000805e = 7; *(uint8_t*)0x20000000805f = 0x25; *(uint8_t*)0x200000008060 = 1; *(uint8_t*)0x200000008061 = 0x80; *(uint8_t*)0x200000008062 = 5; *(uint16_t*)0x200000008063 = 0xd; *(uint32_t*)0x2000000081c0 = 0xa; *(uint64_t*)0x2000000081c4 = 0x200000008080; *(uint8_t*)0x200000008080 = 0xa; *(uint8_t*)0x200000008081 = 6; *(uint16_t*)0x200000008082 = 0x110; *(uint8_t*)0x200000008084 = 0x59; *(uint8_t*)0x200000008085 = 0xa5; *(uint8_t*)0x200000008086 = 5; *(uint8_t*)0x200000008087 = 0x10; *(uint8_t*)0x200000008088 = 1; *(uint8_t*)0x200000008089 = 0; *(uint32_t*)0x2000000081cc = 0x39; *(uint64_t*)0x2000000081d0 = 0x2000000080c0; *(uint8_t*)0x2000000080c0 = 5; *(uint8_t*)0x2000000080c1 = 0xf; *(uint16_t*)0x2000000080c2 = 0x39; *(uint8_t*)0x2000000080c4 = 5; *(uint8_t*)0x2000000080c5 = 0xb; *(uint8_t*)0x2000000080c6 = 0x10; *(uint8_t*)0x2000000080c7 = 1; *(uint8_t*)0x2000000080c8 = 4; *(uint16_t*)0x2000000080c9 = 8; *(uint8_t*)0x2000000080cb = 3; *(uint8_t*)0x2000000080cc = 0xb8; *(uint16_t*)0x2000000080cd = 9; *(uint8_t*)0x2000000080cf = 4; *(uint8_t*)0x2000000080d0 = 0x14; *(uint8_t*)0x2000000080d1 = 0x10; *(uint8_t*)0x2000000080d2 = 4; *(uint8_t*)0x2000000080d3 = 2; memcpy((void*)0x2000000080d4, "\x9d\x9a\xb0\x97\x8e\x2a\xac\xe2\x6d\xe6\x63\x06\xe6\xe2\x96\x3d", 16); *(uint8_t*)0x2000000080e4 = 0xb; *(uint8_t*)0x2000000080e5 = 0x10; *(uint8_t*)0x2000000080e6 = 1; *(uint8_t*)0x2000000080e7 = 4; *(uint16_t*)0x2000000080e8 = 0; *(uint8_t*)0x2000000080ea = 6; *(uint8_t*)0x2000000080eb = 4; *(uint16_t*)0x2000000080ec = 1; *(uint8_t*)0x2000000080ee = 5; *(uint8_t*)0x2000000080ef = 3; *(uint8_t*)0x2000000080f0 = 0x10; *(uint8_t*)0x2000000080f1 = 0xb; 
*(uint8_t*)0x2000000080f2 = 7; *(uint8_t*)0x2000000080f3 = 0x10; *(uint8_t*)0x2000000080f4 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000080f5, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f7, 0xfff2, 0, 16); *(uint32_t*)0x2000000081d8 = 1; *(uint32_t*)0x2000000081dc = 0x84; *(uint64_t*)0x2000000081e0 = 0x200000008100; *(uint8_t*)0x200000008100 = 0x84; *(uint8_t*)0x200000008101 = 3; memcpy((void*)0x200000008102, "\x00\x0a\x6c\x9f\x4a\x15\xea\xbc\x97\xa9\x2a\xb6\x65\x23\x1b\x2c\xf9\x05\x73\x21\xeb\x43\x0c\x65\x21\xf4\x97\xa8\xc3\xce\x81\x62\x68\xcb\x33\x7f\xa4\x8d\xee\xcf\xeb\x28\xb2\x30\x5f\xcf\x2d\x2e\x98\x8c\xc8\xb8\xb9\x80\xa1\x33\x2d\xc4\x06\xbc\x34\x69\x5f\xa2\x4d\xc3\x60\x9f\x61\x9d\x7a\xc2\x84\xcc\x3a\xe7\xf0\xaf\xe4\x44\xd5\x78\xc9\x51\xd9\xae\xdc\x4c\x68\x2e\x10\x0c\xfe\xb6\x61\x9b\x98\xa9\x6b\x19\x78\xd8\xed\xe7\x57\x4e\x96\x9f\x8a\xe8\xe3\xdf\xb8\x35\xbd\xe5\xcc\xd9\x22\x13\x3e\x53\x03\x6f\xf4\x4e\xda\x52\xa0\xa9", 130); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0xe5, /*dev=*/0x200000007f80, /*conn_descs=*/0x2000000081c0); if (res != -1) r[35] = res; break; case 54: *(uint32_t*)0x200000008380 = 0x2c; *(uint64_t*)0x200000008384 = 0x200000008200; *(uint8_t*)0x200000008200 = 0x40; *(uint8_t*)0x200000008201 = 0x22; *(uint32_t*)0x200000008202 = 0x31; *(uint8_t*)0x200000008206 = 0x31; *(uint8_t*)0x200000008207 = 5; memcpy((void*)0x200000008208, "\x74\xe8\x3d\xcf\x53\xdd\x2d\x0e\xca\xc0\xaa\x34\x67\xb1\x8d\xfa\x71\xb2\x6c\xdd\x40\x3d\x95\x5c\x0f\xfe\x22\x81\x7b\x01\xfe\x57\x95\xd5\x1c\xf2\x4a\x6a\xe3\xb8\xe3\x2f\x1b\x7a\xc5\xf8\xca", 47); *(uint64_t*)0x20000000838c = 0x200000008240; *(uint8_t*)0x200000008240 = 0; *(uint8_t*)0x200000008241 = 3; *(uint32_t*)0x200000008242 = 0x1e; *(uint8_t*)0x200000008246 = 0x1e; *(uint8_t*)0x200000008247 = 3; memcpy((void*)0x200000008248, 
"\x89\x57\xa5\x01\xd8\x3c\x69\xe5\x4f\x70\xf6\x2f\x93\x2a\x50\xb6\x55\x06\xc3\x88\xc1\x28\x23\x9d\x36\x22\x9e\xe2", 28); *(uint64_t*)0x200000008394 = 0x200000008280; *(uint8_t*)0x200000008280 = 0; *(uint8_t*)0x200000008281 = 0xf; *(uint32_t*)0x200000008282 = 0x4f; *(uint8_t*)0x200000008286 = 5; *(uint8_t*)0x200000008287 = 0xf; *(uint16_t*)0x200000008288 = 0x4f; *(uint8_t*)0x20000000828a = 6; *(uint8_t*)0x20000000828b = 0x1c; *(uint8_t*)0x20000000828c = 0x10; *(uint8_t*)0x20000000828d = 0xa; *(uint8_t*)0x20000000828e = 0; STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 5, 5, 27); *(uint16_t*)0x200000008293 = 0xf000; *(uint16_t*)0x200000008295 = 0x409; *(uint32_t*)0x200000008297 = 0xc000; *(uint32_t*)0x20000000829b = 0x17f; *(uint32_t*)0x20000000829f = 0xff3f30; *(uint32_t*)0x2000000082a3 = 0xffffaf; *(uint8_t*)0x2000000082a7 = 0x10; *(uint8_t*)0x2000000082a8 = 0x10; *(uint8_t*)0x2000000082a9 = 0xa; *(uint8_t*)0x2000000082aa = 9; STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 4, 5, 27); *(uint16_t*)0x2000000082af = 0xff0f; *(uint16_t*)0x2000000082b1 = 0xf87; *(uint32_t*)0x2000000082b3 = 0xc030; *(uint8_t*)0x2000000082b7 = 7; *(uint8_t*)0x2000000082b8 = 0x10; *(uint8_t*)0x2000000082b9 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000082ba, 4, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bc, 5, 0, 16); *(uint8_t*)0x2000000082be = 0xa; *(uint8_t*)0x2000000082bf = 0x10; *(uint8_t*)0x2000000082c0 = 3; *(uint8_t*)0x2000000082c1 = 0; *(uint16_t*)0x2000000082c2 = 4; *(uint8_t*)0x2000000082c4 = 0xd2; *(uint8_t*)0x2000000082c5 = 3; *(uint16_t*)0x2000000082c6 = 5; *(uint8_t*)0x2000000082c8 = 0xa; *(uint8_t*)0x2000000082c9 = 0x10; *(uint8_t*)0x2000000082ca = 3; *(uint8_t*)0x2000000082cb = 0; *(uint16_t*)0x2000000082cc = 0; *(uint8_t*)0x2000000082ce = 1; 
*(uint8_t*)0x2000000082cf = 7; *(uint16_t*)0x2000000082d0 = 2; *(uint8_t*)0x2000000082d2 = 3; *(uint8_t*)0x2000000082d3 = 0x10; *(uint8_t*)0x2000000082d4 = 0xb; *(uint64_t*)0x20000000839c = 0x200000008300; *(uint8_t*)0x200000008300 = 0x20; *(uint8_t*)0x200000008301 = 0x29; *(uint32_t*)0x200000008302 = 0xf; *(uint8_t*)0x200000008306 = 0xf; *(uint8_t*)0x200000008307 = 0x29; *(uint8_t*)0x200000008308 = 8; *(uint16_t*)0x200000008309 = 1; *(uint8_t*)0x20000000830b = 7; *(uint8_t*)0x20000000830c = 4; memcpy((void*)0x20000000830d, "\b\r$}", 4); memcpy((void*)0x200000008311, "\x67\x01\x6d\xee", 4); *(uint64_t*)0x2000000083a4 = 0x200000008340; *(uint8_t*)0x200000008340 = 0x20; *(uint8_t*)0x200000008341 = 0x2a; *(uint32_t*)0x200000008342 = 0xc; *(uint8_t*)0x200000008346 = 0xc; *(uint8_t*)0x200000008347 = 0x2a; *(uint8_t*)0x200000008348 = 0x16; *(uint16_t*)0x200000008349 = 0x80; *(uint8_t*)0x20000000834b = 9; *(uint8_t*)0x20000000834c = 3; *(uint8_t*)0x20000000834d = 3; *(uint16_t*)0x20000000834e = 2; *(uint16_t*)0x200000008350 = 0xf000; *(uint32_t*)0x2000000087c0 = 0x84; *(uint64_t*)0x2000000087c4 = 0x2000000083c0; *(uint8_t*)0x2000000083c0 = 0; *(uint8_t*)0x2000000083c1 = 0x11; *(uint32_t*)0x2000000083c2 = 0x1f; memcpy((void*)0x2000000083c6, "\x16\xd6\x0d\x77\x43\x50\x14\x52\xff\xd5\x73\x04\x24\xbc\x4a\x97\x0c\xc6\x49\x0b\xb9\xcc\x85\x93\x86\x99\xed\xf2\x7a\x0c\x7d", 31); *(uint64_t*)0x2000000087cc = 0x200000008400; *(uint8_t*)0x200000008400 = 0; *(uint8_t*)0x200000008401 = 0xa; *(uint32_t*)0x200000008402 = 1; *(uint8_t*)0x200000008406 = 9; *(uint64_t*)0x2000000087d4 = 0x200000008440; *(uint8_t*)0x200000008440 = 0; *(uint8_t*)0x200000008441 = 8; *(uint32_t*)0x200000008442 = 1; *(uint8_t*)0x200000008446 = 4; *(uint64_t*)0x2000000087dc = 0x200000008480; *(uint8_t*)0x200000008480 = 0x20; *(uint8_t*)0x200000008481 = 0; *(uint32_t*)0x200000008482 = 4; *(uint16_t*)0x200000008486 = 0xe554; *(uint16_t*)0x200000008488 = 1; *(uint64_t*)0x2000000087e4 = 0x2000000084c0; 
*(uint8_t*)0x2000000084c0 = 0x20; *(uint8_t*)0x2000000084c1 = 0; *(uint32_t*)0x2000000084c2 = 4; *(uint16_t*)0x2000000084c6 = 0x200; *(uint16_t*)0x2000000084c8 = 0x2b; *(uint64_t*)0x2000000087ec = 0x200000008500; *(uint8_t*)0x200000008500 = 0x40; *(uint8_t*)0x200000008501 = 7; *(uint32_t*)0x200000008502 = 2; *(uint16_t*)0x200000008506 = 0xfd37; *(uint64_t*)0x2000000087f4 = 0x200000008540; *(uint8_t*)0x200000008540 = 0x40; *(uint8_t*)0x200000008541 = 9; *(uint32_t*)0x200000008542 = 1; *(uint8_t*)0x200000008546 = 0; *(uint64_t*)0x2000000087fc = 0x200000008580; *(uint8_t*)0x200000008580 = 0x40; *(uint8_t*)0x200000008581 = 0xb; *(uint32_t*)0x200000008582 = 2; memcpy((void*)0x200000008586, "E\"", 2); *(uint64_t*)0x200000008804 = 0x2000000085c0; *(uint8_t*)0x2000000085c0 = 0x40; *(uint8_t*)0x2000000085c1 = 0xf; *(uint32_t*)0x2000000085c2 = 2; *(uint16_t*)0x2000000085c6 = 2; *(uint64_t*)0x20000000880c = 0x200000008600; *(uint8_t*)0x200000008600 = 0x40; *(uint8_t*)0x200000008601 = 0x13; *(uint32_t*)0x200000008602 = 6; memcpy((void*)0x200000008606, "\x2f\xa6\xdd\xe0\x3a\x0f", 6); *(uint64_t*)0x200000008814 = 0x200000008640; *(uint8_t*)0x200000008640 = 0x40; *(uint8_t*)0x200000008641 = 0x17; *(uint32_t*)0x200000008642 = 6; memcpy((void*)0x200000008646, "\xde\x1c\x10\x2b\x02\x7e", 6); *(uint64_t*)0x20000000881c = 0x200000008680; *(uint8_t*)0x200000008680 = 0x40; *(uint8_t*)0x200000008681 = 0x19; *(uint32_t*)0x200000008682 = 2; memcpy((void*)0x200000008686, "\x0d\x97", 2); *(uint64_t*)0x200000008824 = 0x2000000086c0; *(uint8_t*)0x2000000086c0 = 0x40; *(uint8_t*)0x2000000086c1 = 0x1a; *(uint32_t*)0x2000000086c2 = 2; *(uint16_t*)0x2000000086c6 = 2; *(uint64_t*)0x20000000882c = 0x200000008700; *(uint8_t*)0x200000008700 = 0x40; *(uint8_t*)0x200000008701 = 0x1c; *(uint32_t*)0x200000008702 = 1; *(uint8_t*)0x200000008706 = 0xfd; *(uint64_t*)0x200000008834 = 0x200000008740; *(uint8_t*)0x200000008740 = 0x40; *(uint8_t*)0x200000008741 = 0x1e; *(uint32_t*)0x200000008742 = 1; 
*(uint8_t*)0x200000008746 = 0xfd; *(uint64_t*)0x20000000883c = 0x200000008780; *(uint8_t*)0x200000008780 = 0x40; *(uint8_t*)0x200000008781 = 0x21; *(uint32_t*)0x200000008782 = 1; *(uint8_t*)0x200000008786 = 0xc9; syz_usb_control_io(/*fd=*/r[35], /*descs=*/0x200000008380, /*resps=*/0x2000000087c0); break; case 55: syz_usb_disconnect(/*fd=*/r[33]); break; case 56: syz_usb_ep_read(/*fd=*/r[34], /*ep=*/7, /*len=*/0xfc, /*data=*/0x200000008880); break; case 57: *(uint8_t*)0x200000008980 = 0x12; *(uint8_t*)0x200000008981 = 1; *(uint16_t*)0x200000008982 = 0x200; *(uint8_t*)0x200000008984 = 7; *(uint8_t*)0x200000008985 = 1; *(uint8_t*)0x200000008986 = 1; *(uint8_t*)0x200000008987 = 0x20; *(uint16_t*)0x200000008988 = 0x525; *(uint16_t*)0x20000000898a = 0xa4a8; *(uint16_t*)0x20000000898c = 0x40; *(uint8_t*)0x20000000898e = 1; *(uint8_t*)0x20000000898f = 2; *(uint8_t*)0x200000008990 = 3; *(uint8_t*)0x200000008991 = 1; *(uint8_t*)0x200000008992 = 9; *(uint8_t*)0x200000008993 = 2; *(uint16_t*)0x200000008994 = 0x24; *(uint8_t*)0x200000008996 = 1; *(uint8_t*)0x200000008997 = 1; *(uint8_t*)0x200000008998 = 0xf4; *(uint8_t*)0x200000008999 = 0x60; *(uint8_t*)0x20000000899a = 4; *(uint8_t*)0x20000000899b = 9; *(uint8_t*)0x20000000899c = 4; *(uint8_t*)0x20000000899d = 0; *(uint8_t*)0x20000000899e = 3; *(uint8_t*)0x20000000899f = 2; *(uint8_t*)0x2000000089a0 = 0; *(uint8_t*)0x2000000089a1 = 0; *(uint8_t*)0x2000000089a2 = 0; *(uint8_t*)0x2000000089a3 = 0x81; *(uint8_t*)0x2000000089a4 = 9; *(uint8_t*)0x2000000089a5 = 5; *(uint8_t*)0x2000000089a6 = 1; *(uint8_t*)0x2000000089a7 = 2; *(uint16_t*)0x2000000089a8 = 0x400; *(uint8_t*)0x2000000089aa = 0; *(uint8_t*)0x2000000089ab = 8; *(uint8_t*)0x2000000089ac = 2; *(uint8_t*)0x2000000089ad = 9; *(uint8_t*)0x2000000089ae = 5; *(uint8_t*)0x2000000089af = 0x82; *(uint8_t*)0x2000000089b0 = 2; *(uint16_t*)0x2000000089b1 = 0x3ff; *(uint8_t*)0x2000000089b3 = 4; *(uint8_t*)0x2000000089b4 = 0x48; *(uint8_t*)0x2000000089b5 = 8; *(uint32_t*)0x200000008f00 
= 0xa; *(uint64_t*)0x200000008f04 = 0x2000000089c0; *(uint8_t*)0x2000000089c0 = 0xa; *(uint8_t*)0x2000000089c1 = 6; *(uint16_t*)0x2000000089c2 = 0x250; *(uint8_t*)0x2000000089c4 = 0x7d; *(uint8_t*)0x2000000089c5 = 0xdd; *(uint8_t*)0x2000000089c6 = 3; *(uint8_t*)0x2000000089c7 = 0x20; *(uint8_t*)0x2000000089c8 = 0xfa; *(uint8_t*)0x2000000089c9 = 0; *(uint32_t*)0x200000008f0c = 0x154; *(uint64_t*)0x200000008f10 = 0x200000008a00; *(uint8_t*)0x200000008a00 = 5; *(uint8_t*)0x200000008a01 = 0xf; *(uint16_t*)0x200000008a02 = 0x154; *(uint8_t*)0x200000008a04 = 6; *(uint8_t*)0x200000008a05 = 0xe8; *(uint8_t*)0x200000008a06 = 0x10; *(uint8_t*)0x200000008a07 = 1; memcpy((void*)0x200000008a08, "\xd0\x31\xa9\x16\x5b\x9e\x27\x3f\xf6\xff\xe5\x55\x84\x9a\xf6\xdc\xa6\x6e\x17\xa6\x8e\xe5\xac\x78\x4d\xca\x23\xe4\xa5\x6d\x46\x16\x9a\xd0\x6e\xad\x2b\x8b\xcd\x99\x7e\xac\x2e\xcb\x8b\x2a\x25\x26\xaa\x20\x0d\xb5\x57\x58\xd0\x86\x59\x46\x92\x83\xd6\xec\xfb\xa9\x82\xc3\x00\xae\x82\xcc\xf4\xa8\xbf\x07\x3d\xbd\xe4\x53\x76\xb4\xf6\xfc\x55\x9b\xe5\x19\xf8\x2e\x8e\x5b\x2c\xf5\x9c\x3a\x3a\xf4\xf2\x90\x70\x7e\x76\x7a\x4e\x27\x68\x51\x09\x0d\x90\xbe\x0a\xb6\x6f\x78\x8e\x77\x60\xcd\x71\xab\x86\x5e\xa8\xb6\xbc\xc5\xf3\x5f\x60\x53\x81\x54\xa0\x99\xc3\x54\xa3\x59\x34\x17\x68\x2f\xc3\x9d\x2a\x6a\x25\x5e\xf4\xbb\x65\xf8\xd9\x7a\xf2\x9b\xeb\x0f\x87\x34\xa6\x8e\xd8\x4e\xf0\x8d\xf6\x9e\x9b\x35\xfa\x2e\x3f\xe6\x5e\x99\x38\xff\x44\x1d\xc3\xe7\x98\x2a\x81\xcc\xca\xf9\x62\x1d\x5d\xbc\x66\x3b\x80\xab\x44\x8c\x97\x5c\xbc\x19\xbb\x6c\x39\x01\xa0\x2c\x16\xb3\x2d\xfa\xf9\xf5\xc2\x20\xfa\x21\x43\x49\x37\xb4\x62\x03\x81\x05\xe6\xd0\x86", 229); *(uint8_t*)0x200000008aed = 0x4b; *(uint8_t*)0x200000008aee = 0x10; *(uint8_t*)0x200000008aef = 3; memcpy((void*)0x200000008af0, 
"\x10\xbe\xd1\x91\x2f\x7d\xc9\x4a\xc6\xd8\x7c\xbc\x68\x96\x2c\x89\xe7\x77\xcc\x51\xa2\x57\xd0\xca\xd3\x3c\xdc\xf3\x36\xa3\x1a\xc3\x9b\x86\x71\x44\xc2\xc9\x6b\xe4\x0f\xcc\xac\x19\x63\x3a\x54\x77\x87\xbc\x6e\x4f\xe9\x1e\x91\xfa\x47\x59\xdb\x2a\x86\x7d\x85\x9c\xd5\xa6\x0c\x84\xc1\xa3\x8e\x09", 72); *(uint8_t*)0x200000008b38 = 0xb; *(uint8_t*)0x200000008b39 = 0x10; *(uint8_t*)0x200000008b3a = 1; *(uint8_t*)0x200000008b3b = 2; *(uint16_t*)0x200000008b3c = 9; *(uint8_t*)0x200000008b3e = 0x77; *(uint8_t*)0x200000008b3f = 9; *(uint16_t*)0x200000008b40 = 0x2cf; *(uint8_t*)0x200000008b42 = 0; *(uint8_t*)0x200000008b43 = 0xb; *(uint8_t*)0x200000008b44 = 0x10; *(uint8_t*)0x200000008b45 = 1; *(uint8_t*)0x200000008b46 = 0xc; *(uint16_t*)0x200000008b47 = 5; *(uint8_t*)0x200000008b49 = 8; *(uint8_t*)0x200000008b4a = 5; *(uint16_t*)0x200000008b4b = 9; *(uint8_t*)0x200000008b4d = 0x16; *(uint8_t*)0x200000008b4e = 3; *(uint8_t*)0x200000008b4f = 0x10; *(uint8_t*)0x200000008b50 = 0xb; *(uint8_t*)0x200000008b51 = 3; *(uint8_t*)0x200000008b52 = 0x10; *(uint8_t*)0x200000008b53 = 0xb; *(uint32_t*)0x200000008f18 = 0xa; *(uint32_t*)0x200000008f1c = 4; *(uint64_t*)0x200000008f20 = 0x200000008b80; *(uint8_t*)0x200000008b80 = 4; *(uint8_t*)0x200000008b81 = 3; *(uint16_t*)0x200000008b82 = 0x40e; *(uint32_t*)0x200000008f28 = 4; *(uint64_t*)0x200000008f2c = 0x200000008bc0; *(uint8_t*)0x200000008bc0 = 4; *(uint8_t*)0x200000008bc1 = 3; *(uint16_t*)0x200000008bc2 = 0x427; *(uint32_t*)0x200000008f34 = 4; *(uint64_t*)0x200000008f38 = 0x200000008c00; *(uint8_t*)0x200000008c00 = 4; *(uint8_t*)0x200000008c01 = 3; *(uint16_t*)0x200000008c02 = 0x415; *(uint32_t*)0x200000008f40 = 4; *(uint64_t*)0x200000008f44 = 0x200000008c40; *(uint8_t*)0x200000008c40 = 4; *(uint8_t*)0x200000008c41 = 3; *(uint16_t*)0x200000008c42 = 0x1c0a; *(uint32_t*)0x200000008f4c = 4; *(uint64_t*)0x200000008f50 = 0x200000008c80; *(uint8_t*)0x200000008c80 = 4; *(uint8_t*)0x200000008c81 = 3; *(uint16_t*)0x200000008c82 = 0x83e; 
*(uint32_t*)0x200000008f58 = 4; *(uint64_t*)0x200000008f5c = 0x200000008cc0; *(uint8_t*)0x200000008cc0 = 4; *(uint8_t*)0x200000008cc1 = 3; *(uint16_t*)0x200000008cc2 = 0x300a; *(uint32_t*)0x200000008f64 = 4; *(uint64_t*)0x200000008f68 = 0x200000008d00; *(uint8_t*)0x200000008d00 = 4; *(uint8_t*)0x200000008d01 = 3; *(uint16_t*)0x200000008d02 = 0x300a; *(uint32_t*)0x200000008f70 = 4; *(uint64_t*)0x200000008f74 = 0x200000008d40; *(uint8_t*)0x200000008d40 = 4; *(uint8_t*)0x200000008d41 = 3; *(uint16_t*)0x200000008d42 = 0x423; *(uint32_t*)0x200000008f7c = 0x9f; *(uint64_t*)0x200000008f80 = 0x200000008d80; *(uint8_t*)0x200000008d80 = 0x9f; *(uint8_t*)0x200000008d81 = 3; memcpy((void*)0x200000008d82, "\xd4\x8e\x87\x24\x64\x9a\x28\x41\x92\x3d\x48\xb8\xb2\x35\xfd\xc4\x31\x5e\x0d\xfb\xe1\xb8\xa8\xa0\x83\x53\xaf\x5b\x63\x0b\xeb\x6e\xca\x1d\x6b\xe0\x3d\x88\xd5\x58\x79\x33\xd6\xad\xe1\x22\xb2\xad\x4c\x55\x80\x40\xe7\xf2\x03\xd8\xc7\xaf\x79\x0a\xf8\x5d\xe3\x6e\x84\x1e\xb9\x48\x0a\xfa\x1a\xaf\x9a\x22\x6f\x4d\xe2\x8c\xd4\x44\x15\x57\x41\x1c\x77\x37\xf7\x4d\x7d\x60\x31\x3c\xd3\xd0\x51\x28\x4f\xce\xb5\xb3\x27\x83\x73\xf6\x3c\x72\xa8\x4e\x8d\xe4\xe2\x3b\xf6\x4e\x2a\x69\xc0\x57\x91\x06\xc9\x33\x18\x03\xe2\xef\x32\xfd\x09\x88\x9a\xdc\xe7\xbc\xd7\xeb\x61\x34\xc4\x65\xed\x17\x38\x6d\x3f\x97\xa4\xe8\xa4\xe9\xc4\x19\xf9\xc6\xeb\x2d\x32", 157); *(uint32_t*)0x200000008f88 = 0xa4; *(uint64_t*)0x200000008f8c = 0x200000008e40; *(uint8_t*)0x200000008e40 = 0xa4; *(uint8_t*)0x200000008e41 = 3; memcpy((void*)0x200000008e42, 
"\x81\x10\x3e\x0d\x22\x88\x43\x34\x4b\x9a\x28\x85\x67\x53\x24\xf5\x79\xdf\x27\x8e\x6d\x25\x06\x59\x98\xbd\xbb\x69\xb8\xee\xd0\xe1\xdb\x8d\xf1\x6b\x19\x64\x6d\x92\xc5\xd0\x35\x21\xf7\x73\xc1\x6c\x24\xde\xea\xe5\x56\xbe\x69\xb0\x4e\x1e\x96\x6f\xeb\xfb\xf3\x7f\x3b\xbc\x6d\xd6\x4c\x83\xf4\xc2\xa8\x7d\xaf\x95\xfb\x91\xe1\x0a\x36\xc0\x06\x9f\x4d\x51\x7b\xf3\x96\x21\x11\xd8\xf9\xc8\x45\x32\x3c\x0b\x91\xe6\x8d\xea\x34\xb2\x77\xb4\x10\x72\x0b\xdf\x4a\x58\x64\xfe\x06\x9b\xde\xe8\x4f\xa9\xe4\x46\x55\x49\x71\x3f\xb3\x33\xaa\xed\x85\x5b\xaf\x29\x53\x27\xe1\xfb\x65\x17\x29\xfe\x4a\xcf\x1d\x9e\xbf\x80\xd6\x4c\x29\xfc\xd3\x68\xee\x16\x11\xe5\x50\xd7\xb6\x7a", 162); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x36, /*dev=*/0x200000008980, /*conn_descs=*/0x200000008f00); if (res != -1) r[36] = res; break; case 58: memcpy((void*)0x200000008fc0, "\x18\x15\x12\xf6\x08\x38\x97\xf1\xb9\x4a\xd0\x1c\x9d\x8c\xc9\xeb\x6d\x7c\x14\x9c\x5e\xdf\x5e\xcf\x21\xcf\x4a\x2b\x2a\x9f\xf0\x2e\x0d\x8f\x8a\x4f\x60\xf7\xb3\x1a\xd0\xb2\x55\x2e\x14\x87\x8f\x84\x0f\x51\xa9\x7c\x25\x63\xb6\x19\xb1\x01\xea\x77\x61\x3b\x97\x52\x36\x7f\x0f\x6e\x6a\x62\x37\x81\xa3\x83\xe4\x99\xdc\x26\xfe\xd6\x0a\xfe\x6f\x15\x6d\x32\x6b\xc1\x41\xd6\x61\x5d\x18\xb6\x1a\x5c\x06\xcb\x49\xd9\xe0\x08\xe0\x5f\x65\x37\x6a\xef\xb5\xec\x21\xed\xc4\x68\xb8\x43\x4a\x0c\x9e\x39\xd1\x20\xbc\xd3\x11\x32\xf0\x75\x5c\x1f\xca\xf9\x1f\xec\xb2\x73\x3f\x98\x18\x42\x56\xd2\xf7\x9e\x80\x45\x2d\xc8\x6c\xf3\x19\x85\x08\x2e\x38\x60\x17\xeb\xe8\x21\x25\xc7\x8b\xee\x42\xf9\x49\xca\x67\x98\x67\x34\x33\xfb\x0a\x20\xd9\x16\x1b\x69\x8f\x04\x66\xb0\xea\x53\x58\x7a\x3f\x08\xcc\x34\x35\xbb\x7c\x19\x3f\x4a\xdc\xd2\xe5\xe1\x04\xf3\x3e\x3e\x1c\xdd\x33\xba\x95\x1f\xc9\xf7\x6b\x10\x8a\x40\x74\xc8\x07\x2b\x16\x46\x59\x62\xeb\x28\xe1\x38\xc9\x18\x8c\x3e\x54\xa0\x0a\xfb\x4f\xb1\x71\x0a\x27\x3a\x1f\x1c\x53\x0a\xda\x0d\x50", 251); syz_usb_ep_write(/*fd=*/r[36], /*ep=*/0xf9, /*len=*/0xfb, /*data=*/0x200000008fc0); break; case 59: 
syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); break; } } /* Entry point of the generated reproducer: lays out the fixed-address memory region that the case bodies above store into, then hands off to the runner helpers defined elsewhere in this file. None of the three mmap return values is checked; with MAP_FIXED the kernel silently replaces anything already mapped at these addresses. */ int main(void) { /* PROT_NONE page directly below the data region -- presumably a guard page, confirm against the generator */ syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); /* 16 MiB read/write/execute region at 0x200000000000: every *(uintN_t*)0x2000... store and memcpy destination in the cases above lands inside this range. RWX is intentional for a fuzzer executor's scratch area. */ syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); /* PROT_NONE page directly above the data region */ syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); /* A non-NULL return from setup_fault() is treated as a failure description: it is printed and execution continues, so fault injection is best-effort here. The (void) cast pre-empts an unused-variable diagnostic under the -Wall -Werror build shown in the log further down. */ const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); /* Switch to a temporary working directory, then run without a sandbox (matches the Sandbox:none option recorded in the test output below); do_sandbox_none() is defined elsewhere in the file -- presumably it drives the execute_call loop, verify there. */ use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :6717:17: error: '__NR_socketcall' undeclared (first use in this function) :6717:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor999536239 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/11 (0.95s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:-9223372036854775808 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false 
CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$IMCTRLREQ(0xffffffffffffffff, 0x80044945, &(0x7f0000000000)={0x4006, 0xd, 0x2, 0x8}) (fail_nth: 1) ioctl$SNDRV_TIMER_IOCTL_GINFO(0xffffffffffffffff, 0xc0f85403, &(0x7f0000000040)={{0x0, 0x1, 0x4, 0x2, 0x5}, 0x81, 0x0, 'id1\x00', 'timer0\x00', 0x0, 0x6, 0x3, 0x70a, 0x9}) (async) r0 = syz_open_dev$ircomm(&(0x7f0000000140), 0x0, 0x0) (rerun: 4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTA3D_RGXCREATERENDERCONTEXT(0xffffffffffffffff, 0xc0206440, &(0x7f0000000340)={0x82, 0x8, &(0x7f0000000280)={0x1, 0x0, 0xc0, &(0x7f0000000180)="5b58ac0ed1d27b217d3fdc6299cdde4d85321f7bbaa064d361519cdde43b225cf00658ddbfbd914cf79eceb348f18692315c3c69ec148e2dd928ac7ee62f5111b9dccaca88524912341955f79b0f2206b80e6e5a7e681a629694a34f9b0e39877eefde60a068cdc44545d6fe45d0000c9961a1ff168747447e346b16460875c691de1183b2d7b032cfae85497d0d8848d4baa9adc6caaccd9af6019ea2ba6f3b4e6018df94cacabeddec7b600230ea7790019399d0beb61f427df8359cc34893", 0x0, 0x0, &(0x7f0000000240), 0x10000, 0x0, 0x0, 0x81, 0xe}, &(0x7f0000000300)={0x0}, 0x44, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXCMP_RGXGETLASTCOMPUTECONTEXTRESETREASON(r0, 0xc0206440, &(0x7f0000000400)={0x81, 0x4, &(0x7f0000000380)={r1}, &(0x7f00000003c0), 0x8, 0xc}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r0, 0xc08c5335, &(0x7f0000000440)={0x3, 0x6, 0x1, 'queue1\x00', 0xdae}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000540), r0) sendmsg$TIPC_NL_BEARER_GET(r0, &(0x7f0000000880)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000840)={&(0x7f0000000580)={0x2b4, r2, 0x400, 0x70bd2d, 0x25dfdbfb, {}, [@TIPC_NLA_PUBL={0x44, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3f}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x2}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x4c00000}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x67c}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 
0x7}]}, @TIPC_NLA_LINK={0x3c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x220a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9c0}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x101}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x6}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}]}, @TIPC_NLA_BEARER={0xb8, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @multicast2}}, {0x14, 0x2, @in={0x2, 0x4e20, @broadcast}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xb}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}, @TIPC_NLA_NET={0x20, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x8}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x80}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK={0x10c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x187}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc0fb}, 
@TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffff2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd0}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK_PROP={0x54, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xe6a9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x81}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x79}]}]}, 0x2b4}, 0x1, 0x0, 0x0, 0x4040811}, 0x0) read$snddsp(r0, &(0x7f00000008c0)=""/29, 0x1d) ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(0xffffffffffffffff, 0x4010801d, &(0x7f0000000980)={0x6, &(0x7f0000000940)=[0x904e, 0x1, 0x9, 0x6, 0xe, 0x5]}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@mgmt_frame=@deauth={{{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x4}, @device_a, @broadcast, @from_mac=@device_b, {0x1, 0x7f}}, 0x1f, @val={0x8c, 0x18, {0x5d9, "8e85144c6433", @long="e023fbed513011c5707e452472e2055d"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@random="3a386465f389380e26b0cb13f98a36e2214f099ee0d0b29b754e31d6efc82c04", 0x20, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_path_truncate\x00') r3 = syz_clone(0x4004000, 
&(0x7f0000000140)="daa4ed40f7cf4da86377e864d8e6c6d4fc5486af4a6f23dea58b3243a291b0180dbaf5c92758af73f9", 0x29, &(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)="40f276856b8191c4f312759d795a22c3c7edc91678794f4eeac45746fcc9930722c8189ba59565f7327cbcd4506164eb9f6ff175f1f08d60247091772c185ac38304e9b5b3") r4 = getpgrp(r3) r5 = syz_clone3(&(0x7f0000000500)={0x800, &(0x7f0000000280)=0xffffffffffffffff, &(0x7f00000002c0)=0x0, &(0x7f0000000300)=0x0, {0x12}, &(0x7f0000000340)=""/102, 0x66, &(0x7f00000003c0)=""/198, &(0x7f00000004c0)=[r3, r3, r3, r4], 0x4}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x101a, &(0x7f00000005c0)={@remote, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @val={@void, {0x8100, 0x7, 0x0, 0x3}}, {@llc_tr={0x11, {@snap={0xab, 0x1fe, "fe", "1622d0", 0x1b, ""}}}}}, 0x0) syz_emit_vhci(&(0x7f0000001600)=@HCI_VENDOR_PKT, 0x2) syz_extract_tcp_res(&(0x7f0000001640), 0x401, 0x8001) r9 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000001680)=0x4) shmctl$auto_SHM_UNLOCK(0x6, 0xc, &(0x7f0000004a80)={{0x80000000, 0xee01, 0xee01, 0x5, 0xfffffff8, 0x1, 0x6bc1}, 0x40, 0xffff, 0x2265, 0xfffffffffffffff8, @inferred=r3, @inferred=r8, 0xfffa, 0x0, &(0x7f0000003a40)="", &(0x7f0000004a40)="884f381309896a88173889994e74c60694f7baa45be088e59bc3e939728257e8d2db71"}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000004c40)={{{@in, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@remote}}, &(0x7f0000004d40)=0xe8) shmctl$auto(0x5, 0x2, &(0x7f0000004e00)={{0x7, 0xee00, 0xffffffffffffffff, 0x8, 0x80, 0x5, 0xfffc}, 0x1, 0x7, 0x5, 0xbed1, @inferred=r5, @inferred=r7, 0x1, 0x0, &(0x7f0000004d80), &(0x7f0000004dc0)="05c9215687a3ff1747cae5c18cb186ed5c62984337f90f0ab5948e21c63d1686f1da1459a89718a9f84930b892c2ad4de61f714ab8"}) msgctl$auto_IPC_RMID(0x4, 0x0, &(0x7f0000004f00)={{0x7, 0xffffffffffffffff, 0xffffffffffffffff, 0x1, 0x0, 0x98, 0x4}, &(0x7f0000004e80)=0x6, 
&(0x7f0000004ec0)=0x5, 0xc, 0x1ff800000, 0x8, 0x7f, 0x3, 0x101, 0x8, 0x1000, @inferred=r5, @inferred=r8}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000004f80)={{{@in6=@mcast1, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@multicast2}}, &(0x7f0000005080)=0xe8) shmctl$auto(0x2, 0x5, &(0x7f00000052c0)={{0x8, 0x0, 0x0, 0x7f, 0x5, 0x80000001, 0x43}, 0x7, 0x2, 0x0, 0xffffffffffffffff, @raw=0xf, @inferred=r7, 0x2, 0x0, &(0x7f00000050c0)="bcc4b5d86e91b02b73e16c4665dc3088f7cc9826da7807f9a8300d9d8980de67a1a2a153e95466e76d2c38c41558c08efe37ee81d9904674ced86dda9b2b6cc7c97b199758bef8d92dd20e0e69864d6fcd03a80ca012019cf41e5166475038fcd360338436e7827ef730469187e6a495f5bf018ee7caa71c804a386756c3242b30eca0b841166d7839e94a5639d08fbc06dac1f861494456d8d153de7fc30387d452304e7c3069bbfb424391d04fab12037c6d6ae6025df869fa3a45e03148c2dd052c", &(0x7f00000051c0)="0b7d67852a6f3d8968f476adad1672e6dcfcebe8e6249d8cc72d1a05c28acd3deda6431481c88ee1c2c09944ee7333d9d16b3f9bd186be36210e7e52fdac24099773c07af6f1a940e4baec3ada4766e38014ad527a5df77c9061c5a4caccc48bcf1562207f8db04d608a823c71979bdaf702b9a6ec8f62f23d316b69a8e40f1cd792585f34d8ff6c705641dbc09a0245efad326ca84d8ca39d29cc33a4a3fbe76c240d055e261e16d6bb5d9c231fe3c9e84fe59565befc53fe9d119eb50ce04e6e3c1df216ae69c313d80bb6a77e219b94516572eeaa398bfea649335ae8114cb0574236f4613167d9758b53b66cb6ba75d75af92f3c6e638b82"}) stat$auto(&(0x7f0000005340)='./file0\x00', &(0x7f0000005380)={0x355, 0x100000001, 0x5, 0x7, 0xffffffffffffffff, 0xee01, 0x0, 0x7, 0x2, 0x2, 0x6, 0xfffffffffffffff7, 0x7, 0x4, 0xfff, 0x17b, 0xffffffffffff27a1}) shmctl$auto(0x8001, 0xfffffee8, &(0x7f0000006480)={{0x7, 0xee00, 0x0, 0x0, 0x7, 0x8, 0x3ff}, 0x10, 0x2, 0x8, 0x7fffffff, @inferred=r8, @raw=0xffff, 0xffff, 0x0, &(0x7f0000005440)="", &(0x7f0000006440)="1c3d61efc1467b6b61e9e5f06fa3d1dcc0e70035dcc9c6c3b00df58900"}) r21 = getgid() r22 = geteuid() ioctl$auto_XFS_IOC_SWAPEXT(0xffffffffffffffff, 0xc0c0586d, 
&(0x7f0000006a80)={0xfff, @raw=0xd, @inferred=r6, 0x7, 0x2, '\x00', {0xf, 0x0, 0x46, 0xffffffffffffffff, 0x0, 0xfffffffd, 0xf7, 0x7f, {0x8, 0x9}, {0x3, 0x200}, {0x4, 0x5}, 0x62, 0x5, 0xff, 0x6cbf, 0x48, 0x0, 0x8001, 0x7f, 0x6, 0x8, '\x00', 0x40, 0xffff, 0xa, 0xb04b}}) syz_fuse_handle_req(r9, &(0x7f00000016c0)="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", 0x2000, &(0x7f0000006c80)={&(0x7f00000036c0)={0x50, 0x0, 0x8, {0x7, 0x2d, 0x7, 0x8000008, 0x7, 0xfc00, 0x3ff, 0x59, 0x0, 0x0, 0xe0, 0x10000}}, &(0x7f0000003740)={0x18, 0x0, 0x6, {0x80000001}}, &(0x7f0000003780)={0x18, 0x0, 0x4, {0x2}}, &(0x7f00000037c0)={0x18, 0xffffffffffffffda, 0x37}, &(0x7f0000003800)={0x18, 0x0, 0x1, {0xff}}, &(0x7f0000003840)={0x28, 0x26, 0x7fffffffffffffff, {{0x7a, 0x8}}}, &(0x7f0000003880)={0x60, 0xfffffffffffffff5, 0x1, {{0x81, 0x6, 0x3ff, 0x2, 0x4, 0x4, 0x8, 0x2}}}, &(0x7f0000003900)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000003940)={0x12, 0xf92c178daeab5fde, 0x9, {'^\x00'}}, &(0x7f0000003980)={0x20, 0x0, 0x0, {0x0, 0x2}}, &(0x7f00000039c0)={0x78, 0x0, 0xfffffffffffffff7, {0x3, 0x67, 0x0, {0x3, 0x2, 0x5, 0x2, 0x0, 0x5b, 0x200, 0x6, 0xf0b7, 0x1000, 0x1, 0xffffffffffffffff, 0xffffffffffffffff, 0x4, 0x6}}}, &(0x7f0000004b00)={0x90, 0x0, 0x7, {0x1, 0x3, 0x10000, 0x200, 0x8, 0xa87, {0x4, 0x1, 0x7, 0x1, 0xfffffffffffffffd, 0x4, 0x9, 0xffff, 0x10000000, 0x0, 0xf40, 0x0, r10, 0x8001, 0x9}}}, &(0x7f0000004bc0)={0x48, 0x0, 0x5c, [{0x1, 0x4, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}, {0x1, 0x8, 0x0, 0xb}]}, &(0x7f0000006500)={0x478, 0x0, 0x2, [{{0x1, 0x1, 0xf, 0x9, 0x7fffffff, 0x3ff, {0x5, 0xb3fc, 0x3, 0xa2d9, 0x3, 0x80000000, 0x4, 0x5, 0x2, 0x6000, 0xfff, 0xffffffffffffffff, 0xee01, 0x5, 0x6}}, {0x5, 0x9, 0x6, 0x6, 'wlan1\x00'}}, {{0x3, 0x1, 0x4, 0xf, 0x1, 0x5, {0x4, 0xffc, 0x2, 0xffffffffffffdbca, 0x35, 0x5fa, 0x8, 0x5, 0x16d, 0x6000, 0x8000, r11, 0xee00, 0x8, 0x2}}, {0x2, 0x3e8, 0x16, 0x5, 'bpf_lsm_path_truncate\x00'}}, {{0x6, 0x3, 0xcff0, 0xfffffffffffffbff, 0x3, 0x3, {0x5, 0x4, 0x8, 0x9, 0x10, 
0x5, 0x91, 0xfff, 0xfffffffd, 0xc000, 0x3, r12, 0xee00, 0x80, 0x40}}, {0x0, 0x8, 0x6, 0x80000001, 'wlan1\x00'}}, {{0x3, 0x2, 0x8, 0x9, 0x80000000, 0xd149, {0x3, 0x4, 0x5, 0xe, 0x7a, 0xd52, 0x0, 0x5, 0x6, 0xa000, 0x2, r14, 0x0, 0x7fffffff, 0x5}}, {0x4, 0x7ff, 0x2, 0x78d, '\xc0\''}}, {{0x2, 0x0, 0x6, 0x7fffffff, 0x5, 0x5, {0x2, 0xc, 0xbde5, 0x5, 0x8, 0x10, 0x9, 0x6, 0xe31, 0x2000, 0x5b8, r16, r18, 0x6, 0x8}}, {0x2, 0x80, 0x0, 0xb6}}, {{0x5, 0x2, 0x80000001, 0x2, 0x6, 0xff, {0x3, 0x5, 0x8, 0x3, 0x8001, 0x5, 0x1, 0x7, 0x2, 0x1000, 0x1, 0xee01, r19, 0x10001, 0x6}}, {0x0, 0x6, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x3, 0x1, 0x8000000000000000, 0x2e, 0x5, 0x7, {0x6, 0x5, 0x5, 0xb, 0x0, 0x2, 0xffff, 0x0, 0x8, 0x2000, 0x9, r20, r21, 0x2, 0x7}}, {0x6, 0xfffffffffffffffb, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000006980)={0xa0, 0x0, 0xd05, {{0x5, 0x3, 0x8000000000000001, 0x7, 0x5, 0x2, {0x3, 0x4, 0x5, 0x3, 0x8, 0x1, 0x8001, 0x0, 0xfff, 0x8000, 0x101, r22, 0xee00, 0x7, 0xac}}, {0x0, 0x10}}}, &(0x7f0000006a40)={0x20, 0x0, 0xffffffff, {0x4, 0x0, 0x9, 0xa}}, &(0x7f0000006b40)={0x130, 0x0, 0x1ff, {0x6276287e, 0x7, 0x0, '\x00', {0x800, 0x2, 0x3, 0x1e, 0xffffffffffffffff, r24, 0x4000, '\x00', 0x800, 0x9, 0x8, 0x32f3fcde, {0x6, 0x1}, {0x4, 0xe30}, {0x4d, 0x3}, {0x6, 0x8}, 0x6, 0x2, 0xfb, 0x2}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000006d40), r23) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x28c2, &(0x7f0000006d80)={0x0, 0xd0f0, 0x20, 0x0, 0x1e5}, &(0x7f0000006e00)=0x0, &(0x7f0000006e40)) syz_io_uring_complete(r25) r26 = syz_io_uring_setup(0x7c1f, &(0x7f0000006e80)={0x0, 0x979d, 0x4, 0x1, 0x206, 0x0, r9}, &(0x7f0000006f00)=0x0, &(0x7f0000006f40)=0x0) r29 = io_uring_register$IORING_REGISTER_PERSONALITY(r26, 0x9, 0x0, 0x0) syz_io_uring_submit(r27, r28, &(0x7f0000007000)=@IORING_OP_OPENAT2={0x1c, 0x14, 0x0, r23, &(0x7f0000006f80)={0x818480, 0x0, 0x35}, &(0x7f0000006fc0)='./file0\x00', 0x18, 0x0, 0x23456, {0x0, r29}}) r30 = 
syz_kvm_setup_syzos_vm$x86(r9, &(0x7f0000bfd000/0x400000)=nil) syz_kvm_add_vcpu$x86(r30, &(0x7f0000007400)={0x0, &(0x7f0000007040)=[@wrmsr={0x65, 0x20, {0x92e, 0x8}}, @nested_vmresume={0x130, 0x18, 0x1}, @wr_drn={0x68, 0x20, {0x1}}, @nested_amd_invlpga={0x17d, 0x20, {0xffffffff, 0xbd0d}}, @nested_amd_vmsave={0x183, 0x18, 0x1}, @code={0xa, 0x6a, {"36490fc7aad66197c026660f3880945e008000000f01ba008000008fc9b89b29470fc7ae20000000450f09c4e2d13967c4360f017f0566642e643ed8f1c744240025fd0000c744240254000000c7442406000000000f011424"}}, @nested_amd_inject_event={0x180, 0x38, {0x0, 0xb5, 0x7, 0x5}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x3, @control16=0x4, 0x5, 0x1ff, 0x8}}, @nested_vmresume={0x130, 0x18}, @out_dx={0x6a, 0x28, {0xc636, 0x5, 0x4}}, @enable_nested={0x12c, 0x18}, @nested_vmlaunch={0x12f, 0x18, 0x1}, @wrmsr={0x65, 0x20, {0x8a3, 0x9}}, @wr_drn={0x68, 0x20, {0x4, 0x6}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_create_vm={0x12d, 0x18, 0x2}, @nested_amd_invlpga={0x17d, 0x20, {0x8080000, 0x943e}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x3, @control_area=0x31, 0xc, 0x6, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x36, 0x1, 0x2, 0x3}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_vmresume={0x130, 0x18}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0x72, 0x2, 0x5, 0x2}}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_vmlaunch={0x12f, 0x18, 0x2}], 0x3a2}) r31 = ioctl$KVM_CREATE_VM(r9, 0xae01, 0x5) syz_kvm_setup_cpu$ppc64(r31, r23, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000007680)=[{0x0, &(0x7f0000007440)="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", 0x20c}], 0x1, 0x2, &(0x7f00000076c0)=[@featur2={0x1, 0x6}], 0x1) syz_kvm_setup_syzos_vm$x86(r23, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(0x0, 0x114, &(0x7f0000007700), 0x0, 0x4) syz_mount_image$fuse(&(0x7f0000007740), &(0x7f0000007780)='./file0\x00', 0x40000, &(0x7f00000077c0)={{'fd', 0x3d, r23}, 
0x2c, {'rootmode', 0x3d, 0x6000}, 0x2c, {'user_id', 0x3d, r22}, 0x2c, {'group_id', 0x3d, r13}, 0x2c, {[{@max_read={'max_read', 0x3d, 0x3}}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@default_permissions}, {@allow_other}], [{@permit_directio}, {@uid_lt={'uid<', r17}}, {@appraise}, {@smackfshat={'smackfshat', 0x3d, '\xc0\''}}, {@appraise}]}}, 0x1, 0x0, &(0x7f0000007940)="a4b222df2ba10df24f5481e0dc5e93b81b1b82e9a214cabce344800ad54de610fa1eda44b9040526f2dc7c731c5473c8c6dc94192a03484e6d62bb49128612543a9d016ed9a3730e51080f5c860d03a77ed50164bcf99c42d3568a974a927a879de41edc2f5552365886121a31095b97aa08ee2977111f7cc56a77c0f2a16b32b19df50a249cd3058e60a6ae8c96349d5e5c0097594ce01c1fbee5ee94606fef673231e65700bc715f1f0119c84ed27b8af38ed153d394d6b22cca54db55a31bc25b45e81deca7bedb696691ae6b92f09eea3e2b5e8af2f996339dec592edec5897e94eb") syz_open_dev$I2C(&(0x7f0000007a40), 0x7, 0x0) syz_open_procfs(r4, &(0x7f0000007a80)='net/psched\x00') syz_open_pts(r9, 0x292c02) syz_pidfd_open(r15, 0x0) r32 = pkey_alloc(0x0, 0x0) syz_pkey_set(r32, 0x3) syz_socket_connect_nvme_tcp() r33 = syz_usb_connect(0x1, 0x295, &(0x7f0000007ac0)={{0x12, 0x1, 0x250, 0x58, 0x6, 0x54, 0x8, 0x13d3, 0x3348, 0x15b2, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x283, 0x2, 0x9, 0x2, 0x10, 0x8, [{{0x9, 0x4, 0x26, 0xb, 0x5, 0x83, 0x18, 0x74, 0xee, [], [{{0x9, 0x5, 0xb, 0x3, 0x8, 0x4, 0xfb, 0x6a, [@generic={0xbd, 0xc, "8b82bd3fc8137d3d259ce7bc140de0823de2222eed4c570edcb84553cd1efd649dd352dd375d81da8da8e6863fb482ecb3a16f122210bff25c59a3afc6542848c06e1b983fbc8dd0de627cfddf9f905f5cb6ed4a25ec5947599b15b538c7bb0b0d65d4a31b319f7383955ce766ef4c66d18bc75d69b2dd7d136c78eaec1e2203eb918dd61609de40f4f693917eeb17fc387bb427341f6416e0b8c46a2445a5c49bd9c86dfe21c598acf17ea98ffece202a21dc93a0b830d29af87c"}, @generic={0xc7, 0x6, 
"f5459e117800d22a25a486d1442f5cbd4d3d776cd061d2c185f9924eae6a4d7b14c58b599863d321e3ea80a25f6d8be51d5ca70c276ce0e6d9038f88776b9614287db7ee2113f0e7e1f01873b613d763da5f87f86cd1860bd623463fc6d93d9f948d0d4d70d72a8ac1dec1adceb8716729906428d5b6e24b01499bfa6a0aa0482eed8c7751a1c7ec944db19254a74b61142e725a7a290c4142875d347b3e483f4e2db8373ef8fead8118ce07d812332b211da9733d444f7d706a6439c29aeaedd03000a2a8"}]}}, {{0x9, 0x5, 0xa, 0xc, 0x400, 0xc, 0x0, 0xb5, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0xb, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x20, 0x7, 0x5, 0x5, [@generic={0x24, 0x7, "ad98314a82d7aebbfce85178752271b158c05dea1bf5a2459c431df180c1f3b2be3b"}]}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x7, 0xf3, 0x4}}, {{0x9, 0x5, 0x5, 0x0, 0x40, 0x2, 0x3, 0x2, [@generic={0x6a, 0xa, "f7dd67505d353d93b6e1f3ac2d8f9f766012d204e558a7076c6a1dd6648b2928acaf801710c8555067e0715e60772d9a84c714f63d527b9f1532a5ac6511627f9e8400e62ad6bd25ec51ec630afc10e1f0f2fe01c9588e2897ef26d5ea8bcf970e51fc28d84a628c"}]}}]}}, {{0x9, 0x4, 0x48, 0xe, 0x3, 0xca, 0x1e, 0x4a, 0xf5, [], [{{0x9, 0x5, 0xb, 0x4, 0x400, 0x5, 0xf7, 0xf6}}, {{0x9, 0x5, 0xe, 0x10, 0x3ff, 0x1, 0xd, 0x80}}, {{0x9, 0x5, 0x5, 0x10, 0x10, 0x95, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xae, 0x12}]}}]}}]}}]}}, &(0x7f0000007ec0)={0xa, &(0x7f0000007d80)={0xa, 0x6, 0x110, 0x4, 0x1, 0x6, 0x8, 0xe}, 0x3b, &(0x7f0000007dc0)={0x5, 0xf, 0x3b, 0x4, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "fdf4043ae7f59e3e81fe303d4de3ea16"}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x8, 0x6, 0x6}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x7, 0xd, 0x95d7}, @ss_container_id={0x14, 0x10, 0x4, 0x3, "bc6a9266bf506e90620d9c900e180143"}]}, 0x1, [{0x98, &(0x7f0000007e00)=@string={0x98, 0x3, "d95f3fcaaa58f9d36d03e3a2d5566a5191f742f723fa49e364e03b0d288a7fcb4579b58c56d824be57f9ad0f8703d3011cac468433fa22c23bfaf15dad541efb0138c46bb8f8869215155c2685d69b75ffe68c0cbd6e71743abd4355e12d9dcb7dff16bb075da553c178139ede2c285a4a2845e8889c234504d968d870b6084a7b4ab0dcdb83d43bb2f4e7a0156b80a68919cbb7da84"}}]}) r34 = syz_usb_connect_ath9k(0x3, 
0x5a, &(0x7f0000007f00)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r35 = syz_usb_connect$uac1(0x3, 0xe5, &(0x7f0000007f80)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd3, 0x3, 0x1, 0x1, 0x80, 0x80, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x0, 0x7c}, [@extension_unit={0xd, 0x24, 0x8, 0x2, 0x8, 0x9, "0cffda3f227b"}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x6, 0x9a, 0x20, "2da5ee78a28e1f1a41"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0xf8, 0x3, 0x69, 0x6d, 'e)', "bf0794"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x5, 0x4, 0x5b, 0x3, 'D', "2618"}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x7b4, 0x8, 0x4}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x0, 0x3, 0x8, 0x8, "aa", "e8e5b4"}]}, {{0x9, 0x5, 0x1, 0x9, 0x40, 0x6, 0x5, 0x0, {0x7, 0x25, 0x1, 0x80, 0x1, 0x4}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@as_header={0x7, 0x24, 0x1, 0x3, 0x1e, 0x4}, @as_header={0x7, 0x24, 0x1, 0x6f, 0x7}, @format_type_ii_discrete={0xa, 0x24, 0x2, 0x2, 0x8, 0x2, 0x8, 'f'}, @format_type_ii_discrete={0x10, 0x24, 0x2, 0x2, 0x9, 0x401, 0x5, "53b11dbc8cd310"}]}, {{0x9, 0x5, 0x82, 0x9, 0x8, 0x0, 0x28, 0x6, {0x7, 0x25, 0x1, 0x80, 0x5, 0xd}}}}}}}]}}, &(0x7f00000081c0)={0xa, &(0x7f0000008080)={0xa, 0x6, 0x110, 0x59, 0xa5, 0x5, 0x10, 0x1}, 0x39, &(0x7f00000080c0)={0x5, 0xf, 0x39, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x3, 0xb8, 0x9, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0x2, "9d9ab0978e2aace26de66306e6e2963d"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x0, 0x6, 0x4, 0x1, 0x5}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x5, 0x6, 0xfff2}]}, 0x1, [{0x84, &(0x7f0000008100)=@string={0x84, 0x3, 
"000a6c9f4a15eabc97a92ab665231b2cf9057321eb430c6521f497a8c3ce816268cb337fa48deecfeb28b2305fcf2d2e988cc8b8b980a1332dc406bc34695fa24dc3609f619d7ac284cc3ae7f0afe444d578c951d9aedc4c682e100cfeb6619b98a96b1978d8ede7574e969f8ae8e3dfb835bde5ccd922133e53036ff44eda52a0a9"}}]}) syz_usb_control_io(r35, &(0x7f0000008380)={0x2c, &(0x7f0000008200)={0x40, 0x22, 0x31, {0x31, 0x5, "74e83dcf53dd2d0ecac0aa3467b18dfa71b26cdd403d955c0ffe22817b01fe5795d51cf24a6ae3b8e32f1b7ac5f8ca"}}, &(0x7f0000008240)={0x0, 0x3, 0x1e, @string={0x1e, 0x3, "8957a501d83c69e54f70f62f932a50b65506c388c128239d36229ee2"}}, &(0x7f0000008280)={0x0, 0xf, 0x4f, {0x5, 0xf, 0x4f, 0x6, [@ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x5, 0xf000, 0x409, [0xc000, 0x17f, 0xff3f30, 0xffffaf]}, @ssp_cap={0x10, 0x10, 0xa, 0x9, 0x1, 0x4, 0xff0f, 0xf87, [0xc030]}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x1, 0x4, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0xd2, 0x3, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x1, 0x7, 0x2}, @ptm_cap={0x3}]}}, &(0x7f0000008300)={0x20, 0x29, 0xf, {0xf, 0x29, 0x8, 0x1, 0x7, 0x4, '\b\r$}', "67016dee"}}, &(0x7f0000008340)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x16, 0x80, 0x9, 0x3, 0x3, 0x2, 0xf000}}}, &(0x7f00000087c0)={0x84, &(0x7f00000083c0)={0x0, 0x11, 0x1f, "16d60d7743501452ffd5730424bc4a970cc6490bb9cc85938699edf27a0c7d"}, &(0x7f0000008400)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000008440)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000008480)={0x20, 0x0, 0x4, {0x2f1050d721a8e554, 0x1}}, &(0x7f00000084c0)={0x20, 0x0, 0x4, {0x200, 0x2b}}, &(0x7f0000008500)={0x40, 0x7, 0x2, 0xfd37}, &(0x7f0000008540)={0x40, 0x9, 0x1}, &(0x7f0000008580)={0x40, 0xb, 0x2, 'E\"'}, &(0x7f00000085c0)={0x40, 0xf, 0x2, 0x2}, &(0x7f0000008600)={0x40, 0x13, 0x6, @random="2fa6dde03a0f"}, &(0x7f0000008640)={0x40, 0x17, 0x6, @random="de1c102b027e"}, &(0x7f0000008680)={0x40, 0x19, 0x2, "0d97"}, &(0x7f00000086c0)={0x40, 0x1a, 0x2, 0x2}, &(0x7f0000008700)={0x40, 0x1c, 0x1, 0xfd}, &(0x7f0000008740)={0x40, 0x1e, 0x1, 0xfd}, &(0x7f0000008780)={0x40, 0x21, 0x1, 0xc9}}) 
syz_usb_disconnect(r33) syz_usb_ep_read(r34, 0x7, 0xfc, &(0x7f0000008880)=""/252) r36 = syz_usb_connect$printer(0x5, 0x36, &(0x7f0000008980)={{0x12, 0x1, 0x200, 0x7, 0x1, 0x1, 0x20, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xf4, 0x60, 0x4, [{{0x9, 0x4, 0x0, 0x3, 0x2, 0x0, 0x0, 0x0, 0x81, "", {{{0x9, 0x5, 0x1, 0x2, 0x400, 0x0, 0x8, 0x2}}, [{{0x9, 0x5, 0x82, 0x2, 0x3ff, 0x4, 0x48, 0x8}}]}}}]}}]}}, &(0x7f0000008f00)={0xa, &(0x7f00000089c0)={0xa, 0x6, 0x250, 0x7d, 0xdd, 0x3, 0x20, 0xfa}, 0x154, &(0x7f0000008a00)={0x5, 0xf, 0x154, 0x6, [@generic={0xe8, 0x10, 0x1, "d031a9165b9e273ff6ffe555849af6dca66e17a68ee5ac784dca23e4a56d46169ad06ead2b8bcd997eac2ecb8b2a2526aa200db55758d08659469283d6ecfba982c300ae82ccf4a8bf073dbde45376b4f6fc559be519f82e8e5b2cf59c3a3af4f290707e767a4e276851090d90be0ab66f788e7760cd71ab865ea8b6bcc5f35f60538154a099c354a3593417682fc39d2a6a255ef4bb65f8d97af29beb0f8734a68ed84ef08df69e9b35fa2e3fe65e9938ff441dc3e7982a81cccaf9621d5dbc663b80ab448c975cbc19bb6c3901a02c16b32dfaf9f5c220fa21434937b462038105e6d086"}, @generic={0x4b, 0x10, 0x3, "10bed1912f7dc94ac6d87cbc68962c89e777cc51a257d0cad33cdcf336a31ac39b867144c2c96be40fccac19633a547787bc6e4fe91e91fa4759db2a867d859cd5a60c84c1a38e09"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x9, 0x77, 0x9, 0x2cf}, @wireless={0xb, 0x10, 0x1, 0xc, 0x5, 0x8, 0x5, 0x9, 0x16}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0xa, [{0x4, &(0x7f0000008b80)=@lang_id={0x4, 0x3, 0x40e}}, {0x4, &(0x7f0000008bc0)=@lang_id={0x4, 0x3, 0x427}}, {0x4, &(0x7f0000008c00)=@lang_id={0x4, 0x3, 0x415}}, {0x4, &(0x7f0000008c40)=@lang_id={0x4, 0x3, 0x1c0a}}, {0x4, &(0x7f0000008c80)=@lang_id={0x4, 0x3, 0x83e}}, {0x4, &(0x7f0000008cc0)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d00)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d40)=@lang_id={0x4, 0x3, 0x423}}, {0x9f, &(0x7f0000008d80)=@string={0x9f, 0x3, 
"d48e8724649a2841923d48b8b235fdc4315e0dfbe1b8a8a08353af5b630beb6eca1d6be03d88d5587933d6ade122b2ad4c558040e7f203d8c7af790af85de36e841eb9480afa1aaf9a226f4de28cd4441557411c7737f74d7d60313cd3d051284fceb5b3278373f63c72a84e8de4e23bf64e2a69c0579106c9331803e2ef32fd09889adce7bcd7eb6134c465ed17386d3f97a4e8a4e9c419f9c6eb2d32"}}, {0xa4, &(0x7f0000008e40)=@string={0xa4, 0x3, "81103e0d228843344b9a2885675324f579df278e6d25065998bdbb69b8eed0e1db8df16b19646d92c5d03521f773c16c24deeae556be69b04e1e966febfbf37f3bbc6dd64c83f4c2a87daf95fb91e10a36c0069f4d517bf3962111d8f9c845323c0b91e68dea34b277b410720bdf4a5864fe069bdee84fa9e4465549713fb333aaed855baf295327e1fb651729fe4acf1d9ebf80d64c29fcd368ee1611e550d7b67a"}}]}) syz_usb_ep_write(r36, 0xf9, 0xfb, &(0x7f0000008fc0)="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") syz_usbip_server_init(0x2) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec 
* 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, 
...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, 
&ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr 
= IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, 
sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define 
BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t 
skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, 
size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; 
uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return 
true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = 
// Userspace ABI of the raw-gadget driver behind /dev/raw-gadget (presumably a
// verbatim copy of the kernel's uapi raw_gadget.h so the program builds
// without that header — any edit here must keep it bit-identical to the
// kernel's layout).
#define UDC_NAME_LENGTH_MAX 128
// USB_RAW_IOCTL_INIT argument: UDC driver and device names to bind to, and
// the USB speed to emulate (one byte).
struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};
enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};
// USB_RAW_IOCTL_EVENT_FETCH: `length` is the capacity of `data` on input; for
// a CONTROL event `data` starts with the 8-byte setup packet.
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};
// Endpoint transfer header: `ep` is the handle returned by EP_ENABLE (0 for
// ep0), `length` the number of payload bytes that follow.
struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};
#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff
struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};
struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};
struct usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};
struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};
// ioctl numbers; the direction/size encoded here is part of the ABI.
// EP_DISABLE/VBUS_DRAW/EP_SET_HALT/EP_CLEAR_HALT/EP_SET_WEDGE are declared
// with a __u32 argument although the wrappers below pass the value itself
// rather than a pointer (see usb_raw_ep_disable()).
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)
// Maps a (bInterfaceNumber, bAlternateSetting) pair to the index of that
// interface in the parsed device index for `fd`. Returns -1 when the fd has
// no index or no interface matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber != bInterfaceNumber)
			continue;
		if (index->ifaces[i].bAlternateSetting != bAlternateSetting)
			continue;
		return i;
	}
	return -1;
}
// Completes SET_CONFIGURATION on the gadget side: reports the configuration's
// bMaxPower as the VBUS draw, tells the UDC it is configured, and selects
// interface 0. Returns 0 on success, -1 without an index, otherwise the
// failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv >= 0)
		rv = usb_raw_configure(fd);
	if (rv < 0)
		return rv;
	set_interface(fd, 0);
	return 0;
}
// syz_usb_connect(speed, dev_len, dev, conn_descs): generic enumeration,
// finished by the first SET_CONFIGURATION. Returns the gadget fd or < 0.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	return syz_usb_connect_impl((uint64_t)a0, (uint64_t)a1, (const char*)a2,
				    (const struct vusb_connect_descriptors*)a3,
				    &lookup_connect_response_out_generic);
}
// syz_usb_ep_write(fd, ep, len, data): sends `len` bytes of `data` on the
// endpoint with address `ep` of the currently selected interface. `len` is
// silently capped at USB_MAX_PACKET_SIZE. Returns 0 on success, -1 for an
// unknown endpoint, otherwise the failing ioctl's result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	int ep_handle = lookup_endpoint(fd, (uint8_t)a1);
	if (ep_handle < 0)
		return -1;
	struct usb_raw_ep_io_data io_data;
	const uint32_t cap = sizeof(io_data.data);
	uint32_t count = (uint32_t)a2;
	if (count > cap)
		count = cap;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	io_data.inner.length = count;
	memcpy(&io_data.data[0], (const char*)a3, count);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;
	sleep_ms(200);
	return 0;
}
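// Creates a TCP socket in the initial network namespace and connects it to
// the local NVMe-over-TCP port (127.0.0.1:4420). Returns the connected
// socket, or -1 (with errno from the failing step where one is available).
static long syz_socket_connect_nvme_tcp()
{
	struct sockaddr_in nvme_local_address;
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Fixed: the original returned here without closing `netns`.
		int err = errno;
		close(netns);
		errno = err;
		return -1;
	}
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	// Fixed: a failed socket() used to fall through to connect()/close()
	// on fd -1, clobbering the socket() errno with EBADF.
	if (sock == -1)
		return -1;
	memset(&nvme_local_address, 0, sizeof(nvme_local_address));
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		int saved = errno;
		close(sock);
		errno = saved;
		return -1;
	}
	return sock;
}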
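#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Inflater state: raw DEFLATE input (`in`, `inlen` bytes, `incnt` consumed),
// output buffer (`out`, `outlen` capacity, `outcnt` produced), a little-endian
// bit accumulator, and the longjmp target taken when the input runs out
// (puff() maps that to error code 2).
//
// This variant differs from stock puff in one way: it never stores a zero
// byte (see puff_stored()/puff_codes()), so `out` MUST already be zero-filled
// by the caller — puff_zlib_to_file() guarantees that with a fresh anonymous
// mapping.
struct puff_state {
	unsigned char* out;
	unsigned long outlen;
	unsigned long outcnt;
	const unsigned char* in;
	unsigned long inlen;
	unsigned long incnt;
	int bitbuf;
	int bitcnt;
	jmp_buf env;
};

// Returns the next `need` (1..15) bits of input, LSB first, refilling the
// accumulator byte by byte; longjmps out when the input is exhausted.
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}
	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;
	return (int)(val & ((1L << need) - 1));
}

// Stored (uncompressed) block: discard the partial byte, read LEN/NLEN and
// copy LEN bytes. Returns 0, 2 (input too short), 1 (output full) or -2
// (LEN/NLEN mismatch). Zero bytes are skipped, not written.
static int puff_stored(struct puff_state* s)
{
	s->bitbuf = 0;
	s->bitcnt = 0;
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	for (; len--; s->outcnt++, s->incnt++) {
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}
	return 0;
}

// Canonical Huffman code: count[len] codes of each length, symbol[] ordered
// by code.
struct puff_huffman {
	short* count;
	short* symbol;
};

// Decodes one symbol from the bit stream using code `h`. Bits are consumed
// one at a time from a local copy of the accumulator; returns the symbol,
// or -10 if no code of up to MAXBITS bits matches. Longjmps on input end.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0;
	int index = 0;
	int bitbuf = s->bitbuf;
	int left = s->bitcnt;
	int code = first = index = 0;
	int len = 1;
	short* next = h->count + 1;
	while (1) {
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				s->bitbuf = bitbuf;
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code - first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}

// Builds `h` from the `n` code lengths in `length[]` (0 = unused symbol).
// Returns 0 for a complete code, a positive value for an incomplete one
// (number of unused codes), negative if the lengths over-subscribe.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;
	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];
	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;
	return left;
}

// Decodes literal/length + distance pairs until end-of-block (256).
// Returns 0, 1 (output full), -10 (bad code), -11 (distance before the
// start of output), or a negative decode error. Literal and copied zero
// bytes are skipped (output assumed pre-zeroed); a copy also skips source
// bytes that are zero, which is equivalent under that assumption.
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
	static const short lens[29] = {
	    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
	    35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = {
	    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
	    3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	static const short dists[30] = {
	    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
	    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
	    8193, 12289, 16385, 24577};
	static const short dext[30] = {
	    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
	    7, 7, 8, 8, 9, 9, 10, 10, 11, 11,
	    12, 12, 13, 13};
	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);
			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			if (dist > s->outcnt)
				return -11;
			if (s->outcnt + len > s->outlen)
				return 1;
			while (len--) {
				if (dist <= s->outcnt && s->out[s->outcnt - dist])
					s->out[s->outcnt] = s->out[s->outcnt - dist];
				s->outcnt++;
			}
		}
	} while (symbol != 256);
	return 0;
}

// Fixed-Huffman block (type 1): the RFC 1951 fixed code tables are built
// once into static storage on first use (not thread-safe, as in stock puff)
// and then decoded with puff_codes().
static int puff_fixed(struct puff_state* s)
{
	static int virgin = 1;
	static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
	static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	static struct puff_huffman lencode, distcode;
	if (virgin) {
		lencode.count = lencnt;
		lencode.symbol = lensym;
		distcode.count = distcnt;
		distcode.symbol = distsym;
		short lengths[FIXLCODES];
		int symbol;
		for (symbol = 0; symbol < 144; symbol++)
			lengths[symbol] = 8;
		for (; symbol < 256; symbol++)
			lengths[symbol] = 9;
		for (; symbol < 280; symbol++)
			lengths[symbol] = 7;
		for (; symbol < FIXLCODES; symbol++)
			lengths[symbol] = 8;
		puff_construct(&lencode, lengths, FIXLCODES);
		for (symbol = 0; symbol < MAXDCODES; symbol++)
			lengths[symbol] = 5;
		puff_construct(&distcode, lengths, MAXDCODES);
		virgin = 0;
	}
	return puff_codes(s, &lencode, &distcode);
}

// Dynamic-Huffman block (type 2): reads the code-length code, then the
// literal/length and distance code lengths (with the 16/17/18 repeat
// codes), validates them and decodes the block. Error codes: -3 bad counts,
// -4 bad code-length code, -5 repeat with no previous length, -6 repeat
// overruns, -7/-8 over-subscribed or invalid literal/distance code,
// -9 missing end-of-block code.
static int puff_dynamic(struct puff_state* s)
{
	static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	int ncode = puff_bits(s, 4) + 4;
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3;
	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;
	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4;
	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;
		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			len = 0;
			if (symbol == 16) {
				if (index == 0)
					return -5;
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			} else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			if (index + symbol > nlen + ndist)
				return -6;
			while (symbol--)
				lengths[index++] = len;
		}
	}
	if (lengths[256] == 0)
		return -9;
	err = puff_construct(&lencode, lengths, nlen);
	// An incomplete code is only legal when it has a single 1-bit code.
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;
	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;
	return puff_codes(s, &lencode, &distcode);
}

// Inflates the raw DEFLATE stream `source` (`sourcelen` bytes) into `dest`,
// whose capacity is *destlen; on return *destlen is the number of bytes
// produced (also on error). `dest` must be zero-filled beforehand (see
// struct puff_state). Returns 0 on success, 1 if the output filled up,
// 2 if the input ended early, -1 for an invalid block type, or another
// negative block-level error.
static int puff(
    unsigned char* dest,
    unsigned long* destlen,
    const unsigned char* source,
    unsigned long sourcelen)
{
	struct puff_state s = {
	    .out = dest,
	    .outlen = *destlen,
	    .outcnt = 0,
	    .in = source,
	    .inlen = sourcelen,
	    .incnt = 0,
	    .bitbuf = 0,
	    .bitcnt = 0,
	};
	int err;
	if (setjmp(s.env) != 0)
		err = 2;
	else {
		int last;
		do {
			last = puff_bits(&s, 1);
			int type = puff_bits(&s, 2);
			err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1));
			if (err != 0)
				break;
		} while (!last);
	}
	*destlen = s.outcnt;
	return err;
}
//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

// Inflates a zlib stream (2-byte header, raw DEFLATE body; the Adler-32
// trailer is neither read nor verified) and writes the result to `dest_fd`.
// The output is capped at 132 MiB. Returns 0 on success; -1 with errno set
// on failure. A source shorter than the header is treated as empty and
// succeeds without writing anything.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;
	// A fresh anonymous mapping is zero-filled, which puff() requires
	// (it skips zero bytes instead of storing them).
	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;
	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		// Fixed: the original stored `-err` in errno, which is negative
		// for puff's positive "out of input/output" codes and an
		// unrelated small positive errno for format errors. Callers
		// propagate errno, so report real values instead.
		errno = (err == 1) ? EFBIG : EINVAL;
		return -1;
	}
	if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
		int saved = errno;
		munmap(dest, max_destlen);
		errno = saved;
		return -1;
	}
	return munmap(dest, max_destlen);
}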
// Attributes for code that is copied into a KVM guest ("syzos"). The three
// empty macros are presumably non-empty in other executor configurations
// (e.g. to disable stack protectors or place code in a guest address
// space) — confirm before relying on them here.
#define noinline __attribute__((noinline))
#define __no_stack_protector
#define __addrspace_guest
#define __optnone
// Everything marked GUEST_CODE lands in the "guest" ELF section, so it can
// be copied into guest memory as one contiguous blob.
#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest
// Bounds of that section; GNU ld synthesizes __start_/__stop_ symbols for
// any section whose name is a valid C identifier.
extern char *__start_guest, *__stop_guest;
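// x86 control-register, EFER, page-table-entry, EPT and GDT-selector
// constants used to build guest state. Bit positions follow the Intel SDM
// Vol. 3 / AMD APM; the selector values index the GDT laid out by the
// legacy KVM test setup (X86_ADDR_GDT).

// CR0.
#define X86_CR0_PE 1ULL
#define X86_CR0_MP (1ULL << 1)
#define X86_CR0_EM (1ULL << 2)
#define X86_CR0_TS (1ULL << 3)
#define X86_CR0_ET (1ULL << 4)
#define X86_CR0_NE (1ULL << 5)
#define X86_CR0_WP (1ULL << 16)
#define X86_CR0_AM (1ULL << 18)
#define X86_CR0_NW (1ULL << 29)
#define X86_CR0_CD (1ULL << 30)
#define X86_CR0_PG (1ULL << 31)

// CR4.
#define X86_CR4_VME 1ULL
#define X86_CR4_PVI (1ULL << 1)
#define X86_CR4_TSD (1ULL << 2)
#define X86_CR4_DE (1ULL << 3)
#define X86_CR4_PSE (1ULL << 4)
#define X86_CR4_PAE (1ULL << 5)
#define X86_CR4_MCE (1ULL << 6)
#define X86_CR4_PGE (1ULL << 7)
#define X86_CR4_PCE (1ULL << 8)
// Fixed: OSFXSR is CR4 bit 9 (SDM Vol. 3, CR4 layout: 8 = PCE, 9 = OSFXSR,
// 10 = OSXMMEXCPT). It was defined as bit 8, aliasing PCE, so any guest
// state built with it enabled RDPMC instead of SSE context handling.
#define X86_CR4_OSFXSR (1ULL << 9)
#define X86_CR4_OSXMMEXCPT (1ULL << 10)
#define X86_CR4_UMIP (1ULL << 11)
#define X86_CR4_VMXE (1ULL << 13)
#define X86_CR4_SMXE (1ULL << 14)
#define X86_CR4_FSGSBASE (1ULL << 16)
#define X86_CR4_PCIDE (1ULL << 17)
#define X86_CR4_OSXSAVE (1ULL << 18)
#define X86_CR4_SMEP (1ULL << 20)
#define X86_CR4_SMAP (1ULL << 21)
#define X86_CR4_PKE (1ULL << 22)

// IA32_EFER.
#define X86_EFER_SCE 1ULL
#define X86_EFER_LME (1ULL << 8)
#define X86_EFER_LMA (1ULL << 10)
#define X86_EFER_NXE (1ULL << 11)
#define X86_EFER_SVME (1ULL << 12)
#define X86_EFER_LMSLE (1ULL << 13)
#define X86_EFER_FFXSR (1ULL << 14)
#define X86_EFER_TCE (1ULL << 15)

// 32-bit and 64-bit page-directory entry bits.
#define X86_PDE32_PRESENT 1UL
#define X86_PDE32_RW (1UL << 1)
#define X86_PDE32_USER (1UL << 2)
#define X86_PDE32_PS (1UL << 7)
#define X86_PDE64_PRESENT 1
#define X86_PDE64_RW (1ULL << 1)
#define X86_PDE64_USER (1ULL << 2)
#define X86_PDE64_ACCESSED (1ULL << 5)
#define X86_PDE64_DIRTY (1ULL << 6)
#define X86_PDE64_PS (1ULL << 7)
#define X86_PDE64_G (1ULL << 8)

// EPT entry bits: memory type field (bits 3-5) set to write-back, plus the
// accessed/dirty flags.
#define EPT_MEMTYPE_WB (6ULL << 3)
#define EPT_ACCESSED (1ULL << 8)
#define EPT_DIRTY (1ULL << 9)

// GDT selectors: descriptor index << 3, with RPL 3 added for the user-mode
// (CPL3) variants.
#define X86_SEL_LDT (1 << 3)
#define X86_SEL_CS16 (2 << 3)
#define X86_SEL_DS16 (3 << 3)
#define X86_SEL_CS16_CPL3 ((4 << 3) + 3)
#define X86_SEL_DS16_CPL3 ((5 << 3) + 3)
#define X86_SEL_CS32 (6 << 3)
#define X86_SEL_DS32 (7 << 3)
#define X86_SEL_CS32_CPL3 ((8 << 3) + 3)
#define X86_SEL_DS32_CPL3 ((9 << 3) + 3)
#define X86_SEL_CS64 (10 << 3)
#define X86_SEL_DS64 (11 << 3)
#define X86_SEL_CS64_CPL3 ((12 << 3) + 3)
#define X86_SEL_DS64_CPL3 ((13 << 3) + 3)
#define X86_SEL_CGATE16 (14 << 3)
#define X86_SEL_TGATE16 (15 << 3)
#define X86_SEL_CGATE32 (16 << 3)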
#define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 
<< 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c 
#define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define 
VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 
0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } typedef enum { SYZOS_API_UEXIT = 0, 
SYZOS_API_CODE = 10, // run a raw instruction blob (struct api_call_code)
SYZOS_API_CPUID = 100, // struct api_call_cpuid
SYZOS_API_WRMSR = 101, // struct api_call_2: {msr, value}
SYZOS_API_RDMSR = 102, // struct api_call_1: {msr}
SYZOS_API_WR_CRN = 103, // struct api_call_2: {crN, value}
SYZOS_API_WR_DRN = 104, // struct api_call_2: {drN, value}
SYZOS_API_IN_DX = 105, // struct api_call_2: {port, width}
SYZOS_API_OUT_DX = 106, // struct api_call_3: {port, width, data}
SYZOS_API_SET_IRQ_HANDLER = 200, // struct api_call_2: {vector, handler type}
SYZOS_API_ENABLE_NESTED = 300, // struct api_call_1 (argument unused by the handler)
SYZOS_API_NESTED_CREATE_VM = 301, // struct api_call_1: {vm_id}
SYZOS_API_NESTED_LOAD_CODE = 302, // struct api_call_nested_load_code
SYZOS_API_NESTED_VMLAUNCH = 303, // struct api_call_1: {vm_id}
SYZOS_API_NESTED_VMRESUME = 304, // struct api_call_1: {vm_id}
SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, // struct api_call_5
SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, // struct api_call_5
SYZOS_API_NESTED_AMD_INVLPGA = 381, // struct api_call_2
SYZOS_API_NESTED_AMD_STGI = 382, // no arguments
SYZOS_API_NESTED_AMD_CLGI = 383, // no arguments
SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, // struct api_call_5
SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, // struct api_call_5
SYZOS_API_NESTED_AMD_VMLOAD = 386, // struct api_call_1: {vm_id}
SYZOS_API_NESTED_AMD_VMSAVE = 387, // struct api_call_1: {vm_id}
SYZOS_API_STOP, // any call id >= this value terminates guest_main()
} syzos_api_id;
// Every command in the guest program starts with this header; `size` is the
// total byte length of the command including the header itself, and is what
// guest_main() uses to step to the next command.
struct api_call_header { uint64_t call; uint64_t size; };
struct api_call_uexit { struct api_call_header header; uint64_t exit_code; };
// `insns` runs to the end of the command (size - sizeof(header) bytes).
struct api_call_code { struct api_call_header header; uint8_t insns[]; };
struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; };
struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; };
// Generic fixed-arity argument carriers; meaning of each arg is per call id.
struct api_call_1 { struct api_call_header header; uint64_t arg; };
struct api_call_2 { struct api_call_header header; uint64_t args[2]; };
struct api_call_3 { struct api_call_header header; uint64_t args[3]; };
struct api_call_5 { struct api_call_header header; uint64_t args[5]; };
// General-purpose registers saved by the Intel VM-exit stub before it calls
// nested_vm_exit_handler_intel(). NOTE(review): the stub pushes rax first and
// r15 last, so with rsp as the base the field at offset 0 holds r15, not rax;
// the handler does not read `regs` today, so this is latent.
struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; };
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE
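static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_stgi();
GUEST_CODE static void guest_handle_nested_amd_clgi();
GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id);

// Exit codes stored to X86_SYZOS_ADDR_UEXIT by guest_uexit(). The store is the
// only thing guest_uexit() does, so (presumably) the host traps that address;
// from the guest's point of view execution simply continues afterwards.
typedef enum {
	UEXIT_END = (uint64_t)-1, // guest program ran to completion
	UEXIT_IRQ = (uint64_t)-2, // raised from uexit_irq_handler
	UEXIT_ASSERT = (uint64_t)-3, // an internal check failed
} uexit_code;

typedef enum {
	CPU_VENDOR_INTEL,
	CPU_VENDOR_AMD,
} cpu_vendor_id;

// Interrupt gate target that just returns from the interrupt.
__attribute__((naked)) GUEST_CODE static void dummy_null_handler()
{
	asm("iretq");
}

// Interrupt gate target that reports UEXIT_IRQ (-2) to the host and returns.
// Basic asm (no operands), so a single '%' is the register prefix here.
__attribute__((naked)) GUEST_CODE static void uexit_irq_handler()
{
	asm volatile("movq $-2, %rdi\n\t"
		     "call guest_uexit\n\t"
		     "iretq");
}

// Guest entry point: walks the command stream for this vCPU and dispatches
// each command to its handler.
//
// size: number of bytes of command stream to consume.
// cpu:  vCPU index; each vCPU has its own KVM_PAGE_SIZE-sized program area.
//
// The stream is untrusted input. The loop stops on the first command whose id
// is >= SYZOS_API_STOP, whose size exceeds the remaining stream, or whose size
// is smaller than the header itself (a zero-sized command would otherwise be
// re-parsed forever). Unknown ids below SYZOS_API_STOP are skipped.
//
// NOTE(review): the `volatile` copies throughout this file look intended to
// keep the compiler from lowering the dispatch to a jump/lookup table, which
// would need data the guest image does not carry - keep them when editing.
__attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu)
{
	uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;

	while (size >= sizeof(struct api_call_header)) {
		struct api_call_header* cmd = (struct api_call_header*)addr;
		if (cmd->call >= SYZOS_API_STOP)
			return;
		// Snapshot the header before dispatching: SYZOS_API_CODE runs
		// arbitrary bytes that may overwrite the command area, and the
		// loop must step by the size it validated, not a rewritten one.
		volatile uint64_t call = cmd->call;
		volatile uint64_t cmd_size = cmd->size;
		if (cmd_size < sizeof(struct api_call_header) || cmd_size > size)
			return;

		if (call == SYZOS_API_UEXIT) {
			struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
			guest_uexit(ucmd->exit_code);
		} else if (call == SYZOS_API_CODE) {
			struct api_call_code* ccmd = (struct api_call_code*)cmd;
			guest_execute_code(ccmd->insns, cmd_size - sizeof(struct api_call_header));
		} else if (call == SYZOS_API_CPUID) {
			struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
			guest_handle_cpuid(ccmd->eax, ccmd->ecx);
		} else if (call == SYZOS_API_WRMSR) {
			struct api_call_2* ccmd = (struct api_call_2*)cmd;
			guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]);
		} else if (call == SYZOS_API_RDMSR) {
			struct api_call_1* ccmd = (struct api_call_1*)cmd;
			guest_handle_rdmsr(ccmd->arg);
		} else if (call == SYZOS_API_WR_CRN) {
			guest_handle_wr_crn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_WR_DRN) {
			guest_handle_wr_drn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_IN_DX) {
			guest_handle_in_dx((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_OUT_DX) {
			guest_handle_out_dx((struct api_call_3*)cmd);
		} else if (call == SYZOS_API_SET_IRQ_HANDLER) {
			guest_handle_set_irq_handler((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_ENABLE_NESTED) {
			guest_handle_enable_nested((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_CREATE_VM) {
			guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_LOAD_CODE) {
			guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMLAUNCH) {
			guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMRESUME) {
			guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) {
			guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) {
			guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_INVLPGA) {
			guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_STGI) {
			guest_handle_nested_amd_stgi();
		} else if (call == SYZOS_API_NESTED_AMD_CLGI) {
			guest_handle_nested_amd_clgi();
		} else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) {
			guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) {
			guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMLOAD) {
			guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMSAVE) {
			guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu);
		}

		addr += cmd_size;
		size -= cmd_size;
	}
	guest_uexit(UEXIT_END);
}

// Jumps into a caller-supplied instruction blob. `size` is not used; the blob
// is presumably expected to end in `ret` (anything else is the fuzzer's
// business). The pointer is volatile so the call is not folded away.
GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size)
{
	void (*volatile fn)(void) = (void (*)(void))insns;
	fn();
}

// Reports `exit_code` to the host by storing it at X86_SYZOS_ADDR_UEXIT.
// Marked `used` because uexit_irq_handler calls it from inline asm.
__attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code)
{
	volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT;
	*ptr = exit_code;
}

// Executes CPUID with the given leaf/subleaf; results are discarded.
GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx)
{
	asm volatile("cpuid\n"
		     :
		     : "a"(eax), "c"(ecx)
		     : "rbx", "rdx");
}

// WRMSR: ecx = msr, edx:eax = value.
GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val)
{
	asm volatile("wrmsr"
		     :
		     : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32))
		     : "memory");
}

GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val)
{
	wrmsr(reg, val);
}

// RDMSR: returns edx:eax as one 64-bit value.
GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id)
{
	uint32_t low = 0, high = 0;
	asm volatile("rdmsr"
		     : "=a"(low), "=d"(high)
		     : "c"(msr_id));
	return ((uint64_t)high << 32) | low;
}

GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg)
{
	(void)rdmsr(reg);
}

// Writes args[1] into control register args[0] (0, 2, 3, 4 or 8); any other
// register number is silently ignored. Any resulting #GP goes to the IDT.
GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%cr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%cr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%cr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%cr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 8) {
		asm volatile("movq %0, %%cr8" ::"r"(value) : "memory");
		return;
	}
}

// Writes args[1] into debug register args[0] (0..7); other numbers are ignored.
GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%dr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 1) {
		asm volatile("movq %0, %%dr1" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%dr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%dr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%dr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 5) {
		asm volatile("movq %0, %%dr5" ::"r"(value) : "memory");
		return;
	}
	if (reg == 6) {
		asm volatile("movq %0, %%dr6" ::"r"(value) : "memory");
		return;
	}
	if (reg == 7) {
		asm volatile("movq %0, %%dr7" ::"r"(value) : "memory");
		return;
	}
}

// Port read of width args[1] (1, 2 or 4 bytes) from port args[0]; the value is
// discarded and unsupported widths do nothing.
GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	if (size == 1) {
		uint8_t unused;
		asm volatile("inb %1, %0" : "=a"(unused) : "d"(port));
		return;
	}
	if (size == 2) {
		uint16_t unused;
		asm volatile("inw %1, %0" : "=a"(unused) : "d"(port));
		return;
	}
	if (size == 4) {
		uint32_t unused;
		asm volatile("inl %1, %0" : "=a"(unused) : "d"(port));
	}
	return;
}

// Port write of the low 1, 2 or 4 bytes of args[2] to port args[0], width args[1].
GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	uint32_t data = (uint32_t)cmd->args[2];
	if (size == 1) {
		asm volatile("outb %b0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 2) {
		asm volatile("outw %w0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 4) {
		asm volatile("outl %k0, %w1" ::"a"(data), "d"(port));
		return;
	}
}

// 64-bit IDT gate descriptor (16 bytes).
struct idt_entry_64 {
	uint16_t offset_low;
	uint16_t selector;
	uint8_t ist;
	uint8_t type_attr;
	uint16_t offset_mid;
	uint32_t offset_high;
	uint32_t reserved;
} __attribute__((packed));

// Installs a present, DPL-0, 64-bit interrupt gate (type_attr 0x8E) for
// `vector` that jumps to `handler` with the kernel code selector. `vector`
// is 8 bits wide, so the index stays within a 256-entry (4 KiB) IDT.
GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler)
{
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
	volatile struct idt_entry_64* idt_entry = &idt[vector];
	idt_entry->offset_low = (uint16_t)handler;
	idt_entry->offset_mid = (uint16_t)(handler >> 16);
	idt_entry->offset_high = (uint32_t)(handler >> 32);
	idt_entry->selector = X86_SYZOS_SEL_CODE;
	idt_entry->type_attr = 0x8E;
	idt_entry->ist = 0;
	idt_entry->reserved = 0;
}

// args[0] = vector, args[1] = handler type: 1 -> dummy_null_handler,
// 2 -> uexit_irq_handler. Any other type installs a *present* gate whose
// target is address 0, so delivering that vector will jump to 0; this
// appears to be deliberate fuzzing surface rather than an oversight.
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
{
	uint8_t vector = (uint8_t)cmd->args[0];
	uint64_t type = cmd->args[1];
	volatile uint64_t handler_addr = 0;
	if (type == 1)
		handler_addr = executor_fn_guest_addr(dummy_null_handler);
	else if (type == 2)
		handler_addr = executor_fn_guest_addr(uexit_irq_handler);
	set_idt_gate(vector, handler_addr);
}

// Identifies the vendor from CPUID leaf 0 (ebx = "Genu" or "Auth"). An
// unknown vendor reports UEXIT_ASSERT; since guest_uexit() returns, the
// caller then proceeds down the Intel path.
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void)
{
	uint32_t ebx, eax = 0;
	asm volatile("cpuid"
		     : "+a"(eax), "=b"(ebx)
		     :
		     : "ecx", "edx");
	if (ebx == 0x756e6547)
		return CPU_VENDOR_INTEL;
	if (ebx == 0x68747541)
		return CPU_VENDOR_AMD;
	guest_uexit(UEXIT_ASSERT);
	return CPU_VENDOR_INTEL;
}

GUEST_CODE static inline uint64_t read_cr0(void)
{
	uint64_t val;
	asm volatile("mov %%cr0, %0" : "=r"(val));
	return val;
}

GUEST_CODE static inline uint64_t read_cr3(void)
{
	uint64_t val;
	asm volatile("mov %%cr3, %0" : "=r"(val));
	return val;
}

GUEST_CODE static inline uint64_t read_cr4(void)
{
	uint64_t val;
	asm volatile("mov %%cr4, %0" : "=r"(val));
	return val;
}

GUEST_CODE static inline void write_cr4(uint64_t val)
{
	asm volatile("mov %0, %%cr4" : : "r"(val));
}

// VMWRITE to the current VMCS. VMfail (CF or ZF set, caught by setna) is
// reported as UEXIT_ASSERT; execution continues afterwards.
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value)
{
	uint8_t error = 0;
	asm volatile("vmwrite %%rax, %%rbx; setna %0"
		     : "=q"(error)
		     : "a"(value), "b"(field)
		     : "cc", "memory");
	if (error)
		guest_uexit(UEXIT_ASSERT);
}

// VMREAD from the current VMCS. Unlike vmwrite(), a VMfail is not detected;
// the returned value is then whatever was left in rax.
GUEST_CODE static noinline uint64_t vmread(uint64_t field)
{
	uint64_t value;
	asm volatile("vmread %%rbx, %%rax"
		     : "=a"(value)
		     : "b"(field)
		     : "cc");
	return value;
}

// Makes the VMCS of (cpu_id, vm_id) current; failure reports 0xE2BAD2.
GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	asm volatile("vmptrld %1; setna %0"
		     : "=q"(error)
		     : "m"(vmcs_addr)
		     : "memory", "cc");
	if (error)
		guest_uexit(0xE2BAD2);
}

// Raw accessors for VMCB fields at byte `offset` (SVM). The VMCB lives in
// guest memory, so these are plain volatile stores/loads.
GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val)
{
	*((volatile uint16_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val)
{
	*((volatile uint32_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset)
{
	return *((volatile uint32_t*)(vmcb + offset));
}

GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val)
{
	*((volatile uint64_t*)(vmcb + offset)) = val;
}

// Takes a pointer rather than an integer address, unlike its siblings;
// callers pass an explicit cast, so the signature is kept as is.
GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset)
{
	return *((volatile uint64_t*)(vmcb + offset));
}

// Byte-loop replacements for memset/memcpy: guest code cannot call libc,
// and the volatile pointers keep the compiler from emitting such calls.
GUEST_CODE static void guest_memset(void* s, uint8_t c, int size)
{
	volatile uint8_t* p = (volatile uint8_t*)s;
	for (int i = 0; i < size; i++)
		p[i] = c;
}

GUEST_CODE static void guest_memcpy(void* dst, void* src, int size)
{
	volatile uint8_t* d = (volatile uint8_t*)dst;
	volatile uint8_t* s = (volatile uint8_t*)src;
	for (int i = 0; i < size; i++)
		d[i] = s[i];
}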
GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_pdpt_addr = l2_pml4_addr + KVM_PAGE_SIZE; uint64_t l2_pd_addr = l2_pml4_addr + 2 * KVM_PAGE_SIZE; uint64_t l2_pt_addr = l2_pml4_addr + 3 * KVM_PAGE_SIZE; volatile uint64_t* pml4 = (volatile uint64_t*)l2_pml4_addr; volatile uint64_t* pdpt = (volatile uint64_t*)l2_pdpt_addr; volatile uint64_t* pd = (volatile uint64_t*)l2_pd_addr; volatile uint64_t* pt = (volatile uint64_t*)l2_pt_addr; guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pdpt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pd_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id), 0, KVM_PAGE_SIZE); uint64_t 
flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; pml4[0] = l2_pdpt_addr | flags; pdpt[0] = l2_pd_addr | flags; pd[0] = l2_pt_addr | flags; uint64_t pt_flags = flags; if (vendor == CPU_VENDOR_INTEL) { pt_flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { pt_flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } for (int i = 0; i < 512; i++) pt[i] = (i * KVM_PAGE_SIZE) | pt_flags; } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); 
vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { uint64_t basic_reason = exit_reason & 0xFFFF; syz_nested_exit_reason mapped_reason = 
map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%rax push %%rbx push %%rcx push %%rdx push %%rsi push %%rdi push %%rbp push %%r8 push %%r9 push %%r10 push %%r11 push %%r12 push %%r13 push %%r14 push %%r15 mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[stack_cleanup_size], %%rsp jmp after_vmentry_label )" : : [stack_cleanup_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t 
basic_reason = exit_reason & 0xFFFF; syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, 0); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); uint64_t tmpreg = 0; asm volatile("mov %%rsp, %0" : "=r"(tmpreg)); vmwrite(VMCS_HOST_RSP, tmpreg); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t 
    l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); /* continues the init_vmcs_guest_state body begun above */
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    /* L2 starts with L1's selectors: flat bases (FS/GS keep their MSR bases), 4 GiB limits. */
    SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
    SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    /* TR: 0x67 = sizeof(struct tss64) - 1, the minimum 64-bit TSS limit; LDTR is marked unusable. */
    SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
    SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
    /* L2 inherits L1's control registers, CR3 included, so it initially walks
     * L1's own page tables; the per-VM tables built by setup_l2_page_tables are
     * presumably installed via the control fields (EPT) — confirm. */
    vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
    vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
    vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
    /* Entry point at the start of the code page; stack at the top of the stack page minus 8. */
    vmwrite(VMCS_GUEST_RIP, l2_code_addr);
    vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); /* only the always-1 bit: IF clear */
    vmwrite(VMCS_GUEST_DR7, 0x400); /* DR7 reset value (reserved bit 10 set) */
    /* MSR-backed guest fields mirror what init_vmcs_host_state put in the host area. */
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
    vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
    /* Descriptor tables: L1's bases with maximal limits. */
    vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
    vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
    vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
    vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
    /* No shadow VMCS: the link pointer has to be all-ones. */
    vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff);
    /* Active state, nothing pending or blocked, no preemption timer. */
    vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0);
    vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
    vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0);
    vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
    vmwrite(VMCS_GUEST_INTR_STATUS, 0);
    vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

/*
 * Create (or re-create) the VMCS of L2 VM `cmd->arg` on this vCPU (VMX path).
 * The region lives at X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); vm_id comes from
 * the command unchecked, so that macro or the command parser must bound it —
 * confirm.
 *  1. store the VMCS revision identifier (low dword of IA32_VMX_BASIC, the
 *     rdmsr result truncated to 32 bits) as the first dword of the region;
 *  2. VMCLEAR it — `setna` captures CF|ZF, i.e. both VMfailInvalid and
 *     VMfailValid; the "m" operand makes vmclear read the 64-bit physical
 *     address from the stack slot holding vmcs_addr;
 *  3. on failure report 0xE2BAD1 to the host and stop;
 *  4. make it the current VMCS, then build the L2 page tables, control fields,
 *     host state and guest state in that order (every vmwrite targets the
 *     current VMCS, so the vmptrld must come first).
 */
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) {
    uint64_t vm_id = cmd->arg;
    uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint8_t error = 0;
    *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
    asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc");
    if (error) {
        guest_uexit(0xE2BAD1);
        return;
    }
    nested_vmptrld(cpu_id, vm_id);
    setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id);
    init_vmcs_control_fields(cpu_id, vm_id);
    init_vmcs_host_state();
    init_vmcs_guest_state(cpu_id, vm_id);
}

/* Program selector/attributes/limit/base of one L2 segment in the VMCB.
 * VMBC_PTR is passed the raw VMCB address (uint64_t), not a pointer, despite
 * its name.  Four statements, no do/while wrapper: never use unbraced. */
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

/*
 * Fill the guest state-save area and the control area of the VMCB for a
 * fresh L2 of this vCPU (SVM path).  Segments are flat 4 GiB code/data with
 * the L1 selectors; the body continues below with TR/LDTR, control registers,
 * descriptor tables, intercepts and nested paging.
 */
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) {
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); /* nested page-table root */
    SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    /* continues init_vmcb_guest_state: TR at the L1 TSS (0x67 = sizeof(struct tss64) - 1).
     * NOTE(review): VMX_AR_TSS_AVAILABLE is a VMX access-rights constant reused here for
     * an SVM attribute field — confirm it encodes the VMCB attribute layout. */
    SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, VMX_AR_TSS_AVAILABLE);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
    uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
    /* Control registers: L1's values with CR0.WP forced on; L2 starts on L1's CR3
     * (translated through the nested page tables installed below). */
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
    /* Entry point at the code page, stack at the top of the stack page minus 8,
     * RFLAGS with only the always-1 bit (IF clear), debug state cleared. */
    vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
    vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
    vmcb_write64(vmcb_addr, VMCB_GUEST_DEBUGCTL, 0);
    vmcb_write64(vmcb_addr, VMCB_GUEST_DR6, 0x0);
    vmcb_write64(vmcb_addr, VMCB_GUEST_DR7, 0x0);
    /* L1's EFER with SYSCALL/SYSRET disabled for L2; PAT from the live MSR. */
    vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, efer & ~X86_EFER_SCE);
    vmcb_write64(vmcb_addr, VMCB_GUEST_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
    /* GDTR/IDTR are read back from the running L1 (packed 10-byte pseudo-descriptor). */
    struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr;
    asm volatile("sgdt %0" : "=m"(gdtr));
    asm volatile("sidt %0" : "=m"(idtr));
    vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
    vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
    /* Control area: intercept everything in vectors 3 and 4, enable nested
     * paging rooted at the 4 KiB-aligned per-VM PML4, ASID 1.
     * `(1 << VMCB_CTRL_NPT_ENABLE_BIT)` is an int shift — fine while the bit
     * index stays below 31.  `~0xFFF` is an int, sign-extended to 64 bits by
     * the &, so it clears exactly the low 12 bits.
     * NOTE(review): every L2 on every vCPU gets ASID 1, so their TLB entries
     * are not distinguished from each other — presumably acceptable for a
     * fuzzer; confirm. */
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
    vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
    uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
    vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
    vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

/*
 * Create the VMCB of L2 VM `cmd->arg` on this vCPU (SVM path): zero the VMCB
 * page and the per-vCPU arch-specific page, build the nested page tables and
 * fill the VMCB.  vm_id comes from the command unchecked (see the VMX variant).
 * The host save-area MSR and GIF (stgi/clgi) are not touched here —
 * presumably handled when SVM is enabled elsewhere; confirm.
 */
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) {
    uint64_t vm_id = cmd->arg;
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
    setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id);
    init_vmcb_guest_state(cpu_id, vm_id);
}

/* Vendor dispatch for the "create nested VM" command; any non-Intel vendor takes the AMD path. */
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) {
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_create_vm_intel(cmd, cpu_id);
    } else {
        nested_create_vm_amd(cmd, cpu_id);
    }
}

/*
 * Copy the command's payload into the L2 code page of VM cmd->vm_id and reset
 * L2's RIP/RSP to the start of that page / top of the stack page.
 * The payload length is header.size minus the header and the vm_id word,
 * clamped to one page.
 * NOTE(review): a header.size smaller than sizeof(header) + 8 wraps
 * l2_code_size to a huge value, which the clamp then turns into a full page
 * copied from cmd->insns — a lower-bound check on header.size would avoid
 * that over-read of the command buffer.
 * On VMX the VMCS is made current before the vmwrites; on SVM the VMCB is
 * patched directly.
 */
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) {
    uint64_t vm_id = cmd->vm_id;
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t);
    if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE;
    guest_memcpy((void*)l2_code_addr, (void*)cmd->insns, l2_code_size);
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_vmptrld(cpu_id, vm_id);
        vmwrite(VMCS_GUEST_RIP, l2_code_addr);
        vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    } else {
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, l2_code_addr);
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    }
}

/*
 * Enter L2 on VMX with VMLAUNCH (is_launch) or VMRESUME.
 * fail_flag = CF | ZF after the instruction: CF is VMfailInvalid, ZF is
 * VMfailValid; on VMfailValid the VM-instruction error is read from the VMCS
 * and reported as 0xE2E10000 | error.
 * On success the instruction does not fall through: control only comes back
 * through the exit trampoline's `jmp after_vmentry_label`, which lands on the
 * asm-defined label below.  The trampoline restores neither the general-purpose
 * registers nor this function's rsp (it uses the rsp captured in
 * init_vmcs_host_state), so the code after the label runs with the register
 * state L2 left behind; __optnone presumably keeps fail_flag in memory so that
 * the check after the label is meaningful, and noinline keeps the `.globl`
 * label from being emitted more than once — confirm both.
 */
GUEST_CODE static noinline __optnone void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) {
    uint64_t vmx_error_code = 0;
    uint8_t fail_flag = 0;
    nested_vmptrld(cpu_id, vm_id);
    if (is_launch) {
        asm volatile(R"( vmlaunch setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory");
    } else {
        asm volatile(R"( vmresume setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory");
    }
    asm volatile(".globl after_vmentry_label\nafter_vmentry_label:");
    if (fail_flag) {
        vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
        guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
        return;
    }
}

/*
 * Run L2 VM `vm_id` on SVM with a single VMRUN and dispatch the resulting
 * #VMEXIT to nested_vm_exit_handler_amd.  The body continues below.
 */
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) {
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    volatile uint8_t* vmcb_ptr =
    (volatile uint8_t*)vmcb_addr; /* continues guest_run_amd_vm */
    uint8_t fail_flag = 0;
    /* VMRUN takes the VMCB physical address in rax.  Only rax/flags/memory are
     * declared clobbered: VMRUN/#VMEXIT save and restore only rax, rsp, rip and
     * rflags, so any other GPR modified by the L2 code stays modified here.
     * NOTE(review): SVM reports an unusable VMCB through the EXITCODE rather
     * than CF, and host rflags are restored on #VMEXIT, so the `setc` presumably
     * observes the pre-VMR­UN carry flag — confirm what this check is meant to
     * catch. */
    asm volatile( "mov %1, %%rax\n\t" "vmrun\n\t" "setc %0\n\t" : "=q"(fail_flag) : "m"(vmcb_addr) : "rax", "cc", "memory");
    if (fail_flag) {
        guest_uexit(0xE2E10000 | 0xFFFF);
        return;
    }
    uint64_t exit_reason = vmcb_read64(vmcb_ptr, VMCB_EXIT_CODE);
    nested_vm_exit_handler_amd(exit_reason, cpu_id, vm_id);
}

/* "vmlaunch" command: first entry into L2 VM cmd->arg.  SVM has no
 * launch/resume distinction, so both commands end in guest_run_amd_vm. */
GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) {
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, true);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

/* "vmresume" command: re-enter L2 VM cmd->arg after an exit (VMRESUME on VMX,
 * another VMRUN on SVM). */
GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) {
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, false);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

/*
 * Read-modify-write of one VMCS field of VM args[0] (VMX only):
 *   new = ((old & ~args[3]) | args[2]) ^ args[4]
 * i.e. clear unset_mask, set set_mask, then flip flip_mask.  args[1] is the
 * VMCS field encoding, taken from the command unchecked; the VMCS is made
 * current first.  What an invalid encoding does depends on vmread/vmwrite.
 */
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) {
    if (get_cpu_vendor() != CPU_VENDOR_INTEL) return;
    uint64_t vm_id = cmd->args[0];
    nested_vmptrld(cpu_id, vm_id);
    uint64_t field = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmread(field);
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
    vmwrite(field, new_value);
}

/*
 * SVM counterpart of the above: read-modify-write of the 64-bit VMCB word at
 * byte offset args[1] of VM args[0], same mask semantics.
 * NOTE(review): the offset is not bounded to the VMCB page, so a large value
 * reaches memory beyond it (still guest memory of this sandbox) — if that is
 * not intentional fuzzing surface, mask the offset to the page.
 */
GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) {
    if (get_cpu_vendor() != CPU_VENDOR_AMD) return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t offset = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset);
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
    vmcb_write64(vmcb_addr, offset, new_value);
}

/* INVLPGA: invalidate the TLB entry for linear address args[0] in ASID
 * args[1] (implicit operands rax / ecx).  cpu_id is unused. */
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id) {
    if (get_cpu_vendor() != CPU_VENDOR_AMD) return;
    uint64_t linear_addr = cmd->args[0];
    uint32_t asid = (uint32_t)cmd->args[1];
    asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

/* STGI: set the global interrupt flag.  Declared with an empty (unprototyped)
 * parameter list; `(void)` would be the prototyped form. */
GUEST_CODE static noinline void guest_handle_nested_amd_stgi() {
    if (get_cpu_vendor() != CPU_VENDOR_AMD) return;
    asm volatile("stgi" ::: "memory");
}

/* CLGI: clear the global interrupt flag (same declarator remark as stgi). */
GUEST_CODE static noinline void guest_handle_nested_amd_clgi() {
    if (get_cpu_vendor() != CPU_VENDOR_AMD) return;
    asm volatile("clgi" ::: "memory");
}

/*
 * Queue an event for injection into L2 VM args[0] by writing the 64-bit word
 * at VMCB offset 0x60 (presumably the EVENTINJ field):
 *   bits  7:0  vector      (args[1] & 0xFF)
 *   bits 10:8  type        (args[2] & 7)
 *   bit  11    set when args[4] & 2   (error code valid)
 *   bit  31    set when args[4] & 1   (event valid)
 *   bits 63:32 error code  (args[3] & 0xFFFFFFFF)
 */
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id) {
    if (get_cpu_vendor() != CPU_VENDOR_AMD) return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t vector = cmd->args[1] & 0xFF;
    uint64_t type = cmd->args[2] & 0x7;
    uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
    uint64_t flags = cmd->args[4];
    uint64_t event_inj = vector;
    event_inj |= (type << 8);
    if (flags & 2) event_inj |= (1ULL << 11);
    if (flags & 1) event_inj |= (1ULL << 31);
    event_inj |= (error_code << 32);
    vmcb_write64(vmcb_addr, 0x60, event_inj);
}

/*
 * Set (action == 1) or clear (any other action) the bits of args[2] in the
 * 32-bit VMCB word at offset args[1] of VM args[0] — used to toggle
 * intercepts.  The offset is truncated to 16 bits and otherwise unchecked
 * (see the write_mask handler).  vmcb_read32/vmcb_write32 take the raw
 * address, unlike vmcb_read64.
 */
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) {
    if (get_cpu_vendor() != CPU_VENDOR_AMD) return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t offset = cmd->args[1];
    uint64_t bit_mask = cmd->args[2];
    uint64_t action = cmd->args[3];
    uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset);
    if (action == 1) current |= (uint32_t)bit_mask;
    else current &= ~((uint32_t)bit_mask);
    vmcb_write32(vmcb_addr, (uint16_t)offset, current);
}

/* VMLOAD: load the hidden processor state saved in the VMCB of VM cmd->arg
 * (VMCB physical address in rax). */
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) {
    if (get_cpu_vendor() != CPU_VENDOR_AMD) return;
    uint64_t vm_id = cmd->arg;
    uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory");
}

/* VMSAVE: store the hidden processor state into the VMCB of VM cmd->arg. */
GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) {
    if (get_cpu_vendor() != CPU_VENDOR_AMD) return;
    uint64_t vm_id = cmd->arg;
    uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory");
}

/*
 * Raw machine-code snippets placed in guest memory to bring a vCPU into the
 * mode their names describe (presumably consumed by syz_kvm_setup_cpu, whose
 * visible part does not reach them).  The bytes are instruction encodings and
 * must not be edited by hand.
 */
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb";
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
const char kvm_asm64_init_vm[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); /* end of struct tss32 (begun above) */

/* 64-bit TSS image (104 bytes): rsp[0..2] for privilege-level stacks, seven IST slots, I/O bitmap offset. */
struct tss64 {
    uint32_t reserved0;
    uint64_t rsp[3];
    uint64_t reserved1;
    uint64_t ist[7];
    uint64_t reserved2;
    uint16_t reserved3;
    uint16_t io_bitmap;
} __attribute__((packed));

/*
 * Encode a kvm_segment as an 8-byte legacy descriptor and store it at
 * selector>>3 in both tables dt and lt (callers pass the same table twice to
 * write just one).  With g set the byte limit is converted to page units.
 * Field placement: limit[15:0] at 0, base[23:0] at 16, type at 40, S at 44,
 * DPL at 45, P at 47, AVL at 52, L at 53, D/B at 54, G at 55.
 * NOTE(review): `(limit & 0xf0000ULL) << 48` lands limit[19:16] at bit 64 and
 * `(seg->base & 0xff000000ULL) << 56` lands base[31:24] at bit 80, both past
 * the end of the 64-bit value, so those two fields are silently dropped (the
 * descriptor format would need `<< 32` for both).  Callers therefore get a
 * 16-bit limit and a 24-bit base; confirm nothing relies on that before fixing.
 */
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) {
    uint16_t index = seg->selector >> 3;
    uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
    uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
    dt[index] = sd;
    lt[index] = sd;
}

/* 16-byte (long-mode system) descriptor: the legacy half as above, the upper
 * half — base[63:32] and reserved bits — zeroed. */
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) {
    fill_segment_descriptor(dt, lt, seg);
    uint16_t index = seg->selector >> 3;
    dt[index + 1] = 0;
    lt[index + 1] = 0;
}

/*
 * Program the SYSENTER/SYSCALL MSRs of vCPU cpufd: SYSENTER CS/ESP/EIP,
 * STAR with the SYSCALL CS at bits 47:32 and the SYSRET CS at 63:48, and
 * LSTAR.  The kvm_msrs header plus its 5-entry flexible array is built in a
 * stack buffer.  The ioctl result is not checked.
 */
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) {
    char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
    memset(buf, 0, sizeof(buf));
    struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
    struct kvm_msr_entry* entries = msrs->entries;
    msrs->nmsrs = 5;
    entries[0].index = X86_MSR_IA32_SYSENTER_CS;
    entries[0].data = sel_cs;
    entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
    entries[1].data = X86_ADDR_STACK0;
    entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
    entries[2].data = X86_ADDR_VAR_SYSEXIT;
    entries[3].index = X86_MSR_IA32_STAR;
    entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
    entries[4].index = X86_MSR_IA32_LSTAR;
    entries[4].data = X86_ADDR_VAR_SYSRET;
    ioctl(cpufd, KVM_SET_MSRS, msrs);
}

/*
 * Build a 32-entry IDT of 8-byte gates at guest address X86_ADDR_VAR_IDT and
 * point sregs->idt at it.  kvm_segment is reused as a gate description:
 * `.base` carries the target selector and `.limit` the handler offset, and
 * the gate type/selector cycle through six variants (types 6, 7, 3, 14, 15,
 * 11).  Every field fill_segment_descriptor reads is assigned explicitly; the
 * remaining kvm_segment fields stay uninitialised but are never read.
 * Because fill_segment_descriptor drops limit[19:16] and masks the rest, only
 * the low 16 bits of the offset survive.  host_mem + idt.base presumes the
 * guest-physical base guest_mem is 0, as it is in syz_kvm_setup_cpu.
 */
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) {
    sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
    sregs->idt.limit = 0x1ff;
    uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
    for (int i = 0; i < 32; i++) {
        struct kvm_segment gate;
        gate.selector = i << 3;
        switch (i % 6) { /* all six remainders handled, so no default is needed */
        case 0: gate.type = 6; gate.base = X86_SEL_CS16; break;
        case 1: gate.type = 7; gate.base = X86_SEL_CS16; break;
        case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break;
        case 3: gate.type = 14; gate.base = X86_SEL_CS32; break;
        case 4: gate.type = 15; gate.base = X86_SEL_CS32; break;
        case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break;
        }
        gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
        gate.present = 1;
        gate.dpl = 0;
        gate.s = 0;
        gate.g = 0;
        gate.db = 0;
        gate.l = 0;
        gate.avl = 0;
        fill_segment_descriptor(idt, idt, &gate);
    }
}

/*
 * 64-bit variant: 32 gates of 16 bytes each (selector (i*2)<<3), alternating
 * types 15 and 14, all targeting X86_SEL_CS64 at the same handler offset.
 * Same kvm_segment reuse and offset truncation as setup_32bit_idt.
 */
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) {
    sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
    sregs->idt.limit = 0x1ff;
    uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
    for (int i = 0; i < 32; i++) {
        struct kvm_segment gate;
        gate.selector = (i * 2) << 3;
        gate.type = (i & 1) ? 14 : 15;
        gate.base = X86_SEL_CS64;
        gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
        gate.present = 1;
        gate.dpl = 0;
        gate.s = 0;
        gate.g = 0;
        gate.db = 0;
        gate.l = 0;
        gate.avl = 0;
        fill_segment_descriptor_dword(idt, idt, &gate);
    }
}

/* Per-region flags for syzos_mem_regions (bit 4 is unused). */
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)

/* One guest-physical region: start address, size in 4 KiB pages, flags. */
struct mem_region {
    uint64_t gpa;
    int pages;
    uint32_t flags;
};

/* Guest-physical layout of a syzos VM; setup_pg_table identity-maps every
 * entry and spends the remaining page budget on X86_SYZOS_ADDR_UNUSED. */
static const struct mem_region syzos_mem_regions[] = {
    {X86_SYZOS_ADDR_ZERO, 48, MEM_REGION_FLAG_GPA0},
    {X86_SYZOS_ADDR_SMRAM, 10, 0},
    {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM},
    {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG},
    {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE},
    {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE},
    {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0},
    {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0},
    {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0},
    {X86_SYZOS_ADDR_IOAPIC, 1, 0},
};

/* Host-side handle of a syzos VM.  host_mem and gpa0_mem are two distinct
 * host mappings: the descriptor-table setup uses host_mem, setup_pg_table
 * uses gpa0_mem. */
struct kvm_syz_vm {
    int vmfd;
    int next_cpu_id;
    void* host_mem;
    size_t total_pages;
    void* user_text;
    void* gpa0_mem;
};

#define X86_NUM_IDT_ENTRIES 256

/*
 * Build the L1 IDT at X86_SYZOS_ADDR_VAR_IDT: all 256 entries point to
 * dummy_null_handler (guest address via executor_fn_guest_addr) through
 * X86_SYZOS_SEL_CODE, IST 0, type_attr 0x8E (present, DPL 0, 64-bit interrupt
 * gate).  Writes go through the host mapping at vm->host_mem + idt.base and
 * sregs->idt is updated accordingly.  The body continues below.
 */
static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) {
    sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT;
    sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1;
    volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)((uint64_t)vm->host_mem + sregs->idt.base);
    uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler);
    for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) {
        idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF);
        idt[i].selector = X86_SYZOS_SEL_CODE;
        idt[i].ist = 0;
        idt[i].type_attr = 0x8E;
        idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF);
        idt[i].offset_high =
        (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); /* continues syzos_setup_idt */
        idt[i].reserved = 0;
    }
}

/* One code blob to load into the guest: kind tag, bytes, length. */
struct kvm_text {
    uintptr_t typ;
    const void* text;
    uintptr_t size;
};

/* One setup option: kind tag and value. */
struct kvm_opt {
    uint64_t typ;
    uint64_t val;
};

/* Physical-address bits of a page-table entry (bits 51..12). */
#define PAGE_MASK GENMASK_ULL(51, 12)

/* Bump allocator over a fixed guest-physical pool of page-table pages. */
typedef struct {
    uint64_t next_page;
    uint64_t last_page;
} page_alloc_t;

/* Hand out the next page of the pool; exhausting it terminates the process. */
static uint64_t pg_alloc(page_alloc_t* alloc) {
    if (alloc->next_page >= alloc->last_page) exit(1);
    uint64_t page = alloc->next_page;
    alloc->next_page += KVM_PAGE_SIZE;
    return page;
}

/*
 * Identity-map one 4 KiB guest-physical page in the 4-level table rooted at
 * X86_SYZOS_ADDR_PML4, allocating missing PDPT/PD/PT pages from `alloc`.
 * host_mem is the host address of guest-physical 0 (tables are edited through
 * it).  Entries get only PRESENT|RW: no USER bit (supervisor-only) and no NX
 * bit, so every mapped page is executable.  Intermediate entries are treated
 * as present when non-zero, which presumes the PML4 page itself starts out
 * zeroed — confirm where that happens (setup_pg_table zeroes only the pool).
 */
static void map_4k_page(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa) {
    uint64_t* pml4 = (uint64_t*)(host_mem + X86_SYZOS_ADDR_PML4);
    uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
    if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
    uint64_t* pdpt = (uint64_t*)(host_mem + (pml4[pml4_idx] & PAGE_MASK));
    uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
    if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
    uint64_t* pd = (uint64_t*)(host_mem + (pdpt[pdpt_idx] & PAGE_MASK));
    uint64_t pd_idx = (gpa >> 21) & 0x1FF;
    if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
    uint64_t* pt = (uint64_t*)(host_mem + (pd[pd_idx] & PAGE_MASK));
    uint64_t pt_idx = (gpa >> 12) & 0x1FF;
    pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW;
}

/* Identity-map num_pages consecutive pages from gpa_start; returns num_pages
 * so callers can subtract it from their page budget. */
static int map_4k_region(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) {
    for (int i = 0; i < num_pages; i++)
        map_4k_page(host_mem, alloc, gpa_start + (i * KVM_PAGE_SIZE));
    return num_pages;
}

/*
 * Build the L1 page tables: zero the 32-page table pool at
 * X86_SYZOS_ADDR_PT_POOL, identity-map every syzos_mem_regions entry, then
 * map whatever is left of vm->total_pages at X86_SYZOS_ADDR_UNUSED (a
 * negative remainder maps nothing).  Uses vm->gpa0_mem as the host view of
 * guest-physical 0.  Running out of pool pages exits the process (pg_alloc).
 */
static void setup_pg_table(struct kvm_syz_vm* vm) {
    int total = vm->total_pages;
    uint64_t host_mem = (uint64_t)vm->gpa0_mem;
    page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + 32 * KVM_PAGE_SIZE};
    for (uint64_t i = 0; i < (alloc.last_page - alloc.next_page); i += KVM_PAGE_SIZE)
        memset((void*)(host_mem + alloc.next_page + i), 0, KVM_PAGE_SIZE);
    for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++)
        total -= map_4k_region(host_mem, &alloc, syzos_mem_regions[i].gpa, syzos_mem_regions[i].pages);
    map_4k_region(host_mem, &alloc, X86_SYZOS_ADDR_UNUSED, total);
}

/* Legacy 8-byte GDT descriptor, field by field. */
struct gdt_entry {
    uint16_t limit_low;
    uint16_t base_low;
    uint8_t base_mid;
    uint8_t access;
    uint8_t limit_high_and_flags;
    uint8_t base_high;
} __attribute__((packed));

/*
 * Write the L1 long-mode GDT: null entry; code (access 0x9A = present, DPL 0,
 * execute/read; flags 0xAF = G, L, limit 0xFFFFF); data (0x92 = present,
 * DPL 0, read/write; 0xCF = G, D/B); 64-bit TSS (0x89 = present, available
 * TSS, limit 0x67).  Only the low 8 bytes of the TSS descriptor are written.
 * NOTE(review): the data descriptor carries X86_SYZOS_ADDR_VAR_TSS as its base
 * while the TSS descriptor has base 0 — this looks swapped.  It is probably
 * harmless because KVM takes the live bases from sregs (setup_gdt_ldt_pg sets
 * seg_tr.base explicitly) and data-segment bases are ignored in 64-bit mode,
 * but confirm before relying on the GDT contents.
 */
static void setup_gdt_64(struct gdt_entry* gdt) {
    gdt[0] = (struct gdt_entry){0};
    gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0};
    gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)};
    gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = 0, .base_mid = 0, .access = 0x89, .limit_high_and_flags = 0x00, .base_high = 0};
}

/*
 * Put vCPU cpufd into 64-bit long mode with paging: GDT of 5 slots at
 * X86_SYZOS_ADDR_GDT, flat CS (type 11, L=1) and DS/ES/FS/GS/SS (type 3,
 * D/B=1), TR at the L1 TSS, the IDT from syzos_setup_idt, the page tables
 * from setup_pg_table, then CR0/CR4/EFER/CR3.
 * The TSS image (104 bytes = sizeof(struct tss64)) is zeroed and its RSP0
 * slot (offset 4) set to X86_SYZOS_ADDR_STACK0.
 * Neither KVM_GET_SREGS nor KVM_SET_SREGS is checked; on a failed GET the
 * `|=` updates of cr4/efer operate on an uninitialised struct.
 * NOTE(review): cr3 is set to X86_ADDR_PML4 while map_4k_page builds the
 * tables at X86_SYZOS_ADDR_PML4 — presumably the same value; confirm.
 * Also note CR0.WP is not set for L1, whereas init_vmcb_guest_state forces it
 * on for L2.
 */
static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd) {
    struct kvm_sregs sregs;
    ioctl(cpufd, KVM_GET_SREGS, &sregs);
    sregs.gdt.base = X86_SYZOS_ADDR_GDT;
    sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1;
    struct gdt_entry* gdt = (struct gdt_entry*)((uint64_t)vm->host_mem + sregs.gdt.base);
    struct kvm_segment seg_cs64;
    memset(&seg_cs64, 0, sizeof(seg_cs64));
    seg_cs64.selector = X86_SYZOS_SEL_CODE;
    seg_cs64.type = 11;
    seg_cs64.base = 0;
    seg_cs64.limit = 0xFFFFFFFFu;
    seg_cs64.present = 1;
    seg_cs64.s = 1;
    seg_cs64.g = 1;
    seg_cs64.l = 1;
    sregs.cs = seg_cs64;
    struct kvm_segment seg_ds64;
    memset(&seg_ds64, 0, sizeof(struct kvm_segment));
    seg_ds64.selector = X86_SYZOS_SEL_DATA;
    seg_ds64.type = 3;
    seg_ds64.limit = 0xFFFFFFFFu;
    seg_ds64.present = 1;
    seg_ds64.s = 1;
    seg_ds64.g = 1;
    seg_ds64.db = 1;
    sregs.ds = seg_ds64;
    sregs.es = seg_ds64;
    sregs.fs = seg_ds64;
    sregs.gs = seg_ds64;
    sregs.ss = seg_ds64;
    struct kvm_segment seg_tr;
    memset(&seg_tr, 0, sizeof(seg_tr));
    seg_tr.selector = X86_SYZOS_SEL_TSS64;
    seg_tr.type = 11; /* 64-bit TSS, busy */
    seg_tr.base = X86_SYZOS_ADDR_VAR_TSS;
    seg_tr.limit = 0x67;
    seg_tr.present = 1;
    seg_tr.s = 0;
    sregs.tr = seg_tr;
    volatile uint8_t* l1_tss = (volatile uint8_t*)((uint64_t)vm->host_mem + X86_SYZOS_ADDR_VAR_TSS);
    memset((void*)l1_tss, 0, 104);
    *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; /* tss64.rsp[0] */
    setup_gdt_64(gdt);
    syzos_setup_idt(vm, &sregs);
    setup_pg_table(vm);
    sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG;
    sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR;
    sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE);
    sregs.cr3 = X86_ADDR_PML4;
    ioctl(cpufd, KVM_SET_SREGS, &sregs);
}

/*
 * Copy KVM's supported CPUID leaves (up to 128) into vCPU cpufd.
 * Neither open() nor the ioctls are checked: if /dev/kvm cannot be opened,
 * KVM_GET_SUPPORTED_CPUID silently fails and the vCPU is given the zeroed
 * 128-entry table instead.
 */
static void setup_cpuid(int cpufd) {
    int kvmfd = open("/dev/kvm", O_RDWR);
    char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
    memset(buf, 0, sizeof(buf));
    struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
    cpuid->nent = 128;
    ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
    ioctl(cpufd, KVM_SET_CPUID2, cpuid);
    close(kvmfd);
}

/* Bit flags of the `flags` argument of syz_kvm_setup_cpu. */
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

/*
 * syz_kvm_setup_cpu(vmfd, cpufd, host_mem, text_array, text_count, flags,
 *                   opt_array, opt_count): legacy (non-syzos) vCPU setup.
 * Only the first kvm_text entry is used (text_count is ignored).  The guest
 * is 24 pages at guest-physical 0 (page `ioapic_page` remapped elsewhere);
 * the body continues beyond this span.
 */
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) {
    const int vmfd = a0;
    const int cpufd = a1;
    char* const host_mem = (char*)a2;
    const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
    const uintptr_t text_count = a4;
    const uintptr_t flags = a5;
    const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
    uintptr_t opt_count = a7;
    const uintptr_t page_size = 4 << 10;
    const uintptr_t ioapic_page = 10;
    const uintptr_t guest_mem_size = 24 * page_size;
    const uintptr_t guest_mem = 0;
    (void)text_count;
    int text_type = text_array_ptr[0].typ;
    const void* text =
text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; 
seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct 
kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; 
host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags 
& KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = 
X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; 
tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) 
| (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, 
&seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = executor_fn_guest_addr(guest_main); regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = text_size; regs.rsi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd); setup_cpuid(cpufd); reset_cpu_regs(cpufd, cpu_id, text_size); } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); 
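memcpy(host_mem, &__start_guest, size); }

// Builds the guest-physical layout of a syzos VM: one KVM memory slot per
// entry of syzos_mem_regions, each backed by the next slice of vm->host_mem,
// followed by a final slot that hands whatever host memory is left over to
// the guest at X86_SYZOS_ADDR_UNUSED.
// Side effects: records vm->user_text / vm->gpa0_mem for the regions flagged
// MEM_REGION_FLAG_USER_CODE / MEM_REGION_FLAG_GPA0 and copies the executor's
// guest image into the MEM_REGION_FLAG_EXECUTOR_CODE region.
static void setup_vm(int vmfd, struct kvm_syz_vm* vm)
{
	struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE};
	int slot = 0;
	for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) {
		const struct mem_region* r = &syzos_mem_regions[i];
		// Regions without host backing are not registered with KVM at all.
		if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM)
			continue;
		struct addr_size next = alloc_guest_mem(&allocator, r->pages * KVM_PAGE_SIZE);
		// alloc_guest_mem() answers {NULL, 0} when the host pool is exhausted.
		// Registering that would give KVM a zero-sized slot at userspace
		// address 0 and leave vm->user_text / vm->gpa0_mem NULL for later
		// memcpy()s. The pool is sized statically, so treat it the way
		// install_syzos_code() treats an oversized image: fatal setup error.
		if (!next.addr)
			exit(1);
		uint32_t flags = 0;
		if (r->flags & MEM_REGION_FLAG_DIRTY_LOG)
			flags |= KVM_MEM_LOG_DIRTY_PAGES;
		if (r->flags & MEM_REGION_FLAG_READONLY)
			flags |= KVM_MEM_READONLY;
		if (r->flags & MEM_REGION_FLAG_USER_CODE)
			vm->user_text = next.addr;
		if (r->flags & MEM_REGION_FLAG_GPA0)
			vm->gpa0_mem = next.addr;
		if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE)
			install_syzos_code(next.addr, next.size);
		vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr);
	}
	// Everything still unallocated becomes one more guest RAM slot.
	struct addr_size rest = alloc_guest_mem(&allocator, allocator.size);
	vm_set_user_memory_region(vmfd, slot++, 0, X86_SYZOS_ADDR_UNUSED, rest.size, (uintptr_t)rest.addr);
}

// Pseudo-syscall: turns the raw host mapping a1 into a syzos VM on the KVM
// vm fd a0. The first page of the mapping holds the struct kvm_syz_vm
// bookkeeping itself; the remaining KVM_GUEST_PAGES - 1 pages back guest
// memory. Returns the bookkeeping struct (as long) for syz_kvm_add_vcpu().
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1)
{
	const int vmfd = a0;
	void* host_mem = (void*)a1;
	struct kvm_syz_vm* vm = (struct kvm_syz_vm*)host_mem;
	vm->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE);
	vm->total_pages = KVM_GUEST_PAGES - 1;
	setup_vm(vmfd, vm);
	vm->vmfd = vmfd;
	vm->next_cpu_id = 0;
	return (long)vm;
}

// Pseudo-syscall: creates the next vCPU of the VM described by a0 and loads
// the program-supplied code a1 (a struct kvm_text) into that CPU's user-code
// page. Returns the vCPU fd, or -1 with errno set: EINVAL for a missing VM or
// text descriptor, ENOMEM once KVM_MAX_VCPU CPUs exist, or whatever
// KVM_CREATE_VCPU failed with.
static long syz_kvm_add_vcpu(volatile long a0, volatile long a1)
{
	struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0;
	struct kvm_text* utext = (struct kvm_text*)a1;
	// Both pointers come straight from the fuzzer program: validate them
	// before dereferencing either one.
	if (!vm || !utext) {
		errno = EINVAL;
		return -1;
	}
	if (vm->next_cpu_id == KVM_MAX_VCPU) {
		errno = ENOMEM;
		return -1;
	}
	const void* text = utext->text;
	size_t text_size = utext->size;
	int cpu_id = vm->next_cpu_id;
	int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id);
	if (cpufd == -1)
		return -1;
	// Only claim the id once the kernel has actually created the vCPU.
	vm->next_cpu_id++;
	// install_user_code() clamps text_size to one page and initialises the
	// CPU's segment, paging and register state.
	install_user_code(vm, cpufd, cpu_id, text,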
text_size); return cpufd; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); 
setup_binderfs(); setup_fusectl(); }

// Best effort: create /dev/gadgetfs and mount gadgetfs on it. Failures of
// mkdir() (already present) and mount() (fs not available) are deliberately
// ignored; the sandbox runs with or without it.
static void setup_gadgetfs()
{
	if (mkdir("/dev/gadgetfs", 0777)) {
	}
	if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
	}
}

// Best effort: mount fusectl so that /sys/fs/fuse/connections/<id>/abort
// exists; kill_and_wait() writes to those files to abort FUSE connections
// that keep a killed test process from going away.
static void setup_fusectl()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

// Best effort: create /dev/binderfs and mount binderfs on it (setup_test()
// later symlinks ./binderfs to it). Failures are ignored.
static void setup_binderfs()
{
	if (mkdir("/dev/binderfs", 0777)) {
	}
	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
	}
}

static void loop();

// Sandbox-process setup shared by the sandbox modes: ties the process'
// lifetime to its parent, pins the initial network namespace at fd
// kInitNetNsFd, caps resource usage, moves into fresh mount/IPC/cgroup/UTS/
// sysvsem namespaces and raises the SysV IPC limits. Every setrlimit(),
// unshare() and mount() here is best effort (return value ignored); only the
// parent check and the netns fd handling are fatal.
static void sandbox_common()
{
	// Die together with the parent ...
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	// ... and if the parent was already gone before the prctl took effect
	// (we have been reparented to pid 1), do not carry on as an orphan.
	if (getppid() == 1)
		exit(1);
	// Keep a handle on the initial network namespace at a fixed fd number,
	// presumably so it stays reachable after the later unshare(CLONE_NEWNET).
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Hard and soft limits alike: 200 MiB address space, 32 MiB locked
	// memory, 136 MiB file size, 1 MiB stack, 128 MiB core, 256 open files.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	// Private mount namespace, then make every mount private so that what
	// the sandbox mounts later does not propagate back out.
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is CLONE_NEWCGROUP in the Linux uapi; presumably spelled as
	// a literal so the file still builds against headers that predate it.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	// SysV IPC limits for the fresh IPC namespace (write_file() is best
	// effort; a missing or read-only sysctl is not fatal).
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Waits for the forked sandbox child `pid` and returns its exit status; any
// other child reaped on the way is dropped. A negative pid (fork() failed)
// is fatal.
// NOTE(review): a waitpid() error (-1, e.g. ECHILD when `pid` is not a child
// of this process) never compares equal to `pid`, so the loop would spin
// forever in that case.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

static
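// Drops CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of this process via the raw capget/capset syscalls (v3
// header), presumably so a fuzzed program cannot ptrace or re-nice the
// executor. Only cap_data[0] (capabilities 0..31) is masked; the
// (1 << CAP_x) arithmetic already relies on both caps living in that word.
// Any syscall failure is fatal.
void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// "none" sandbox: enter a new PID namespace, then fork a child that runs the
// executor loop() with the common sandbox setup, reduced capabilities, its
// own network namespace and a private tmpfs root. The parent only waits for
// the child and returns its exit status (a failed fork() yields pid -1,
// which wait_for_loop() turns into exit(1)). The child never returns: loop()
// is not expected to come back, and exit(1) covers the case that it does.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	// Let every group id open ICMP ping sockets in the new netns.
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	sandbox_common_mount_tmpfs();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively unmounts and deletes `dir` and everything beneath it, working
// around what a fuzzed program leaves behind: stacked mounts are unmounted
// until umount2() fails, immutable/append-only inodes (unlink -> EPERM) get
// their attribute flags cleared through FS_IOC_SETFLAGS, busy entries are
// retried after another umount, and an rmdir() that finds the directory
// non-empty again restarts the whole pass (at most 100 times). Anything that
// cannot be recovered this way is fatal (exit(1)).
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	// An unreadable directory (including EMFILE, out of fds) is fatal.
	if (dp == NULL)
		exit(1);
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		// Never act on a truncated path: it would name some other entry.
		int n = snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		if (n < 0 || (size_t)n >= sizeof(filename))
			exit(1);
		while (umount2(filename, umount_flags) == 0) {
		}
		struct stat st;
		// lstat(): do not follow symlinks out of the tree being removed.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			// Keep unlink()'s errno: open()/ioctl()/close() below clobber it.
			int unlink_errno = errno;
			// EPERM is typically an immutable or append-only inode: clear its
			// attribute flags and retry. Bounded by the same 100-try budget as
			// the EBUSY path, so an inode whose flags cannot be cleared (e.g.
			// a filesystem without FS_IOC_SETFLAGS support) cannot keep this
			// loop spinning forever.
			if (unlink_errno == EPERM && i <= 100) {
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (unlink_errno == EROFS)
				break;
			if (unlink_errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}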
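close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } }

// Arms systematic fault injection for the calling thread: the `nth` fault
// point hit after this call is made to fail. Returns the still-open fail-nth
// fd (its lifetime is the caller's business); any failure is fatal.
static int inject_fault(int nth)
{
	int fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	// An int needs at most 11 characters plus NUL; snprintf() keeps the
	// write bounded and returns the length, so no strlen() is needed.
	char buf[16];
	int len = snprintf(buf, sizeof(buf), "%d", nth);
	if (len < 0 || (size_t)len >= sizeof(buf))
		exit(1);
	if (write(fd, buf, len) != (ssize_t)len)
		exit(1);
	return fd;
}

// Kills the test process `pid` together with its process group and reaps it,
// storing the wait status in *status. If it has not been reaped within
// ~100 ms it is presumably stuck behind a FUSE request, so every connection
// under /sys/fs/fuse/connections is aborted before waiting for it without a
// timeout. Children other than `pid` reaped along the way are discarded.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	// Abort all FUSE connections; a missing fusectl mount is not an error.
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		struct dirent* ent;
		while ((ent = readdir(dir))) {
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1)
				continue;
			// Only the act of writing matters here; the byte itself is
			// arbitrary (the first character of the path is reused).
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches whatever backing file the per-process loop device
// /dev/loop<procid> still carries so the next test starts from a clean
// device. A missing device is not an error. `procid` is a file-level global
// defined elsewhere.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test process setup: die with the parent, become a process-group leader
// (so kill_and_wait() can take the whole group down with kill(-pid)), make
// this process the OOM killer's preferred victim, and expose binderfs as
// ./binderfs (best effort).
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

// Checks that the kernel offers systematic fault injection and configures the
// debugfs knobs the fuzzer relies on. Returns NULL on success or a static
// message naming what is missing.
static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},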
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; 
struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case 
FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define HWSIM_ATTR_RX_RATE 5 #define HWSIM_ATTR_SIGNAL 6 #define HWSIM_ATTR_ADDR_RECEIVER 1 #define HWSIM_ATTR_FRAME 3 #define WIFI_MAX_INJECT_LEN 2048 static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, 
volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long 
handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 60; call++) { for (thread = 0; thread < 
(int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 3000 : 0) + (call == 53 ? 3000 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0) + (call == 56 ? 300 : 0) + (call == 57 ? 3000 : 0) + (call == 58 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[37] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x200000000000 = 0x4006; *(uint32_t*)0x200000000004 = 0xd; *(uint32_t*)0x200000000008 = 2; *(uint32_t*)0x20000000000c = 8; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, 
/*cmd=*/0x80044945, /*arg=*/0x200000000000ul); break; case 1: *(uint32_t*)0x200000000040 = 0; *(uint32_t*)0x200000000044 = 1; *(uint32_t*)0x200000000048 = 4; *(uint32_t*)0x20000000004c = 2; *(uint32_t*)0x200000000050 = 5; *(uint32_t*)0x200000000054 = 0x81; *(uint32_t*)0x200000000058 = 0; memcpy((void*)0x20000000005c, "id1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); memcpy((void*)0x20000000009c, "timer0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 80); *(uint64_t*)0x2000000000f0 = 0; *(uint64_t*)0x2000000000f8 = 6; *(uint64_t*)0x200000000100 = 3; *(uint64_t*)0x200000000108 = 0x70a; *(uint32_t*)0x200000000110 = 9; memset((void*)0x200000000114, 0, 32); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0f85403, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000140, "/dev/ircomm#\000", 13); res = -1; res = syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); for (int i = 0; i < 4; i++) { syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); } if (res != -1) r[0] = res; break; case 3: *(uint32_t*)0x200000000340 = 0x82; *(uint32_t*)0x200000000344 = 8; *(uint64_t*)0x200000000348 = 0x200000000280; *(uint32_t*)0x200000000280 = 1; *(uint64_t*)0x200000000284 = 0; *(uint32_t*)0x20000000028c = 0xc0; *(uint64_t*)0x200000000290 = 0x200000000180; memcpy((void*)0x200000000180, 
"\x5b\x58\xac\x0e\xd1\xd2\x7b\x21\x7d\x3f\xdc\x62\x99\xcd\xde\x4d\x85\x32\x1f\x7b\xba\xa0\x64\xd3\x61\x51\x9c\xdd\xe4\x3b\x22\x5c\xf0\x06\x58\xdd\xbf\xbd\x91\x4c\xf7\x9e\xce\xb3\x48\xf1\x86\x92\x31\x5c\x3c\x69\xec\x14\x8e\x2d\xd9\x28\xac\x7e\xe6\x2f\x51\x11\xb9\xdc\xca\xca\x88\x52\x49\x12\x34\x19\x55\xf7\x9b\x0f\x22\x06\xb8\x0e\x6e\x5a\x7e\x68\x1a\x62\x96\x94\xa3\x4f\x9b\x0e\x39\x87\x7e\xef\xde\x60\xa0\x68\xcd\xc4\x45\x45\xd6\xfe\x45\xd0\x00\x0c\x99\x61\xa1\xff\x16\x87\x47\x44\x7e\x34\x6b\x16\x46\x08\x75\xc6\x91\xde\x11\x83\xb2\xd7\xb0\x32\xcf\xae\x85\x49\x7d\x0d\x88\x48\xd4\xba\xa9\xad\xc6\xca\xac\xcd\x9a\xf6\x01\x9e\xa2\xba\x6f\x3b\x4e\x60\x18\xdf\x94\xca\xca\xbe\xdd\xec\x7b\x60\x02\x30\xea\x77\x90\x01\x93\x99\xd0\xbe\xb6\x1f\x42\x7d\xf8\x35\x9c\xc3\x48\x93", 192); *(uint64_t*)0x200000000298 = 0; *(uint32_t*)0x2000000002a0 = 0; *(uint64_t*)0x2000000002a4 = 0x200000000240; *(uint32_t*)0x2000000002ac = 0x10000; *(uint32_t*)0x2000000002b0 = 0; *(uint64_t*)0x2000000002b4 = 0; *(uint32_t*)0x2000000002bc = 0x81; *(uint32_t*)0x2000000002c0 = 0xe; *(uint64_t*)0x200000000350 = 0x200000000300; *(uint32_t*)0x200000000358 = 0x44; *(uint32_t*)0x20000000035c = 0xc; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0206440, /*arg=*/0x200000000340ul); if (res != -1) r[1] = *(uint64_t*)0x200000000300; break; case 4: *(uint32_t*)0x200000000400 = 0x81; *(uint32_t*)0x200000000404 = 4; *(uint64_t*)0x200000000408 = 0x200000000380; *(uint64_t*)0x200000000380 = r[1]; *(uint64_t*)0x200000000410 = 0x2000000003c0; *(uint32_t*)0x200000000418 = 8; *(uint32_t*)0x20000000041c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000400ul); break; case 5: *(uint32_t*)0x200000000440 = 3; *(uint32_t*)0x200000000444 = 6; STORE_BY_BITMASK(uint32_t, , 0x200000000448, 1, 0, 1); memcpy((void*)0x200000000449, 
"queue1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); *(uint32_t*)0x20000000048c = 0xdae; memset((void*)0x200000000490, 0, 60); syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc08c5335, /*arg=*/0x200000000440ul); break; case 6: memcpy((void*)0x200000000540, "TIPCv2\000", 7); res = -1; res = syz_genetlink_get_family_id(/*name=*/0x200000000540, /*fd=*/r[0]); if (res != -1) r[2] = res; break; case 7: *(uint64_t*)0x200000000880 = 0x200000000500; *(uint16_t*)0x200000000500 = 0x10; *(uint16_t*)0x200000000502 = 0; *(uint32_t*)0x200000000504 = 0; *(uint32_t*)0x200000000508 = 0x1000000; *(uint32_t*)0x200000000888 = 0xc; *(uint64_t*)0x200000000890 = 0x200000000840; *(uint64_t*)0x200000000840 = 0x200000000580; *(uint32_t*)0x200000000580 = 0x2b4; *(uint16_t*)0x200000000584 = r[2]; *(uint16_t*)0x200000000586 = 0x400; *(uint32_t*)0x200000000588 = 0x70bd2d; *(uint32_t*)0x20000000058c = 0x25dfdbfb; *(uint8_t*)0x200000000590 = 4; *(uint8_t*)0x200000000591 = 0; *(uint16_t*)0x200000000592 = 0; *(uint16_t*)0x200000000594 = 0x44; STORE_BY_BITMASK(uint16_t, , 0x200000000596, 3, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 1, 7, 1); *(uint16_t*)0x200000000598 = 8; *(uint16_t*)0x20000000059a = 1; *(uint32_t*)0x20000000059c = 6; *(uint16_t*)0x2000000005a0 = 8; *(uint16_t*)0x2000000005a2 = 1; *(uint32_t*)0x2000000005a4 = 0x3f; *(uint16_t*)0x2000000005a8 = 8; *(uint16_t*)0x2000000005aa = 1; *(uint32_t*)0x2000000005ac = 2; *(uint16_t*)0x2000000005b0 = 8; *(uint16_t*)0x2000000005b2 = 1; *(uint32_t*)0x2000000005b4 = 0x4c00000; *(uint16_t*)0x2000000005b8 = 8; *(uint16_t*)0x2000000005ba = 1; *(uint32_t*)0x2000000005bc = 3; *(uint16_t*)0x2000000005c0 = 8; *(uint16_t*)0x2000000005c2 = 1; *(uint32_t*)0x2000000005c4 = 6; *(uint16_t*)0x2000000005c8 = 8; 
*(uint16_t*)0x2000000005ca = 3; *(uint32_t*)0x2000000005cc = 0x67c; *(uint16_t*)0x2000000005d0 = 8; *(uint16_t*)0x2000000005d2 = 1; *(uint32_t*)0x2000000005d4 = 7; *(uint16_t*)0x2000000005d8 = 0x3c; STORE_BY_BITMASK(uint16_t, , 0x2000000005da, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 1, 7, 1); *(uint16_t*)0x2000000005dc = 9; *(uint16_t*)0x2000000005de = 1; memcpy((void*)0x2000000005e0, "syz1\000", 5); *(uint16_t*)0x2000000005e8 = 0x2c; STORE_BY_BITMASK(uint16_t, , 0x2000000005ea, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 1, 7, 1); *(uint16_t*)0x2000000005ec = 8; *(uint16_t*)0x2000000005ee = 3; *(uint32_t*)0x2000000005f0 = 0x220a; *(uint16_t*)0x2000000005f4 = 8; *(uint16_t*)0x2000000005f6 = 4; *(uint32_t*)0x2000000005f8 = 0x9c0; *(uint16_t*)0x2000000005fc = 8; *(uint16_t*)0x2000000005fe = 2; *(uint32_t*)0x200000000600 = 0x101; *(uint16_t*)0x200000000604 = 8; *(uint16_t*)0x200000000606 = 4; *(uint32_t*)0x200000000608 = 3; *(uint16_t*)0x20000000060c = 8; *(uint16_t*)0x20000000060e = 1; *(uint32_t*)0x200000000610 = 8; *(uint16_t*)0x200000000614 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000616, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 1, 7, 1); *(uint16_t*)0x200000000618 = 8; *(uint16_t*)0x20000000061a = 2; *(uint32_t*)0x20000000061c = 6; *(uint16_t*)0x200000000620 = 8; *(uint16_t*)0x200000000622 = 1; *(uint32_t*)0x200000000624 = 1; *(uint16_t*)0x200000000628 = 0xb8; STORE_BY_BITMASK(uint16_t, , 0x20000000062a, 1, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 1, 7, 1); *(uint16_t*)0x20000000062c = 0x24; STORE_BY_BITMASK(uint16_t, , 0x20000000062e, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 1, 7, 1); *(uint16_t*)0x200000000630 = 8; 
*(uint16_t*)0x200000000632 = 2; *(uint32_t*)0x200000000634 = 9; *(uint16_t*)0x200000000638 = 8; *(uint16_t*)0x20000000063a = 4; *(uint32_t*)0x20000000063c = 7; *(uint16_t*)0x200000000640 = 8; *(uint16_t*)0x200000000642 = 2; *(uint32_t*)0x200000000644 = 5; *(uint16_t*)0x200000000648 = 8; *(uint16_t*)0x20000000064a = 2; *(uint32_t*)0x20000000064c = 2; *(uint16_t*)0x200000000650 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000652, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 1, 7, 1); *(uint16_t*)0x200000000654 = 8; *(uint16_t*)0x200000000656 = 3; *(uint32_t*)0x200000000658 = 6; *(uint16_t*)0x20000000065c = 8; *(uint16_t*)0x20000000065e = 4; *(uint32_t*)0x200000000660 = 0; *(uint16_t*)0x200000000664 = 0xd; *(uint16_t*)0x200000000666 = 1; memcpy((void*)0x200000000668, "udp:syz2\000", 9); *(uint16_t*)0x200000000674 = 0xc; STORE_BY_BITMASK(uint16_t, , 0x200000000676, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 1, 7, 1); *(uint16_t*)0x200000000678 = 8; *(uint16_t*)0x20000000067a = 4; *(uint32_t*)0x20000000067c = 7; *(uint16_t*)0x200000000680 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000682, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 1, 7, 1); *(uint16_t*)0x200000000684 = 8; *(uint16_t*)0x200000000686 = 1; *(uint32_t*)0x200000000688 = 0x17; *(uint16_t*)0x20000000068c = 8; *(uint16_t*)0x20000000068e = 1; *(uint32_t*)0x200000000690 = 0x17; *(uint16_t*)0x200000000694 = 8; *(uint16_t*)0x200000000696 = 1; *(uint32_t*)0x200000000698 = 0x12; *(uint16_t*)0x20000000069c = 0x2c; *(uint16_t*)0x20000000069e = 4; *(uint16_t*)0x2000000006a0 = 0x14; *(uint16_t*)0x2000000006a2 = 1; *(uint16_t*)0x2000000006a4 = 2; *(uint16_t*)0x2000000006a6 = htobe16(0x4e21); *(uint32_t*)0x2000000006a8 = htobe32(0xe0000002); *(uint16_t*)0x2000000006b4 = 0x14; *(uint16_t*)0x2000000006b6 = 2; 
*(uint16_t*)0x2000000006b8 = 2; *(uint16_t*)0x2000000006ba = htobe16(0x4e20); *(uint32_t*)0x2000000006bc = htobe32(-1); *(uint16_t*)0x2000000006c8 = 8; *(uint16_t*)0x2000000006ca = 3; *(uint32_t*)0x2000000006cc = 0xb; *(uint16_t*)0x2000000006d0 = 0xd; *(uint16_t*)0x2000000006d2 = 1; memcpy((void*)0x2000000006d4, "udp:syz1\000", 9); *(uint16_t*)0x2000000006e0 = 0x20; STORE_BY_BITMASK(uint16_t, , 0x2000000006e2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 1, 7, 1); *(uint16_t*)0x2000000006e4 = 8; *(uint16_t*)0x2000000006e6 = 1; *(uint32_t*)0x2000000006e8 = 8; *(uint16_t*)0x2000000006ec = 0xc; *(uint16_t*)0x2000000006ee = 3; *(uint64_t*)0x2000000006f0 = 6; *(uint16_t*)0x2000000006f8 = 8; *(uint16_t*)0x2000000006fa = 1; *(uint32_t*)0x2000000006fc = 0x80; *(uint16_t*)0x200000000700 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000702, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 1, 7, 1); *(uint16_t*)0x200000000704 = 8; *(uint16_t*)0x200000000706 = 1; *(uint32_t*)0x200000000708 = 2; *(uint16_t*)0x20000000070c = 8; *(uint16_t*)0x20000000070e = 1; *(uint32_t*)0x200000000710 = 9; *(uint16_t*)0x200000000714 = 0x10c; STORE_BY_BITMASK(uint16_t, , 0x200000000716, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 1, 7, 1); *(uint16_t*)0x200000000718 = 9; *(uint16_t*)0x20000000071a = 1; memcpy((void*)0x20000000071c, "syz1\000", 5); *(uint16_t*)0x200000000724 = 0x13; *(uint16_t*)0x200000000726 = 1; memcpy((void*)0x200000000728, "broadcast-link\000", 15); *(uint16_t*)0x200000000738 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000073a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 1, 7, 1); *(uint16_t*)0x20000000073c = 8; *(uint16_t*)0x20000000073e = 2; *(uint32_t*)0x200000000740 = 0x187; *(uint16_t*)0x200000000744 = 8; 
*(uint16_t*)0x200000000746 = 4; *(uint32_t*)0x200000000748 = 0x40; *(uint16_t*)0x20000000074c = 8; *(uint16_t*)0x20000000074e = 1; *(uint32_t*)0x200000000750 = 0x10; *(uint16_t*)0x200000000754 = 0x24; STORE_BY_BITMASK(uint16_t, , 0x200000000756, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 1, 7, 1); *(uint16_t*)0x200000000758 = 8; *(uint16_t*)0x20000000075a = 2; *(uint32_t*)0x20000000075c = 0xc0fb; *(uint16_t*)0x200000000760 = 8; *(uint16_t*)0x200000000762 = 2; *(uint32_t*)0x200000000764 = 0; *(uint16_t*)0x200000000768 = 8; *(uint16_t*)0x20000000076a = 2; *(uint32_t*)0x20000000076c = 3; *(uint16_t*)0x200000000770 = 8; *(uint16_t*)0x200000000772 = 4; *(uint32_t*)0x200000000774 = 6; *(uint16_t*)0x200000000778 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000077a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 1, 7, 1); *(uint16_t*)0x20000000077c = 8; *(uint16_t*)0x20000000077e = 1; *(uint32_t*)0x200000000780 = 0x18; *(uint16_t*)0x200000000784 = 8; *(uint16_t*)0x200000000786 = 2; *(uint32_t*)0x200000000788 = 0x80000000; *(uint16_t*)0x20000000078c = 8; *(uint16_t*)0x20000000078e = 2; *(uint32_t*)0x200000000790 = 2; *(uint16_t*)0x200000000794 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000796, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 1, 7, 1); *(uint16_t*)0x200000000798 = 8; *(uint16_t*)0x20000000079a = 4; *(uint32_t*)0x20000000079c = 0xfffffff2; *(uint16_t*)0x2000000007a0 = 8; *(uint16_t*)0x2000000007a2 = 3; *(uint32_t*)0x2000000007a4 = 7; *(uint16_t*)0x2000000007a8 = 8; *(uint16_t*)0x2000000007aa = 3; *(uint32_t*)0x2000000007ac = 0xd0; *(uint16_t*)0x2000000007b0 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x2000000007b2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 1, 7, 1); *(uint16_t*)0x2000000007b4 = 8; 
*(uint16_t*)0x2000000007b6 = 1; *(uint32_t*)0x2000000007b8 = 0xf; *(uint16_t*)0x2000000007bc = 8; *(uint16_t*)0x2000000007be = 4; *(uint32_t*)0x2000000007c0 = 0x401; *(uint16_t*)0x2000000007c4 = 8; *(uint16_t*)0x2000000007c6 = 1; *(uint32_t*)0x2000000007c8 = 9; *(uint16_t*)0x2000000007cc = 0x54; STORE_BY_BITMASK(uint16_t, , 0x2000000007ce, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 1, 7, 1); *(uint16_t*)0x2000000007d0 = 8; *(uint16_t*)0x2000000007d2 = 3; *(uint32_t*)0x2000000007d4 = 0xe6a9; *(uint16_t*)0x2000000007d8 = 8; *(uint16_t*)0x2000000007da = 4; *(uint32_t*)0x2000000007dc = 7; *(uint16_t*)0x2000000007e0 = 8; *(uint16_t*)0x2000000007e2 = 3; *(uint32_t*)0x2000000007e4 = 0x10000; *(uint16_t*)0x2000000007e8 = 8; *(uint16_t*)0x2000000007ea = 3; *(uint32_t*)0x2000000007ec = 0x2000; *(uint16_t*)0x2000000007f0 = 8; *(uint16_t*)0x2000000007f2 = 2; *(uint32_t*)0x2000000007f4 = 9; *(uint16_t*)0x2000000007f8 = 8; *(uint16_t*)0x2000000007fa = 3; *(uint32_t*)0x2000000007fc = 6; *(uint16_t*)0x200000000800 = 8; *(uint16_t*)0x200000000802 = 4; *(uint32_t*)0x200000000804 = 0x81; *(uint16_t*)0x200000000808 = 8; *(uint16_t*)0x20000000080a = 3; *(uint32_t*)0x20000000080c = 0x3ff; *(uint16_t*)0x200000000810 = 8; *(uint16_t*)0x200000000812 = 1; *(uint32_t*)0x200000000814 = 0x19; *(uint16_t*)0x200000000818 = 8; *(uint16_t*)0x20000000081a = 1; *(uint32_t*)0x20000000081c = 0x1a; *(uint16_t*)0x200000000820 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000822, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 1, 7, 1); *(uint16_t*)0x200000000824 = 8; *(uint16_t*)0x200000000826 = 1; *(uint32_t*)0x200000000828 = 1; *(uint16_t*)0x20000000082c = 8; *(uint16_t*)0x20000000082e = 2; *(uint32_t*)0x200000000830 = 0x79; *(uint64_t*)0x200000000848 = 0x2b4; *(uint64_t*)0x200000000898 = 1; *(uint64_t*)0x2000000008a0 = 0; *(uint64_t*)0x2000000008a8 = 0; 
*(uint32_t*)0x2000000008b0 = 0x4040811; syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000880ul, /*f=*/0ul); break; case 8: syscall(__NR_read, /*fd=*/r[0], /*data=*/0x2000000008c0ul, /*len=*/0x1dul); break; case 9: *(uint64_t*)0x200000000980 = 6; *(uint64_t*)0x200000000988 = 0x200000000940; *(uint64_t*)0x200000000940 = 0x904e; *(uint64_t*)0x200000000948 = 1; *(uint64_t*)0x200000000950 = 9; *(uint64_t*)0x200000000958 = 6; *(uint64_t*)0x200000000960 = 0xe; *(uint64_t*)0x200000000968 = 5; syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x4010801d, /*arg=*/0x200000000980ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 4, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; memset((void*)0x20000000004a, 255, 6); *(uint8_t*)0x200000000050 = 8; *(uint8_t*)0x200000000051 = 2; *(uint8_t*)0x200000000052 = 0x11; *(uint8_t*)0x200000000053 = 0; *(uint8_t*)0x200000000054 = 0; *(uint8_t*)0x200000000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x200000000056, 1, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0x7f, 4, 12); *(uint16_t*)0x200000000058 = 0x1f; *(uint8_t*)0x20000000005a = 0x8c; *(uint8_t*)0x20000000005b = 0x18; 
*(uint16_t*)0x20000000005c = 0x5d9; memcpy((void*)0x20000000005e, "\x8e\x85\x14\x4c\x64\x33", 6); memcpy((void*)0x200000000064, "\xe0\x23\xfb\xed\x51\x30\x11\xc5\x70\x7e\x45\x24\x72\xe2\x05\x5d", 16); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x34); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memcpy((void*)0x2000000000c0, "\x3a\x38\x64\x65\xf3\x89\x38\x0e\x26\xb0\xcb\x13\xf9\x8a\x36\xe2\x21\x4f\x09\x9e\xe0\xd0\xb2\x9b\x75\x4e\x31\xd6\xef\xc8\x2c\x04", 32); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/0x20, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_path_truncate\000", 22); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xda\xa4\xed\x40\xf7\xcf\x4d\xa8\x63\x77\xe8\x64\xd8\xe6\xc6\xd4\xfc\x54\x86\xaf\x4a\x6f\x23\xde\xa5\x8b\x32\x43\xa2\x91\xb0\x18\x0d\xba\xf5\xc9\x27\x58\xaf\x73\xf9", 41); memcpy((void*)0x200000000200, "\x40\xf2\x76\x85\x6b\x81\x91\xc4\xf3\x12\x75\x9d\x79\x5a\x22\xc3\xc7\xed\xc9\x16\x78\x79\x4f\x4e\xea\xc4\x57\x46\xfc\xc9\x93\x07\x22\xc8\x18\x9b\xa5\x95\x65\xf7\x32\x7c\xbc\xd4\x50\x61\x64\xeb\x9f\x6f\xf1\x75\xf1\xf0\x8d\x60\x24\x70\x91\x77\x2c\x18\x5a\xc3\x83\x04\xe9\xb5\xb3", 69); res = -1; res = syz_clone(/*flags=CLONE_NEWUTS|CLONE_VFORK*/0x4004000, /*stack=*/0x200000000140, /*stack_len=*/0x29, /*parentid=*/0x200000000180, /*childtid=*/0x2000000001c0, /*tls=*/0x200000000200); if (res != -1) r[3] = res; break; case 14: res = syscall(__NR_getpgrp, /*pid=*/r[3]); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x800; *(uint64_t*)0x200000000508 = 0x200000000280; *(uint64_t*)0x200000000510 = 0x2000000002c0; *(uint64_t*)0x200000000518 = 0x200000000300; *(uint32_t*)0x200000000520 = 0x12; *(uint64_t*)0x200000000528 = 0x200000000340; *(uint64_t*)0x200000000530 = 0x66; *(uint64_t*)0x200000000538 = 0x2000000003c0; *(uint64_t*)0x200000000540 = 
0x2000000004c0; *(uint32_t*)0x2000000004c0 = r[3]; *(uint32_t*)0x2000000004c4 = r[3]; *(uint32_t*)0x2000000004c8 = r[3]; *(uint32_t*)0x2000000004cc = r[4]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = -1; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000280; r[7] = *(uint32_t*)0x2000000002c0; r[8] = *(uint32_t*)0x200000000300; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000001680 = 4; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000001680ul); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000004a80 = 0x80000000; *(uint32_t*)0x200000004a84 = 0xee01; *(uint32_t*)0x200000004a88 = 0xee01; *(uint32_t*)0x200000004a8c = 5; *(uint32_t*)0x200000004a90 = 0xfffffff8; *(uint32_t*)0x200000004a94 = 1; *(uint16_t*)0x200000004a98 = 0x6bc1; *(uint32_t*)0x200000004a9c = 0x40; *(uint64_t*)0x200000004aa0 = 0xffff; *(uint64_t*)0x200000004aa8 = 0x2265; *(uint64_t*)0x200000004ab0 = 0xfffffffffffffff8; *(uint32_t*)0x200000004ab8 = r[3]; *(uint32_t*)0x200000004abc = r[8]; *(uint16_t*)0x200000004ac0 = 0xfffa; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000003a40; memcpy((void*)0x200000003a40, 
"\x89\x17\xf9\x6e\xff\x00\x1e\x00\x64\x91\xda\x94\x8f\x25\xc3\xac\x36\x65\x39\x2d\x07\x7a\x28\x78\xa0\xc4\x71\x86\xfb\xb5\x96\x00\xe8\x72\x5c\x57\x48\x93\xc0\xd6\x45\x65\x1c\xd4\x96\xd4\xd6\xc4\x3d\xd8\xd9\xe3\xce\xca\x2e\x2a\x35\xfd\x60\x78\x5c\xd7\x7e\xc5\xc5\xee\xd5\xea\x44\xa8\x53\x76\x9a\x52\xcb\x3e\x89\xd0\x6c\x09\x95\xf7\x7e\x9b\x7e\xcc\x68\xfa\x52\x1a\xc4\xb1\x93\xee\x67\xdc\xce\xc0\xa7\xd1\x3f\x3c\x06\x8e\xe0\x46\xa9\xa1\x42\x01\x1c\xd4\xba\x8e\x67\xf3\x81\xe1\x67\x45\xd8\x1a\x2b\x5b\xf1\x1f\x4e\xf0\x01\x43\x30\xc9\x5f\x0f\x5b\xc8\x9d\x00\xf1\x61\x29\xa9\x63\x77\x82\xe5\xa6\xf4\xd9\x22\xe0\xf0\x74\x57\xee\x51\x5e\x1b\xbf\x56\x54\x90\x6d\x88\x7b\xa0\x2b\xee\x66\x4d\xa7\x2a\x51\xb5\xdc\xdf\x4b\xec\xca\x2d\x80\x67\xe3\x57\x53\xc0\x31\x23\x59\xef\xb6\xda\x86\x14\x9a\xfc\x10\x10\xd0\xc6\xc8\x6c\xc9\xc8\x83\x1c\xa1\x27\x6c\xa9\x68\x81\x1c\x87\xba\xab\x12\x1c\x9d\x81\x72\x73\x19\x6e\x97\xae\x66\xf3\x97\x66\x7e\x02\x3f\xc2\x33\x19\xc2\x4f\xa8\x23\x57\x22\x26\xfb\x74\x8a\xc5\x4f\xf5\x28\x23\x6b\x07\x81\xa2\x0e\xd5\x2e\x11\x69\x27\xa2\x2b\x11\xe0\xb8\xac\xeb\x36\xd2\xcf\x4a\x78\xeb\x34\x65\xfc\xb9\xc9\x49\x3e\xad\xd4\x46\x86\x76\x6f\xb2\x6d\x4d\x0a\x54\xd0\x28\x27\x3a\x5c\x60\x53\x88\x53\x4e\x49\x37\xf1\x8c\xa9\x05\x32\x44\x5f\x94\x66\x51\xf3\x63\x4e\x9b\x36\x5b\xb8\xed\x72\x42\xb9\x12\x31\xba\x06\x34\x7e\xab\x1f\x32\x00\x96\x37\x4f\xbd\x8a\x7a\x94\xc2\xfa\x71\x54\x41\x5c\x92\x3f\xd6\x6c\xd6\x26\x48\x9e\x7c\x79\xca\xd3\x9b\x66\xb0\x67\x4b\x94\x39\xb5\x7b\x79\xec\x79\x03\xd3\x5e\xc3\x14\xdb\x9d\x7e\x41\x5d\xf3\xc4\xf7\x55\x14\xb1\xc8\x3e\x9b\x6b\x27\x1d\xab\xeb\xd3\xb7\x93\xa7\x8a\xd5\xba\xef\x25\x39\x39\x34\xbc\x1b\x49\x69\xeb\x61\x28\xd3\x52\x14\x90\x47\x0f\x25\xe7\xa4\x7b\x13\xee\x0c\x47\x72\xd0\x47\x3d\xa5\x18\x44\x1b\x7b\xd3\x62\xbc\x99\xb0\x9c\xf6\x96\xbe\xb9\xe5\xf9\xd3\xd5\xe8\x8e\x9e\x96\x0e\x25\x9e\x4f\xe6\x7c\xfa\x3b\x2a\xbd\xe1\x00\x10\xf3\xc6\xa6\x0d\x26\x9a\xd1\x3e\x59\x05\x2e\x8a\xb9\x51\x40\x1d\xde\x34\x5c\x4f\xed\x4f\xea\x6d\x91\xb8\x4d\xae\xee\xbf\x4
5\xfa\x79\x98\xee\x41\xda\x06\x87\x5e\x7b\xc4\x8d\x9d\xe5\x4d\xe3\x6d\x9e\x27\x49\x5f\xe7\xe8\x8e\x02\x4e\x7d\xd3\x58\x7d\xcb\xc7\x1c\xd4\x33\xb7\x1a\x4d\x97\x2b\x02\x65\x59\xef\xbf\x17\xc2\xb0\x2b\x23\x57\xb9\xd9\x13\xa7\x64\xc9\x5c\x5a\xa7\xb3\x2f\xd2\xc0\xb6\x2b\x47\xf2\x7e\x47\x85\xe7\x6d\x85\x62\xb4\xe4\x3e\xdc\x6d\x61\x0d\x2b\x97\xdd\x1a\x1e\xe6\x5b\xd1\xef\x89\xe0\x11\x0b\x14\xc2\x02\x5b\x04\xb8\xcf\x16\xf0\xc2\xc1\xab\x89\xad\x30\xbd\xbd\x8b\x98\x94\x27\x8b\x4b\xe8\xd0\x81\x55\xec\x0c\xd2\x0f\x54\x4f\x18\xa4\xf2\x6a\x98\x0d\xec\xac\x1c\xe2\x94\x21\x27\xd8\xd0\x35\x0d\xc4\xa9\xa3\x29\x30\xaf\x33\x53\x18\x22\x31\x9d\xd1\x39\xe2\x7c\xf7\x69\xd0\x68\x87\x96\x08\xc2\x51\x7d\x59\x96\x5f\xbf\xfe\x98\x79\xaf\xd4\x87\x87\x5a\xd2\x39\x58\x6b\xbe\xca\xd1\xb0\x0e\x13\x77\x20\x3a\xbe\x3f\xc5\x82\xfa\xaf\x4f\x9e\x08\xe5\x76\x58\x81\x22\x09\xb3\xa8\x65\x3b\xf3\x9e\x12\x6b\x79\x47\x4c\xed\x54\xb7\x4f\xd4\x77\xb0\x3a\x80\x90\x6e\x34\x6d\xfc\x7f\x5a\x86\x41\x0f\x6b\xbc\x64\xa7\xff\x88\xc3\x7a\xa1\xd1\x87\x13\x31\xad\x2a\x63\xfe\xce\xa9\xb4\x3d\x3f\xad\x06\x2d\xe7\x0d\xdd\x1c\x77\x3a\xe6\x25\x68\xff\x3b\xe8\x04\x58\x3d\x3a\x5a\x10\x79\x68\x13\xcd\x4b\x51\xf6\x7b\x09\x91\x0b\x42\x7e\xb9\x28\x04\xe7\xf2\x7a\xdc\xd8\xec\x9a\xfb\x24\xe3\x15\x1b\x48\xa3\x8c\xc5\x99\x27\x99\xdf\x37\xe5\xcf\x6a\xd5\x77\x94\x1a\xd7\xe2\xca\xf1\x56\x19\x23\x69\x27\x34\x2e\x87\xb5\xb2\x60\x47\x37\x16\xa9\xba\xd7\x0b\x39\x51\xf7\x26\x5c\x20\xc0\x00\x85\x26\x67\xfd\xe0\xc4\xb7\xf2\x7a\x32\xb7\xee\x13\x3c\xbc\x65\xba\x4d\xc3\x91\x0c\x23\x75\xe1\x95\xba\x76\x54\xe2\xd2\xd4\x5f\x91\x6e\x47\xf1\x07\x59\x5a\xdc\x63\x24\x78\x40\xdf\x4e\xca\xeb\x96\x40\xfb\x66\x19\x86\xad\xd0\xdd\x02\x79\x6d\x58\x10\xf5\x1c\x93\xfd\xcf\x89\x74\xda\x1f\x10\x14\xf2\xf4\xad\xb1\x6f\x04\xe7\x33\xb5\x3a\xc2\xe8\xb4\xa8\x53\xe9\x3a\x93\x5a\x73\x20\x28\xc8\xe3\xec\x12\x0f\xc5\x41\xe5\x12\x6f\x2d\x88\xdd\x4b\xbc\xa0\x6f\xa6\x10\x16\x34\x64\xcb\x17\xf4\x5e\x7a\x2b\xe0\xe5\x1d\x8e\x45\xe3\x7c\x50\x91\xd7\x62\xce\x5b\xfd\xb6\x93\x53\xba\xf
b\x95\x5c\x25\x54\x47\x02\xdc\xf7\xd1\x39\x4a\xac\x7a\x49\xa0\x78\x7f\xf1\x68\x74\x25\xa3\x75\x24\x9c\xa3\x78\xbc\x4f\x4a\xa2\x4a\xbc\xa2\x4a\x87\x1f\xd6\x74\x25\xb2\xf6\x60\x93\xb5\xb9\x87\x24\x99\xec\x85\xfa\xef\xfb\xf4\x3f\x0a\x4d\x3e\xfb\x5c\xea\xe7\x05\xa1\xa8\xe1\xf2\xbf\x79\xf5\x53\xc1\xc9\xf3\x8b\xd0\x9f\x93\xa8\x22\xbe\xb4\x54\x74\x4d\xd1\x17\x7e\xea\x67\xb7\xbd\x6c\x42\x1e\x58\x24\x62\x02\xab\x90\x2f\x79\xe0\x15\x5f\x1d\xe2\xbf\x22\x6f\x61\xbb\x39\xbf\xc2\xfb\xa3\x47\x9f\x25\xee\xa7\xf0\x1f\x70\xbc\x08\xa9\x8e\x88\x74\xe5\xd1\x38\x42\x83\xb9\x96\x07\xea\xa5\x2e\x89\x54\x90\xbd\xb2\x1c\x81\xcb\x3b\x37\x91\xc1\xde\xce\x0e\xbc\xe6\x7c\xc4\x5b\xcb\xa2\x99\xbb\x89\x2c\x9d\x19\x50\xbf\x33\x5e\x95\x4f\xd3\x03\xc6\x5e\x1a\xfe\xc4\x8a\x3d\x3e\x10\xa4\x04\x35\x2a\x13\x02\xef\xce\xbe\x12\x54\xeb\x2b\x25\xd6\xf4\x50\xb2\x6a\x3f\x1b\xd7\xf5\x77\xe5\x4c\x95\xe5\x66\x11\x74\xd3\x27\x82\xfe\x6b\x11\x99\x65\x42\xfe\x1b\x97\x51\x39\x62\x88\xd2\x7a\x47\xe3\xc9\x8d\x1c\xc3\xf3\xab\x55\x8b\xa3\xe8\x2a\x6c\x3e\xd4\x84\x0f\x4e\x3d\x79\x36\x95\x73\xc3\x75\x34\x07\x3e\x79\xad\xfd\x23\x23\x83\x2b\x65\xe7\xa6\xc4\x5b\x72\x57\x91\x38\xe2\x26\x29\x1d\x27\x00\xda\xc3\xa1\xcc\x91\x61\x40\xf5\x4c\xb2\x8b\x34\x70\x85\x61\x89\x81\x25\x44\x36\x6f\x75\x7c\x0a\x29\x4e\xe2\xb5\xbf\x6c\x30\x8a\xd4\xdf\x23\x0d\x5a\x74\x3b\x8c\xf7\xa1\xf6\x4a\x30\x61\x98\x3f\x22\x38\x50\x26\x2c\x75\x74\xae\x48\x0a\x02\xf6\x8c\x04\x3b\xa7\xaa\x82\x2f\xf6\x45\xd4\xe4\x48\x2c\x14\xcb\xb5\x8c\x15\xf6\x5c\x98\xd1\x69\x2f\x93\x9d\x0d\x95\x58\x50\x45\x42\x4a\xbe\x5e\x58\x65\x14\x77\xf9\x1d\x0c\x1d\xaf\xb3\xf3\x3a\xf9\xe6\x9b\x79\x4e\x13\xeb\x0c\x42\x9d\xe9\xb9\x2b\xbc\x5f\x92\x82\xa2\xe6\xc9\x11\x9f\x6f\xd8\x60\x3f\xe1\x1a\xf2\xd5\x16\xc9\xa7\xad\x38\xe3\x33\x7b\x96\x9c\x3d\x95\x93\xf0\xd4\xac\x95\xc4\x4e\x7f\x47\xe8\x10\xf6\x97\x0a\x1a\x6f\x18\xf2\x09\xfe\xdc\x35\x65\x6d\xc5\xc5\x36\xb0\x39\x6a\xed\xaf\x83\xca\x46\x65\x5e\xdc\xc4\x08\x8c\x6f\xcf\xfa\x68\x9a\x87\x83\x09\xc1\x76\x7b\x21\x87\xc9\xb5\xfa\x57\x5e\xfd\x80\xe
0\x57\x4a\x57\x76\x73\xb4\x5e\xda\xc8\xb1\xc9\x12\xce\x60\xcd\x18\x29\x0d\x31\x02\x5c\x80\xeb\xa3\xd9\x97\xe4\x79\x2b\xe2\x3a\x49\xc0\x09\x4e\xe2\x85\x48\xfa\x33\x27\x5e\x6c\x28\x0b\xb6\xe0\xa0\xaa\x8e\x79\x04\xc6\x41\xcb\xcb\x3d\x99\x49\x46\xf0\xe4\xc6\xd6\xb1\x91\xd3\x46\x53\x64\x79\x3a\x69\x7f\x2c\x25\xd1\x30\x92\x3c\x79\x9a\x3a\x8d\x71\x69\xa3\x7a\xc2\x9b\xdd\xfb\x76\x6d\x51\x30\xb5\xe4\xbd\x43\x97\x8a\xad\x35\x49\x05\x2c\xf6\xf5\x64\x76\x80\x52\x03\x23\x46\xae\xf8\xf5\x84\x4b\x97\x04\x84\x2c\x0f\x1f\xa7\xd2\x6c\x69\x71\x88\xc0\xe8\x64\x16\x58\xd6\xd2\x99\xa6\x1f\xf1\x40\xa4\xb9\x4f\x04\xf6\xec\x06\xff\xca\x6e\x57\x4b\xdd\x60\x03\x72\xed\x5d\x16\x6a\xee\xae\x4f\x24\xe1\xec\x3c\x21\x2f\x05\xaa\x85\x37\xf0\xab\x83\x1e\x47\x2f\x32\x16\x4a\x08\x87\xc6\xf4\xe4\x25\x32\x56\x5f\x05\x5a\x8c\xd4\x35\xe9\xcc\x91\x08\x96\x7e\x42\x2c\x6d\x0e\x74\x06\x33\xc9\x77\x84\x71\xef\xa8\xa4\x4a\xb5\x5a\x06\xbd\xb6\xb8\x17\xf8\xa6\xcc\x55\xd5\x2a\xce\x6e\xc4\x38\xad\x4f\xbe\xe7\xc6\x4e\x00\xfc\x65\xc7\x6a\x36\x16\xc3\x5f\xb7\x1b\xb6\x08\x4f\x44\xf8\x08\x3d\xff\x56\xd7\x71\xe1\xd3\x23\x58\x4b\x82\xf1\x05\xe0\xa2\x11\xce\xae\x9a\xfc\x0f\x5e\x61\xa2\x64\x94\x76\x44\x0c\xf6\x8d\x9a\xbf\xfb\x48\xde\xcd\x0e\x8d\x2e\xd1\x09\x07\xd3\x5e\x39\x0d\xaa\x1e\xef\x83\xda\xc8\xab\x44\xe2\xac\x58\x86\xf6\x23\x5f\x6b\xd7\xb6\x9f\xf3\xc0\x98\xb5\x58\x89\x49\x08\xd4\xcd\x28\x24\x7f\xb6\xec\x4b\xb5\xb1\x63\xf6\xb2\xee\xf3\x86\xe7\xce\x26\xde\x75\x9b\xd6\xe2\x4e\x46\xaa\x2b\x38\xf0\xa4\xe6\xa4\x78\x5a\xf1\x4b\xd6\x03\x5a\x32\x6c\x29\xaf\x21\x5a\x4c\x1c\x45\xae\x76\x7b\xd7\xe6\xdb\x1b\xae\x69\xbe\x04\x5e\xf0\xb1\xeb\x39\x34\xac\x5e\xbe\x3a\x4c\x1d\xd5\x9b\xb9\x60\x53\xbe\xeb\x55\x61\xb5\x21\xc4\x78\x52\xd9\xa2\xc6\x6c\xfa\xf8\x2c\x2a\x01\x6e\x5d\xe7\x29\xea\x0e\x0c\xe4\xf9\x80\x85\x79\x2b\x5e\x5a\x80\x2c\xd7\xfb\xac\x9e\xf3\x8e\x20\x3e\xbb\x36\x51\xf1\xb3\x0a\xf6\xea\x29\xfa\x17\x9f\x8b\x19\x26\x41\x60\x4b\xe0\x29\x29\xda\xff\xad\xd6\xc9\x7b\xa4\xcd\x56\x79\x0c\xc2\x43\xd0\x47\x0e\xb8\xc1\xae\x78\x12\xda\x6
6\x6b\x0b\x32\x9f\xb3\xf0\x4f\x78\xe2\x5a\xd1\x7b\x4b\x39\x78\x13\x82\xad\x93\x7e\x08\xad\x34\x48\xb6\x32\x38\x18\x5b\x98\x22\x42\x19\x0f\xd1\xe4\xad\x8f\xbb\xa5\x5d\x6a\xbf\x96\xe0\x16\xe1\xd9\x8d\x37\xd5\x1c\x2e\xe1\xe4\x1f\x54\xf8\xac\x7e\x03\x8e\x36\x16\xf5\x69\xd0\x24\x69\x0e\xa3\x03\xbe\xc6\x98\xbe\xb9\x8b\x9e\xa4\x9f\x6b\x87\xe3\xf7\x10\x49\x97\xa6\xad\x7d\x33\xdb\x8f\xb7\x9a\xda\x8c\x5f\x7f\x54\xee\x17\xf7\xb3\xd8\x6a\xa1\x53\x2b\x43\x9c\xd8\xde\x90\xb5\xfd\x7f\xc3\x32\x56\x80\x06\x1d\x93\x19\xd1\x83\x5e\x60\x3f\xaf\x79\x33\xbf\xd6\x0d\x73\x39\x65\xf0\xf2\x5a\xdf\x39\x45\x09\x2b\xb9\x9e\x95\x34\x66\x02\xfa\xf6\xaa\xbe\xb3\x3c\xbc\xa3\xb2\x19\xb4\xf8\xaf\xaf\xe8\x25\xc6\x62\x7c\x0c\x7b\x00\xc3\x38\x75\xb6\x9d\x01\xc0\x8b\x90\xe6\xfa\x64\xf0\x9b\x42\x93\x2e\x1c\xcc\x9b\x3d\xa3\x67\x71\x66\x7d\x5b\xb7\x53\x1a\x2a\xc1\x74\xbc\x41\x2d\xff\xad\x7c\x6f\x8f\xd4\xda\xd3\x30\xfb\x41\x5a\x97\xe8\x13\x6c\xd5\xc0\xbb\x7d\x00\xd2\xb2\xc9\x56\x93\x6c\x9f\x5f\x74\x7e\x3c\x9a\x36\x1d\x79\xd0\x48\xcb\x3f\x52\x8f\x18\x7f\x9b\xba\x5d\x78\xd7\x30\x9b\x1b\x25\x6f\xbb\x34\x9c\xd5\x29\x45\x54\x1a\x5a\x57\x80\x9f\x2d\x71\xa8\xe8\x05\x57\xb2\x3b\xe4\xfb\x31\xca\xdd\xc5\x95\x53\xb6\xbc\x0f\xaa\x16\x5e\x4a\xb1\xf8\x27\x9c\xa6\xe3\x07\xce\x79\x20\xc4\x3b\xdb\xad\xec\x04\xef\x8b\xe7\x0d\x57\xaf\x59\x8d\x1d\x8a\x89\x6a\x09\x52\xb2\x3c\xba\x46\x4e\x0e\x9b\x36\x25\xf9\x93\xdc\x12\xc8\xf7\x74\xe8\x7d\xa0\x51\xec\xa4\x9b\xd1\x4e\x4e\x2e\x27\x0c\xf7\x5d\xc8\x34\x3b\x2a\xd4\xb0\xa2\x17\x8c\xb5\x57\xc6\xd0\xeb\x1a\x0b\x23\xed\x92\x58\x0c\xe5\xad\xa7\x8c\x2b\xb1\x0d\xdd\x25\xd4\xbb\x14\x7d\x61\xa0\x0f\x5e\x1d\x1d\x5c\x88\x8d\x47\x42\x4c\x04\xde\x7d\x41\x38\x4e\x2c\x68\x8a\x57\x35\x8d\x05\x81\x4a\xd9\x17\x13\x5a\x80\xec\xcd\x1d\x1f\x14\x72\x42\xa5\xda\x4d\xad\x08\x38\x32\x2e\x9a\x2f\xa5\x31\xfb\xb6\xb0\x83\x2b\x67\x00\xf8\x72\x79\x84\x6c\xe2\x33\x16\x79\xb8\x2f\x04\xfe\x1b\xe1\xe8\xce\x9f\x61\x0b\x63\xff\x30\xad\x0b\x76\x97\x78\x17\x73\x9a\x29\x5c\x9e\xc9\xdc\xf1\x1f\x81\xa6\x76\x19\x40\x73\x04\xc
1\xd5\x94\xc5\x19\x6d\xb1\xbd\xeb\xfe\x03\xf2\x2a\xda\xac\x92\x53\xd7\x53\x96\x71\x38\xbc\x9d\x2c\xf4\x73\x54\x91\xd2\x74\x5c\x23\xe5\xd2\x29\xc7\x46\x27\xdd\x19\x1b\xc6\xc0\x38\x51\x39\x14\xdb\xdc\xfa\xcb\x8b\xcb\x28\x14\xdc\x52\x5e\xda\xd8\x89\x52\x09\x99\xfc\xe6\x44\x69\xc6\x06\x94\x40\x59\x61\x51\x84\x41\xc3\xe8\x44\x53\xaf\xa3\x49\x9e\x3a\x89\x83\xb5\x7f\x94\x59\x3e\x86\x64\x71\x9d\x5e\x65\x98\x42\x2b\xb8\xcb\xc5\x16\x20\xb2\x59\x41\x3b\xea\x16\x49\x0b\xbe\x6c\x9a\x72\xbf\x21\xf6\xb4\xd4\x99\x37\x1a\xd9\xfc\x82\x77\xdd\x3f\x2f\x75\x23\xcc\x5e\x6c\xee\xbf\x74\xfc\x39\x44\x13\x6b\x2d\x56\xda\xa2\x04\x03\x74\x31\x9a\x1c\x83\xc3\xbb\x0c\x96\x2d\x32\x1d\x80\x39\x17\x0b\x98\xb6\x04\xc8\xed\x42\xc5\x96\x31\x4a\x01\x13\x9c\x9d\x36\xcc\xd6\xf2\xcb\xd3\x11\x3b\x2c\x9d\x4e\x19\xf0\x86\x94\x46\x36\x10\xa3\x68\xf8\xac\x74\xf2\x97\x94\xf1\x45\x60\xe0\xa3\xd4\x81\xc6\x73\x41\x0a\xd9\x46\x65\x81\xaa\x2a\x33\x4f\xf3\x80\xa1\x00\xfb\x04\x9a\xd8\x19\x6e\xb4\x78\x4e\xa1\xbe\xdc\x13\x9a\x70\x54\xf1\x8a\x8d\x44\xbc\xa0\xa3\xd0\x12\x2f\x5d\xc3\xa1\xc4\xd2\x9b\xde\x35\xe3\x32\xbd\xf2\x8c\xb9\xb9\x85\x43\xad\x3e\x33\x14\x3a\xf8\x79\x03\xb5\x62\x4f\x62\x30\x55\x98\xde\x27\x58\x33\x20\x8e\xc8\x37\x06\x82\xad\x9f\x0f\x9a\xc6\x4c\x43\x90\x44\xa2\xde\x30\x33\x46\x87\x34\xf4\x92\x66\x13\x88\x59\x69\x5b\x60\xa6\xfb\x45\xd7\x94\xb8\x71\xc1\x9c\xbe\xdf\x59\xb7\x64\x45\x3b\x78\xcf\xea\xd4\xc5\x01\xb1\xf8\xc0\xff\x82\x7b\x70\x29\x73\x92\x69\x7a\xdb\x13\xce\xff\x2f\x13\x9b\xff\x3b\xa2\x38\x79\x8a\x07\xfe\x5f\x55\xa0\xef\x5b\x75\xcc\xb4\x98\xbb\x89\x43\xba\xb4\xa6\x71\xf1\x25\xfb\x06\xf2\xe5\x9f\x77\xfd\xb0\x2c\xb2\x3e\x86\x87\x56\x8d\xc0\xd5\xc4\x86\x09\x94\xa3\x7c\xca\xb3\x65\xd7\xa7\x08\x03\xc6\xa6\xf4\x8f\x5b\x3f\xf1\xcb\xdd\x51\xd8\x96\x1f\x97\x3c\x70\x33\x75\xd2\x52\xe6\xc5\xa0\xff\x13\x3b\x59\x72\x43\x13\xf9\x88\x84\x1b\xd6\x1e\xc2\x97\x67\xa4\x60\x8a\x5b\xc4\x5b\x10\x4e\x4f\xc9\x82\x61\xe4\x54\x0a\x10\x38\x2a\x49\x5d\x64\xdd\x5f\x6c\x03\x90\x66\xd9\xd3\x58\xef\xb1\x66\x71\x17\x8e\x88\x4f\x0
7\x0a\x07\xfd\x02\xa0\x0b\x63\xb7\xf5\x75\xf6\x42\xbf\x91\xee\xc3\xbb\x90\xdb\xa9\xa2\x1d\xf3\x17\x9c\xf1\x2e\xa9\x52\x5d\x09\x74\xd6\xfc\x44\xbf\x69\xfc\x54\xf8\xa5\xff\x98\x67\x06\x67\x8d\x7c\xe0\x6c\xce\x44\xdf\x29\x74\xb9\x66\xe6\x7a\xca\x31\x4e\x0b\x58\xac\xc4\x15\x54\xa4\x42\xef\x35\x87\xab\xba\xf1\x82\x95\xec\xa5\x9c\xa8\xa1\x0e\xdd\x3f\xbd\x1f\xac\x0b\x06\x01\x3d\xe5\xf7\x33\x37\x51\xc5\x7d\xeb\x4d\xae\xf9\xe4\xc5\x5e\x93\x74\x1e\xd1\xd2\xf7\xf9\x63\xcd\xed\xc6\xef\xdb\x5d\x8b\x14\xd7\xd6\x12\xe2\x61\x2f\x30\x96\x6f\x4e\x67\x60\xd1\xa4\x6f\xbe\xe5\x0d\xcc\xff\xc0\xb2\xe5\x17\x7b\x1c\x60\x27\xad\xae\xe0\x90\x75\xb6\x55\xcf\x85\xdd\xbb\x4e\x44\x83\xd5\xde\x7b\x38\xa9\x10\xf9\x96\x71\x1c\x05\x8c\x1b\x97\xe6\x21\x27\x48\xc8\xcc\x7d\xe8\xcf\x7a\x56\xaf\x75\xe2\x91\x86\x7c\x26\x88\xe9\x99\xc6\x55\x3d\x7a\xaf\x3d\x2f\x62\xc2\xf5\x3b\xf8\x8c\xf2\x04\x40\x07\xdb\xe9\x29\x85\x65\x31\xb0\xad\x6b\x48\xa6\x11\x8b\xf3\x5c\xce\x82\x7e\x5d\x0c\xd2\xa1\x9b\x3f\xc3\x73\x95\xe1\xce\xd2\x13\x7f\x0c\x72\x6f\x5c\xc9\x91\x33\x3a\x0f\x07\x94\xda\x0b\x6d\x75\x73\x74\x21\x7e\xae\xbc\xbb\x6d\x87\x43\x1f\x08\x9a\x57\x10\x2c\xa5\x37\x3b\x8d\x73\x0a\x92\x02\x60\x59\xc6\xa8\x80\x94\xe9\xc6\x29\xd8\x1e\xcc\xf8\x6b\x4e\x8f\x09\x1d\x32\x55\x63\xd1\xf4\x01\x6c\x97\x97\x2c\x58\x4b\xc7\x6d\x1f\xb4\xed\x94\xb7\x21\x34\x4d\x00\xcc\x67\x24\xf5\x64\x9d\xfe\xd8\x4d\xc5\x11\x58\x3e\x1a\x08\xa4\x3c\x24\x09\x93\x41\x72\xff\x3f\x0d\xfc\x93\x99\x6b\x84\x79\xc0\x50\xdc\x19\x30\x9a\xa9\x98\xf7\x09\xed\xa3\xb3\xcf\x80\x6b\xec\x71\x7e\x17\x18\xb8\xcc\x10\x06\x0b\x33\x5c\x46\xf1\x7c\x52\x2a\xc0\xbb\x69\x6f\xb4\x39\x3a\x94\x50\xbe\x5f\xa7\x55\xea\x0d\x71\xb3\x0a\x84\x31\x51\x5c\x44\x63\x90\x15\x4b\xc2\xa4\x95\x1b\x3f\x15\xf4\x19\xce\x20\xb0\x30\x2b\xd9\x00\x25\xd8\x3c\x47\xa0\x18\xf6\x88\x6a\xb1\xfb\xb7\x57\x7d\x5c\x06\x6b\xab\x23\xd8\x41\x89\xcc\xff\x63\x40\xa3\xca\x41\xdf\x5c\x6d\x99\x4b\x26\xb8\xfc\x34\xc6\x90\xdf\xb2\x29\xc8\x37\x60\x22\x4b\xdc\xe8\xe8\x67\xd1\xf5\xa0\x97\x73\x6d\x3f\x19\xd8\x22\x9f\x91\x4
3\xac\x03\x70\x93\xd4\xcc\x32\xab\x10\x4b\x58\x28\xf1\xcc\x84\x49\x5a\x68\xd7\x67\xb7\xfb\xd7\x25\xd4\x34\x71\x9a\x36\x01\xb5\xfb\x23\x36\x4a\x5e\x41\x51\xc6\xf9\x15\xce\x53\xf7\xde\xbb\xb9\xf1\x5b\x81\x1c\xb0\x2b\xb8\x73\x94\xff\xb6\x1e\x8b\x8a\xe5\x74\x9d\xc7\x43\x2b\x51\x6b\x8a\x62\x79\x90\x53\x7b\x9c\xdf\xd2\xa0\x94\x39\xb7\xdc\x04\x39\x97\xe0\xf5\x90\x36\xab\x34\x70\xaf\x1b\xc7\x67\x10\x11\xe5\xb4\x72\xe3\xf6\xad\x45\x6b\xa7\x06\xd5\x50\x66\x1c\xbc\xf6\x10\x7e\x9b\x7e\xe4\x9a\x82\x05\x2d\x90\x1b\xb7\x9f\xb1\x8d\x82\x21\x6a\xee\xfa\x2e\x76\x39\x0f\x80\x94\x3c\xc8\x56\xa0\x08\xc7\x25\x6b\x84\xd8\x85\x7f\xa6\x34\xad\x7d\xd4\x50\x13\x86\xbb\xab\xe2\x38\xa5\x8a\xec\xb7\x7a\x0d\xe5\xff\xaa\xa5\x63\xa1\x96\x8b\x72\xb9\x2b\xa5\x8d\x1a\x1e\xf6\xf9\xed\x04\x9f\xf3\x8b\x7f\xc3\x42\x27\x46\x16\x31\xfe\xc6\x53\xe7\x81\xf1\x57\xec\x73\x86\x36\x2b\x66\x77\x8a\xfc\x89\x82\xcd\xae\x50\xe1\x29\xf4\x32\x9b\xfe\x35\xcd\x9d\xa3\xd5\x75\x22\x04\xfa\x72\x75\xcc\xbc\x01\xab\xf8\x5c\x6c\xf3\xab\x9e\xab\xb2\xea\x7a\x1c\x77\x9e\x67\x3d\x0f\x95\x16\xb1\x85\x15\x4d\xc8\x3c\xc5\xf6\x93\x70\xe3\x14\x19\x8b\x7f\xa8\x3c\xe5\xc5\xc9\x1c\x2c\x50\xe5\x44\x89\xb3\xa6\x70\xa3\x30\xa4\xe4\x9f\xca\x51\x7c\x83\xa9\x53\x2c\xbc\x7e\xdc\x84\x0c\xd0\x10\xb3\x7e\xcc\x75\x37\x45\x30\x16\xed\x1a\xb4\x45\xe4\x5f\xc1\x23\x8b\x14\xe2\xf8\xf9\x31\x66\xcb\xf7\xd3\x8b\x85\x28\xba\xa0\xfa\xd3\xe9\xe7\x6f\x4b\x32\xee\xbb\x60\x52\x68\x81\x62\x0b\xca\x5b\x11\xac\x06\x3d\xbe\x21\x69\xe5\x43\x78\x43\xf6\xd2\xd4\x86\x85\x5a\xd5\xf1\x92\xb2\x68\xb2\xf3\xeb\x25\xde\xea\xbd\x2d\xe8\x9c\x48\xba\x28\xf1\xee\x2c\x84\x65\x86\x56\xc3\x37\x33\x9b\x53\xac\xf9\x88\xba\xf2\x9a\xc5\xc9\x19\x9e\xc7\x91\x2b\x28\x94\x09\x34\xbc\x02\xb1\x31\xd1\x46\x13\x54\x62\x6b\x69\x08\x35\xba\x09\xab\xaf\xa0\xca\x7f\x51\x55\x79\xe5\x33\xc4\xbb\xfd\xa2\xbc\x9f\x2f\xae\xdd\x35\x38\xce\x8c\x1e\x36\x06\xea\x98\x39\x5e\x0f\xf8\x84\x92\x04\x5f\x47\xcc\xa8\x5f\x4a\xf1\x6f\x95\x0a\xbb\xf3\xf2\x22\x9d\xe5\x8e\xa2\xb4\x56\x92\xd4\xba\x84\x3e\x70\xe5\xae\xed\x2
9\xf6\x88\x07\x13\x8a\xaf\x5c\x99\x4b\x30\xd4\x73\x11\xeb\xb9\x69\x10\x76\x77\xdc\xf0\x07\xf6\x4d\x0b\x32\xc3\x60\x0c\xd3\x2b\xd4\x2c\xa6\x9e\xe4\x6d\x78\x6c\xf0\xcf\x94\x96\xbc\x51\x60\x2c\x98\x9f\xc5\x4f\x76\xc4\xd3\x83\xce\x41\x4a\xf4\x5f\xc9\x48\xe5\xb9\x71\xe3\x02\x0a\xf4\x47\xc5\x89\xb0\x99\x56\xc9\x03\x3d\x09\x04\xd6\x44\x5d\x7e\x9f\xff\x7c\x90\x39\x39\xf7\x9c\x2d\x4c\x30\xb6", 4096); *(uint64_t*)0x200000004ad0 = 0x200000004a40; memcpy((void*)0x200000004a40, "\x88\x4f\x38\x13\x09\x89\x6a\x88\x17\x38\x89\x99\x4e\x74\xc6\x06\x94\xf7\xba\xa4\x5b\xe0\x88\xe5\x9b\xc3\xe9\x39\x72\x82\x57\xe8\xd2\xdb\x71", 35); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[10] = *(uint32_t*)0x200000004a88; break; case 19: *(uint32_t*)0x200000004d40 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000004c40ul, /*optlen=*/0x200000004d40ul); if (res != -1) r[11] = *(uint32_t*)0x200000004c74; break; case 20: *(uint32_t*)0x200000004e00 = 7; *(uint32_t*)0x200000004e04 = 0xee00; *(uint32_t*)0x200000004e08 = -1; *(uint32_t*)0x200000004e0c = 8; *(uint32_t*)0x200000004e10 = 0x80; *(uint32_t*)0x200000004e14 = 5; *(uint16_t*)0x200000004e18 = 0xfffc; *(uint32_t*)0x200000004e1c = 1; *(uint64_t*)0x200000004e20 = 7; *(uint64_t*)0x200000004e28 = 5; *(uint64_t*)0x200000004e30 = 0xbed1; *(uint32_t*)0x200000004e38 = r[5]; *(uint32_t*)0x200000004e3c = r[7]; *(uint16_t*)0x200000004e40 = 1; *(uint16_t*)0x200000004e42 = 0; *(uint64_t*)0x200000004e48 = 0x200000004d80; *(uint64_t*)0x200000004e50 = 0x200000004dc0; memcpy((void*)0x200000004dc0, "\x05\xc9\x21\x56\x87\xa3\xff\x17\x47\xca\xe5\xc1\x8c\xb1\x86\xed\x5c\x62\x98\x43\x37\xf9\x0f\x0a\xb5\x94\x8e\x21\xc6\x3d\x16\x86\xf1\xda\x14\x59\xa8\x97\x18\xa9\xf8\x49\x30\xb8\x92\xc2\xad\x4d\xe6\x1f\x71\x4a\xb8", 53); res = syscall(__NR_shmctl, /*shmid=*/5, /*cmd=*/2, /*buf=*/0x200000004e00ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004e04; r[13] = 
*(uint32_t*)0x200000004e08; } break; case 21: *(uint32_t*)0x200000004f00 = 7; *(uint32_t*)0x200000004f04 = -1; *(uint32_t*)0x200000004f08 = -1; *(uint32_t*)0x200000004f0c = 1; *(uint32_t*)0x200000004f10 = 0; *(uint32_t*)0x200000004f14 = 0x98; *(uint16_t*)0x200000004f18 = 4; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 6; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 5; *(uint64_t*)0x200000004f30 = 0xc; *(uint64_t*)0x200000004f38 = 0x1ff800000; *(uint64_t*)0x200000004f40 = 8; *(uint64_t*)0x200000004f48 = 0x7f; *(uint64_t*)0x200000004f50 = 3; *(uint16_t*)0x200000004f58 = 0x101; *(uint16_t*)0x200000004f5a = 8; *(uint16_t*)0x200000004f5c = 0x1000; *(uint32_t*)0x200000004f60 = r[5]; *(uint32_t*)0x200000004f64 = r[8]; res = syscall(__NR_msgctl, /*msqid=*/4, /*cmd=*/0ul, /*buf=*/0x200000004f00ul); if (res != -1) { r[14] = *(uint32_t*)0x200000004f04; r[15] = *(uint32_t*)0x200000004f60; } break; case 22: *(uint32_t*)0x200000005080 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000004f80ul, /*optlen=*/0x200000005080ul); if (res != -1) r[16] = *(uint32_t*)0x200000004fb4; break; case 23: *(uint32_t*)0x2000000052c0 = 8; *(uint32_t*)0x2000000052c4 = 0; *(uint32_t*)0x2000000052c8 = 0; *(uint32_t*)0x2000000052cc = 0x7f; *(uint32_t*)0x2000000052d0 = 5; *(uint32_t*)0x2000000052d4 = 0x80000001; *(uint16_t*)0x2000000052d8 = 0x43; *(uint32_t*)0x2000000052dc = 7; *(uint64_t*)0x2000000052e0 = 2; *(uint64_t*)0x2000000052e8 = 0; *(uint64_t*)0x2000000052f0 = -1; *(uint32_t*)0x2000000052f8 = 0xf; *(uint32_t*)0x2000000052fc = r[7]; *(uint16_t*)0x200000005300 = 2; *(uint16_t*)0x200000005302 = 0; *(uint64_t*)0x200000005308 = 0x2000000050c0; memcpy((void*)0x2000000050c0, 
"\xbc\xc4\xb5\xd8\x6e\x91\xb0\x2b\x73\xe1\x6c\x46\x65\xdc\x30\x88\xf7\xcc\x98\x26\xda\x78\x07\xf9\xa8\x30\x0d\x9d\x89\x80\xde\x67\xa1\xa2\xa1\x53\xe9\x54\x66\xe7\x6d\x2c\x38\xc4\x15\x58\xc0\x8e\xfe\x37\xee\x81\xd9\x90\x46\x74\xce\xd8\x6d\xda\x9b\x2b\x6c\xc7\xc9\x7b\x19\x97\x58\xbe\xf8\xd9\x2d\xd2\x0e\x0e\x69\x86\x4d\x6f\xcd\x03\xa8\x0c\xa0\x12\x01\x9c\xf4\x1e\x51\x66\x47\x50\x38\xfc\xd3\x60\x33\x84\x36\xe7\x82\x7e\xf7\x30\x46\x91\x87\xe6\xa4\x95\xf5\xbf\x01\x8e\xe7\xca\xa7\x1c\x80\x4a\x38\x67\x56\xc3\x24\x2b\x30\xec\xa0\xb8\x41\x16\x6d\x78\x39\xe9\x4a\x56\x39\xd0\x8f\xbc\x06\xda\xc1\xf8\x61\x49\x44\x56\xd8\xd1\x53\xde\x7f\xc3\x03\x87\xd4\x52\x30\x4e\x7c\x30\x69\xbb\xfb\x42\x43\x91\xd0\x4f\xab\x12\x03\x7c\x6d\x6a\xe6\x02\x5d\xf8\x69\xfa\x3a\x45\xe0\x31\x48\xc2\xdd\x05\x2c", 195); *(uint64_t*)0x200000005310 = 0x2000000051c0; memcpy((void*)0x2000000051c0, "\x0b\x7d\x67\x85\x2a\x6f\x3d\x89\x68\xf4\x76\xad\xad\x16\x72\xe6\xdc\xfc\xeb\xe8\xe6\x24\x9d\x8c\xc7\x2d\x1a\x05\xc2\x8a\xcd\x3d\xed\xa6\x43\x14\x81\xc8\x8e\xe1\xc2\xc0\x99\x44\xee\x73\x33\xd9\xd1\x6b\x3f\x9b\xd1\x86\xbe\x36\x21\x0e\x7e\x52\xfd\xac\x24\x09\x97\x73\xc0\x7a\xf6\xf1\xa9\x40\xe4\xba\xec\x3a\xda\x47\x66\xe3\x80\x14\xad\x52\x7a\x5d\xf7\x7c\x90\x61\xc5\xa4\xca\xcc\xc4\x8b\xcf\x15\x62\x20\x7f\x8d\xb0\x4d\x60\x8a\x82\x3c\x71\x97\x9b\xda\xf7\x02\xb9\xa6\xec\x8f\x62\xf2\x3d\x31\x6b\x69\xa8\xe4\x0f\x1c\xd7\x92\x58\x5f\x34\xd8\xff\x6c\x70\x56\x41\xdb\xc0\x9a\x02\x45\xef\xad\x32\x6c\xa8\x4d\x8c\xa3\x9d\x29\xcc\x33\xa4\xa3\xfb\xe7\x6c\x24\x0d\x05\x5e\x26\x1e\x16\xd6\xbb\x5d\x9c\x23\x1f\xe3\xc9\xe8\x4f\xe5\x95\x65\xbe\xfc\x53\xfe\x9d\x11\x9e\xb5\x0c\xe0\x4e\x6e\x3c\x1d\xf2\x16\xae\x69\xc3\x13\xd8\x0b\xb6\xa7\x7e\x21\x9b\x94\x51\x65\x72\xee\xaa\x39\x8b\xfe\xa6\x49\x33\x5a\xe8\x11\x4c\xb0\x57\x42\x36\xf4\x61\x31\x67\xd9\x75\x8b\x53\xb6\x6c\xb6\xba\x75\xd7\x5a\xf9\x2f\x3c\x6e\x63\x8b\x82", 250); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/5, /*buf=*/0x2000000052c0ul); if (res != -1) { r[17] = 
*(uint32_t*)0x2000000052c4; r[18] = *(uint32_t*)0x2000000052c8; } break; case 24: memcpy((void*)0x200000005340, "./file0\000", 8); *(uint64_t*)0x200000005380 = 0x355; *(uint64_t*)0x200000005388 = 0x100000001; *(uint64_t*)0x200000005390 = 5; *(uint32_t*)0x200000005398 = 7; *(uint32_t*)0x20000000539c = -1; *(uint32_t*)0x2000000053a0 = 0xee01; *(uint32_t*)0x2000000053a4 = 0; *(uint64_t*)0x2000000053a8 = 7; *(uint64_t*)0x2000000053b0 = 2; *(uint64_t*)0x2000000053b8 = 2; *(uint64_t*)0x2000000053c0 = 6; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000053d0 = 7; *(uint64_t*)0x2000000053d8 = 4; *(uint64_t*)0x2000000053e0 = 0xfff; *(uint64_t*)0x2000000053e8 = 0x17b; *(uint64_t*)0x2000000053f0 = 0xffffffffffff27a1; memset((void*)0x2000000053f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000005340ul, /*statbuf=*/0x200000005380ul); if (res != -1) r[19] = *(uint32_t*)0x2000000053a0; break; case 25: *(uint32_t*)0x200000006480 = 7; *(uint32_t*)0x200000006484 = 0xee00; *(uint32_t*)0x200000006488 = 0; *(uint32_t*)0x20000000648c = 0; *(uint32_t*)0x200000006490 = 7; *(uint32_t*)0x200000006494 = 8; *(uint16_t*)0x200000006498 = 0x3ff; *(uint32_t*)0x20000000649c = 0x10; *(uint64_t*)0x2000000064a0 = 2; *(uint64_t*)0x2000000064a8 = 8; *(uint64_t*)0x2000000064b0 = 0x7fffffff; *(uint32_t*)0x2000000064b8 = r[8]; *(uint32_t*)0x2000000064bc = 0xffff; *(uint16_t*)0x2000000064c0 = -1; *(uint16_t*)0x2000000064c2 = 0; *(uint64_t*)0x2000000064c8 = 0x200000005440; memcpy((void*)0x200000005440, 
"\x4c\xf7\x7c\x89\xa8\xa3\x6d\x9b\x71\xd1\x6c\x43\xca\x99\xca\xec\x65\x90\x56\x4d\x89\x51\x86\x4c\xcc\xc3\x48\x10\x2a\x77\x79\xcd\x97\xd9\x51\x00\x3a\xe8\x76\xa9\xa0\x30\x1c\x11\x86\x7f\xf6\x43\x2c\x9c\x54\xbd\x04\xee\x43\x3f\xce\x5f\x5d\xb9\xeb\x71\xb7\x62\x21\xd2\x84\xc7\x8d\xc7\xdb\x27\x84\x0c\xa0\xb1\xe9\xa5\xa1\x19\xf0\xd7\x4f\xf6\x48\x5b\x52\xa9\x86\xa6\x71\x7f\x3c\xfd\x72\x6d\x0a\x6a\x03\x8b\xed\x21\x89\x34\x4a\x3d\x14\xc2\xf1\x19\xbf\x2e\x54\x3f\xe4\xe7\x16\xbc\x4c\x5b\xec\x83\x76\x7d\xa2\xf9\x7d\x1c\xce\x4b\x26\x96\xbc\x5f\x99\x89\xfd\x42\xdc\x97\xa0\xc1\x6c\xdc\x2f\xa9\x67\xad\xaa\xa2\xba\xc7\x30\xe2\xcb\xda\x74\x4d\xc3\x12\x1e\x3f\x01\x5b\x66\xea\xe8\x91\x56\xb2\x62\x63\x9f\x95\xbb\x01\x4a\xba\x78\xbf\x2a\x48\x01\x49\x9b\xf3\x82\x68\xd7\x7d\x99\x49\x4a\xef\x48\x6b\x9b\x38\x8a\x1e\xba\xcb\x4b\x77\x1a\x52\xbf\xa2\x99\x90\xe9\x36\x18\xaf\x03\x76\x2f\x95\x3e\x34\x80\xfe\x01\xdd\xe9\x2c\xa7\x83\x5c\xcd\x5e\x88\x64\xdb\xc9\x10\x0d\x25\xc4\xfa\x63\x2c\x9f\xeb\xdd\xfd\xb1\xe7\x7f\x1b\xcd\x76\x79\xea\x46\x89\xd2\xc8\x50\x4e\x50\xaf\x69\x52\xc8\x89\xd3\x28\xc1\x2c\x66\xc9\x0d\x8e\xad\x36\x92\x70\xd9\x4e\x5a\xa3\x42\xfb\x23\x87\xdc\x7c\xfe\x6e\xde\x70\x54\x64\x98\x5f\x30\x1f\xeb\x34\xb0\x02\xcc\xef\xb8\x0f\xde\x10\xd9\xfc\x1c\xb3\x9b\x5f\x87\x75\x24\x98\x6d\xd1\x24\x47\xa7\xc9\x6f\x63\x50\x7c\xb4\xd8\x80\x68\xed\xfd\x77\x48\xfb\x2b\x66\x7a\xe1\xae\xdb\xb4\x16\x37\x75\x74\xd7\x0a\x3f\x6d\xe4\x6e\x4a\x3e\x5c\x14\x9a\x64\xa4\x36\x46\x66\xbd\x99\xfd\xb0\xe4\x13\xa1\x33\x5b\xa9\x32\x57\x5d\x1e\x92\x28\x50\x8d\x61\x4b\x66\x3a\xb1\x7a\xcb\x21\xb2\xac\x4d\x36\x18\xa6\x59\x43\x80\x4d\x5b\xa5\x2c\xbb\x04\x3a\x96\x19\x86\x12\x02\xb5\x05\x14\x0e\x48\x44\xb8\xce\xb6\xfa\xf5\x02\x42\x23\xd9\x63\x6c\xb0\xbe\x38\x4a\x4c\xc1\xdd\x3d\x4f\x35\x76\x29\x52\x1a\x07\x69\x84\x18\xdd\x1a\x97\xc3\x94\x17\x19\x6f\x86\x1a\xfb\x05\xbd\x70\x2f\x4c\xcd\xc3\xd4\x4b\x5a\x41\x93\x37\x8b\x93\x6f\x53\xc5\xc4\xb0\x9c\x98\x58\xbe\x95\xe3\x49\xba\xeb\x7e\xb4\xda\x30\x94\x00\xa4\xdb\xb0\x8a\x24\xd0\xbb\x3
7\x72\xbe\xe7\xa3\x87\x3c\xf8\xd7\x6e\x06\xdf\x6f\x7c\xe5\x91\xf4\x0b\xdc\x84\x9e\xa0\x4c\xad\xe8\x86\xf0\x75\xe1\x45\x8f\x02\x1f\x1b\x73\x0b\x0c\xb5\xc3\x28\xb9\x11\x41\x2a\xee\x96\x16\xab\x5f\xdc\x83\x1e\x34\xce\xa6\x9d\xe1\xa4\x08\x06\xaa\xfd\x4e\x64\xd3\xcd\x70\xc1\xa6\xc6\xf6\x36\xd3\xbb\x94\xc9\x95\x97\x7c\x59\x4f\x0f\x4e\x90\xd7\xae\xc4\x3f\xec\x4c\x8a\xa7\x07\xd0\x0d\xfa\x26\xff\x9d\xb8\xa4\x5e\x6a\xc6\x5b\x5e\x5c\xea\xc4\x3f\x78\xb5\x0f\x1e\x4f\x49\x4c\x85\x82\x7b\x3f\x0e\xa1\xf7\xa4\xfe\x3b\xbb\xd3\x90\xe3\x61\x66\x28\xed\x47\x70\xdd\x36\x66\x94\x89\x35\x13\xdc\x1c\xd2\x52\xd3\x88\x7a\x2f\x19\xa8\x46\xd1\x8e\xe7\xba\xf8\xb5\x68\x0e\x61\x80\x0b\xaa\xf0\x04\x18\x10\xa5\xa2\x1f\xe0\x6c\xba\x83\xe0\x62\x1b\x26\x26\xc3\xec\x5b\xa6\x2d\xfe\x1f\x94\xae\x16\x11\x4c\x9f\x89\xe8\x94\x58\xa0\x69\x22\x2b\x43\xb4\x50\x4d\xca\x5f\xd9\x69\xc0\x66\x66\xdc\xf9\x82\x43\x46\x31\x59\x7b\xab\xaa\xd4\x65\xcb\x73\x9e\x72\x83\x5f\x69\xad\x69\x9b\x0e\xfb\xe2\x16\xa1\x2c\xc1\x88\xd5\x4b\xeb\x66\x86\x1c\x78\xc8\x02\x25\x43\x8d\xeb\x75\xb3\xaf\x96\xa6\x0a\x08\x4e\x68\xed\xce\xca\x25\x2c\x22\x22\x5b\x4f\x3e\x56\xe9\x9f\x97\x6c\x2a\x08\x2a\x29\xf4\xa5\xbc\x3d\x0c\x25\x1f\x91\x22\xb5\x84\x66\x1f\x39\xbf\xd1\x8d\xfb\x9d\x57\xa5\x91\xc6\xd7\x01\x3b\x42\x0b\xd1\xe4\xc4\x7e\x80\x4c\xc4\x0e\xdf\xfa\x4d\xc9\x0c\xda\x1d\xe0\xa6\xe5\xf0\xd7\xa4\xd1\xc0\xa0\x2b\xf9\x25\x82\x90\x06\x43\xf9\x7f\x8f\x2c\xc1\x37\x68\x37\x4c\xc1\x36\x10\xf2\x7c\x3a\xb9\xd6\x93\x14\x79\xd0\x21\x5c\x4a\xd6\x69\xef\x80\x2e\x32\x92\x87\x88\xc5\x25\xf7\x52\xed\xae\x47\x7f\xf8\x9e\xa3\xf0\xc8\x7d\x9e\xc7\xeb\x1e\xf5\x12\xdc\xab\x10\x37\x28\x42\x91\x86\x13\x22\xf8\x72\xaa\x26\x1f\xa4\x67\x46\xed\xd8\x39\x85\xee\x32\x0f\xef\x53\xb1\x15\x18\xf5\xd5\x8f\x84\x68\x19\xb8\x8b\x16\x58\x8c\x13\xdd\x01\x90\x58\xa1\xce\x86\x5b\x4e\x68\x5e\x94\x78\x53\x9b\x9b\x9a\xf6\x9a\x13\x12\x6d\x6a\xd3\x0b\x2b\xac\xb1\x44\xc0\x2f\xfb\x15\x39\x66\xd2\x0f\x56\x56\x84\xa8\x74\x91\x31\xc7\xde\xf8\x8f\x2c\x87\xe4\x8e\xac\x6c\x0a\xf5\x76\xcc\x86\x11\x1
8\xa9\xb7\x18\xdc\xa2\xea\xfb\xc5\x41\x3b\xb6\xe7\x51\x37\x46\x47\x9b\xd8\x01\xf0\x7b\x94\x65\xbd\x80\xd0\xdc\x3d\x83\xee\xb7\xd6\x88\xf9\x13\xbb\xc7\x87\xb2\x3a\x90\xa8\x63\x7c\x57\x98\x84\xa1\x58\x5d\x53\x23\xb0\x4a\x44\x9f\xee\xbd\x0c\xbe\x2b\xc3\x27\x21\x24\x4e\x92\xe5\xd0\x33\xe2\x0d\x0b\x2c\xcf\x8e\xd5\xe2\x39\x00\x19\x9d\xc5\xec\xde\xa4\x29\xa2\x59\x61\xc9\x07\xaf\x8d\x93\xd5\x7d\x5d\x0d\x7f\xf9\x90\x31\x0a\xc0\x92\xdc\x44\x7e\x88\xcf\x81\x61\x7b\x67\x75\x4a\xd8\xee\x0b\x12\x53\x2c\x73\x13\xd1\x5f\xd6\x5c\x9f\x65\xc0\xa9\x4b\x75\x5a\x09\xd2\x40\x78\xbd\xe2\x75\xa4\x44\x57\xec\xa4\xc8\xb2\xb3\xbc\x0d\xfd\x4c\x8a\xcb\x9d\x2c\x6c\x4a\x8d\xaa\x22\xa6\xcd\x96\x1b\x44\x76\xb0\x78\x80\xf8\xcf\x09\x88\xbc\xe7\xdd\x8d\x3c\x3f\xbd\x9c\xfd\xb6\x56\x3b\x68\x10\x34\xb2\x72\xfb\x3c\xde\x59\x1d\xe8\x03\xd0\xb6\x84\x05\xd2\x5d\xea\x80\x1e\xe8\x71\x3a\xeb\x54\x98\x19\x83\x95\x79\x9d\xb2\xab\x19\xfb\xce\xdb\xaa\x3c\xed\x3e\x12\x4d\x29\x3d\x63\xee\x8c\x12\xd9\x31\x07\x9f\xd9\x4c\xa0\xfb\x5c\x45\x69\x32\xa0\x7a\xc6\x65\xb9\x41\x0d\x12\x37\x73\x58\x72\x76\x67\x64\xc0\x5e\x85\x2e\x06\x1d\xc3\x99\xbb\x31\xed\x48\x8d\x1b\xa5\xae\xf5\x3a\xc7\xb4\x53\x6c\x6e\x5f\xc4\x5c\x96\xa9\x93\x85\x51\x2f\xe6\xee\x8a\x22\x78\xa0\x6b\xe1\x9a\x7c\xdd\xf3\xca\x67\x8b\xdd\x73\xc2\x55\xc1\x59\xea\x07\x35\x57\xd6\x66\xf6\x7b\x9d\x1b\x99\x68\xe0\x23\xf6\x36\xc6\x93\xa8\xad\xfc\x92\x3a\xcf\xf1\x08\xed\x43\x70\xbb\x96\x6b\x0f\x4c\x05\x03\x4b\x08\x57\x6c\x2b\xc8\x9c\xee\xb5\x7c\x63\x3d\x2a\x7c\x87\x66\x5b\xe7\xe7\x5f\xfb\x30\xed\xb5\xfe\x9f\xcd\xc7\x25\x6a\x01\x12\xd4\x9f\x52\x03\x18\x00\xb7\x0f\x69\x80\x38\xf0\xf1\xf8\x12\x23\xcb\xe0\xe3\x0b\x47\xe8\x05\x70\x97\x1d\x4f\xa8\x4d\xa5\x80\x99\xf8\x75\xac\x76\x32\x3c\x5a\xc2\x5b\x69\xc5\xea\xf6\x78\x25\xab\x8a\xc9\x8c\xbd\x6d\xc0\x16\x37\x51\xa4\x7a\x1e\x52\x99\x8e\x00\xe0\x5c\x1c\x69\x01\xf5\x04\x34\x03\x18\x72\x79\x02\xb1\xed\x2b\xd2\xcf\xf2\xd2\xed\x09\x60\x1a\x8c\xed\xf4\x52\x8c\x1c\x13\xa6\x70\x37\x5f\xe3\xa6\x85\xc7\xcb\x14\x72\x3b\x55\x9c\xe2\x78\x6c\xa
2\x95\x5a\xe3\x51\xef\xf8\x39\x75\x8c\x31\x1e\x99\xed\x53\xff\x12\x83\x72\xbf\x9f\xc3\x8c\x57\x0b\xd9\x00\xb4\x97\xc9\x31\x61\xc3\x4d\x8b\x4e\x48\x06\xeb\xcc\xda\x16\x11\x44\x5e\xa9\xd6\x76\xbd\xc1\x46\xea\x5b\xa1\x00\xfc\x5d\x99\x5b\x2c\xa6\x07\x09\xfa\xbb\xf6\xaa\xbb\x01\xef\x24\x3a\x12\x9a\x3c\x67\x38\xcf\x66\xf6\xd3\xe3\xb0\x03\x20\xbe\x0f\x85\xe7\x54\x87\x89\x37\xe3\x97\x62\xde\xbb\xf5\xa3\xe7\xa8\x11\x10\x35\x66\x34\x0f\xdf\x7d\xac\x84\x50\xe6\x8e\xff\x10\x2c\xbf\xd4\x95\xa8\x01\xde\x06\xe7\x4d\xf5\x7f\xe0\x6e\x15\xed\xfb\xa4\xda\x71\xa4\x33\x39\xc5\x24\x8f\x42\x2e\xe2\x9a\x22\xef\xa4\x93\x69\x0d\x97\x24\x6e\x20\x83\xbe\x24\xc2\x1e\xe4\xf2\xf1\xd6\x0d\x75\x3b\x2d\xa7\x5a\x15\x40\x8a\xf7\xf4\xff\xc3\xf1\x16\x73\xb8\x93\x45\x79\x57\x50\xc2\xea\x6b\x6c\x78\x9c\x9e\x4e\xd0\x93\x05\x61\x71\xe9\xfd\x9a\x67\x54\x86\xa4\xa5\x1a\xfa\x96\x7e\x00\x9c\x5a\xb5\xda\x74\xfb\x7f\xcd\x00\x04\x4a\xb9\x4b\x28\x7b\x54\x21\x78\x48\xd4\x78\x48\xd6\xa1\x16\xae\xd4\x1d\x45\x4c\xdc\xbf\x4a\xd8\xd8\x6e\x62\x99\x97\xe3\x08\xb8\x6e\x23\xea\x1b\xf1\xa4\xd2\x52\x96\xb1\x9f\xa7\x9f\x2a\x8c\x9b\x13\x70\x2b\x76\x28\xc8\x9f\x71\xba\x6d\x5c\x3a\xa6\x56\xd4\x31\x8c\x4e\xc3\x30\x5b\x9d\x7a\xe2\x93\x74\xe9\x35\x67\x09\xc4\x6d\x40\x1c\x6b\x74\x51\x18\xbc\x70\xd1\xac\x74\xfb\xc5\x7d\x92\x48\xb1\xa9\x15\xde\x03\xdf\x36\x7a\x9a\x10\x44\x75\x27\x75\xe3\xb3\x36\xa9\x35\xbc\x08\x2a\x2c\x88\x29\x9f\xad\x16\x99\x3f\x6e\x3f\x43\x73\xde\x0c\x48\x8a\xf1\xaf\x00\xad\xb9\x40\xcb\x45\xf5\xcf\xd5\x37\x2d\x6c\x0a\x4c\x69\x6f\x96\x63\x6d\x52\xd2\x79\x39\xde\x72\x99\x74\xa9\xa5\xbe\x21\xf9\x9b\x49\xfc\x6d\x4c\x65\xac\xa9\x8c\x28\x74\xf3\x67\x1d\xe2\x92\x64\x94\x1c\xd4\xa4\xa6\xbe\x0b\x20\x21\xac\x02\xad\xcd\x17\x56\xbf\xcf\xf1\x0e\x76\x55\xdb\x95\x8b\xb9\x99\x81\x0d\x8b\x3f\xee\x98\x32\x64\x6d\xed\xbe\xee\x86\x89\x2e\xce\xb4\xfa\x04\xb7\x28\x4f\xdc\xe5\x66\x9d\xc7\xee\xb7\x75\xd0\x09\xca\x17\x6d\x82\xbb\xdd\xd4\x26\x27\x16\xef\xbb\xe1\x8c\x8c\x79\xf6\xc7\x6c\xb5\x9b\xfa\x82\xa1\x9a\x66\x81\xe0\xd5\xa4\x9d\xbd\x64\x2
9\x33\x64\x8a\xf8\x81\xc5\x69\x40\xe8\xc5\xe1\x8f\xb8\x28\x8c\x35\xe1\x30\xe1\xf6\x28\x17\xaf\x3f\x18\x7d\x00\x2d\x1b\x9a\x1d\x58\x4b\x66\x2e\xbc\x5c\x9c\x95\x20\xc4\xd5\x16\x64\x9f\x2d\x99\x36\x3e\xff\xf1\x16\x34\x8c\xae\xd4\x35\x56\xb5\x8e\xa9\xb7\xc4\x25\x5f\xd2\x7e\xfb\x05\xed\xec\xe7\x55\x35\x96\x3d\x32\xef\x59\x7e\xb1\x33\x49\x5d\xc6\xff\x01\x17\xd9\x23\x02\x7f\x10\x8d\xbc\x64\xcb\xaa\x4b\xed\xd5\x65\xe0\x57\xa0\xe2\x86\x49\x90\x8d\x87\xab\x01\x64\xa1\x15\x5a\xbe\x46\x03\xec\x3f\x81\xc3\xb5\x32\x7e\xd0\xd5\xe1\xfc\x89\x01\x62\x51\x0a\xfc\xa7\xb9\x1d\x61\x85\x75\x73\xf6\x18\x43\x86\xa7\xa7\xcb\xfb\xa8\xef\xf7\x9f\xb8\x83\xd0\x4a\xa6\xbb\x7f\x93\xf7\x76\xa3\x75\x56\x5f\x67\xa0\x37\xe4\x75\xe2\x8b\x57\xf4\x2c\xa0\xfc\x54\xa3\x0b\x9d\x91\xee\xd1\x24\xcd\xc1\xbc\x53\xfe\xaa\x47\x58\x28\xf2\x0d\xb8\xba\x50\x81\x5c\x81\x2a\x1e\x9c\x74\x54\xcd\x41\x44\xeb\x9a\x42\x3e\x6d\x17\x2e\xde\xe0\xba\xd9\x4c\xd1\x50\xbb\xeb\x4d\xea\xbc\x6e\x98\xe3\xe5\xf7\xc6\xbb\x47\xf3\x5f\x11\x0e\xec\x4b\xa6\x32\xe9\xc4\x26\xaf\x69\x9a\x5b\xd6\xc2\x33\x1e\xf0\xc1\x1d\x24\xa5\xa3\xf3\x88\x8f\xae\x3a\x36\xa8\x9f\xb8\xa0\xdb\xdb\xa9\xca\xdf\xb9\xe0\x52\xa9\x3f\x00\xed\x75\x75\x5b\x4d\x78\xd9\x9a\xaa\x84\xf6\x9d\xcc\x6a\x6a\xb0\x5e\xad\xd8\x17\xb9\xf7\x04\xe9\xa7\x69\x7a\x31\x5f\x36\xac\x99\xd2\x99\xb5\xcb\x8a\x2f\x0c\x7c\xd5\x3a\xa1\x6f\xda\xd2\x33\x19\x47\xd8\x1a\x52\x73\x4d\xc3\x8e\xfd\x03\x09\xb4\x83\x7f\xcc\x18\xc8\x8a\x0c\xb8\xbf\x5f\x96\xe4\x20\x91\x92\x26\x6a\x2c\x7f\x60\x37\x1d\x41\xfc\x8c\x7d\x05\x0a\xe4\x3b\xf5\xf6\x74\x07\xb5\x4f\x4b\x73\x1e\x0f\x71\x95\x65\x9c\xd7\x1e\xcc\xcf\x87\xe6\x8e\x1b\x4b\xb8\x74\x70\x73\x36\xca\x5b\xce\x6a\xe7\xd5\x88\xd6\xd6\x8e\x2f\x66\xea\xf0\xfa\xa2\x6d\x48\x8e\xf0\xa1\xa0\xb5\x96\x86\xaf\x81\x20\x55\x8f\xd7\x6c\x9d\x19\x59\x0a\x96\x11\xd5\xf3\xec\xa0\x0e\x14\x81\x94\xd9\xb6\x95\x94\x12\x4b\xe0\x05\xcd\xde\x6d\x57\xb2\x6c\x53\xac\x64\x88\x23\x6d\xe7\xdc\x8e\xf1\x7e\xee\x67\xcd\x94\x8e\x32\xd8\xc1\x1f\x14\xbd\x24\x78\xb5\xd7\xe2\xc1\xd3\x9d\x02\xb4\x75\x9
5\xce\xbe\x08\x51\xf9\x94\x48\x96\x0d\xd6\x4c\x14\xa8\x4d\xac\x88\x7c\xe5\xb3\x93\x09\xb1\x53\x0b\x71\x29\x5c\x36\xb1\xb1\x95\x92\x24\x2d\x66\x17\xf9\xba\x31\x5c\x8d\x0a\x9d\x39\x79\x25\x41\xd1\x1c\x0e\xc9\x99\x97\x51\x69\xe8\xaf\x06\xa4\x44\xb7\x16\xc4\x52\x40\xb3\x15\xa0\x89\x61\xfa\xc6\xa6\x96\x81\xd8\x32\x19\x8a\xad\x3d\xe1\x0e\xf3\xa4\x88\xf5\x07\xab\x56\xfd\x19\x4f\x6d\x94\x37\x6d\x24\x96\x8d\x5c\xaa\xdf\x3f\x2c\x3e\xfb\x66\x7d\xd1\xd1\x9b\x18\xdc\x8d\xab\x53\xdf\x92\xc2\xdc\x0f\xb4\xad\x49\xaa\x80\x34\xcf\x6f\x9e\xae\x62\x20\xbe\xae\xc0\x87\x84\xca\xc7\x65\xda\x9e\x98\x21\x9e\xca\xe0\xfb\xa0\x94\x24\x0d\x3d\xf3\x4f\x3c\x89\x53\x9b\x20\x6a\x9a\xf3\x8d\xac\x75\x87\x4b\x0b\xee\xed\xc9\xb3\x79\x5d\x5f\x1d\x1f\x90\x65\xa8\x1a\xc5\xe1\x55\x88\xc1\x79\xc4\xb0\xef\xfc\xba\x46\x6b\x91\x70\xb1\x2e\x72\xfb\x52\x5a\xcc\x0e\x2b\xf5\xb8\xc4\x3e\xfb\xdf\x53\x27\x9e\x5c\x9f\xee\x04\xb0\x29\xdb\x52\x20\xba\x82\xd4\x93\x0e\x96\x37\x4b\xaf\x43\x38\xae\xf5\x55\x0f\xb5\x92\x20\x15\xa1\xf9\xf0\x76\xf3\x61\x5e\xe6\xd8\x14\xda\x80\x8d\x1b\xbc\xad\x1b\x17\x6d\x5b\xb2\x0b\x79\x58\x82\x47\x6c\x0c\x72\x34\x5e\xb1\x61\x34\x80\x7a\x82\xb9\xd8\x6c\x9d\x7a\x4d\x84\xd1\x89\xbe\x30\x9b\xa0\x25\x30\x3e\xea\x18\x89\xb0\x5c\xdc\xea\x4c\x20\x73\xcf\xb3\x0b\xb3\xb9\x0f\x35\xbc\xd6\xee\x79\x0f\x13\x60\xf9\x63\xdc\xd6\xbe\x81\x16\x8d\xe7\x5e\x1d\x04\xe8\x15\x0d\x2c\x00\x00\x5d\xf7\xfa\xde\xac\x9e\x5c\x3d\x20\x26\x79\x9c\xbb\x2a\x2d\xb4\x26\x8e\x4d\x1c\xb6\x14\xf1\x58\xef\x12\xa0\xb2\x28\x2e\x42\xba\x33\xff\x9d\x67\xce\xda\x79\x32\x0f\x1d\x89\x72\x77\xf4\x86\x58\x8a\x0d\xc0\xe4\x6c\x1c\x0f\xa2\x23\xbe\x06\xcd\xac\xa9\x09\x48\x33\x58\xbe\x8b\x18\x2b\x37\xe3\x78\x9f\x7c\x93\x95\x9c\x0b\x45\x33\x5b\x2c\x00\xca\xd1\xa7\x0f\x8d\x04\x08\x13\x83\xa7\x9c\x3f\xd5\x95\xfc\x86\x47\xbb\x65\x52\xc6\x08\x1c\x26\xc7\x20\xed\x1b\x22\x9a\x19\x2b\x9a\x91\xfa\x1e\x12\xcd\x31\x84\x0f\x86\xe0\xda\xd7\xfe\xb7\xda\xde\xad\xd2\x32\x70\x9b\xc9\x9a\xa8\xfb\xc3\xa8\x7a\xf0\xd5\xc8\x2e\x53\xac\xeb\x61\x22\xbf\x9b\x71\xb7\xbc\x9
2\xa0\xa0\x63\x95\x7c\xc6\x66\xfa\xfb\xad\x1f\x68\x8b\xd9\x11\x60\x8b\xfc\x76\x81\xc6\x4d\x81\x91\xc5\xd0\xc8\x0f\x7d\xed\xd5\xa9\xad\x4e\xbc\xcd\x04\xe2\x61\x8d\x9a\xad\x12\x1f\xd9\xaa\x8b\x8d\x68\x48\x72\x0a\x73\x67\x22\xc7\xec\xed\x31\x54\x04\x19\x65\x9c\x09\x11\xa0\x6e\x03\x9e\x95\x9c\x84\xdd\x5c\xc1\x64\x0e\xba\x08\x50\x5e\xa4\x89\xa1\x21\xdd\xca\x4a\x09\xc6\x3b\x2e\x27\x1d\x1e\xdb\x91\xae\xa0\x42\xe9\x2b\xea\x12\x93\x9a\xb6\xd4\x15\x7e\xfa\x94\xa6\x8d\x07\xb5\xf9\xb2\x05\x8b\xcc\xae\xf5\x82\x6e\xbd\x37\x65\x7a\x99\xbe\x45\x13\x4a\xa3\x0a\x84\xa4\xc4\xe0\x8e\x46\x3b\x75\x64\x5c\x2b\x72\x6c\x14\xf3\x57\x50\xef\xa6\x80\x40\x8d\x1e\xa9\xf3\xf5\x6f\xeb\x10\x60\xc7\xb8\xe8\x11\x46\x81\xc2\x49\x92\xaa\x2e\x1e\x65\x21\x9a\x03\x6a\xfc\x03\x4d\xba\x75\xa3\x90\xaf\xce\x29\x63\xd7\x56\xc7\xea\xf6\x7d\x21\x3c\x75\x37\x19\x35\xf9\xea\xb4\xd4\x28\xc5\x43\x22\xe3\x24\x98\xa4\x34\x02\x54\xcc\x41\xfb\xb5\x5c\xf6\x3b\x4f\x3f\x43\xc8\x93\x01\x01\xf3\xae\x35\x42\xfb\x96\xac\x77\x62\x63\x78\x9a\x98\x4a\x3a\x62\xbb\x46\xc5\xa4\xa4\x1b\x85\xf9\xd6\x6b\x47\xfb\x28\xea\x76\x5b\xbc\xdb\x52\xb0\x1f\x4c\x15\xeb\xe1\x88\xb4\x54\xc3\xae\x27\x7d\xc8\xa9\xf8\xa1\xc6\x34\x16\x3c\x63\x1b\xd5\x43\x0a\x8a\x80\xb8\x0b\x37\x33\x41\x3a\x1e\x00\xeb\x3f\xff\x34\xbc\x5a\xa8\xd9\x07\xd7\x9d\xe8\x86\x6c\xbc\x6f\x10\x66\x13\x56\x27\x77\x16\xc8\x84\x74\xbe\x9b\x39\x30\x18\xa7\xd8\xb9\xb3\xe1\xce\x4b\x7a\x32\x6b\x77\xf6\x2f\xcf\xa9\x49\x4e\x1b\x7c\x02\x80\xc3\xa2\x5e\xe3\x46\xc9\x4a\xe4\xcb\x3a\xf3\xfe\x09\x53\x4e\x63\x83\x6d\x5a\x00\xa6\x28\x08\x74\x2f\x5c\xc9\x26\x08\x8a\x6e\xd1\x1e\xa2\x05\x1a\x33\xc6\x0b\x2d\xed\xd2\x06\x9f\xc9\xfc\x2f\x2c\xd4\x53\x66\x61\x8e\x11\x00\x02\x16\xef\x80\x17\x16\x3a\xa8\x28\xea\xe1\xd1\x5f\x02\x06\x7a\xa4\x6a\xf4\x67\x75\x0c\xfd\xd3\x6f\x7e\xcb\xa0\xfd\x1f\x73\x82\xc2\xa7\x8a\xa4\x0c\xcb\x03\x7e\xd7\x24\x90\x75\x9f\x08\xe4\xa2\x57\xb7\x3e\x1b\x45\x19\xec\x47\x20\xd9\x08\x1d\xd4\x64\xa4\x7a\xd4\x68\xf8\x88\x1c\xa3\x02\x3e\x75\x31\x00\xae\x0a\x1b\x29\x89\xac\x57\x4e\xbb\x9a\xc
9\x13\x4b\xf1\x62\x02\xce\x61\xae\xaa\xfd\xf7\x68\x9b\xb9\x21\xc4\xa3\x9a\x46\xf0\x3a\x14\xde\xcf\xfe\xc7\x8c\xf9\xff\xd0\x1b\x4f\xca\x7d\x7b\xd4\x00\x30\xfe\xfa\x02\x59\x1a\x28\x45\x1b\xd3\x5d\xa7\x46\xdb\x7b\x5c\xdf\xd5\xee\x9e\xb6\xc5\x1b\x3b\xe0\x5f\xb0\xcd\x5d\x39\xe8\x10\x3b\x0e\x90\x3e\xec\x11\x0b\x3f\xf1\xf9\xdf\x98\x12\x32\xa5\x58\x23\x42\x81\x03\x9b\x46\x63\x76\x41\x84\x9d\x64\x12\xfe\xb7\x4a\x37\xb1\x39\x3c\x31\x51\x3c\xd9\x94\xad\x23\x9e\x20\xad\xdc\x7b\x6b\xe2\xbe\x44\x88\x57\xba\xcb\x20\xcb\x14\x69\xfe\x94\x46\x94\x6b\x6d\x60\x34\x9f\xf3\x92\x19\xf7\xc0\x02\xec\xb4\xdb\xfd\x31\x7f\x79\xd9\x50\xb3\x95\xdd\x77\xcf\xd4\x9a\x6f\xad\x36\xbe\x0b\xd4\x59\x1e\x4d\x2c\xa8\x37\xfe\x73\x74\xa3\x67\x92\xcc\xb0\xb2\xb0\x27\xc6\x9d\xcb\x08\x52\x74\x93\x09\xb9\x37\x17\x72\x72\xf4\xa8\x0d\x8e\x2a\x24\x99\x7f\xfc\xa2\x08\xb7\xf5\x28\xbe\x82\x11\x65\x56\xd2\x35\xf1\x7d\x57\x4d\x17\xac\xc1\xc4\xb5\x83\x63\xf0\x3f\x6b\x21\x77\xa2\xd9\xbd\x31\xd7\xda\x8b\x2d\x37\xea\x2a\x5e\xac\xe2\xb4\xf3\xea\xb5\x49\xcc\x55\xb3\x8e\x0f\x17\x31\xcc\x82\xef\x54\x8a\x5c\xb6\xa7\x56\x4b\x44\x2a\x86\xda\x73\x12\xa9\x4a\x13\x15\xe2\x70\xf3\x90\xa1\x97\xb9\x1e\x43\x5f\xa7\x04\x43\xf3\x87\xcf\x53\x73\x8f\x77\x5a\x23\x62\xa8\x72\x17\xb5\x74\xf8\xf6\x3c\xa6\x36\x13\x37\x52\x05\xdc\x19\x44\x98\xa0\xc9\x29\xff\x13\x00\x14\xd7\x42\x6a\xf7\xc0\xd0\x98\xd6\x9a\xff\x0d\xa1\x02\x7b\x12\x3c\x02\x3e\x73\x2e\x0c\xa1\xeb\x69\x5b\x42\x10\xad\xca\xef\x92\x85\xfe\xc8\xc8\x3f\xea\x7e\xfb\x3b\x5a\x09\xab\x0e\x26\xa2\xc0\x92\x6e\x15\x8e\xe1\x70\x89\xef\x7f\x8e\xab\x53\x75\x71\x8b\xa2\xe8\xab\x68\x3d\x2a\x1e\xef\xe2\x5c\x2e\x30\x3f\x41\x9e\xd0\x14\x23\x79\x98\x67\xe0\x2e\xb0\x1a\xe2\x00\x02\x20\x71\x36\xa6\x0a\x87\x50\x77\x39\x3a\x01\x9a\xe7\xdf\x3a\xad\xc5\xd4\xae\xd4\xd4\x59\xce\xdd\xe9\x66\xd8\x4f\xa6\x4c\x2e\x56\x48\x60\x17\x2b\xe4\x1b\x9f\xbd\xcc\x9b\xb2\x9c\xc2\xaf\x86\xbc\xb8\xda\x14\xd1\xd7\xef\xd6\xd9\x0f\xef\xd4\x73\xfb\xac\x5b\x05\x59\xac\x2b\xdc\x11\x0c\x7f\xda\xa9\x21\xd9\x20\x73\x1f\x36\x2f\x95\xd4\x2
6\x68\x0b\x73\x31\x2d\xa5\x8f\xac\xc4\xd0\xa1\xd7\xba\x59\x0b\x3e\x91\xc0\x3b\xf3\xb5\xf5\x00\xa5\xca\xe4\x6b\xed\x37\x37\x02\x12\x9e\xe2\xf2\x5b\x05\x00\x21\x9b\xbe\xc0\x50\x28\x59\x49\xf2\xde\x49\x48\x32\x89\x64\x32\x9b\x1a\x46\xa3\x84\x21\xc1\x37\xcb\x95\xb9\x92\x90\xb4\xf6\xcb\x46\xb5\x76\x69\x7c\x95\xb9\x37\x8e\x7c\x15\xca\xa0\x4a\xb0\xe8\xa0\x4b\x8d\xf8\xbc\x46\xd6\x15\xfa\x29", 4096); *(uint64_t*)0x2000000064d0 = 0x200000006440; memcpy((void*)0x200000006440, "\x1c\x3d\x61\xef\xc1\x46\x7b\x6b\x61\xe9\xe5\xf0\x6f\xa3\xd1\xdc\xc0\xe7\x00\x35\xdc\xc9\xc6\xc3\xb0\x0d\xf5\x89\x00", 29); res = syscall(__NR_shmctl, /*shmid=*/0x8001, /*cmd=*/0xfffffee8, /*buf=*/0x200000006480ul); if (res != -1) r[20] = *(uint32_t*)0x200000006484; break; case 26: res = syscall(__NR_getgid); if (res != -1) r[21] = res; break; case 27: res = syscall(__NR_geteuid); if (res != -1) r[22] = res; break; case 28: *(uint64_t*)0x200000006a80 = 0xfff; *(uint64_t*)0x200000006a88 = 0xd; *(uint32_t*)0x200000006a90 = r[6]; *(uint64_t*)0x200000006a98 = 7; *(uint64_t*)0x200000006aa0 = 2; memset((void*)0x200000006aa8, 0, 16); *(uint64_t*)0x200000006ab8 = 0xf; *(uint16_t*)0x200000006ac0 = 0; *(uint16_t*)0x200000006ac2 = 0x46; *(uint32_t*)0x200000006ac4 = -1; *(uint32_t*)0x200000006ac8 = 0; *(uint32_t*)0x200000006acc = 0xfffffffd; *(uint32_t*)0x200000006ad0 = 0xf7; *(uint64_t*)0x200000006ad8 = 0x7f; *(uint64_t*)0x200000006ae0 = 8; *(uint32_t*)0x200000006ae8 = 9; *(uint64_t*)0x200000006af0 = 3; *(uint32_t*)0x200000006af8 = 0x200; *(uint64_t*)0x200000006b00 = 4; *(uint32_t*)0x200000006b08 = 5; *(uint64_t*)0x200000006b10 = 0x62; *(uint32_t*)0x200000006b18 = 5; *(uint32_t*)0x200000006b1c = 0xff; *(uint32_t*)0x200000006b20 = 0x6cbf; *(uint32_t*)0x200000006b24 = 0x48; *(uint16_t*)0x200000006b28 = 0; *(uint16_t*)0x200000006b2a = 0x8001; *(uint16_t*)0x200000006b2c = 0x7f; *(uint16_t*)0x200000006b2e = 6; *(uint16_t*)0x200000006b30 = 8; memset((void*)0x200000006b32, 0, 2); *(uint32_t*)0x200000006b34 = 0x40; 
*(uint32_t*)0x200000006b38 = 0xffff; *(uint16_t*)0x200000006b3c = 0xa; *(uint16_t*)0x200000006b3e = 0xb04b; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0c0586d, /*arg=*/0x200000006a80ul); if (res != -1) { r[23] = *(uint32_t*)0x200000006a90; r[24] = *(uint32_t*)0x200000006ac8; } break; case 29: memcpy((void*)0x2000000016c0, "\x27\xfe\x2f\xfe\x47\x40\x4c\x4a\xc0\xa1\xec\xab\x30\xbb\xcb\x86\x4e\xad\x78\xfe\xd0\xc0\xe1\x75\xac\x99\x94\xf2\x2c\x05\xa4\x71\x88\x98\x8b\x3f\xf7\xcd\xde\xc1\xf6\xf3\x9e\x60\x61\x60\xf4\xf1\x99\xd3\x74\x5e\x26\xe2\x74\x8d\x68\xe3\x5a\x99\xf1\xbc\x4a\xc3\x20\x84\x63\x4f\x2c\x0b\xa5\xd1\xe0\x00\x0e\x2d\x5b\xee\x77\x7a\x2a\xb5\x09\xe7\xc9\x4c\x43\xf2\x97\xb8\x25\x93\x43\x78\xff\xa3\xbb\x79\x42\x25\x6f\xc5\x2a\x69\xe2\x38\x20\xcd\x52\x0e\x75\x59\xed\x9a\x31\xa9\x54\xdf\x95\x5d\xe5\xbc\x7c\x18\x55\xd9\x74\xb9\x5f\xf0\x0a\x84\xdc\x2d\x9a\xd6\x79\x64\x33\x44\x34\xd5\x28\xbc\xe5\x93\x48\x08\xb4\x8f\x8e\x25\x1a\x17\x9e\xb4\x7d\xee\x2a\x10\x8b\x50\x09\x2f\x55\x98\x16\x13\x6c\xff\xe9\xbd\x6e\x0a\x34\x00\x4e\x62\xd5\x0f\x73\xc1\x4b\x23\xce\x17\x51\x8f\x95\x4c\x4b\xc6\x1e\x61\x75\x75\x6c\x12\x04\xe2\xf2\x7c\x18\x2b\x9e\x3a\x7e\x3b\x82\x3d\xc2\xd2\x10\xe5\x23\x2c\x7a\xd0\xe8\xd8\xe0\x49\xf0\xe9\x20\x60\xb6\x20\x49\x9b\x0b\x8f\x4b\x4b\x97\x1d\x29\xa9\x7a\xe9\x4c\xe3\xce\xa6\xfb\x4e\x42\x96\xf7\x2e\x3d\xea\xbf\xf5\x62\xe7\x92\x43\x93\x3c\xfc\x53\x00\xe3\xc4\x1c\x6a\xb9\xc0\x55\x9a\xe2\x4b\x21\xce\x45\xbc\x69\xb7\xa1\xeb\x56\xc0\x8b\x82\x2b\xa1\x0f\xbc\xb0\xbd\x23\x8f\x6f\xcd\x60\xed\x24\x09\x2b\x3f\x47\xf1\x90\x0e\x3d\x33\x73\x37\x96\x49\xda\xa3\x95\x9b\xcb\x31\x9d\x7a\x74\xab\x3e\x62\xbb\x5f\xbd\xfa\x42\xf9\xd3\xb3\xe7\x34\x0e\xfd\x12\xd9\xdb\x73\x8b\x9a\x7a\x58\x1d\x91\x4f\x4d\xeb\x34\x00\x5a\xac\xae\xe8\x65\xdd\x59\x5a\xd5\xf0\x07\xc4\x8b\x51\x68\xe6\x99\xe5\x2d\xec\xc6\x66\x50\x9f\x0b\xac\x51\x6d\x5d\x8b\x1e\xcc\x1c\x99\xe6\x01\xb8\xf8\x5a\xf1\xc6\x76\x23\xfd\x2c\xff\x7b\x88\x38\x41\xae\xcd\xdf\x3a\x85\x23\x99\x80\xd3\xea\x2a\xe6\x37\x8d\x59
\xcc\x24\x2b\x2a\xbc\xda\x91\xe9\x18\x48\x7c\xfe\xa0\x37\x83\x90\x17\xee\xfb\xed\x85\xe0\xde\x24\x14\x8b\x3c\x67\xec\xad\xc8\xbb\xe5\x1f\xfd\xd0\x69\x6a\x55\xd8\xff\x21\x52\x31\x78\xa6\x82\x9e\xc4\xd3\xf2\x59\x77\x43\x3b\x85\xe9\x23\x8f\xe5\xd8\xb1\x43\x7c\x54\xa9\x33\x82\xfa\x15\x25\x49\xcf\xca\x4e\x47\x00\x70\x5f\x3c\xe5\xa2\x60\xa4\xb9\x43\xdd\x3e\x53\x2c\xc1\x96\xc8\x12\x95\x18\x22\x55\x66\xe9\x3e\x29\xa8\xc6\xf0\x2f\x05\x4a\x94\xee\x5f\xe2\x1e\x5a\xd5\xbf\x55\xdd\x7f\xde\x9a\xc6\x41\xf3\x47\xa9\x92\xe8\x19\x7f\xe5\xfc\x4b\x9c\x65\xef\x4d\x68\x79\x21\xdf\xf0\xf6\xcb\x82\xa3\xa9\x6f\x6d\xf1\xcf\xae\xdf\xfc\xed\x7c\xb0\x6b\x21\xde\x9b\x83\xcd\xe5\xf9\x6b\xda\xd6\xee\x4c\x61\x7b\x9d\xa7\x66\xcc\x44\x37\x12\xf8\x4e\xf7\xc3\x87\x08\x07\x0b\xd1\x9d\xb9\x0a\xbe\x25\x10\x09\xd9\xbb\xcc\xe7\xc4\x19\xbf\x7e\xfa\x7e\xa7\x00\x86\xa9\x5a\x27\xe7\x35\x9d\x3b\xcf\x81\x89\x9b\xb6\xb7\x56\x0c\x58\x22\x7d\xb9\x2b\xbe\x34\x2e\x60\x01\x9f\xf0\xcd\xbe\xec\x13\xbd\xb5\x6c\x5b\x5f\xdf\xdb\xce\x7e\x2f\x5a\x7d\x97\x1d\xbb\xc6\x4c\x59\xc5\x11\x1d\x0b\x45\x2a\xf5\x79\x80\xe2\x17\x85\xd5\xaf\x08\x84\x82\x2d\x12\xf4\x08\x1e\x83\x81\xd1\x6e\x0f\x41\x19\x36\x27\x4b\x90\x30\x21\x5c\x4b\x0b\x47\x07\x4d\xab\x09\xb9\xfa\x23\x22\xa8\x80\x50\xa6\x24\x48\xff\xb2\xbd\xbb\x9d\x6b\x87\x52\x1b\x3b\xfe\xb5\xde\x77\x36\xa4\xde\x11\xff\x4e\x56\xd4\x1a\xae\xd9\x00\x61\xe8\xf1\x3c\x37\x89\xa4\x4a\x63\xe7\x69\x02\xc4\xee\x9b\x6f\xc7\x35\xab\x8f\xf9\x52\x5a\xf0\xab\x52\x16\x7e\x04\xd3\x47\x96\x67\x85\x2b\x75\x5d\x00\x74\xcc\x95\x07\x80\x94\xdf\xe0\x39\x26\x00\x7f\xcf\x4b\x2b\x68\xe2\x62\xd1\x17\xdf\x6c\x91\x81\x27\xcd\x6a\x56\x42\xb8\x0c\x30\xbf\x91\x6a\x1e\x51\x52\x02\x29\xe1\xe0\xec\xe3\x5a\xc9\xb9\x09\xfd\x5f\xf9\x2b\x93\x0a\xa5\x5a\xe6\x0a\x2a\x7f\x52\x74\xe0\x47\xae\x70\xcd\x1d\x89\x4c\x3a\x93\x09\x4d\x5e\x88\xca\x4f\xf4\xa1\xf7\xa7\x4c\x25\x72\xc5\x91\xf2\x54\xec\x09\x46\xde\x4f\x96\x24\x83\x88\xb0\x6f\x7f\x0a\x7d\xaa\x49\x0f\x43\x59\x18\x4a\x76\xa5\x6a\x9b\xbc\xa5\x93\xc6\xf6\xfe\x47\x9c\x67\x5f\xb0\x2c
\x63\x54\x7d\x08\x04\x96\x3b\xbb\xfe\x5c\x66\x87\x69\xf3\xcf\x16\xbe\x9c\xd5\x11\x78\x03\x0d\x64\xcc\x2b\xb9\xd8\x26\x34\x39\x9d\xb8\x85\x9e\x48\x87\xc8\xce\xce\x4c\x85\x2f\x5c\xb7\x6c\xe7\x0a\x6c\x4e\xdd\x0e\x8a\x46\x5c\xbf\x78\x27\xb2\x1b\x55\x38\x57\x97\x71\xfb\x56\xb7\x99\x74\xaa\x36\x28\x85\x16\xbd\x08\xa9\x39\x49\x00\x16\x0f\x75\xd6\xbb\xe8\x9d\xe7\x0f\x8b\x5c\xea\xcc\x94\x19\xfc\x5a\x3d\x5e\xe5\xea\x78\x3d\x0c\xa8\x08\xa6\x24\x8c\x13\xad\x17\xc8\x73\xbc\x93\xe0\xe5\x0a\x39\x48\x7f\xb2\x5e\xc3\x23\x30\x70\xd7\x77\x6e\x7c\xe8\xba\x02\x2c\xcd\x8e\x2d\xb5\x64\x55\x94\xe0\xb2\xd8\x74\xed\xe7\x39\xf9\x3b\x61\x7f\xfe\xfa\xf3\xd8\x46\x8e\x66\xee\xcc\x85\x61\xfd\xb8\x1d\xd4\xfe\x7c\x77\x9d\xd9\x3c\xce\x31\x7a\x8f\x5c\xb8\x65\x51\xc2\x61\x66\xc7\x82\x4c\x87\x14\x0d\x96\x47\x50\x8c\xbb\xc1\x5c\x1d\x3b\x72\x08\x60\x91\x68\x90\x9e\x89\x0e\x9e\x9f\xd2\x67\x1d\x3a\x9a\x75\x27\xa7\x34\x47\x1f\x2c\x74\x80\x92\x6d\x8d\x18\xba\x6e\x24\xda\x6d\x6c\xee\x42\x2a\xeb\xfb\x14\xd1\xf1\x2a\x91\x5f\xfb\x73\x75\xcc\xb3\xec\xc9\x86\x3c\x45\x53\x4a\x97\xa9\x22\x43\x32\x17\xdd\xe2\x20\x35\x45\xaa\x98\x3e\x2a\x6c\x54\x65\x11\xd8\x62\x64\x28\xaa\xbe\x7c\xec\x1d\x0e\x81\x24\xde\x19\x83\xd5\xab\x1e\xd6\xe9\xde\xe8\x2f\x0d\xf4\x69\x9f\x4a\xb7\x07\x06\xc3\x4c\x75\x4d\x0c\xd8\xb6\xde\x54\x1c\xa8\xa7\x1d\x5f\x98\x25\xfc\x13\x15\x84\x80\xd5\x98\x0e\x64\x15\xcc\xa0\x5c\x57\x57\x89\x41\x69\x22\x3b\x43\xcc\x29\x63\x09\x18\x24\xcf\x95\x3f\xcf\x54\x53\x05\x58\xad\x5c\xe4\x22\xfc\xe9\x9f\x5f\x26\x50\xb7\xde\xc7\x02\xfe\x12\xbb\xb0\x8c\x28\x51\x9f\x08\xb6\x35\x4c\xf5\x8d\x01\xf0\x27\x23\x70\x70\xcb\x43\x8f\xe4\x80\x7b\x7b\x1f\x7e\xbc\x27\xf2\x74\xfd\x50\xef\x37\xad\x06\x0a\x7a\xdc\xdf\x65\x96\x2f\x8a\x52\xc0\x4b\x56\x9d\x7d\xb3\xd8\x6a\x0f\xeb\x6c\x78\xed\x1a\xdb\x36\x18\x66\xf7\xd5\x60\x65\x69\xd9\x10\xc6\x72\x7c\xdd\x76\xc6\xbb\x2a\x40\x5e\xd1\x2d\xfc\x2e\xdc\x81\x66\x67\x87\xf3\xa3\xa2\x39\xc6\x2f\x65\xd2\xd9\x8d\x8b\x07\xc5\x91\x13\x55\xa3\xa6\x20\x66\x46\xfe\x74\xc0\x75\xa6\x77\x80\x72\x87\x0f\xd6\x52
\xaa\x4d\xf9\xaa\x3b\x96\xf1\x45\xc3\xaf\xa7\x4f\x5a\xaa\x8d\x7f\xf0\x42\x7c\x93\x89\xdd\x54\x62\xaf\x0e\xb6\x82\x8f\x3a\xa5\x4c\x75\x2b\xb4\xc8\x9d\x18\x21\x07\x61\x72\xa9\x25\xf1\x46\xae\xf7\x89\xde\xb1\x4c\x6b\x6c\xb2\x87\x33\x88\xcb\xe0\xbe\x06\x28\x71\x04\x8c\x49\x67\x9d\x72\xc3\xf3\x25\xc7\x7e\xa3\x19\xed\x28\xfa\x27\x86\x10\x40\xf6\xbe\x5d\x4f\x32\xcf\x29\xca\xc1\x12\x43\xda\x04\x2b\xec\xf2\x12\x5d\x21\xe7\x35\x49\x3a\xc7\x69\x4a\xa9\x61\xee\x92\x44\x3f\xc5\x88\xc2\xad\xc0\xf9\x7a\xc7\xb5\xfa\xe1\x0d\x43\xdd\xb8\x1f\x31\x12\x85\x82\x18\x5b\x9a\xa1\x24\xfe\x6e\xd7\x80\xac\x95\x4f\x84\x42\x17\x67\xf9\x0f\x5c\x0b\x56\x94\x43\xd6\x3b\xea\xc0\x68\x4e\xd6\x8b\xc5\x03\x9a\x27\x56\x7b\xd2\x33\xb8\xf2\x67\x5e\x1a\xfa\x14\x0d\xf8\xe1\xe6\x4f\x0a\x90\xec\x55\x3b\x52\x17\x27\x39\xd0\xd6\xb3\x88\x49\x47\xf2\x66\x69\x29\xcb\x5d\xd7\x93\x19\x42\xc0\x6e\x9d\xf9\xec\x79\x17\xf1\xd9\x3a\x2f\x0f\xbe\x5c\xd0\xf5\x73\xc0\x10\x2f\xf0\x20\x5e\x4d\x59\xdd\xd6\x03\xdb\x5d\xa5\x66\x94\xbd\x92\x87\x3e\xe2\x1f\xe7\x78\x6a\x87\x42\x8b\xdf\x19\xa1\xa8\x7d\x72\xba\x69\x7f\xbe\x0e\xd9\x75\xdb\x5b\xb3\xa7\x05\x17\x7f\x3a\x13\x69\xe2\x9d\xec\x75\x81\xd4\x3a\xea\x38\x55\x94\x3f\xf4\xef\xa4\xd7\xaf\x36\x22\xc3\x19\xd7\x8b\x31\x08\x37\x88\xd2\x03\x10\x20\x82\x99\xca\x03\x47\xaf\xff\xe5\x4e\xca\xf1\xfb\xec\xe6\xe0\x93\x5a\xbc\x7a\xa8\xf8\x55\x3f\x99\x96\xff\x1d\x46\xb8\x8b\x78\xdf\x2f\xe2\x67\xf1\x69\x9f\x2e\xbf\x19\x25\xb8\xe5\x0c\xb4\x6c\x8a\x10\x3c\xfb\x55\x65\x10\x15\x5d\xdb\x84\x27\x6e\x1e\x0a\xef\x3f\x41\x1c\x7a\xf3\xd2\x05\x93\xb6\xfe\xc7\x00\x6a\xa7\xa4\xee\x33\x80\x2a\xad\x16\x89\x49\xda\xd9\xfa\x91\x18\x88\xd7\xf6\x1b\xf1\x6d\xb2\x26\x50\x03\x41\x6f\xb5\x76\xde\x44\xf8\x0b\x9c\x90\x1a\xce\x45\x4d\x2b\x04\xb3\x74\xf3\xdc\xfc\x38\xfd\xd6\xed\xcf\xab\x24\xd3\x67\xaf\xf3\xf6\xd8\x29\x8a\x41\x33\xd0\x81\x56\x3d\xe1\x36\x5b\xea\xff\x74\xda\x25\x2b\x24\x8f\xa6\x1d\x80\xe7\x2c\xbb\xd5\x85\x33\xe7\x51\x8d\xba\xe1\xa9\x25\xd9\x91\x2b\xfe\x70\xfb\xc6\x4b\x8c\x81\xce\x26\x25\x30\xbd\x11\xae\x83\xf3
\x66\xe3\x8c\x53\xbf\xd5\xa0\xda\xc9\x78\x5b\x92\x2b\xcd\xd1\xa3\xb6\x83\xf4\x3f\x8d\x48\x5d\xfc\xc6\xdd\x00\xb6\xcd\xde\xa0\x64\xf8\x46\xfb\x26\x93\xd4\x8f\xa9\x7b\x52\x63\xf5\x37\xea\xbf\x6c\x0e\x54\x9a\x78\xd2\xbc\xad\xb2\xe8\xfd\xb2\xb1\xb0\xf4\x7f\xd4\x9d\xc6\x1c\xa1\x05\x8b\xb8\x88\x2a\xa1\xca\x2e\xd3\x41\xfe\xb7\x37\xd5\xea\xae\x0e\xa0\x8f\x94\x5a\x04\xa3\x8b\x6e\x31\x37\xf9\x61\xa7\x56\x3a\xd1\x3c\xec\x30\x07\x2b\x91\x43\xe4\xf9\xc7\x82\x4e\x7c\xbd\xa2\xdf\x89\xb7\x4c\x14\x2d\xad\xaf\x5c\xa2\x4b\x6f\xe9\x09\xce\x3a\x1f\xf3\x7e\xe5\xa0\xb6\x61\xd3\x07\x39\xef\x0c\x37\x2c\xf7\xa1\xb4\xc6\xa0\xe5\x19\xb4\x8b\x40\xdc\x79\x4c\xd6\x13\x56\x75\x66\x09\xf6\x8d\xd5\x8f\x72\x4b\xdd\x86\xdb\x7f\x26\x49\xb9\x0e\x16\x35\x30\xca\x69\xf0\x69\x6a\xdd\xfc\xef\x84\xef\xc9\xf9\xe0\x4d\x9d\x6e\x18\xed\x17\xf7\x4f\xf8\x07\xe9\x2b\x0f\x33\x0f\xb6\xe0\x6e\x0e\x2f\x19\x3e\xa0\x3a\x18\x1c\x86\x73\x95\x0a\x19\xeb\xa2\x2f\xd6\xb1\xb5\x6e\xbb\x33\x6e\x02\x48\xc6\x4f\x93\x6c\xaf\xd3\x31\x1f\xd5\x0c\x50\xfc\x91\x61\x56\xbb\x28\x15\x6d\x15\xd7\xf4\xd5\xa7\x98\xd8\x62\x6a\xfc\x6b\xa7\xd2\x17\xd2\xc9\xf1\xa9\x8f\xed\xe6\x2b\x1b\xac\xfc\x31\x4d\xfa\x89\xe8\xcb\xb8\xc3\x7b\xd5\x26\xdd\x53\xed\xe8\x1b\x19\x53\xce\xf5\x17\x70\x3b\xab\xce\x44\x6e\x86\x3b\xf9\xd2\x46\xb0\x3b\x88\x50\x2c\x7f\xdb\xac\x4d\x87\xf1\xea\xad\x86\xed\x17\x0d\x71\x0d\x81\xea\xf3\x95\xae\xf6\x0d\xc1\x64\xd9\x11\x66\x01\xa5\xa5\x8c\x79\xa8\x92\x75\xc9\x5d\x28\x91\x2e\x87\x08\xfe\xe2\x47\x2e\x6b\x87\xd2\xe0\x77\xd3\x62\xc0\xba\x8f\x4b\xc6\xa5\xe3\x87\x45\xea\xe9\x10\x46\xbc\x61\xe6\xa0\x40\xcb\xfe\x38\x20\x4f\x17\xe6\x04\xf0\xe1\x40\x5e\x8e\xe0\x7d\x71\x41\xb6\x98\xbc\x2b\xe7\x69\x0a\x8f\x0b\xf3\x1d\x58\xae\x90\x6c\xb7\x0e\x4f\xe5\xfe\x03\x56\x31\xd7\x65\x33\xb7\xa7\xb0\x32\xe1\xb1\xee\xe2\x14\x28\x08\x4a\xfb\xcc\x93\x0a\x9f\x28\xe9\xf1\x7e\x26\x9a\x69\x97\xaf\x83\x8f\x95\xe2\xfb\x39\x5b\x54\x0a\x1d\x49\xf3\xd4\x29\x02\x74\xd2\xd3\x1f\x76\x08\x35\xff\x73\x51\xd2\x5b\x62\xe1\x35\xad\xf5\x9e\x01\x18\x87\x2d\x17\x84\x3d\x99\x15
\x4f\x46\x60\xfa\x8f\x48\xb6\xc4\x86\x8b\x1f\xbc\x6b\x84\xda\x61\xf9\x81\x23\x16\x7b\x06\x73\x70\xa5\x4f\xc6\xc5\xa6\x88\xe3\x1d\x42\x01\xac\x4c\x4d\x56\x46\xf9\xa4\xa4\xa8\x04\xa1\x75\x16\x7c\xf7\x9d\xda\x22\xf4\xd6\x86\x72\x81\xcb\x0b\x3e\x09\x99\xfa\xd7\xbf\x26\x51\x2d\x13\x14\x40\xa8\xf9\xec\x75\xfe\x9d\xf6\x80\x54\x78\x55\xd8\xc9\xb3\xb3\xf0\xd5\x14\x19\x7c\x2a\xf0\xd6\x72\x99\x13\x73\xb8\xd4\xac\x1d\xd5\x1e\x1f\x90\x74\x50\xd6\x21\x01\xb5\xe2\x61\x3e\xa2\x89\xc1\x94\xd0\x73\x5e\x1c\x5e\x16\x69\x09\xeb\x71\xee\x2a\x4e\xe5\xff\x99\x14\x0c\x0b\xec\xca\x26\x72\xfa\xf6\x94\x49\x38\xc6\x18\x09\xd8\xbf\x2f\xaa\x56\x1f\x9b\x56\xda\xb8\x5d\xed\x7e\xe7\x35\xd3\x00\xc8\xda\x84\xc5\x7f\x06\x7b\x2f\xe5\x09\x29\xca\xe1\x39\x87\x5a\xbb\xab\x08\x47\x42\xc9\x07\x06\xbc\x31\xfc\x4c\x68\x53\x88\x89\x71\x87\x69\xd1\xc6\xda\x0e\xe1\x82\x6e\xcd\xe1\xf6\x0e\xa6\x6c\xed\x44\xc2\x4f\xe2\x87\x5d\xcb\xc8\x7a\x35\x72\xaf\x96\x45\x5e\xdf\x31\xe0\x51\xe5\x42\x2a\x8e\x29\x10\xc7\xd9\x75\xdf\x64\x48\xda\x0c\x0f\x83\x3f\x61\xf7\x15\x05\x98\xfb\x47\xfa\xe9\x38\x35\x7a\x7b\x64\x5e\x40\x6d\xf9\xa4\xa3\x0c\xdd\x1c\xef\x6d\xdb\x26\x3c\x9f\x06\xb2\x68\x76\x7a\x9a\x0f\x92\xc4\xea\x13\x80\xe5\xe3\x6f\x5f\x2a\x3e\x90\xbf\x87\xd6\x81\x8c\x5a\xef\xc3\x43\x9c\x4f\x4d\xe2\xcf\xb4\xdb\x14\x57\x56\x84\x8b\x27\xb6\x18\xc2\x2f\xee\xa3\xf9\xf4\x60\x15\x57\xf5\x3c\x2a\xae\x71\xdb\xc0\xe9\x46\x82\x43\xf1\xbf\x3b\x08\x6b\x4d\xca\xb2\x73\x4d\x61\x28\xc5\x44\x15\x46\x90\x3d\x2f\xea\x40\xc7\xca\x48\x40\xac\x4b\x1b\x3e\xa8\x89\x7c\xf0\x37\x62\x3e\x42\x7f\xb1\xef\x9c\x0e\x7d\xeb\x9e\xba\x0f\x8e\x5a\x5b\x29\xd4\x22\x92\x3f\x2f\xc8\xc5\xdc\x13\x69\xfe\x52\x67\x09\x24\x7c\x27\x76\xf5\xb7\x68\x7c\xcf\x42\x0b\x0d\xc8\x44\x61\x10\x5c\x2a\x31\xcc\xe9\xde\xcc\xa3\x0b\x74\x6b\xfe\x43\x44\x0d\x49\xc4\x77\x5a\x2d\xfc\x88\xf0\x49\xe2\x3a\x30\xe2\xde\x2c\xe6\x34\x54\x9b\xbc\x0c\x26\x30\x97\xeb\xb8\x04\x4b\x4b\x9b\xb6\xf5\xf9\x5a\x4a\x49\x9a\x3d\xce\x9c\x11\xb9\x94\x87\xd9\x96\xeb\x57\xd6\x54\x09\x0b\x43\x6d\xfe\x0b\x94\x79\x6e\x93
\xfe\xae\x2b\x63\xd0\x13\x20\xaf\x73\x23\xa8\x00\x6b\xc7\x5f\x95\xa0\xc6\xce\x53\x69\x18\x02\xa0\x97\x10\x88\x81\xbd\xa6\x4a\x2c\xf8\xed\x8f\x67\x52\xe1\x98\x15\xe7\x1e\x2b\x85\x54\xfa\xc0\x30\x18\x75\x26\x21\x09\x33\x11\x51\x91\x5f\x6b\x19\x36\x2c\x2d\x82\xc3\x04\x74\x78\x52\x5a\x64\x9a\xe4\xc9\xa4\x1f\x75\x60\x83\xf1\x38\x15\x6f\x6e\xc4\xea\x04\xb4\x4f\x65\x2a\xb1\xe6\x6c\x5c\x63\x0e\x61\x30\x06\x2a\x26\x0b\xe5\x53\xf1\x0b\x8b\x70\x0e\x6c\x6b\x08\x9f\x0b\x09\xce\x11\x7c\xa7\x8d\x45\xae\xc4\x33\x97\x64\xdc\x2e\x39\xb5\xbb\x95\x56\x02\xd5\x73\x23\xe4\x0d\x49\xec\xf8\x98\x71\x84\xa1\x2d\x21\x99\x3c\x03\xb4\x58\xfc\xa9\x8c\x77\x30\x71\xc2\x24\x2d\x90\x59\x65\x99\x33\x6e\x1c\x69\xff\x55\x1a\xf3\xef\x27\xaa\xa7\x4c\x54\x7f\x23\x1a\x1e\xf6\x4a\x2f\xbe\x54\x98\xf5\xbf\xfd\x9e\x59\x7b\x8d\x87\x1a\x07\x3e\x82\xf1\x3f\x5b\xdf\x21\x89\xd3\x61\x64\x9d\xbe\x14\x4e\x7c\x2f\xb2\x6a\x51\x88\x84\xc4\xf2\x76\xaf\xa0\x44\x50\xb3\xb1\x26\x15\x11\xa1\x86\x15\x07\xe9\x4b\xe4\xb0\xc3\x01\xe6\x24\x71\xbb\x95\x33\x63\xe5\x4a\x80\xac\x90\xb2\x55\x1b\x01\x2d\x74\xa5\x62\x1e\x26\x5b\xf9\x12\x60\xa4\x67\xfe\x76\x06\xe7\x95\x92\x27\x2a\xa2\x08\xb1\x29\x35\xa8\x99\x1d\xfb\x81\x7a\x5c\xb0\x5a\xcb\xa7\x9d\xcc\xb9\x7d\x0a\x0f\x9e\xb5\x82\x5e\x16\xd1\x24\xa7\x72\x24\xc9\xa0\x9a\x53\x35\xf1\xce\xd7\x85\x63\x6a\xe3\x58\x15\x98\xaf\x5c\x28\xe5\x4e\xa8\xdc\xc4\xc7\x22\xe4\xa6\x58\xa3\x3f\xa7\xc4\x73\xf3\xb5\xe7\x4e\xd5\x62\x56\x80\xf0\x7c\x7d\x47\x29\x66\xab\x64\x6a\xc3\xac\x2d\x67\x46\x9c\x43\xdb\xab\x6b\x88\x67\x79\xde\xf7\x94\x17\x69\x8c\xfe\xd9\x47\x2f\xdc\xab\x0f\x80\x79\xf2\x21\x28\x54\x41\x88\x1e\xaa\xe4\xc2\x11\xa8\x14\xe6\xd4\xe6\xc2\x5d\x49\xa5\x70\x67\x38\xb0\x3b\x35\xc0\xd2\x84\xfc\xd6\x75\x50\x5b\x0a\xdc\x88\xd0\x43\x90\xf3\xa1\xb0\xc8\x27\x85\xba\x7b\xf0\x29\xaa\x46\x18\x71\x31\xdb\xdc\x36\xaa\xed\x98\x0b\x90\x88\x8e\x67\xe8\xa8\xbe\x7c\x1f\x7c\x5e\x3a\xd4\x44\x2e\x97\xaa\x77\xc7\xe1\xd2\x86\xc2\x9d\x8b\x76\x1e\xc9\x12\x50\x52\x9b\xff\xfc\x56\xce\x2d\x1f\x4e\x79\xcf\x74\x23\x7f\x02\x05\x0a
\xfb\x6e\x25\xd5\x43\x65\x45\xda\x66\x62\x29\x70\xe8\x9e\x4c\xb9\xe7\x7e\x0e\x9a\x66\x72\xfe\xb0\x33\x28\x56\x8d\x75\xd5\x14\x65\x77\x2b\x5e\x40\x8e\x40\xeb\xc9\x67\x6e\x7e\x5e\xe7\xab\x0c\xbf\xca\x5f\xf0\xc0\x23\xb3\x93\x52\x94\x64\x66\x8b\x77\x4a\xe1\xb5\xce\xf7\x6d\x67\xf1\xd7\x35\xb8\x72\x81\x55\x5b\x39\x6c\x78\x58\x70\x1c\x6d\x42\xb0\xf3\x65\xb2\x53\xe7\xbc\xcb\x64\xc2\xdc\x39\xbf\xed\x64\x59\x06\xae\x68\xbc\x5e\xbc\x3c\xda\x73\xf3\x86\xb4\xb9\x79\x53\xb3\xca\x6c\x73\x5f\x7c\x47\xe4\x76\x29\x25\xd3\x59\x94\x80\xe7\xc1\x76\x33\xe5\x27\x6a\xf7\x5a\x60\x33\x2b\xab\x2d\x8c\x03\x9e\x4f\x98\x0a\x7d\xe8\x12\x29\xbd\x17\x4f\x6e\x50\xe5\xde\x20\xd2\x0b\x51\x8c\x41\x8b\x6e\xb6\xa0\x6e\xe9\x37\x89\xfb\x6f\x4a\x6e\xcb\x8b\x01\x69\x1a\xd1\xeb\x2a\xe9\x51\xa4\x2f\x97\x6e\x01\x8a\xc4\xb5\x85\xbb\xc3\xf4\x2d\xa7\x9e\x55\xd1\xb7\xf2\x4e\x90\x9f\xce\xe2\x34\x36\xb7\x27\xdd\x9c\xe4\x7b\x41\xb3\xbc\xaa\x88\x37\x15\xd3\x16\xac\xdc\x55\xe0\xfc\xab\x97\xef\x90\xda\x85\x9a\x80\xeb\xeb\xc6\xdf\xd0\xaf\x95\x24\xe8\xa3\x6b\x3f\x71\xeb\xd7\x03\xb0\xaf\xcb\xd7\xac\xc6\xaa\x41\x36\x48\xad\x93\x5e\x70\x94\xa2\x93\xf1\xad\x65\x9b\xf5\x59\x51\x51\x1b\x8f\xea\xa0\x39\x0b\x98\x2c\x91\xb1\xa1\xbc\x04\xcb\x1e\x15\x8b\x13\x2e\x8f\xf2\xfe\x46\x66\x7f\x10\x31\x2a\x25\x46\x8f\x07\x32\x48\x10\xa9\x7d\xdf\xad\x6d\xf0\xd6\x1e\xe5\xdb\x19\x29\x58\x02\x27\xea\x26\x06\x82\xa8\x93\x7d\x03\x79\xbb\xcd\x79\x6a\xa1\x3f\xe9\x2f\x79\x3e\x95\x8d\x28\xd8\xe4\x56\x4b\xfd\xd4\x94\x4d\x7e\xba\xdd\xdd\x67\x33\x92\xc6\x77\x2d\x09\x61\xce\xbe\x60\xa3\xd9\xe9\xf9\x6e\x4a\x4c\xa0\x7e\x55\xd3\x1e\x9d\x94\x25\xe0\x01\x71\xab\xa0\x2f\x0a\xef\x4b\x8f\x5e\x43\xec\x62\x32\x7a\x95\x0f\xe2\x92\x42\x7d\x51\x34\x76\xc3\x18\x39\xa5\xd1\x1e\x03\xf7\x94\x9c\xb2\xd8\x34\x3e\xf4\xb9\x82\x68\x79\x71\x90\x34\x4a\x7a\x68\x91\xcd\xdd\xe2\x9f\xae\xf1\x33\x3f\x7f\xb7\x50\x69\xa7\x4e\x80\x6a\x41\x21\xad\xdf\x98\x68\x35\x28\x1f\x48\x68\xf1\x5c\x73\x43\xe1\x30\x7d\x23\x7b\xb5\x0a\x7e\xc6\x76\x4b\x9f\x43\x25\xb6\xe4\x13\x57\xed\xc3\x3d\x24\x7a\x58
\x3e\x28\x57\x35\xfa\xff\xc5\xbe\xbc\x40\x04\x76\xaf\x6c\x5c\xdd\x34\x91\x37\x47\x08\x60\xd1\x59\xa9\x76\xef\x3c\x47\x61\x28\x5e\xbb\x8c\x53\xa7\xef\x56\x9e\xe2\xe7\x10\xd4\x18\x19\xeb\x85\xcb\x3e\x38\xc6\xd6\xcc\xd0\x35\x87\xfb\x08\x28\xf6\x31\xc1\x99\x00\x15\x3a\x6f\x1e\xdb\x81\x2a\x58\xea\xd0\x41\xc6\x3a\x6a\xc6\x28\x38\x06\xd3\xcf\xb6\x9b\x65\x59\x1a\x82\x9b\xab\xa9\x7a\x36\x7c\x9b\x0f\x24\x97\xb4\x4f\x3c\xa8\x5a\x07\x31\xe5\x94\x2b\x57\xec\xf9\xc2\xde\xe0\x1e\xf7\xea\x53\x3f\x8b\xa3\x17\xf7\x4c\x30\xf4\x9b\xd6\x94\x89\x73\x53\x61\x09\x22\x92\x20\x55\x09\xc5\x74\x20\x06\x63\xf7\x71\xcf\x4d\x1d\x48\x4f\xe5\xa9\xc4\xcd\x3b\x0c\xc4\x32\xe9\x25\xb3\x02\xfa\xb0\x57\x4b\x53\x60\x6f\x27\x77\x56\x3d\x67\x94\xfb\x5f\xe4\x87\xd5\xce\x7b\x5b\xea\xb3\x99\xbf\x77\x27\xb6\x7e\xeb\xf9\xb9\xda\xcf\x5c\x56\x78\xec\x98\x21\xa3\x4d\xc0\x30\xd0\x36\xd0\x4d\x70\x25\xed\x5b\x17\x82\x96\x5c\xf2\x62\xbb\xa0\xb3\xde\x34\x97\x4d\x1e\x77\xa6\x3e\x9b\xb5\x2d\xc6\x59\xde\x69\x0e\x47\xb3\x5f\x4b\xbc\xa6\x6f\x8d\x5e\x0a\x27\x1a\x04\xa2\x89\x43\x5f\x5d\xc9\x01\x3c\x06\x52\x63\x3d\xcc\xe4\x10\x2f\xcb\xe4\x7f\xb4\xc5\xeb\x9a\x6e\xaf\xf5\x46\x3c\x73\xc1\x1e\x37\xe8\xdf\x9d\xab\x09\x32\x33\x49\x22\xfe\xd8\x0d\x5e\x3e\xd1\x25\xdd\xe3\x76\x4f\x48\xd4\x96\xf4\xf3\xb4\x9f\x03\x22\xa9\xb9\xb9\x68\xff\x75\xef\xed\xb3\x69\xb4\xb1\xc9\xaf\xc5\xd2\x7e\x68\xd7\x6d\x17\xc2\x16\xc4\xfe\xd8\x2d\xc2\x48\x7a\xab\xc6\x60\xbb\x55\xb2\xee\x17\xd6\x83\x65\xda\x84\x08\xc4\x5a\xf3\x87\x83\xac\x2b\xe5\x47\x72\xbb\xea\x41\xf5\x86\x84\x56\xee\x66\xa2\x7a\x36\xbe\x49\x9a\x5e\x5d\xd3\x39\x6f\x48\x05\xe2\x2a\x2c\xdc\x22\x90\x79\xc2\xa5\x3c\x92\x99\x55\x92\x69\xed\x1c\x51\x22\x13\x54\x4f\x2b\xf3\x31\x38\x8e\x1c\xb8\x5e\x55\x50\x91\x5f\x8f\x27\xa4\x7b\xa9\xfc\x9a\x50\xce\x01\xcd\x2b\x53\xb3\x7f\x35\x79\x66\xf1\xd0\x0b\xd3\x40\xe0\x50\xc9\xd8\x4f\x29\x14\xb8\xab\xd4\x29\x48\x26\xe7\x50\x0b\x0d\xca\xe9\xcd\x4d\x28\x4d\x17\x34\x56\x53\xcc\xb4\x69\xc5\xee\x3a\x31\x05\x8e\xae\x14\xfe\xd7\x55\x85\xcd\xe2\xfd\x71\xb8\x8e\xbf\x51\x73
\x59\x77\x4e\x90\x23\x46\x6e\xa5\xa4\x79\x56\xb8\x22\x56\x71\x79\x2d\xf4\x5b\x9f\x38\xb1\x0a\xb0\x3f\x9e\xde\x1d\xdb\x2e\x15\x7d\x61\xc0\x95\xd9\xb8\x2b\x97\x7c\xc0\x9d\x92\x97\x45\x56\x0f\xe8\x10\x65\x03\xff\x7d\xd2\x28\xdb\x22\xb2\x51\x77\x68\x97\xee\x15\xb1\x80\xb4\xb4\x63\x1f\x85\xec\xf6\xa6\x07\x4e\xfd\x2c\xdf\x40\xa4\x48\xda\xd6\x23\x31\xc2\x7e\xd8\xb3\x37\x7f\xde\x4b\x15\x33\x12\x6a\x4d\xc7\x08\xb7\x72\x02\xf6\xf8\xc0\x15\x96\x6e\xf7\x11\xc4\xc4\x96\xe9\x03\x4c\xf1\x5a\x33\xbc\x99\x8a\x43\x26\x5e\xdf\xe4\x36\x34\x2d\x7e\xb4\x97\x3b\xe8\xab\x0a\xe6\x71\x9a\x1a\xaa\x41\xe0\xd7\x6d\x95\x2b\x06\x80\x8d\xff\x02\xfd\x81\x60\x34\x29\xa3\x6f\xf7\x44\x0e\x0b\x21\x5d\x9e\xbc\x90\x8e\xfc\x14\x5b\x6e\x1b\x7f\xeb\x53\xbd\x5e\x17\x5c\x7d\x1a\x77\x64\xf9\x04\x07\x44\xb8\x1d\xb8\x6f\xd2\x2c\x0a\x38\xa2\xda\xf7\x44\x0b\xbf\xe8\x83\x50\x09\xd4\xae\xbb\xb1\x1a\x0e\x91\x48\xbc\x04\x95\x1f\xc0\x6e\xc1\xc2\xa2\x68\xa0\x5c\xc2\xcc\x76\x79\x1b\x82\x26\x9f\x96\x3d\x3d\x2f\x56\x4a\xe0\x37\x89\x60\x19\x40\xd5\x6f\x28\xe5\xab\x01\x52\xac\xf6\x63\xe4\x81\x19\x52\x09\xef\xc1\xa3\xa1\xb4\x72\x53\x6e\x0a\xcf\x9a\xe3\x83\xb5\x95\x1d\xfb\xb6\xbd\x4d\x1e\xb5\x55\x01\x02\xc3\xd7\xfa\x23\x65\xa3\x6f\xb7\xc5\x94\x9c\xc7\x27\xce\x57\x31\x1d\xec\x52\xa4\xc3\xb9\x1f\x0d\x5e\xc3\x67\x7c\x26\x5d\x58\x35\x53\x5f\x16\x00\x69\x85\xce\x84\x6e\xf1\x2a\x46\xcb\x86\x62\xcf\xf8\x5a\xf2\xff\xd4\xb3\xb3\x50\x85\x70\x5d\x45\xdf\x3e\x8c\x60\xee\x49\x63\x82\x3c\xea\x99\xdd\x55\xc0\xc3\x3d\xa9\xde\x35\x4f\x70\x9f\x2a\x45\x83\x56\x13\x25\xc4\xa5\x95\x4a\x34\xe2\xab\x32\x73\x8c\x2f\x3f\xbf\xb2\x78\x6a\xa5\x78\x28\xef\x30\x91\x12\x2e\x59\x32\x05\x8c\x12\xd5\x0d\x0e\x89\xee\x5d\xc1\xe3\xee\x41\x35\xd3\x8c\x0c\x98\x4d\xaf\x39\x47\x67\x02\x72\x71\x4d\xe8\x93\x57\x20\xc1\xf3\xd3\xdd\x9f\xc5\x75\x29\xa7\x50\x13\xd8\x59\x46\x48\x42\x33\xce\x69\x25\x77\x18\xd3\xcd\x66\x7c\xd0\x88\x6d\x1f\x3c\x25\x7c\xca\xc6\xb4\x8e\xe5\xcd\xc0\x3e\xb6\xc6\xaa\x2a\x78\xd6\x8e\x2a\x9c\x22\x53\x95\x44\x50\x91\x57\x62\xf3\xf2\xfa\xde\x0a\xc7\x85
\x93\xcc\x38\xe5\x5c\xef\x3b\xc0\xbf\xb9\x38\xeb\xd0\xa6\x1c\x73\x9c\x02\x4a\xdd\xaf\x44\x34\x06\xa7\xb6\x02\x63\x60\xa7\xfc\x87\xc2\x74\xa9\xbd\xcd\xb2\xeb\x5c\xf4\x70\xb5\x3f\x7f\xc1\xbd\x4e\xd0\x5c\xea\xa6\x65\x28\xce\xf7\x9e\x9d\xe7\x8d\xa4\x2b\x16\x7c\x82\xcf\x4d\xad\xca\x57\x07\xd0\xa1\x66\xb0\xf4\x1b\x7f\x7e\x34\x21\xa8\xf8\x8f\x6d\x88\xd2\x4c\xfd\x99\x81\xb5\x0b\x6c\x34\x2b\xb4\x9c\xce\x4b\x82\x3f\x3c\xfd\xb1\x7b\xba\x24\xfd\xb1\x60\x1b\xa0\x60\xa4\x79\x2c\x09\x09\xa7\xc7\xce\xbf\x0c\x33\xe8\xff\x27\xfb\x6e\x32\x7c\x88\x77\xfb\x31\xef\xd8\xbb\x0b\x9f\xca\x28\x29\xca\xc2\xc1\x43\xf4\xa5\xbd\x0a\xfb\xa4\x32\x45\x48\xaf\x32\xf0\x5f\x58\x1a\xe2\x64\xc9\xe2\x0d\x0f\x16\x04\xe1\x12\xc6\xe2\xbc\x51\x8b\x78\x09\x7c\x14\x5d\x87\x1a\x3c\x02\x87\x37\x1b\x0c\xf6\xbd\xcf\x17\x26\x63\x71\xc7\x46\x4d\x87\xa5\x5f\x52\xe0\x1e\x29\x78\x66\xd6\xd4\x98\x86\x8a\xc0\x16\x48\x24\x9c\x1e\xdd\x31\x45\x80\xbf\xc3\x58\x34\xb1\x5d\x10\x8d\xdb\xaf\x6c\xa3\x53\x6a\xa4\x31\x61\x01\x9c\x3a\xf0\xb3\x31\xd9\xd0\x71\xeb\x0a\x50\x44\x23\x55\xa2\xa2\xe1\x95\x47\x4e\x13\xb7\x97\x1d\x95\x6a\xd5\x4e\xd5\x90\xb4\x29\xd6\xa1\xec\x7e\x38\xd4\x1a\x27\x53\x6b\xbb\xfa\xda\xd1\xb3\x5f\xc8\xf8\x27\xa9\x2e\x0b\xaf\xfa\xbb\x81\x18\x16\xcf\xb4\xcd\xac\x4b\x98\xc5\xf6\xf7\x1c\xdc\xf3\x06\x49\x53\x6f\x78\x00\xeb\x6b\x7c\xee\x22\x2d\x64\x16\x5e\x0c\xa9\x50\x46\x93\xb6\xd8\x45\x9b\xc3\x27\xe5\xda\x2e\x6f\x38\xa4\xee\x24\x72\xca\x5e\x6c\xaa\x08\x11\xd0\x42\xf8\xfb\x32\xa9\x9b\xd3\x61\x01\xcf\x19\xac\xce\xee\xd7\x3b\x44\xe3\xde\xb2\x23\xcf\x28\x2e\xcd\x4c\x43\x9f\x55\xf5\xc2\x74\xe2\xc7\x56\xc6\x7c\x23\xc0\x0e\xf7\xbf\xfa\x4b\x60\x12\xa1\x33\x4d\x0c\x97\xf8\x16\xa6\x12\x3c\xbc\xb7\x7a\xce\x8e\x7b\xe0\x51\x52\x69\x24\x86\x22\x02\x8b\x7a\x9c\x0e\x49\xf1\xc8\xdd\xe8\x66\xd3\xbb\x0c\x53\xdb\x9c\x67\xb1\x0b\x20\xd4\xbb\x26\x3f\x2c\x5a\x01\x85\xba\xcc\xfa\x7b\x8f\xe8\x25\x65\x70\x78\xfa\xba\xb0\x03\xb9\x31\x8a\x84\xf7\x65\xda\xaf\xc3\x7f\x49\x6e\xfb\xbc\xe9\xfa\x5d\x2c\x1f\x0a\x4b\x2a\xd0\xcf\x92\x69\x61\x84\x40\x71\x3b
\xc3\xd9\x29\x85\xff\xbd\x6c\xc1\x9a\xfc\x86\x70\x30\x44\x37\x0e\xab\xc4\xde\x11\xf3\xbc\xbf\xb2\x21\xdd\xdc\x51\xbb\xa3\x52\xdc\x28\xfd\x49\xc0\x84\x04\x7f\xb0\xed\x8b\x97\x42\xa9\x6e\x53\xef\x4c\xcb\x94\xce\x4c\xad\x74\x6e\x9c\xae\xee\xc8\x43\xf7\x2b\x77\x9c\xc5\x8d\x25\xfe\x93\x1c\x1a\xf8\xa7\x95\xe1\x95\x68\x5c\x92\x18\x58\x03\xad\xbe\xc6\x06\x6c\xdd\xd8\x7e\x0b\x9a\x53\x80\xaf\xcd\x80\x79\x8f\x58\x08\x59\xea\xb3\x17\xcb\x27\x83\x11\x2a\xf7\xb3\x62\xa5\x9a\xe7\xa8\x24\x74\x94\x40\xe6\x66\x61\xb7\x88\xb8\x56\x05\x49\xa0\xb1\x35\x0d\xfb\x7a\x5e\x88\x92\x8d\x55\x8c\xbc\x8a\x26\xa0\xd7\x4e\x67\x63\x4e\xe9\xec\x1c\x1c\xa0\x8a\xfc\x5b\xeb\x43\xda\x65\xf4\xae\x0a\xc7\xeb\x25\x74\x42\xc9\x99\x0e\xdc\xf9\x3b\x1d\xad\xfe\xa9\x0b\xc2\x92\xbb\xf1\xd8\x23\xc6\x1e\xe9\x69\x24\x9f\x67\xbe\x07\xd7\x0d\xf8\xaf\xc7\xc3\xe5\xbf\x14\x5f\x28\xa2\xd0\x6c\x88\x0e\xff\x9a\x18\x11\x27\xc1\x34\x60\xa0\x6b\x36\x64\xa9\x4c\x88\x8b\x07\xaf\x77\xe8\x4d\x60\xde\xab\x76\x42\x28\xff\xea\x21\x63\x3f\x02\x04\xa5\xd7\xec\x4a\x0b\x30\x3f\xb0\x8f\xb7\x67\x28\xc4\x3d\x90\x73\x80\x01\x83\xc8\xb9\x9e\x22\xd6\x05\xa5\xe6\x39\x9c\x04\x9f\x7f\x88\x7c\xb9\xd7\xfb\xa9\x4d\xb3\x23\x08\x4b\xf9\x4d\xf5\x44\xf6\xce\x2d\xd4\x9a\x21\xd2\xca\xb5\x4d\xf0\x43\x97\x48\x2a\x64\xd2\x90\x0b\xb4\x0f\xa8\x7f\x42\xec\x75\xd6\x8b\xab\x17\x71\x4a\x93\x4b\xcd\xf3\x6f\x87\x07\x4f\x60\x28\xf9\xd6\x1a\x00\xad\xff\xc0\x6d\x62\x4b\xc6\x42\x97\x05\x96\x82\xcc\x8a\xdc\x7e\x2f\xb2\x10\xbd\x22\xfb\xd4\xad\x3d\x35\x15\xf7\x1b\x93\x31\x26\x75\x9e\xc4\xc0\x01\xed\x5c\xdb\xac\xe7\xcc\xe4\x31\x9b\x7a\xb5\x0f\xfc\x8f\x2f\x8f\x1b\xb8\x1a\xc0\x7f\x81\xdf\xff\x33\x54\x50\xac\xf0\x8e\x13\x91\x2d\x3c\x5f\x3a\xa1\x25\x81\x81\x1e\xbd\xb4\x41\x6e\xad\xa2\x59\x65\x1c\x07\x0b\x06\xea\x7e\x18\xa8\xf0\xc4\x00\x57\x5a\x0e\x7f\xdc\x4c\x88\x64\x5d\x35\xc2\xd3\x6a\x8c\xe6\xa2\x97\x2f\x35\x5d\x1a\x5d\x83\x2c\xd7\xef\x2c\x61\x1f\xd1\x10\x59\xda\x39\x0e\xc8\xc8\x74\x91\xd4\x96\x4f\xa4\x0b\x80\x83\x90\x57\x36\x2e\x67\x64\x55\xc7\x17\x2a\x23\x15\x4e\xfe\xba\x6f
\xc9\xab\x4c\x15\xa7\x37\xe2\x99\xc1\xf1\x4d\xaa\x8f\x34\x97\xe3\x37\x0a\x52\x3e\xc1\x5c\x52\xba\xd9\x87\x10\x90\x03\xf8\xdc\xee\x4a\xc6\xc9\x0b\x0f\x8e\x4b\x74\x91\x97\x87\x88\xa9\xc1\xb2\x3a\x14\x39\x6b\x50\x8a\xa9\x51\x75\xfe\x3b\xd6\xa8\xb4\xa9\xc2\x17\xf4\xc9\x84\x2c\x1c\x33\x9d\x4d\x95\xdb\x83\xce\x6e\x7e\x7a\xc8\x8e\xae\x04\x13\x96\x10\x55\x22\x0b\x65\x69\x3d\x49\xa2\xf6\x96\xf6\x41\x42\x19\x25\xb4\x2f\x77\xb0\xf9\x43\x12\x39\x52\x7f\xd6\xd8\x6d\x6f\x9a\xbd\xf3\xd2\x7c\x0a\x79\xa6\xb0\x5a\x61\xdd\x7d\x99\x3d\xe2\xd4\xee\x99\x73\xb7\x78\xff\x19\x5d\x12\x40\xdb\x18\x36\xa5\x25\x8b\x4f\x57\x44\x97\xca\x2f\x9b\x34\x97\x78\x00\xe7\x28\x29\x7d\x98\x3e\x1e\x58\x5f\xaf\x45\x38\x1b\x47\x6d\x25\x31\xe8\x6c\xc6\xe8\x35\xa9\x72\xc3\xa5\xbb\xcc\xba\x7d\x85\x2e\xdc\x83\xbb\xad\x4c\x85\x20\x64\x00\x70\x87\xbb\xd3\x6b\xf8\xa8\x00\xf9\x1e\xea\x0a\x72\xd9\xa7\x5f\x5d\xb3\x5b\x10\x98\x68\x6d\x51\x34\x0a\x17\x2c\x70\x1b\xc4\x7b\x14\x0c\xe5\x2e\xf4\x75\x02\xd0\x07\x1e\x54\x55\x97\x97\x5a\x55\xca\x1e\x91\x21\x76\x45\xe3\xcf\xeb\xf4\xa6\x20\x1a\x84\x81\xf6\x51\x13\x86\x0f\x59\x28\x63\xaf\x1d\xd4\x73\x38\x3b\x1b\x79\xab\x32\xcf\xcd\x46\xe6\xac\xe2\x95\x8d\x42\xcc\xe5\xf9\xb2\x34\x76\x81\xf7\x70\x7a\xb4\xa3\x5f\x9a\xf5\x21\xd4\xc1\xba\xd7\x51\x30\x33\xa5\xf7\xaf\x2b\x7a\x2d\x3a\x49\x14\xd3\x84\x62\xb1\x6b\x85\xd6\x9f\xa6\x0c\x0c\x5e\xf5\x4b\xa2\xfb\x78\xfb\x15\x6a\x94\x7c\xf8\x0b\x1d\xac\xcd\x58\x9f\xdd\x07\x91\xb3\xa9\xeb\x83\x5b\x61\x53\x4a\x16\xf8\xf4\xb1\xca\xbb\xd3\x86\xb4\xc2\x1b\xa9\x7d\xe9\x16\xd2\xcf\x48\xb7\x20\x8c\x1b\xda\x77\xec\xf8\x16\x77\xcb\xce\x25\x58\x2c\xca\xb9\xa6\x5a\x2b\x73\xdd\x34\xb0\x02\xc2\x34\x94\x8a\x42\xb5\x66\x4d\x56\xd8\x24\x42\x9a\x78\xb6\x97\x03\x67\xec\x17\x0d\x1b\x11\x0b\x22\x23\x17\x58\x72\xbd\xc8\x66\x31\x8d\xe0\x66\xfe\xa5\x60\x15\x1d\x88\x25\xde\xe8\x2d\x34\x4b\x81\x6f\xb5\x5a\xaa\x52\x4e\x86\x08\x62\xac\x0c\x36\xcb\x6b\x6e\x81\xf4\x12\x3d\xa5\x9c\xb3\xef\xfe\x29\xce\x76\x98\xe2\xaa\x0c\x60\x36\x82\x0c\x45\x7f\x40\x42\x33\xe3\x22\x61\x31\x9a\x46
\xbc\x8b\xd3\xde\x3c\x94\x8d\xc5\x2e\x27\xca\x52\x7d\xf7\xad\x68\xe6\xc4\xd4\xba\x8f\x6b\x43\x13\xa2\x94\x02\x98\x10\x59\xa1\x48\x79\x7f\xa0\x88\x02\x57\xfe\x04\x27\x01\x19\x28\xaf\x75\x2f\x81\xb8\x18\x68\x02\x10\x8f\x05\x90\x19\x50\x39\xc8\x38\x25\x72\x02\x42\x14\x10\xb8\xa3\x59\xe6\x9d\xdc\xd4\x74\x70\xf4\xd0\x5a\xe2\x89\x83\x4b\xe3\x04\xca\xf4\x9b\xbb\xac\xfd\xbe\x92\x7f\x42\x3b\xe9\xb8\x78\x82\xb0\xfa\xb4\xf5\x0b\xc7\xcd\xbf\xf6\xef\x10\x1f\x33\xf7\x03\x55\x6d\x45\xb6\xac\xe1\x64\x3c\xd7\xe7\x5a\xcf\x74\x06\x3e\x3e\x34\xe9\x63\xdb\x19\xf0\xd1\x9f\x14\x82\x9c\x91\xc4\x50\x66\x1d\x0e\x80\x9d\x5b\x79\x09\x69\x5b\xa1\x54\x46\xc8\x76\xa1\x67\xec\xca\x09\xfc\x00\xe1\x73\x7c\xbd\x4e\xf4\xf7\x0a\x50\xe3\xa0\x0f\xc9\x6f\x0e\x10\x23\xe5\xc8\x1e\x67\xd2\x47\xae\x0e\xc7\xec\x26\x72\x52\x80\x4a\x65\xb3\x01\xb9\x1a\x59\x9b\x8c\xe3\x7d\x95\xa9\x3d\xd9\xa9\x11\xdf\xb3\x95\xf3\x61\x92\x4e\x82\xea\x28\x1e\xfd\x7a\x2e\x01\x5a\xad\xaf\x64\x85\xfc\xea\xee\x0a\xb9\x05\xe1\x39\x6c\x12\x56\x03\xaf\xf4\xca\x16\x5f\x74\x9c\x23\x31\x02\x50\xf8\x00\xb2\xa8\x79\x17\xb9\x42\x1b\x0b\x4c\xde\xc9\xd8\x64\x14\xeb\x82\x23\x74\xb0\xd4\x32\x53\x58\xb2\xbf\x43\xe0\xe3\x12\x58\x88\x79\x76\x5c\x25\xc0\x98\xd1\x71\x86\x53\xbe\xa5\x27\x68\xdd\x7f\x10\x0f\xbd\x2b\x6a\xfc\xcf\x02\x13\x46\x9a\x7f\xa2\x5b\x5f\x77\xc6\xb5\x6c\xa0\x9d\xf8\x86\xa1\x6e\xd2\x4f\x51\xe2\x1d\x07\x8f\x25\xc4\x88\x87\xda\x12\xde\xa5\x7c\x8f\x48\x25\xf2\x7a\xe3\xd9\x16\x01\x96\xeb\x6b\xe0\x9f\x7b\xe8\xb2\x39\xa0\x5d\xbf\x6a\xae\xca\x96\x37\x09\x0d\x1e\x6f\x76\xeb\x93\x69\x27\x4c\x3a\xad\xa3\x36\x24\x3b\x8b\x9c\x59\xc3\xf9\xc9\x1a\xb4\x3f\xc9\x27\x3b\xb5\xbf\x2b\x59\xde\x8f\xbc\x50\x6c\x94\x36\x56\x5e\x4c\x9b\xa2\x96\x50\xb3\x78\x4d\x87\xf3\x37\xa4\xa4\xb5\x28\xca\x2a\x28\x0c\xed\xc3\x69\xb0\x09\x0c\x3f\x69\xc7\x60\x4a\x6d\xf3\x1f\xba\x78\x1c\x07\xd5\x8d\xba\xdd\x7c\x85\xa6\x26\xf8\x85\xf0\x9a\x91\x22\x4e\x79\xbd\x68\x79\x3f\x16\x7e\xbd\x8d\xa1\x0e\x5d\xa7\x8c\xfa\x7e\xbf\x10\xa8\xf2\xc9\x00\x3f\xb1\xcd\xd8\x7e\x46\x98\x61\xf3\xed\x23
\xd2\x5b\xcb\x14\x53\x0a\x8f\xf8\xd9\x1e\x9e\x0c\x7c\x39\x76\xc3\xaf\xc7\xbd\x50\x05\xcc\xef\x59\xfa\xec\x52\xba\x35\x69\x3d\x0f\x0d\xce\xba\x84\x3a\xdd\x5a\x74\x7e\x0a\xa7\x2f\x09\xf2\xf4\x52\x81\xc9\xd4\xc6\xf1\xbb\x78\x37\x9a\xec\x78\x2c\x64\x81\x0d\xe3\x23\xc8\xab\xac\xc9\xfb\x7e\x7d\xbc\x1e\x29\x13\xa8\x5d\xf0\xbd\xb6\xac\x70\x1a\x68\x26\x9e\x79\xab\x28\x45\x8c\x02\x91\xe1\x84\x0b\x34\xac\xe2\xd0\xdc\xa9\x02\x9f\x6d\x95\x0e\x6e\xf1\xe5\xcb\xb9\x52\x4d\xb5\x01\xdc\x30\x22\x73\x3c\xb1\x0b\xb7\x4e\x9e\x69\x82\x45\xa9\x8d\xff\xe2\x37\x8c\x42\x54\x81\x19\xdd\x60\xf2\xb0\x21\x95\x3b\x30\x0f\x38\x97\x26\x61\xc3\xeb\xdf\x64\xa3\xaf\xb3\xc6\x29\xcc\xa5\xec\x93\x8c\x31\xee\x8c\xb6\x82\xdd\x38\xf3\x58\x18\x12\xf7\xba\x64\x31\xc1\x60\x65\x90\x39\xe7\xcf\xe7\x85\x9b\x1a\xa8\x13\x08\x33\xf1\xf6\x37\x24\xf8\x63\xb3\xe2\xa1\x8f\x9e\xbd\x1e\xa6\x14\xd3\x0d\x28\xbd\x4f\x5b\x8c\x26\x17\xbe\xcd\x8a\x4d\x8b\x3a\x9b\x42\xb8\x5d\x8e\x80\xc8\xfa\xf7\xd9\xcf\x56\x37\xdd\x98\x82\x6a\x10\xb6\x92\x40\x29\x33\xd2\xae\x0e\xa9\x08\xff\x5d\x6c\x22\xfc\x33\x5b\xe0\x06\x14\xa0\xf5\xe7\x00\x4e\xbe\xf7\x1f\xd2\x3d\x3f\x90\x11\x59\x84\xf0\xe4\x6e\x82\xac\x8b\x03\xe5\xd2\xbf\xea\xa2\x19\x23\x33\xc1\xa0\xa9\xfb\x19\xa7\x5b\xdc\x8f\x90\x58\x33\x6e\x86\xf3\xf7\xb3\x0f\x0b\xed\x24\xc4\xb2\x30\xcd\xfc\x92\xa9\x88\x5b\xe5\x1c\x0b\x85\x1c\xd7\xa0\x4a\x62\xfb\x3c\xe4\x7e\x76\x5a\x11\x4e\xf7\x68\x6b\xc7\xd8\x2e\xf5\xe1\xca\x02\x14\xb9\x5b\x64\xe5\x7f\x85\x12\x15\xce\x5a\x47\xdd\xfb\x91\x93\x2c\x85\x4c\x65\x25\xeb\xe7\xf6\xe1\x68\x45\xfa\x22\x5a\x74\x09\x3f\x6a\x26\x80\x08\x5a\x8f\xef\x66\x54\x1f\xc3\x64\x3f\xc8\x14\xc5\xa8\x06\x41\x5f\x70\x68\x8a\x4b\xe7\x7b\xea\xf7\x5d\x71\x02\x6e\x4d\xff\x38\x00\x12\x4b\xde\xc0\xe0\x65\x46\x3e\xdc\x69\x64\x1f\x67\xc7\xc4\x2b\x8e\x02\x5f\x81\x40\x6f\xd4\x89\x6d\x5d\xb8\xe1\x9f\xec\x09\x98\x09\xad\x50\xa9\x8a\x83\xb3\xca\xa8\xfd\x87\x31\x05\x14\xf4\xa7\xaf\xd9\xa9\x70\xc4\x56\x23\x1d\x91\x6b\x26\xd5\xc6\x2b\xc4\x83\x4a\xf9\xbc\x27\x77\xa7\xc7\xd3\xbb\xf5\xf2\xc6\xd8\x28\x93
\x5f\x3b\x82\x77\x43\xc0\x92\x22\x32\x8e\x8e\x82\x91\xbb\x28\x3e\xba\x7d\x4b\xc8\x97\x87\x7f\x6e\x50\xa5\xfa\xbc\x77\xab\xf3\x15\x34\xd7\x00\x96\x2e\xde\xcb\x1d\xf4\xee\x12\x28\xa7\x29\xdf\x7d\xa8\x57\x71\xa3\xf1\xe3\x04\x29\xfa\xc9\x93\xd9\x73\x8d\x9d\x67\x28\xbf\x49\x2b\x47\x91\x43\x8c\x3c\xf6\xd5\x9a\xf8\x09\x97\x4a\xec\x44\x80\x98\xc2\x6c\xb3\x79\x1e\x43\x72\x40\x76\xef\x5c\xa9\xc7\x0c\xb3\xf5\x8a\xcc\xb5\x39\x94\x37\x86\xce\x98\xb0\x92\xc9\x65\xa1\x47\xd1\x87\x0a\xd4\x54\x68\x6b\xa5\x79\xc9\xd1\x0a\x61\x31\xd4\xd9\x80\xff\x68\x89\x8f\xb1\x1a\x0a\x9f\x61\xe6\x0a\x86\x42\x7f\x60\x66\x00\x88\x98\x4e\xed\x16\xac\xf6\xd3\x14\x30\x18\x3b\x81\x91\x2a\xdc\xde\x80\x84\x45\x71\x22\xec\xdd\x70\x54\xcf\x3d\xdd\xee\x25\xa9\x75\xfb\x24\x48\xe7\x1a\x27\xae\xdf\x68\x68\x5e\x9e\x8b\xf6\x07\x05\x6d\x68\xd7\x20\x60\x75\x99\xcb\x49\x97\xa1\xd5\x91\xa1\xcc\x17\x4e\xdd\xc6\x6f\x39\x16\x0a\x2e\x55\xee\xe6\xc8\x2b\x21\x8c\x5b\x96\x3a\x02\x68\x11\x7f\xcc\xda\x93\x14\xd7\xde\x3b\x1b\xfd\xf1\xde\x33\x83\x10\x41\x8d\xbb\x11\xf7\x3b\xfc\x1a\x70\x5a\x7f\x12\x56\x0c\x6a\x83\x6e\xbc\x1c\x92\x7d\x14\x27\xeb\x6d\x71\x04\xf9\x42\x70\x5a\x25\xe7\xa7\x94\x88\x76\x8c\x70\x7c\xdd\xb0\x59\xd0\x6f\x4f\x55\xd6\x41\x14\x65\x8b\xb3\x27\x07\x2a\x0f\x24\x8f\x91\x91\xae\xbf\x83\x8c\xcf\x46\x4e\x3d\xb3\x8b\xd0\x15\xc1\xfe\x7e\x0a\x1c\xe8\xc8\x54\xe0\x64\xad\x28\xdf\x20\x85\x4e\xca\xf4\x42\x88\x1d\x5b\x92\x2d\xb3\x32\x7a\x73\xa8\x00\x7f\x84\xaa\xcb\x94\x1b\xc1\x23\x27\x42\xd0\xad\x98\xeb\x8f\x05\xa8\x12\xc7\x95\x7f\xb4\xb6\x88\x52\x2e\xa6\xa1\xd5\xef\x22\xda\xbf\x25\x37\xb5\xf6\x8d\x81\xe0\x6b\x51\x78\x39\xb4\x74\x23\x85\x64\x96\x79\x29\xfa\x82\x31\xeb\x8e\xaa\x9b\xf7\x95\x54\x91\x79\x39\x33\x6f\x71\xed\xad\x5c\x01\x1d\xe4\xa9\x88\x7c\x9d\x8b\xfe\x58\x8c\x17\x47\xb4\x7e\xca\xe6\x41\xae\x07\x6a\x53\xcb\x66\x1d\x34\x46\x59\xed\x82\xa4\xf1\x06\x12\xea\x2e\xe0\x0a\x44\x4d\xe7\xe4\xb1\xa0\xc5\x61\x4d\x4a\x63\x69\xb4\x8c\xfa\xe5\x31\x6e\x83\x89\xcb\x72\x0a\x11\x11\x71\x38\x3a\x78\x79\x80\x31\xaf\x5e\x49\x76\xb8\x91
\x75\xac\x1e\xfa\x79\xca\x7d\xd7\x28\xd2\x1c\xf2\x85\x3f\x69\x87\x03\x79\xdc\xd6\x91\xf4\x12\xb0\xda\xbb\x49\xf7\x4d\x48\xf9\x31\x3b\xe4\x58\x95\xe8\xd4\xe7\x8e\x23\xe3\x57\xa9\xa2\x29\x4b\xef\xb1\x73\xce\xcc\xdd\xb7\xde\xc8\x47\x81\x92\x0e\x95\x1e\xcc\x86\x3b\xdc\x84\x3a\xf7\x53\x5e\x72\x1a\x7a\x7f\x5b\xd6\xe0\xd3\x7f\xe9\xe5\xb5\xaf\x3f\x2a\xaa\x62\x96\x71\x12\xc0\xfe\x84\x8d\x3c\x38\xa6\x46\xde\xd7\xde\xba\x1a\xb9\x8d\x40\x88\x1b\xa2\xfc\x91\x8a\x86\x64\xbb\xab\xea\x14\xbe\x6f\x5b\xb9\x2e\x25\x4c\x47\x1b\x32\x4a\x02\x6c\x66\x1d\xe4\xb9\x7b\xa0\xae\x1f\x67\x06\x3f\x41\xa5\x61\x9d\xa8\xa4\x9a\x7a\xd6\xcf\x81\x53\x97\x7a\x4c\x63\x17\x1b\xba\x20\x88\x4b\x73\x44\xc4\x05\xd6\x1b\x9c\xe3\xce\x90\xdd\x0b\x6d\x86\xbe\x27\xc0\x28\xa2\xa4\x8f\xe0\x40\xd6\xf9\xd2\xf5\xdc\x24\x66\xcb\x9f\x74\x5e\x5a\x98\xe5\x26\x64\x98\xb1\x4d\x16\xe3\xfc\xee\x12\x02\x6c\x0f\x46\xb7\xfd\x1d\x30\x07\x65\x05\xcd\x64\xc1\xd6\x0c\x5c\xac\x8c\xb4\x00\xea\x6b\x75\x22\xc1\x65\xb0\x09\x4f\xf0\xff\x65\x6d\x08\x16\x73\x05\x6b\x73\xee\xe3\xef\xcb\xfb\xa2\x60\xff\x87\xe4\x30\x4c\x8e\xb1\x4a\xea\xdf\xda\xa0\x95\x70\xf6\x30\x64\x6c", 8192); *(uint64_t*)0x200000006c80 = 0x2000000036c0; *(uint32_t*)0x2000000036c0 = 0x50; *(uint32_t*)0x2000000036c4 = 0; *(uint64_t*)0x2000000036c8 = 8; *(uint32_t*)0x2000000036d0 = 7; *(uint32_t*)0x2000000036d4 = 0x2d; *(uint32_t*)0x2000000036d8 = 7; *(uint32_t*)0x2000000036dc = 0x8000008; *(uint16_t*)0x2000000036e0 = 7; *(uint16_t*)0x2000000036e2 = 0xfc00; *(uint32_t*)0x2000000036e4 = 0x3ff; *(uint32_t*)0x2000000036e8 = 0x59; *(uint16_t*)0x2000000036ec = 0; *(uint16_t*)0x2000000036ee = 0; *(uint32_t*)0x2000000036f0 = 0xe0; *(uint32_t*)0x2000000036f4 = 0x10000; memset((void*)0x2000000036f8, 0, 24); *(uint64_t*)0x200000006c88 = 0x200000003740; *(uint32_t*)0x200000003740 = 0x18; *(uint32_t*)0x200000003744 = 0; *(uint64_t*)0x200000003748 = 6; *(uint64_t*)0x200000003750 = 0x80000001; *(uint64_t*)0x200000006c90 = 0x200000003780; *(uint32_t*)0x200000003780 = 0x18; 
*(uint32_t*)0x200000003784 = 0; *(uint64_t*)0x200000003788 = 4; *(uint64_t*)0x200000003790 = 2; *(uint64_t*)0x200000006c98 = 0x2000000037c0; *(uint32_t*)0x2000000037c0 = 0x18; *(uint32_t*)0x2000000037c4 = 0xffffffda; *(uint64_t*)0x2000000037c8 = 0x37; *(uint32_t*)0x2000000037d0 = 0; *(uint32_t*)0x2000000037d4 = 0; *(uint64_t*)0x200000006ca0 = 0x200000003800; *(uint32_t*)0x200000003800 = 0x18; *(uint32_t*)0x200000003804 = 0; *(uint64_t*)0x200000003808 = 1; *(uint32_t*)0x200000003810 = 0xff; *(uint32_t*)0x200000003814 = 0; *(uint64_t*)0x200000006ca8 = 0x200000003840; *(uint32_t*)0x200000003840 = 0x28; *(uint32_t*)0x200000003844 = 0x26; *(uint64_t*)0x200000003848 = 0x7fffffffffffffff; *(uint64_t*)0x200000003850 = 0x7a; *(uint64_t*)0x200000003858 = 8; *(uint32_t*)0x200000003860 = 0; *(uint32_t*)0x200000003864 = 0; *(uint64_t*)0x200000006cb0 = 0x200000003880; *(uint32_t*)0x200000003880 = 0x60; *(uint32_t*)0x200000003884 = 0xfffffff5; *(uint64_t*)0x200000003888 = 1; *(uint64_t*)0x200000003890 = 0x81; *(uint64_t*)0x200000003898 = 6; *(uint64_t*)0x2000000038a0 = 0x3ff; *(uint64_t*)0x2000000038a8 = 2; *(uint64_t*)0x2000000038b0 = 4; *(uint32_t*)0x2000000038b8 = 4; *(uint32_t*)0x2000000038bc = 8; *(uint32_t*)0x2000000038c0 = 2; *(uint32_t*)0x2000000038c4 = 0; memset((void*)0x2000000038c8, 0, 24); *(uint64_t*)0x200000006cb8 = 0x200000003900; *(uint32_t*)0x200000003900 = 0x18; *(uint32_t*)0x200000003904 = 0; *(uint64_t*)0x200000003908 = 0; *(uint32_t*)0x200000003910 = 0xb; *(uint32_t*)0x200000003914 = 0; *(uint64_t*)0x200000006cc0 = 0x200000003940; *(uint32_t*)0x200000003940 = 0x12; *(uint32_t*)0x200000003944 = 0xaeab5fde; *(uint64_t*)0x200000003948 = 9; memcpy((void*)0x200000003950, "^\000", 2); *(uint64_t*)0x200000006cc8 = 0x200000003980; *(uint32_t*)0x200000003980 = 0x20; *(uint32_t*)0x200000003984 = 0; *(uint64_t*)0x200000003988 = 0; *(uint64_t*)0x200000003990 = 0; *(uint32_t*)0x200000003998 = 2; *(uint32_t*)0x20000000399c = 0; *(uint64_t*)0x200000006cd0 = 0x2000000039c0; 
*(uint32_t*)0x2000000039c0 = 0x78; *(uint32_t*)0x2000000039c4 = 0; *(uint64_t*)0x2000000039c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000039d0 = 3; *(uint32_t*)0x2000000039d8 = 0x67; *(uint32_t*)0x2000000039dc = 0; *(uint64_t*)0x2000000039e0 = 3; *(uint64_t*)0x2000000039e8 = 2; *(uint64_t*)0x2000000039f0 = 5; *(uint64_t*)0x2000000039f8 = 2; *(uint64_t*)0x200000003a00 = 0; *(uint64_t*)0x200000003a08 = 0x5b; *(uint32_t*)0x200000003a10 = 0x200; *(uint32_t*)0x200000003a14 = 6; *(uint32_t*)0x200000003a18 = 0xf0b7; *(uint32_t*)0x200000003a1c = 0x1000; *(uint32_t*)0x200000003a20 = 1; *(uint32_t*)0x200000003a24 = -1; *(uint32_t*)0x200000003a28 = -1; *(uint32_t*)0x200000003a2c = 4; *(uint32_t*)0x200000003a30 = 6; *(uint32_t*)0x200000003a34 = 0; *(uint64_t*)0x200000006cd8 = 0x200000004b00; *(uint32_t*)0x200000004b00 = 0x90; *(uint32_t*)0x200000004b04 = 0; *(uint64_t*)0x200000004b08 = 7; *(uint64_t*)0x200000004b10 = 1; *(uint64_t*)0x200000004b18 = 3; *(uint64_t*)0x200000004b20 = 0x10000; *(uint64_t*)0x200000004b28 = 0x200; *(uint32_t*)0x200000004b30 = 8; *(uint32_t*)0x200000004b34 = 0xa87; *(uint64_t*)0x200000004b38 = 4; *(uint64_t*)0x200000004b40 = 1; *(uint64_t*)0x200000004b48 = 7; *(uint64_t*)0x200000004b50 = 1; *(uint64_t*)0x200000004b58 = 0xfffffffffffffffd; *(uint64_t*)0x200000004b60 = 4; *(uint32_t*)0x200000004b68 = 9; *(uint32_t*)0x200000004b6c = 0xffff; *(uint32_t*)0x200000004b70 = 0x10000000; *(uint32_t*)0x200000004b74 = 0; *(uint32_t*)0x200000004b78 = 0xf40; *(uint32_t*)0x200000004b7c = 0; *(uint32_t*)0x200000004b80 = r[10]; *(uint32_t*)0x200000004b84 = 0x8001; *(uint32_t*)0x200000004b88 = 9; *(uint32_t*)0x200000004b8c = 0; *(uint64_t*)0x200000006ce0 = 0x200000004bc0; *(uint32_t*)0x200000004bc0 = 0x48; *(uint32_t*)0x200000004bc4 = 0; *(uint64_t*)0x200000004bc8 = 0x5c; *(uint64_t*)0x200000004bd0 = 1; *(uint64_t*)0x200000004bd8 = 4; *(uint32_t*)0x200000004be0 = 6; *(uint32_t*)0x200000004be4 = 8; memset((void*)0x200000004be8, 255, 6); *(uint64_t*)0x200000004bf0 = 1; 
*(uint64_t*)0x200000004bf8 = 8; *(uint32_t*)0x200000004c00 = 0; *(uint32_t*)0x200000004c04 = 0xb; *(uint64_t*)0x200000006ce8 = 0x200000006500; *(uint32_t*)0x200000006500 = 0x478; *(uint32_t*)0x200000006504 = 0; *(uint64_t*)0x200000006508 = 2; *(uint64_t*)0x200000006510 = 1; *(uint64_t*)0x200000006518 = 1; *(uint64_t*)0x200000006520 = 0xf; *(uint64_t*)0x200000006528 = 9; *(uint32_t*)0x200000006530 = 0x7fffffff; *(uint32_t*)0x200000006534 = 0x3ff; *(uint64_t*)0x200000006538 = 5; *(uint64_t*)0x200000006540 = 0xb3fc; *(uint64_t*)0x200000006548 = 3; *(uint64_t*)0x200000006550 = 0xa2d9; *(uint64_t*)0x200000006558 = 3; *(uint64_t*)0x200000006560 = 0x80000000; *(uint32_t*)0x200000006568 = 4; *(uint32_t*)0x20000000656c = 5; *(uint32_t*)0x200000006570 = 2; *(uint32_t*)0x200000006574 = 0x6000; *(uint32_t*)0x200000006578 = 0xfff; *(uint32_t*)0x20000000657c = -1; *(uint32_t*)0x200000006580 = 0xee01; *(uint32_t*)0x200000006584 = 5; *(uint32_t*)0x200000006588 = 6; *(uint32_t*)0x20000000658c = 0; *(uint64_t*)0x200000006590 = 5; *(uint64_t*)0x200000006598 = 9; *(uint32_t*)0x2000000065a0 = 6; *(uint32_t*)0x2000000065a4 = 6; memcpy((void*)0x2000000065a8, "wlan1\000", 6); *(uint64_t*)0x2000000065b0 = 3; *(uint64_t*)0x2000000065b8 = 1; *(uint64_t*)0x2000000065c0 = 4; *(uint64_t*)0x2000000065c8 = 0xf; *(uint32_t*)0x2000000065d0 = 1; *(uint32_t*)0x2000000065d4 = 5; *(uint64_t*)0x2000000065d8 = 4; *(uint64_t*)0x2000000065e0 = 0xffc; *(uint64_t*)0x2000000065e8 = 2; *(uint64_t*)0x2000000065f0 = 0xffffffffffffdbca; *(uint64_t*)0x2000000065f8 = 0x35; *(uint64_t*)0x200000006600 = 0x5fa; *(uint32_t*)0x200000006608 = 8; *(uint32_t*)0x20000000660c = 5; *(uint32_t*)0x200000006610 = 0x16d; *(uint32_t*)0x200000006614 = 0x6000; *(uint32_t*)0x200000006618 = 0x8000; *(uint32_t*)0x20000000661c = r[11]; *(uint32_t*)0x200000006620 = 0xee00; *(uint32_t*)0x200000006624 = 8; *(uint32_t*)0x200000006628 = 2; *(uint32_t*)0x20000000662c = 0; *(uint64_t*)0x200000006630 = 2; *(uint64_t*)0x200000006638 = 0x3e8; 
*(uint32_t*)0x200000006640 = 0x16; *(uint32_t*)0x200000006644 = 5; memcpy((void*)0x200000006648, "bpf_lsm_path_truncate\000", 22); *(uint64_t*)0x200000006660 = 6; *(uint64_t*)0x200000006668 = 3; *(uint64_t*)0x200000006670 = 0xcff0; *(uint64_t*)0x200000006678 = 0xfffffffffffffbff; *(uint32_t*)0x200000006680 = 3; *(uint32_t*)0x200000006684 = 3; *(uint64_t*)0x200000006688 = 5; *(uint64_t*)0x200000006690 = 4; *(uint64_t*)0x200000006698 = 8; *(uint64_t*)0x2000000066a0 = 9; *(uint64_t*)0x2000000066a8 = 0x10; *(uint64_t*)0x2000000066b0 = 5; *(uint32_t*)0x2000000066b8 = 0x91; *(uint32_t*)0x2000000066bc = 0xfff; *(uint32_t*)0x2000000066c0 = 0xfffffffd; *(uint32_t*)0x2000000066c4 = 0xc000; *(uint32_t*)0x2000000066c8 = 3; *(uint32_t*)0x2000000066cc = r[12]; *(uint32_t*)0x2000000066d0 = 0xee00; *(uint32_t*)0x2000000066d4 = 0x80; *(uint32_t*)0x2000000066d8 = 0x40; *(uint32_t*)0x2000000066dc = 0; *(uint64_t*)0x2000000066e0 = 0; *(uint64_t*)0x2000000066e8 = 8; *(uint32_t*)0x2000000066f0 = 6; *(uint32_t*)0x2000000066f4 = 0x80000001; memcpy((void*)0x2000000066f8, "wlan1\000", 6); *(uint64_t*)0x200000006700 = 3; *(uint64_t*)0x200000006708 = 2; *(uint64_t*)0x200000006710 = 8; *(uint64_t*)0x200000006718 = 9; *(uint32_t*)0x200000006720 = 0x80000000; *(uint32_t*)0x200000006724 = 0xd149; *(uint64_t*)0x200000006728 = 3; *(uint64_t*)0x200000006730 = 4; *(uint64_t*)0x200000006738 = 5; *(uint64_t*)0x200000006740 = 0xe; *(uint64_t*)0x200000006748 = 0x7a; *(uint64_t*)0x200000006750 = 0xd52; *(uint32_t*)0x200000006758 = 0; *(uint32_t*)0x20000000675c = 5; *(uint32_t*)0x200000006760 = 6; *(uint32_t*)0x200000006764 = 0xa000; *(uint32_t*)0x200000006768 = 2; *(uint32_t*)0x20000000676c = r[14]; *(uint32_t*)0x200000006770 = 0; *(uint32_t*)0x200000006774 = 0x7fffffff; *(uint32_t*)0x200000006778 = 5; *(uint32_t*)0x20000000677c = 0; *(uint64_t*)0x200000006780 = 4; *(uint64_t*)0x200000006788 = 0x7ff; *(uint32_t*)0x200000006790 = 2; *(uint32_t*)0x200000006794 = 0x78d; memcpy((void*)0x200000006798, 
"\300\'", 2); *(uint64_t*)0x2000000067a0 = 2; *(uint64_t*)0x2000000067a8 = 0; *(uint64_t*)0x2000000067b0 = 6; *(uint64_t*)0x2000000067b8 = 0x7fffffff; *(uint32_t*)0x2000000067c0 = 5; *(uint32_t*)0x2000000067c4 = 5; *(uint64_t*)0x2000000067c8 = 2; *(uint64_t*)0x2000000067d0 = 0xc; *(uint64_t*)0x2000000067d8 = 0xbde5; *(uint64_t*)0x2000000067e0 = 5; *(uint64_t*)0x2000000067e8 = 8; *(uint64_t*)0x2000000067f0 = 0x10; *(uint32_t*)0x2000000067f8 = 9; *(uint32_t*)0x2000000067fc = 6; *(uint32_t*)0x200000006800 = 0xe31; *(uint32_t*)0x200000006804 = 0x2000; *(uint32_t*)0x200000006808 = 0x5b8; *(uint32_t*)0x20000000680c = r[16]; *(uint32_t*)0x200000006810 = r[18]; *(uint32_t*)0x200000006814 = 6; *(uint32_t*)0x200000006818 = 8; *(uint32_t*)0x20000000681c = 0; *(uint64_t*)0x200000006820 = 2; *(uint64_t*)0x200000006828 = 0x80; *(uint32_t*)0x200000006830 = 0; *(uint32_t*)0x200000006834 = 0xb6; *(uint64_t*)0x200000006838 = 5; *(uint64_t*)0x200000006840 = 2; *(uint64_t*)0x200000006848 = 0x80000001; *(uint64_t*)0x200000006850 = 2; *(uint32_t*)0x200000006858 = 6; *(uint32_t*)0x20000000685c = 0xff; *(uint64_t*)0x200000006860 = 3; *(uint64_t*)0x200000006868 = 5; *(uint64_t*)0x200000006870 = 8; *(uint64_t*)0x200000006878 = 3; *(uint64_t*)0x200000006880 = 0x8001; *(uint64_t*)0x200000006888 = 5; *(uint32_t*)0x200000006890 = 1; *(uint32_t*)0x200000006894 = 7; *(uint32_t*)0x200000006898 = 2; *(uint32_t*)0x20000000689c = 0x1000; *(uint32_t*)0x2000000068a0 = 1; *(uint32_t*)0x2000000068a4 = 0xee01; *(uint32_t*)0x2000000068a8 = r[19]; *(uint32_t*)0x2000000068ac = 0x10001; *(uint32_t*)0x2000000068b0 = 6; *(uint32_t*)0x2000000068b4 = 0; *(uint64_t*)0x2000000068b8 = 0; *(uint64_t*)0x2000000068c0 = 6; *(uint32_t*)0x2000000068c8 = 5; *(uint32_t*)0x2000000068cc = 6; memset((void*)0x2000000068d0, 170, 5); *(uint64_t*)0x2000000068d8 = 3; *(uint64_t*)0x2000000068e0 = 1; *(uint64_t*)0x2000000068e8 = 0x8000000000000000; *(uint64_t*)0x2000000068f0 = 0x2e; *(uint32_t*)0x2000000068f8 = 5; 
*(uint32_t*)0x2000000068fc = 7; *(uint64_t*)0x200000006900 = 6; *(uint64_t*)0x200000006908 = 5; *(uint64_t*)0x200000006910 = 5; *(uint64_t*)0x200000006918 = 0xb; *(uint64_t*)0x200000006920 = 0; *(uint64_t*)0x200000006928 = 2; *(uint32_t*)0x200000006930 = 0xffff; *(uint32_t*)0x200000006934 = 0; *(uint32_t*)0x200000006938 = 8; *(uint32_t*)0x20000000693c = 0x2000; *(uint32_t*)0x200000006940 = 9; *(uint32_t*)0x200000006944 = r[20]; *(uint32_t*)0x200000006948 = r[21]; *(uint32_t*)0x20000000694c = 2; *(uint32_t*)0x200000006950 = 7; *(uint32_t*)0x200000006954 = 0; *(uint64_t*)0x200000006958 = 6; *(uint64_t*)0x200000006960 = 0xfffffffffffffffb; *(uint32_t*)0x200000006968 = 5; *(uint32_t*)0x20000000696c = 6; memset((void*)0x200000006970, 170, 5); *(uint64_t*)0x200000006cf0 = 0x200000006980; *(uint32_t*)0x200000006980 = 0xa0; *(uint32_t*)0x200000006984 = 0; *(uint64_t*)0x200000006988 = 0xd05; *(uint64_t*)0x200000006990 = 5; *(uint64_t*)0x200000006998 = 3; *(uint64_t*)0x2000000069a0 = 0x8000000000000001; *(uint64_t*)0x2000000069a8 = 7; *(uint32_t*)0x2000000069b0 = 5; *(uint32_t*)0x2000000069b4 = 2; *(uint64_t*)0x2000000069b8 = 3; *(uint64_t*)0x2000000069c0 = 4; *(uint64_t*)0x2000000069c8 = 5; *(uint64_t*)0x2000000069d0 = 3; *(uint64_t*)0x2000000069d8 = 8; *(uint64_t*)0x2000000069e0 = 1; *(uint32_t*)0x2000000069e8 = 0x8001; *(uint32_t*)0x2000000069ec = 0; *(uint32_t*)0x2000000069f0 = 0xfff; *(uint32_t*)0x2000000069f4 = 0x8000; *(uint32_t*)0x2000000069f8 = 0x101; *(uint32_t*)0x2000000069fc = r[22]; *(uint32_t*)0x200000006a00 = 0xee00; *(uint32_t*)0x200000006a04 = 7; *(uint32_t*)0x200000006a08 = 0xac; *(uint32_t*)0x200000006a0c = 0; *(uint64_t*)0x200000006a10 = 0; *(uint32_t*)0x200000006a18 = 0x10; *(uint32_t*)0x200000006a1c = 0; *(uint64_t*)0x200000006cf8 = 0x200000006a40; *(uint32_t*)0x200000006a40 = 0x20; *(uint32_t*)0x200000006a44 = 0; *(uint64_t*)0x200000006a48 = 0xffffffff; *(uint32_t*)0x200000006a50 = 4; *(uint32_t*)0x200000006a54 = 0; *(uint32_t*)0x200000006a58 = 9; 
*(uint32_t*)0x200000006a5c = 0xa; *(uint64_t*)0x200000006d00 = 0x200000006b40; *(uint32_t*)0x200000006b40 = 0x130; *(uint32_t*)0x200000006b44 = 0; *(uint64_t*)0x200000006b48 = 0x1ff; *(uint64_t*)0x200000006b50 = 0x6276287e; *(uint32_t*)0x200000006b58 = 7; *(uint32_t*)0x200000006b5c = 0; memset((void*)0x200000006b60, 0, 16); *(uint32_t*)0x200000006b70 = 0x800; *(uint32_t*)0x200000006b74 = 2; *(uint64_t*)0x200000006b78 = 3; *(uint32_t*)0x200000006b80 = 0x1e; *(uint32_t*)0x200000006b84 = -1; *(uint32_t*)0x200000006b88 = r[24]; *(uint16_t*)0x200000006b8c = 0x4000; memset((void*)0x200000006b8e, 0, 2); *(uint64_t*)0x200000006b90 = 0x800; *(uint64_t*)0x200000006b98 = 9; *(uint64_t*)0x200000006ba0 = 8; *(uint64_t*)0x200000006ba8 = 0x32f3fcde; *(uint64_t*)0x200000006bb0 = 6; *(uint32_t*)0x200000006bb8 = 1; *(uint32_t*)0x200000006bbc = 0; *(uint64_t*)0x200000006bc0 = 4; *(uint32_t*)0x200000006bc8 = 0xe30; *(uint32_t*)0x200000006bcc = 0; *(uint64_t*)0x200000006bd0 = 0x4d; *(uint32_t*)0x200000006bd8 = 3; *(uint32_t*)0x200000006bdc = 0; *(uint64_t*)0x200000006be0 = 6; *(uint32_t*)0x200000006be8 = 8; *(uint32_t*)0x200000006bec = 0; *(uint32_t*)0x200000006bf0 = 6; *(uint32_t*)0x200000006bf4 = 2; *(uint32_t*)0x200000006bf8 = 0xfb; *(uint32_t*)0x200000006bfc = 2; memset((void*)0x200000006c00, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x2000000016c0, /*len=*/0x2000, /*res=*/0x200000006c80); break; case 30: memcpy((void*)0x200000006d40, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000006d40, /*fd=*/r[23]); break; case 31: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 32: *(uint32_t*)0x200000006d84 = 0xd0f0; *(uint32_t*)0x200000006d88 = 0x20; *(uint32_t*)0x200000006d8c = 0; *(uint32_t*)0x200000006d90 = 0x1e5; *(uint32_t*)0x200000006d98 = -1; memset((void*)0x200000006d9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x28c2, /*params=*/0x200000006d80, /*ring_ptr=*/0x200000006e00, /*sqes_ptr=*/0x200000006e40); if (res != -1) 
r[25] = *(uint64_t*)0x200000006e00; break; case 33: syz_io_uring_complete(/*ring_ptr=*/r[25]); break; case 34: *(uint32_t*)0x200000006e84 = 0x979d; *(uint32_t*)0x200000006e88 = 4; *(uint32_t*)0x200000006e8c = 1; *(uint32_t*)0x200000006e90 = 0x206; *(uint32_t*)0x200000006e98 = r[9]; memset((void*)0x200000006e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x7c1f, /*params=*/0x200000006e80, /*ring_ptr=*/0x200000006f00, /*sqes_ptr=*/0x200000006f40); if (res != -1) { r[26] = res; r[27] = *(uint64_t*)0x200000006f00; r[28] = *(uint64_t*)0x200000006f40; } break; case 35: res = syscall(__NR_io_uring_register, /*fd=*/r[26], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[29] = res; break; case 36: *(uint8_t*)0x200000007000 = 0x1c; *(uint8_t*)0x200000007001 = 0x14; *(uint16_t*)0x200000007002 = 0; *(uint32_t*)0x200000007004 = r[23]; *(uint64_t*)0x200000007008 = 0x200000006f80; *(uint64_t*)0x200000006f80 = 0x818480; *(uint64_t*)0x200000006f88 = 0; *(uint64_t*)0x200000006f90 = 0x35; *(uint64_t*)0x200000007010 = 0x200000006fc0; memcpy((void*)0x200000006fc0, "./file0\000", 8); *(uint32_t*)0x200000007018 = 0x18; *(uint32_t*)0x20000000701c = 0; *(uint64_t*)0x200000007020 = 0x23456; *(uint16_t*)0x200000007028 = 0; *(uint16_t*)0x20000000702a = r[29]; memset((void*)0x20000000702c, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[27], /*sqes_ptr=*/r[28], /*sqe=*/0x200000007000); break; case 37: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[9], /*usermem=*/0x200000bfd000); if (res != -1) r[30] = res; break; case 38: *(uint64_t*)0x200000007400 = 0; *(uint64_t*)0x200000007408 = 0x200000007040; *(uint64_t*)0x200000007040 = 0x65; *(uint64_t*)0x200000007048 = 0x20; *(uint64_t*)0x200000007050 = 0x92e; *(uint64_t*)0x200000007058 = 8; *(uint64_t*)0x200000007060 = 0x130; *(uint64_t*)0x200000007068 = 0x18; *(uint64_t*)0x200000007070 = 1; *(uint64_t*)0x200000007078 = 0x68; *(uint64_t*)0x200000007080 = 0x20; *(uint64_t*)0x200000007088 = 1; *(uint64_t*)0x200000007090 = 0; 
*(uint64_t*)0x200000007098 = 0x17d; *(uint64_t*)0x2000000070a0 = 0x20; *(uint64_t*)0x2000000070a8 = 0xffffffff; *(uint64_t*)0x2000000070b0 = 0xbd0d; *(uint64_t*)0x2000000070b8 = 0x183; *(uint64_t*)0x2000000070c0 = 0x18; *(uint64_t*)0x2000000070c8 = 1; *(uint64_t*)0x2000000070d0 = 0xa; *(uint64_t*)0x2000000070d8 = 0x6a; memcpy((void*)0x2000000070e0, "\x36\x49\x0f\xc7\xaa\xd6\x61\x97\xc0\x26\x66\x0f\x38\x80\x94\x5e\x00\x80\x00\x00\x0f\x01\xba\x00\x80\x00\x00\x8f\xc9\xb8\x9b\x29\x47\x0f\xc7\xae\x20\x00\x00\x00\x45\x0f\x09\xc4\xe2\xd1\x39\x67\xc4\x36\x0f\x01\x7f\x05\x66\x64\x2e\x64\x3e\xd8\xf1\xc7\x44\x24\x00\x25\xfd\x00\x00\xc7\x44\x24\x02\x54\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24", 89); *(uint8_t*)0x200000007139 = 0xc3; *(uint64_t*)0x20000000713a = 0x180; *(uint64_t*)0x200000007142 = 0x38; *(uint64_t*)0x20000000714a = 0; *(uint64_t*)0x200000007152 = 0xb5; *(uint64_t*)0x20000000715a = 7; *(uint64_t*)0x200000007162 = 5; *(uint64_t*)0x20000000716a = 0; *(uint64_t*)0x200000007172 = 0x12f; *(uint64_t*)0x20000000717a = 0x18; *(uint64_t*)0x200000007182 = 3; *(uint64_t*)0x20000000718a = 0x12c; *(uint64_t*)0x200000007192 = 0x18; *(uint64_t*)0x20000000719a = 0; *(uint64_t*)0x2000000071a2 = 0x154; *(uint64_t*)0x2000000071aa = 0x38; *(uint64_t*)0x2000000071b2 = 3; *(uint64_t*)0x2000000071ba = 4; *(uint64_t*)0x2000000071c2 = 5; *(uint64_t*)0x2000000071ca = 0x1ff; *(uint64_t*)0x2000000071d2 = 8; *(uint64_t*)0x2000000071da = 0x130; *(uint64_t*)0x2000000071e2 = 0x18; *(uint64_t*)0x2000000071ea = 0; *(uint64_t*)0x2000000071f2 = 0x6a; *(uint64_t*)0x2000000071fa = 0x28; *(uint64_t*)0x200000007202 = 0xc636; *(uint64_t*)0x20000000720a = 5; *(uint64_t*)0x200000007212 = 4; *(uint64_t*)0x20000000721a = 0x12c; *(uint64_t*)0x200000007222 = 0x18; *(uint64_t*)0x20000000722a = 0; *(uint64_t*)0x200000007232 = 0x12f; *(uint64_t*)0x20000000723a = 0x18; *(uint64_t*)0x200000007242 = 1; *(uint64_t*)0x20000000724a = 0x65; *(uint64_t*)0x200000007252 = 0x20; 
*(uint64_t*)0x20000000725a = 0x8a3; *(uint64_t*)0x200000007262 = 9; *(uint64_t*)0x20000000726a = 0x68; *(uint64_t*)0x200000007272 = 0x20; *(uint64_t*)0x20000000727a = 4; *(uint64_t*)0x200000007282 = 6; *(uint64_t*)0x20000000728a = 0x12f; *(uint64_t*)0x200000007292 = 0x18; *(uint64_t*)0x20000000729a = 3; *(uint64_t*)0x2000000072a2 = 0x12d; *(uint64_t*)0x2000000072aa = 0x18; *(uint64_t*)0x2000000072b2 = 2; *(uint64_t*)0x2000000072ba = 0x17d; *(uint64_t*)0x2000000072c2 = 0x20; *(uint64_t*)0x2000000072ca = 0x8080000; *(uint64_t*)0x2000000072d2 = 0x943e; *(uint64_t*)0x2000000072da = 0x17c; *(uint64_t*)0x2000000072e2 = 0x38; *(uint64_t*)0x2000000072ea = 3; *(uint64_t*)0x2000000072f2 = 0x31; *(uint64_t*)0x2000000072fa = 0xc; *(uint64_t*)0x200000007302 = 6; *(uint64_t*)0x20000000730a = 8; *(uint64_t*)0x200000007312 = 0x180; *(uint64_t*)0x20000000731a = 0x38; *(uint64_t*)0x200000007322 = 2; *(uint64_t*)0x20000000732a = 0x36; *(uint64_t*)0x200000007332 = 1; *(uint64_t*)0x20000000733a = 2; *(uint64_t*)0x200000007342 = 3; *(uint64_t*)0x20000000734a = 0x130; *(uint64_t*)0x200000007352 = 0x18; *(uint64_t*)0x20000000735a = 1; *(uint64_t*)0x200000007362 = 0x130; *(uint64_t*)0x20000000736a = 0x18; *(uint64_t*)0x200000007372 = 0; *(uint64_t*)0x20000000737a = 0x180; *(uint64_t*)0x200000007382 = 0x38; *(uint64_t*)0x20000000738a = 3; *(uint64_t*)0x200000007392 = 0x72; *(uint64_t*)0x20000000739a = 2; *(uint64_t*)0x2000000073a2 = 5; *(uint64_t*)0x2000000073aa = 2; *(uint64_t*)0x2000000073b2 = 0x12f; *(uint64_t*)0x2000000073ba = 0x18; *(uint64_t*)0x2000000073c2 = 2; *(uint64_t*)0x2000000073ca = 0x12f; *(uint64_t*)0x2000000073d2 = 0x18; *(uint64_t*)0x2000000073da = 2; *(uint64_t*)0x200000007410 = 0x3a2; syz_kvm_add_vcpu(/*vm=*/r[30], /*text=*/0x200000007400); break; case 39: res = syscall(__NR_ioctl, /*fd=*/r[9], /*cmd=*/0xae01, /*type=*/5ul); if (res != -1) r[31] = res; break; case 40: *(uint64_t*)0x200000007680 = 0; *(uint64_t*)0x200000007688 = 0x200000007440; 
memcpy((void*)0x200000007440, "\xcd\xfa\xef\x13\x00\x00\x00\x3e\x00\x00\x10\x62\x04\x00\x10\x7a\x00\x00\x10\x66\xc1\x00\x10\x62\xa6\x03\x00\x7e\xb9\xf0\x00\x3e\xe9\x0e\x10\x62\x04\x00\x10\x7a\xa3\x30\x10\x66\x88\x26\x10\x62\xa6\x03\x00\x7e\x24\x00\x00\x4c\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xf6\x63\x60\xba\xaa\x80\x3c\x42\xab\x84\x60\x04\x00\x84\x78\xa5\xa4\x84\x64\xdb\xea\x84\x60\xc7\xb2\xa0\x3c\x4e\xd4\xa5\x60\x04\x00\xa5\x78\x8e\xd5\xa5\x64\xc9\xc4\xa5\x60\xf6\x27\xc0\x3c\x0e\x37\xc6\x60\x04\x00\xc6\x78\x10\x50\xc6\x64\xf3\x3c\xc6\x60\x64\xae\xe0\x3c\x0f\xe0\xe7\x60\x04\x00\xe7\x78\xf8\x33\xe7\x64\x27\xe1\xe7\x60\xf9\xfe\x00\x3d\x88\x3a\x08\x61\x04\x00\x08\x79\xf6\x6c\x08\x65\xcb\x9b\x08\x61\xe7\x22\x20\x3d\xa3\x5b\x29\x61\x04\x00\x29\x79\xbb\xbc\x29\x65\x5e\x83\x29\x61\xd9\x75\x40\x3d\x52\x94\x4a\x61\x04\x00\x4a\x79\xdb\x25\x4a\x65\xf3\x5e\x4a\x61\x02\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x50\xf3\x63\x60\x42\x00\x00\x44\x0d\x0b\xc0\x3e\xa1\xda\xd6\x62\x04\x00\xd6\x7a\xeb\x5a\xd6\x66\x62\x96\xd6\x62\x9c\xb0\x00\x7c\xec\x06\x00\x7c\xa4\x00\x00\x4c\x3d\x6a\xa0\x3e\x17\x1b\xb5\x62\x04\x00\xb5\x7a\x72\x93\xb5\x66\x34\x54\xb5\x62\xa6\x03\xa0\x7e\xd4\x8d\xa0\x3e\x12\xd2\xb5\x62\x04\x00\xb5\x7a\xf6\xf5\xb5\x66\x15\xe0\xb5\x62\xa6\x03\xa0\x7e\x24\x00\x00\x4c\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x05\xc0\x3f\x00\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x00\xc0\x3f\x21\x8c\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf6\x78\xbd\x63\x00\x00\xc0\x3f\x0a\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xfa\x78\xbd\x63\x97\x4b\xc0\x3f\x5c\x3b\xde\x63\x00\x00\xdd\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x49\x30\x84\x64\
xf2\x78\x84\x60\x22\x00\x00\x44\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\x1a\x00\x9c\x63\x24\x01\xc0\x7f", 524); *(uint64_t*)0x200000007690 = 0x20c; *(uint64_t*)0x2000000076c0 = 1; *(uint64_t*)0x2000000076c8 = 6; syz_kvm_setup_cpu(/*fd=*/r[31], /*cpufd=*/r[23], /*usermem=*/0x200000fe5000, /*text=*/0x200000007680, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_IR*/2, /*opts=*/0x2000000076c0, /*nopt=*/1); break; case 41: syz_kvm_setup_syzos_vm(/*fd=*/r[23], /*usermem=*/0x200000c00000); break; case 42: *(uint32_t*)0x200000007700 = 0; syz_memcpy_off(/*ring_ptr=*/0, /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x200000007700, /*src_off=*/0, /*nbytes=*/4); break; case 43: memcpy((void*)0x200000007740, "fuse\000", 5); memcpy((void*)0x200000007780, "./file0\000", 8); memcpy((void*)0x2000000077c0, "fd", 2); *(uint8_t*)0x2000000077c2 = 0x3d; sprintf((char*)0x2000000077c3, "0x%016llx", (long long)r[23]); *(uint8_t*)0x2000000077d5 = 0x2c; memcpy((void*)0x2000000077d6, "rootmode", 8); *(uint8_t*)0x2000000077de = 0x3d; sprintf((char*)0x2000000077df, "%023llo", (long long)0x6000); *(uint8_t*)0x2000000077f6 = 0x2c; memcpy((void*)0x2000000077f7, "user_id", 7); *(uint8_t*)0x2000000077fe = 0x3d; sprintf((char*)0x2000000077ff, "%020llu", (long long)r[22]); *(uint8_t*)0x200000007813 = 0x2c; memcpy((void*)0x200000007814, "group_id", 8); *(uint8_t*)0x20000000781c = 0x3d; sprintf((char*)0x20000000781d, "%020llu", (long long)r[13]); *(uint8_t*)0x200000007831 = 0x2c; memcpy((void*)0x200000007832, "max_read", 8); *(uint8_t*)0x20000000783a = 0x3d; sprintf((char*)0x20000000783b, "0x%016llx", (long long)3); *(uint8_t*)0x20000000784d = 0x2c; memcpy((void*)0x20000000784e, "default_permissions", 19); *(uint8_t*)0x200000007861 = 0x2c; memcpy((void*)0x200000007862, "allow_other", 11); *(uint8_t*)0x20000000786d = 0x2c; memcpy((void*)0x20000000786e, "default_permissions", 19); *(uint8_t*)0x200000007881 = 0x2c; memcpy((void*)0x200000007882, "allow_other", 11); *(uint8_t*)0x20000000788d = 
0x2c; memcpy((void*)0x20000000788e, "default_permissions", 19); *(uint8_t*)0x2000000078a1 = 0x2c; memcpy((void*)0x2000000078a2, "default_permissions", 19); *(uint8_t*)0x2000000078b5 = 0x2c; memcpy((void*)0x2000000078b6, "allow_other", 11); *(uint8_t*)0x2000000078c1 = 0x2c; memcpy((void*)0x2000000078c2, "permit_directio", 15); *(uint8_t*)0x2000000078d1 = 0x2c; memcpy((void*)0x2000000078d2, "uid<", 4); sprintf((char*)0x2000000078d6, "%020llu", (long long)r[17]); *(uint8_t*)0x2000000078ea = 0x2c; memcpy((void*)0x2000000078eb, "appraise", 8); *(uint8_t*)0x2000000078f3 = 0x2c; memcpy((void*)0x2000000078f4, "smackfshat", 10); *(uint8_t*)0x2000000078fe = 0x3d; memcpy((void*)0x2000000078ff, "\300\'", 2); *(uint8_t*)0x200000007901 = 0x2c; memcpy((void*)0x200000007902, "appraise", 8); *(uint8_t*)0x20000000790a = 0x2c; *(uint8_t*)0x20000000790b = 0; memcpy((void*)0x200000007940, "\xa4\xb2\x22\xdf\x2b\xa1\x0d\xf2\x4f\x54\x81\xe0\xdc\x5e\x93\xb8\x1b\x1b\x82\xe9\xa2\x14\xca\xbc\xe3\x44\x80\x0a\xd5\x4d\xe6\x10\xfa\x1e\xda\x44\xb9\x04\x05\x26\xf2\xdc\x7c\x73\x1c\x54\x73\xc8\xc6\xdc\x94\x19\x2a\x03\x48\x4e\x6d\x62\xbb\x49\x12\x86\x12\x54\x3a\x9d\x01\x6e\xd9\xa3\x73\x0e\x51\x08\x0f\x5c\x86\x0d\x03\xa7\x7e\xd5\x01\x64\xbc\xf9\x9c\x42\xd3\x56\x8a\x97\x4a\x92\x7a\x87\x9d\xe4\x1e\xdc\x2f\x55\x52\x36\x58\x86\x12\x1a\x31\x09\x5b\x97\xaa\x08\xee\x29\x77\x11\x1f\x7c\xc5\x6a\x77\xc0\xf2\xa1\x6b\x32\xb1\x9d\xf5\x0a\x24\x9c\xd3\x05\x8e\x60\xa6\xae\x8c\x96\x34\x9d\x5e\x5c\x00\x97\x59\x4c\xe0\x1c\x1f\xbe\xe5\xee\x94\x60\x6f\xef\x67\x32\x31\xe6\x57\x00\xbc\x71\x5f\x1f\x01\x19\xc8\x4e\xd2\x7b\x8a\xf3\x8e\xd1\x53\xd3\x94\xd6\xb2\x2c\xca\x54\xdb\x55\xa3\x1b\xc2\x5b\x45\xe8\x1d\xec\xa7\xbe\xdb\x69\x66\x91\xae\x6b\x92\xf0\x9e\xea\x3e\x2b\x5e\x8a\xf2\xf9\x96\x33\x9d\xec\x59\x2e\xde\xc5\x89\x7e\x94\xeb", 228); syz_mount_image(/*fs=*/0x200000007740, /*dir=*/0x200000007780, /*flags=MS_PRIVATE*/0x40000, /*opts=*/0x2000000077c0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000007940); break; case 44: 
memcpy((void*)0x200000007a40, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000007a40, /*id=*/7, /*flags=*/0); break; case 45: memcpy((void*)0x200000007a80, "net/psched\000", 11); syz_open_procfs(/*pid=*/r[4], /*file=*/0x200000007a80); break; case 46: syz_open_pts(/*fd=*/r[9], /*flags=O_PATH|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|FASYNC|0x402*/0x292c02); break; case 47: syz_pidfd_open(/*pid=*/r[15], /*flags=*/0); break; case 48: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[32] = res; break; case 49: syz_pkey_set(/*key=*/r[32], /*val=PKEY_DISABLE_WRITE|PKEY_DISABLE_ACCESS*/3); break; case 50: syz_socket_connect_nvme_tcp(); break; case 51: *(uint8_t*)0x200000007ac0 = 0x12; *(uint8_t*)0x200000007ac1 = 1; *(uint16_t*)0x200000007ac2 = 0x250; *(uint8_t*)0x200000007ac4 = 0x58; *(uint8_t*)0x200000007ac5 = 6; *(uint8_t*)0x200000007ac6 = 0x54; *(uint8_t*)0x200000007ac7 = 8; *(uint16_t*)0x200000007ac8 = 0x13d3; *(uint16_t*)0x200000007aca = 0x3348; *(uint16_t*)0x200000007acc = 0x15b2; *(uint8_t*)0x200000007ace = 1; *(uint8_t*)0x200000007acf = 2; *(uint8_t*)0x200000007ad0 = 3; *(uint8_t*)0x200000007ad1 = 1; *(uint8_t*)0x200000007ad2 = 9; *(uint8_t*)0x200000007ad3 = 2; *(uint16_t*)0x200000007ad4 = 0x283; *(uint8_t*)0x200000007ad6 = 2; *(uint8_t*)0x200000007ad7 = 9; *(uint8_t*)0x200000007ad8 = 2; *(uint8_t*)0x200000007ad9 = 0x10; *(uint8_t*)0x200000007ada = 8; *(uint8_t*)0x200000007adb = 9; *(uint8_t*)0x200000007adc = 4; *(uint8_t*)0x200000007add = 0x26; *(uint8_t*)0x200000007ade = 0xb; *(uint8_t*)0x200000007adf = 5; *(uint8_t*)0x200000007ae0 = 0x83; *(uint8_t*)0x200000007ae1 = 0x18; *(uint8_t*)0x200000007ae2 = 0x74; *(uint8_t*)0x200000007ae3 = 0xee; *(uint8_t*)0x200000007ae4 = 9; *(uint8_t*)0x200000007ae5 = 5; *(uint8_t*)0x200000007ae6 = 0xb; *(uint8_t*)0x200000007ae7 = 3; *(uint16_t*)0x200000007ae8 = 8; *(uint8_t*)0x200000007aea = 4; *(uint8_t*)0x200000007aeb = 0xfb; *(uint8_t*)0x200000007aec = 0x6a; *(uint8_t*)0x200000007aed = 0xbd; 
*(uint8_t*)0x200000007aee = 0xc; memcpy((void*)0x200000007aef, "\x8b\x82\xbd\x3f\xc8\x13\x7d\x3d\x25\x9c\xe7\xbc\x14\x0d\xe0\x82\x3d\xe2\x22\x2e\xed\x4c\x57\x0e\xdc\xb8\x45\x53\xcd\x1e\xfd\x64\x9d\xd3\x52\xdd\x37\x5d\x81\xda\x8d\xa8\xe6\x86\x3f\xb4\x82\xec\xb3\xa1\x6f\x12\x22\x10\xbf\xf2\x5c\x59\xa3\xaf\xc6\x54\x28\x48\xc0\x6e\x1b\x98\x3f\xbc\x8d\xd0\xde\x62\x7c\xfd\xdf\x9f\x90\x5f\x5c\xb6\xed\x4a\x25\xec\x59\x47\x59\x9b\x15\xb5\x38\xc7\xbb\x0b\x0d\x65\xd4\xa3\x1b\x31\x9f\x73\x83\x95\x5c\xe7\x66\xef\x4c\x66\xd1\x8b\xc7\x5d\x69\xb2\xdd\x7d\x13\x6c\x78\xea\xec\x1e\x22\x03\xeb\x91\x8d\xd6\x16\x09\xde\x40\xf4\xf6\x93\x91\x7e\xeb\x17\xfc\x38\x7b\xb4\x27\x34\x1f\x64\x16\xe0\xb8\xc4\x6a\x24\x45\xa5\xc4\x9b\xd9\xc8\x6d\xfe\x21\xc5\x98\xac\xf1\x7e\xa9\x8f\xfe\xce\x20\x2a\x21\xdc\x93\xa0\xb8\x30\xd2\x9a\xf8\x7c", 187); *(uint8_t*)0x200000007baa = 0xc7; *(uint8_t*)0x200000007bab = 6; memcpy((void*)0x200000007bac, "\xf5\x45\x9e\x11\x78\x00\xd2\x2a\x25\xa4\x86\xd1\x44\x2f\x5c\xbd\x4d\x3d\x77\x6c\xd0\x61\xd2\xc1\x85\xf9\x92\x4e\xae\x6a\x4d\x7b\x14\xc5\x8b\x59\x98\x63\xd3\x21\xe3\xea\x80\xa2\x5f\x6d\x8b\xe5\x1d\x5c\xa7\x0c\x27\x6c\xe0\xe6\xd9\x03\x8f\x88\x77\x6b\x96\x14\x28\x7d\xb7\xee\x21\x13\xf0\xe7\xe1\xf0\x18\x73\xb6\x13\xd7\x63\xda\x5f\x87\xf8\x6c\xd1\x86\x0b\xd6\x23\x46\x3f\xc6\xd9\x3d\x9f\x94\x8d\x0d\x4d\x70\xd7\x2a\x8a\xc1\xde\xc1\xad\xce\xb8\x71\x67\x29\x90\x64\x28\xd5\xb6\xe2\x4b\x01\x49\x9b\xfa\x6a\x0a\xa0\x48\x2e\xed\x8c\x77\x51\xa1\xc7\xec\x94\x4d\xb1\x92\x54\xa7\x4b\x61\x14\x2e\x72\x5a\x7a\x29\x0c\x41\x42\x87\x5d\x34\x7b\x3e\x48\x3f\x4e\x2d\xb8\x37\x3e\xf8\xfe\xad\x81\x18\xce\x07\xd8\x12\x33\x2b\x21\x1d\xa9\x73\x3d\x44\x4f\x7d\x70\x6a\x64\x39\xc2\x9a\xea\xed\xd0\x30\x00\xa2\xa8", 197); *(uint8_t*)0x200000007c71 = 9; *(uint8_t*)0x200000007c72 = 5; *(uint8_t*)0x200000007c73 = 0xa; *(uint8_t*)0x200000007c74 = 0xc; *(uint16_t*)0x200000007c75 = 0x400; *(uint8_t*)0x200000007c77 = 0xc; *(uint8_t*)0x200000007c78 = 0; *(uint8_t*)0x200000007c79 = 0xb5; 
*(uint8_t*)0x200000007c7a = 7; *(uint8_t*)0x200000007c7b = 0x25; *(uint8_t*)0x200000007c7c = 1; *(uint8_t*)0x200000007c7d = 1; *(uint8_t*)0x200000007c7e = 0xb; *(uint16_t*)0x200000007c7f = 7; *(uint8_t*)0x200000007c81 = 9; *(uint8_t*)0x200000007c82 = 5; *(uint8_t*)0x200000007c83 = 2; *(uint8_t*)0x200000007c84 = 0x10; *(uint16_t*)0x200000007c85 = 0x20; *(uint8_t*)0x200000007c87 = 7; *(uint8_t*)0x200000007c88 = 5; *(uint8_t*)0x200000007c89 = 5; *(uint8_t*)0x200000007c8a = 0x24; *(uint8_t*)0x200000007c8b = 7; memcpy((void*)0x200000007c8c, "\xad\x98\x31\x4a\x82\xd7\xae\xbb\xfc\xe8\x51\x78\x75\x22\x71\xb1\x58\xc0\x5d\xea\x1b\xf5\xa2\x45\x9c\x43\x1d\xf1\x80\xc1\xf3\xb2\xbe\x3b", 34); *(uint8_t*)0x200000007cae = 9; *(uint8_t*)0x200000007caf = 5; *(uint8_t*)0x200000007cb0 = 3; *(uint8_t*)0x200000007cb1 = 2; *(uint16_t*)0x200000007cb2 = 8; *(uint8_t*)0x200000007cb4 = 7; *(uint8_t*)0x200000007cb5 = 0xf3; *(uint8_t*)0x200000007cb6 = 4; *(uint8_t*)0x200000007cb7 = 9; *(uint8_t*)0x200000007cb8 = 5; *(uint8_t*)0x200000007cb9 = 5; *(uint8_t*)0x200000007cba = 0; *(uint16_t*)0x200000007cbb = 0x40; *(uint8_t*)0x200000007cbd = 2; *(uint8_t*)0x200000007cbe = 3; *(uint8_t*)0x200000007cbf = 2; *(uint8_t*)0x200000007cc0 = 0x6a; *(uint8_t*)0x200000007cc1 = 0xa; memcpy((void*)0x200000007cc2, "\xf7\xdd\x67\x50\x5d\x35\x3d\x93\xb6\xe1\xf3\xac\x2d\x8f\x9f\x76\x60\x12\xd2\x04\xe5\x58\xa7\x07\x6c\x6a\x1d\xd6\x64\x8b\x29\x28\xac\xaf\x80\x17\x10\xc8\x55\x50\x67\xe0\x71\x5e\x60\x77\x2d\x9a\x84\xc7\x14\xf6\x3d\x52\x7b\x9f\x15\x32\xa5\xac\x65\x11\x62\x7f\x9e\x84\x00\xe6\x2a\xd6\xbd\x25\xec\x51\xec\x63\x0a\xfc\x10\xe1\xf0\xf2\xfe\x01\xc9\x58\x8e\x28\x97\xef\x26\xd5\xea\x8b\xcf\x97\x0e\x51\xfc\x28\xd8\x4a\x62\x8c", 104); *(uint8_t*)0x200000007d2a = 9; *(uint8_t*)0x200000007d2b = 4; *(uint8_t*)0x200000007d2c = 0x48; *(uint8_t*)0x200000007d2d = 0xe; *(uint8_t*)0x200000007d2e = 3; *(uint8_t*)0x200000007d2f = 0xca; *(uint8_t*)0x200000007d30 = 0x1e; *(uint8_t*)0x200000007d31 = 0x4a; 
*(uint8_t*)0x200000007d32 = 0xf5; *(uint8_t*)0x200000007d33 = 9; *(uint8_t*)0x200000007d34 = 5; *(uint8_t*)0x200000007d35 = 0xb; *(uint8_t*)0x200000007d36 = 4; *(uint16_t*)0x200000007d37 = 0x400; *(uint8_t*)0x200000007d39 = 5; *(uint8_t*)0x200000007d3a = 0xf7; *(uint8_t*)0x200000007d3b = 0xf6; *(uint8_t*)0x200000007d3c = 9; *(uint8_t*)0x200000007d3d = 5; *(uint8_t*)0x200000007d3e = 0xe; *(uint8_t*)0x200000007d3f = 0x10; *(uint16_t*)0x200000007d40 = 0x3ff; *(uint8_t*)0x200000007d42 = 1; *(uint8_t*)0x200000007d43 = 0xd; *(uint8_t*)0x200000007d44 = 0x80; *(uint8_t*)0x200000007d45 = 9; *(uint8_t*)0x200000007d46 = 5; *(uint8_t*)0x200000007d47 = 5; *(uint8_t*)0x200000007d48 = 0x10; *(uint16_t*)0x200000007d49 = 0x10; *(uint8_t*)0x200000007d4b = 0x95; *(uint8_t*)0x200000007d4c = 3; *(uint8_t*)0x200000007d4d = 0; *(uint8_t*)0x200000007d4e = 7; *(uint8_t*)0x200000007d4f = 0x25; *(uint8_t*)0x200000007d50 = 1; *(uint8_t*)0x200000007d51 = 0x82; *(uint8_t*)0x200000007d52 = 0xae; *(uint16_t*)0x200000007d53 = 0x12; *(uint32_t*)0x200000007ec0 = 0xa; *(uint64_t*)0x200000007ec4 = 0x200000007d80; *(uint8_t*)0x200000007d80 = 0xa; *(uint8_t*)0x200000007d81 = 6; *(uint16_t*)0x200000007d82 = 0x110; *(uint8_t*)0x200000007d84 = 4; *(uint8_t*)0x200000007d85 = 1; *(uint8_t*)0x200000007d86 = 6; *(uint8_t*)0x200000007d87 = 8; *(uint8_t*)0x200000007d88 = 0xe; *(uint8_t*)0x200000007d89 = 0; *(uint32_t*)0x200000007ecc = 0x3b; *(uint64_t*)0x200000007ed0 = 0x200000007dc0; *(uint8_t*)0x200000007dc0 = 5; *(uint8_t*)0x200000007dc1 = 0xf; *(uint16_t*)0x200000007dc2 = 0x3b; *(uint8_t*)0x200000007dc4 = 4; *(uint8_t*)0x200000007dc5 = 0x14; *(uint8_t*)0x200000007dc6 = 0x10; *(uint8_t*)0x200000007dc7 = 4; *(uint8_t*)0x200000007dc8 = 6; memcpy((void*)0x200000007dc9, "\xfd\xf4\x04\x3a\xe7\xf5\x9e\x3e\x81\xfe\x30\x3d\x4d\xe3\xea\x16", 16); *(uint8_t*)0x200000007dd9 = 7; *(uint8_t*)0x200000007dda = 0x10; *(uint8_t*)0x200000007ddb = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007ddc, 0x10, 0, 8); 
STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007dde, 6, 0, 16); *(uint8_t*)0x200000007de0 = 7; *(uint8_t*)0x200000007de1 = 0x10; *(uint8_t*)0x200000007de2 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007de3, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 7, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 0xd, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de5, 0x95d7, 0, 16); *(uint8_t*)0x200000007de7 = 0x14; *(uint8_t*)0x200000007de8 = 0x10; *(uint8_t*)0x200000007de9 = 4; *(uint8_t*)0x200000007dea = 3; memcpy((void*)0x200000007deb, "\xbc\x6a\x92\x66\xbf\x50\x6e\x90\x62\x0d\x9c\x90\x0e\x18\x01\x43", 16); *(uint32_t*)0x200000007ed8 = 1; *(uint32_t*)0x200000007edc = 0x98; *(uint64_t*)0x200000007ee0 = 0x200000007e00; *(uint8_t*)0x200000007e00 = 0x98; *(uint8_t*)0x200000007e01 = 3; memcpy((void*)0x200000007e02, "\xd9\x5f\x3f\xca\xaa\x58\xf9\xd3\x6d\x03\xe3\xa2\xd5\x56\x6a\x51\x91\xf7\x42\xf7\x23\xfa\x49\xe3\x64\xe0\x3b\x0d\x28\x8a\x7f\xcb\x45\x79\xb5\x8c\x56\xd8\x24\xbe\x57\xf9\xad\x0f\x87\x03\xd3\x01\x1c\xac\x46\x84\x33\xfa\x22\xc2\x3b\xfa\xf1\x5d\xad\x54\x1e\xfb\x01\x38\xc4\x6b\xb8\xf8\x86\x92\x15\x15\x5c\x26\x85\xd6\x9b\x75\xff\xe6\x8c\x0c\xbd\x6e\x71\x74\x3a\xbd\x43\x55\xe1\x2d\x9d\xcb\x7d\xff\x16\xbb\x07\x5d\xa5\x53\xc1\x78\x13\x9e\xde\x2c\x28\x5a\x4a\x28\x45\xe8\x88\x9c\x23\x45\x04\xd9\x68\xd8\x70\xb6\x08\x4a\x7b\x4a\xb0\xdc\xdb\x83\xd4\x3b\xb2\xf4\xe7\xa0\x15\x6b\x80\xa6\x89\x19\xcb\xb7\xda\x84", 150); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0x295, /*dev=*/0x200000007ac0, /*conn_descs=*/0x200000007ec0); if (res != -1) r[33] = res; break; case 52: *(uint8_t*)0x200000007f00 = 0x12; *(uint8_t*)0x200000007f01 = 1; *(uint16_t*)0x200000007f02 = 0x200; *(uint8_t*)0x200000007f04 = -1; *(uint8_t*)0x200000007f05 = -1; *(uint8_t*)0x200000007f06 = -1; *(uint8_t*)0x200000007f07 = 0x40; *(uint16_t*)0x200000007f08 = 0xcf3; 
*(uint16_t*)0x200000007f0a = 0x9271; *(uint16_t*)0x200000007f0c = 0x108; *(uint8_t*)0x200000007f0e = 1; *(uint8_t*)0x200000007f0f = 2; *(uint8_t*)0x200000007f10 = 3; *(uint8_t*)0x200000007f11 = 1; *(uint8_t*)0x200000007f12 = 9; *(uint8_t*)0x200000007f13 = 2; *(uint16_t*)0x200000007f14 = 0x48; *(uint8_t*)0x200000007f16 = 1; *(uint8_t*)0x200000007f17 = 1; *(uint8_t*)0x200000007f18 = 0; *(uint8_t*)0x200000007f19 = 0x80; *(uint8_t*)0x200000007f1a = 0xfa; *(uint8_t*)0x200000007f1b = 9; *(uint8_t*)0x200000007f1c = 4; *(uint8_t*)0x200000007f1d = 0; *(uint8_t*)0x200000007f1e = 0; *(uint8_t*)0x200000007f1f = 6; *(uint8_t*)0x200000007f20 = -1; *(uint8_t*)0x200000007f21 = 0; *(uint8_t*)0x200000007f22 = 0; *(uint8_t*)0x200000007f23 = 0; *(uint8_t*)0x200000007f24 = 9; *(uint8_t*)0x200000007f25 = 5; *(uint8_t*)0x200000007f26 = 1; *(uint8_t*)0x200000007f27 = 2; *(uint16_t*)0x200000007f28 = 0x200; *(uint8_t*)0x200000007f2a = 0; *(uint8_t*)0x200000007f2b = 0; *(uint8_t*)0x200000007f2c = 0; *(uint8_t*)0x200000007f2d = 9; *(uint8_t*)0x200000007f2e = 5; *(uint8_t*)0x200000007f2f = 0x82; *(uint8_t*)0x200000007f30 = 2; *(uint16_t*)0x200000007f31 = 0x200; *(uint8_t*)0x200000007f33 = 0; *(uint8_t*)0x200000007f34 = 0; *(uint8_t*)0x200000007f35 = 0; *(uint8_t*)0x200000007f36 = 9; *(uint8_t*)0x200000007f37 = 5; *(uint8_t*)0x200000007f38 = 0x83; *(uint8_t*)0x200000007f39 = 3; *(uint16_t*)0x200000007f3a = 0x40; *(uint8_t*)0x200000007f3c = 1; *(uint8_t*)0x200000007f3d = 0; *(uint8_t*)0x200000007f3e = 0; *(uint8_t*)0x200000007f3f = 9; *(uint8_t*)0x200000007f40 = 5; *(uint8_t*)0x200000007f41 = 4; *(uint8_t*)0x200000007f42 = 3; *(uint16_t*)0x200000007f43 = 0x40; *(uint8_t*)0x200000007f45 = 1; *(uint8_t*)0x200000007f46 = 0; *(uint8_t*)0x200000007f47 = 0; *(uint8_t*)0x200000007f48 = 9; *(uint8_t*)0x200000007f49 = 5; *(uint8_t*)0x200000007f4a = 5; *(uint8_t*)0x200000007f4b = 2; *(uint16_t*)0x200000007f4c = 0x200; *(uint8_t*)0x200000007f4e = 0; *(uint8_t*)0x200000007f4f = 0; *(uint8_t*)0x200000007f50 
= 0; *(uint8_t*)0x200000007f51 = 9; *(uint8_t*)0x200000007f52 = 5; *(uint8_t*)0x200000007f53 = 6; *(uint8_t*)0x200000007f54 = 2; *(uint16_t*)0x200000007f55 = 0x200; *(uint8_t*)0x200000007f57 = 0; *(uint8_t*)0x200000007f58 = 0; *(uint8_t*)0x200000007f59 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000007f00, /*conn_descs=*/0); if (res != -1) r[34] = res; break; case 53: *(uint8_t*)0x200000007f80 = 0x12; *(uint8_t*)0x200000007f81 = 1; *(uint16_t*)0x200000007f82 = 0x110; *(uint8_t*)0x200000007f84 = 0; *(uint8_t*)0x200000007f85 = 0; *(uint8_t*)0x200000007f86 = 0; *(uint8_t*)0x200000007f87 = 0x40; *(uint16_t*)0x200000007f88 = 0x1d6b; *(uint16_t*)0x200000007f8a = 0x101; *(uint16_t*)0x200000007f8c = 0x40; *(uint8_t*)0x200000007f8e = 1; *(uint8_t*)0x200000007f8f = 2; *(uint8_t*)0x200000007f90 = 3; *(uint8_t*)0x200000007f91 = 1; *(uint8_t*)0x200000007f92 = 9; *(uint8_t*)0x200000007f93 = 2; *(uint16_t*)0x200000007f94 = 0xd3; *(uint8_t*)0x200000007f96 = 3; *(uint8_t*)0x200000007f97 = 1; *(uint8_t*)0x200000007f98 = 1; *(uint8_t*)0x200000007f99 = 0x80; *(uint8_t*)0x200000007f9a = 0x80; *(uint8_t*)0x200000007f9b = 9; *(uint8_t*)0x200000007f9c = 4; *(uint8_t*)0x200000007f9d = 0; *(uint8_t*)0x200000007f9e = 0; *(uint8_t*)0x200000007f9f = 0; *(uint8_t*)0x200000007fa0 = 1; *(uint8_t*)0x200000007fa1 = 1; *(uint8_t*)0x200000007fa2 = 0; *(uint8_t*)0x200000007fa3 = 0; *(uint8_t*)0x200000007fa4 = 0xa; *(uint8_t*)0x200000007fa5 = 0x24; *(uint8_t*)0x200000007fa6 = 1; *(uint16_t*)0x200000007fa7 = 0; *(uint8_t*)0x200000007fa9 = 0x7c; *(uint8_t*)0x200000007faa = 2; *(uint8_t*)0x200000007fab = 1; *(uint8_t*)0x200000007fac = 2; *(uint8_t*)0x200000007fad = 0xd; *(uint8_t*)0x200000007fae = 0x24; *(uint8_t*)0x200000007faf = 8; *(uint8_t*)0x200000007fb0 = 2; *(uint16_t*)0x200000007fb1 = 8; *(uint8_t*)0x200000007fb3 = 9; memcpy((void*)0x200000007fb4, "\x0c\xff\xda\x3f\x22\x7b", 6); *(uint8_t*)0x200000007fba = 9; *(uint8_t*)0x200000007fbb = 4; 
*(uint8_t*)0x200000007fbc = 1; *(uint8_t*)0x200000007fbd = 0; *(uint8_t*)0x200000007fbe = 0; *(uint8_t*)0x200000007fbf = 1; *(uint8_t*)0x200000007fc0 = 2; *(uint8_t*)0x200000007fc1 = 0; *(uint8_t*)0x200000007fc2 = 0; *(uint8_t*)0x200000007fc3 = 9; *(uint8_t*)0x200000007fc4 = 4; *(uint8_t*)0x200000007fc5 = 1; *(uint8_t*)0x200000007fc6 = 1; *(uint8_t*)0x200000007fc7 = 1; *(uint8_t*)0x200000007fc8 = 1; *(uint8_t*)0x200000007fc9 = 2; *(uint8_t*)0x200000007fca = 0; *(uint8_t*)0x200000007fcb = 0; *(uint8_t*)0x200000007fcc = 0x12; *(uint8_t*)0x200000007fcd = 0x24; *(uint8_t*)0x200000007fce = 2; *(uint8_t*)0x200000007fcf = 2; *(uint16_t*)0x200000007fd0 = 6; *(uint16_t*)0x200000007fd2 = 0x9a; *(uint8_t*)0x200000007fd4 = 0x20; memcpy((void*)0x200000007fd5, "\x2d\xa5\xee\x78\xa2\x8e\x1f\x1a\x41", 9); *(uint8_t*)0x200000007fde = 0xd; *(uint8_t*)0x200000007fdf = 0x24; *(uint8_t*)0x200000007fe0 = 2; *(uint8_t*)0x200000007fe1 = 1; *(uint8_t*)0x200000007fe2 = 0xf8; *(uint8_t*)0x200000007fe3 = 3; *(uint8_t*)0x200000007fe4 = 0x69; *(uint8_t*)0x200000007fe5 = 0x6d; memcpy((void*)0x200000007fe6, "e)", 2); memcpy((void*)0x200000007fe8, "\xbf\x07\x94", 3); *(uint8_t*)0x200000007feb = 0xb; *(uint8_t*)0x200000007fec = 0x24; *(uint8_t*)0x200000007fed = 2; *(uint8_t*)0x200000007fee = 1; *(uint8_t*)0x200000007fef = 5; *(uint8_t*)0x200000007ff0 = 4; *(uint8_t*)0x200000007ff1 = 0x5b; *(uint8_t*)0x200000007ff2 = 3; memset((void*)0x200000007ff3, 68, 1); memcpy((void*)0x200000007ff4, "\x26\x18", 2); *(uint8_t*)0x200000007ff6 = 9; *(uint8_t*)0x200000007ff7 = 0x24; *(uint8_t*)0x200000007ff8 = 2; *(uint8_t*)0x200000007ff9 = 2; *(uint16_t*)0x200000007ffa = 0x7b4; *(uint16_t*)0x200000007ffc = 8; *(uint8_t*)0x200000007ffe = 4; *(uint8_t*)0x200000007fff = 0xc; *(uint8_t*)0x200000008000 = 0x24; *(uint8_t*)0x200000008001 = 2; *(uint8_t*)0x200000008002 = 1; *(uint8_t*)0x200000008003 = 0; *(uint8_t*)0x200000008004 = 3; *(uint8_t*)0x200000008005 = 8; *(uint8_t*)0x200000008006 = 8; 
memset((void*)0x200000008007, 170, 1); memcpy((void*)0x200000008008, "\xe8\xe5\xb4", 3); *(uint8_t*)0x20000000800b = 9; *(uint8_t*)0x20000000800c = 5; *(uint8_t*)0x20000000800d = 1; *(uint8_t*)0x20000000800e = 9; *(uint16_t*)0x20000000800f = 0x40; *(uint8_t*)0x200000008011 = 6; *(uint8_t*)0x200000008012 = 5; *(uint8_t*)0x200000008013 = 0; *(uint8_t*)0x200000008014 = 7; *(uint8_t*)0x200000008015 = 0x25; *(uint8_t*)0x200000008016 = 1; *(uint8_t*)0x200000008017 = 0x80; *(uint8_t*)0x200000008018 = 1; *(uint16_t*)0x200000008019 = 4; *(uint8_t*)0x20000000801b = 9; *(uint8_t*)0x20000000801c = 4; *(uint8_t*)0x20000000801d = 2; *(uint8_t*)0x20000000801e = 0; *(uint8_t*)0x20000000801f = 0; *(uint8_t*)0x200000008020 = 1; *(uint8_t*)0x200000008021 = 2; *(uint8_t*)0x200000008022 = 0; *(uint8_t*)0x200000008023 = 0; *(uint8_t*)0x200000008024 = 9; *(uint8_t*)0x200000008025 = 4; *(uint8_t*)0x200000008026 = 2; *(uint8_t*)0x200000008027 = 1; *(uint8_t*)0x200000008028 = 1; *(uint8_t*)0x200000008029 = 1; *(uint8_t*)0x20000000802a = 2; *(uint8_t*)0x20000000802b = 0; *(uint8_t*)0x20000000802c = 0; *(uint8_t*)0x20000000802d = 7; *(uint8_t*)0x20000000802e = 0x24; *(uint8_t*)0x20000000802f = 1; *(uint8_t*)0x200000008030 = 3; *(uint8_t*)0x200000008031 = 0x1e; *(uint16_t*)0x200000008032 = 4; *(uint8_t*)0x200000008034 = 7; *(uint8_t*)0x200000008035 = 0x24; *(uint8_t*)0x200000008036 = 1; *(uint8_t*)0x200000008037 = 0x6f; *(uint8_t*)0x200000008038 = 7; *(uint16_t*)0x200000008039 = 0; *(uint8_t*)0x20000000803b = 0xa; *(uint8_t*)0x20000000803c = 0x24; *(uint8_t*)0x20000000803d = 2; *(uint8_t*)0x20000000803e = 2; *(uint16_t*)0x20000000803f = 8; *(uint16_t*)0x200000008041 = 2; *(uint8_t*)0x200000008043 = 8; memset((void*)0x200000008044, 102, 1); *(uint8_t*)0x200000008045 = 0x10; *(uint8_t*)0x200000008046 = 0x24; *(uint8_t*)0x200000008047 = 2; *(uint8_t*)0x200000008048 = 2; *(uint16_t*)0x200000008049 = 9; *(uint16_t*)0x20000000804b = 0x401; *(uint8_t*)0x20000000804d = 5; memcpy((void*)0x20000000804e, 
"\x53\xb1\x1d\xbc\x8c\xd3\x10", 7); *(uint8_t*)0x200000008055 = 9; *(uint8_t*)0x200000008056 = 5; *(uint8_t*)0x200000008057 = 0x82; *(uint8_t*)0x200000008058 = 9; *(uint16_t*)0x200000008059 = 8; *(uint8_t*)0x20000000805b = 0; *(uint8_t*)0x20000000805c = 0x28; *(uint8_t*)0x20000000805d = 6; *(uint8_t*)0x20000000805e = 7; *(uint8_t*)0x20000000805f = 0x25; *(uint8_t*)0x200000008060 = 1; *(uint8_t*)0x200000008061 = 0x80; *(uint8_t*)0x200000008062 = 5; *(uint16_t*)0x200000008063 = 0xd; *(uint32_t*)0x2000000081c0 = 0xa; *(uint64_t*)0x2000000081c4 = 0x200000008080; *(uint8_t*)0x200000008080 = 0xa; *(uint8_t*)0x200000008081 = 6; *(uint16_t*)0x200000008082 = 0x110; *(uint8_t*)0x200000008084 = 0x59; *(uint8_t*)0x200000008085 = 0xa5; *(uint8_t*)0x200000008086 = 5; *(uint8_t*)0x200000008087 = 0x10; *(uint8_t*)0x200000008088 = 1; *(uint8_t*)0x200000008089 = 0; *(uint32_t*)0x2000000081cc = 0x39; *(uint64_t*)0x2000000081d0 = 0x2000000080c0; *(uint8_t*)0x2000000080c0 = 5; *(uint8_t*)0x2000000080c1 = 0xf; *(uint16_t*)0x2000000080c2 = 0x39; *(uint8_t*)0x2000000080c4 = 5; *(uint8_t*)0x2000000080c5 = 0xb; *(uint8_t*)0x2000000080c6 = 0x10; *(uint8_t*)0x2000000080c7 = 1; *(uint8_t*)0x2000000080c8 = 4; *(uint16_t*)0x2000000080c9 = 8; *(uint8_t*)0x2000000080cb = 3; *(uint8_t*)0x2000000080cc = 0xb8; *(uint16_t*)0x2000000080cd = 9; *(uint8_t*)0x2000000080cf = 4; *(uint8_t*)0x2000000080d0 = 0x14; *(uint8_t*)0x2000000080d1 = 0x10; *(uint8_t*)0x2000000080d2 = 4; *(uint8_t*)0x2000000080d3 = 2; memcpy((void*)0x2000000080d4, "\x9d\x9a\xb0\x97\x8e\x2a\xac\xe2\x6d\xe6\x63\x06\xe6\xe2\x96\x3d", 16); *(uint8_t*)0x2000000080e4 = 0xb; *(uint8_t*)0x2000000080e5 = 0x10; *(uint8_t*)0x2000000080e6 = 1; *(uint8_t*)0x2000000080e7 = 4; *(uint16_t*)0x2000000080e8 = 0; *(uint8_t*)0x2000000080ea = 6; *(uint8_t*)0x2000000080eb = 4; *(uint16_t*)0x2000000080ec = 1; *(uint8_t*)0x2000000080ee = 5; *(uint8_t*)0x2000000080ef = 3; *(uint8_t*)0x2000000080f0 = 0x10; *(uint8_t*)0x2000000080f1 = 0xb; 
*(uint8_t*)0x2000000080f2 = 7; *(uint8_t*)0x2000000080f3 = 0x10; *(uint8_t*)0x2000000080f4 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000080f5, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f7, 0xfff2, 0, 16); *(uint32_t*)0x2000000081d8 = 1; *(uint32_t*)0x2000000081dc = 0x84; *(uint64_t*)0x2000000081e0 = 0x200000008100; *(uint8_t*)0x200000008100 = 0x84; *(uint8_t*)0x200000008101 = 3; memcpy((void*)0x200000008102, "\x00\x0a\x6c\x9f\x4a\x15\xea\xbc\x97\xa9\x2a\xb6\x65\x23\x1b\x2c\xf9\x05\x73\x21\xeb\x43\x0c\x65\x21\xf4\x97\xa8\xc3\xce\x81\x62\x68\xcb\x33\x7f\xa4\x8d\xee\xcf\xeb\x28\xb2\x30\x5f\xcf\x2d\x2e\x98\x8c\xc8\xb8\xb9\x80\xa1\x33\x2d\xc4\x06\xbc\x34\x69\x5f\xa2\x4d\xc3\x60\x9f\x61\x9d\x7a\xc2\x84\xcc\x3a\xe7\xf0\xaf\xe4\x44\xd5\x78\xc9\x51\xd9\xae\xdc\x4c\x68\x2e\x10\x0c\xfe\xb6\x61\x9b\x98\xa9\x6b\x19\x78\xd8\xed\xe7\x57\x4e\x96\x9f\x8a\xe8\xe3\xdf\xb8\x35\xbd\xe5\xcc\xd9\x22\x13\x3e\x53\x03\x6f\xf4\x4e\xda\x52\xa0\xa9", 130); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0xe5, /*dev=*/0x200000007f80, /*conn_descs=*/0x2000000081c0); if (res != -1) r[35] = res; break; case 54: *(uint32_t*)0x200000008380 = 0x2c; *(uint64_t*)0x200000008384 = 0x200000008200; *(uint8_t*)0x200000008200 = 0x40; *(uint8_t*)0x200000008201 = 0x22; *(uint32_t*)0x200000008202 = 0x31; *(uint8_t*)0x200000008206 = 0x31; *(uint8_t*)0x200000008207 = 5; memcpy((void*)0x200000008208, "\x74\xe8\x3d\xcf\x53\xdd\x2d\x0e\xca\xc0\xaa\x34\x67\xb1\x8d\xfa\x71\xb2\x6c\xdd\x40\x3d\x95\x5c\x0f\xfe\x22\x81\x7b\x01\xfe\x57\x95\xd5\x1c\xf2\x4a\x6a\xe3\xb8\xe3\x2f\x1b\x7a\xc5\xf8\xca", 47); *(uint64_t*)0x20000000838c = 0x200000008240; *(uint8_t*)0x200000008240 = 0; *(uint8_t*)0x200000008241 = 3; *(uint32_t*)0x200000008242 = 0x1e; *(uint8_t*)0x200000008246 = 0x1e; *(uint8_t*)0x200000008247 = 3; memcpy((void*)0x200000008248, 
"\x89\x57\xa5\x01\xd8\x3c\x69\xe5\x4f\x70\xf6\x2f\x93\x2a\x50\xb6\x55\x06\xc3\x88\xc1\x28\x23\x9d\x36\x22\x9e\xe2", 28); *(uint64_t*)0x200000008394 = 0x200000008280; *(uint8_t*)0x200000008280 = 0; *(uint8_t*)0x200000008281 = 0xf; *(uint32_t*)0x200000008282 = 0x4f; *(uint8_t*)0x200000008286 = 5; *(uint8_t*)0x200000008287 = 0xf; *(uint16_t*)0x200000008288 = 0x4f; *(uint8_t*)0x20000000828a = 6; *(uint8_t*)0x20000000828b = 0x1c; *(uint8_t*)0x20000000828c = 0x10; *(uint8_t*)0x20000000828d = 0xa; *(uint8_t*)0x20000000828e = 0; STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 5, 5, 27); *(uint16_t*)0x200000008293 = 0xf000; *(uint16_t*)0x200000008295 = 0x409; *(uint32_t*)0x200000008297 = 0xc000; *(uint32_t*)0x20000000829b = 0x17f; *(uint32_t*)0x20000000829f = 0xff3f30; *(uint32_t*)0x2000000082a3 = 0xffffaf; *(uint8_t*)0x2000000082a7 = 0x10; *(uint8_t*)0x2000000082a8 = 0x10; *(uint8_t*)0x2000000082a9 = 0xa; *(uint8_t*)0x2000000082aa = 9; STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 4, 5, 27); *(uint16_t*)0x2000000082af = 0xff0f; *(uint16_t*)0x2000000082b1 = 0xf87; *(uint32_t*)0x2000000082b3 = 0xc030; *(uint8_t*)0x2000000082b7 = 7; *(uint8_t*)0x2000000082b8 = 0x10; *(uint8_t*)0x2000000082b9 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000082ba, 4, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bc, 5, 0, 16); *(uint8_t*)0x2000000082be = 0xa; *(uint8_t*)0x2000000082bf = 0x10; *(uint8_t*)0x2000000082c0 = 3; *(uint8_t*)0x2000000082c1 = 0; *(uint16_t*)0x2000000082c2 = 4; *(uint8_t*)0x2000000082c4 = 0xd2; *(uint8_t*)0x2000000082c5 = 3; *(uint16_t*)0x2000000082c6 = 5; *(uint8_t*)0x2000000082c8 = 0xa; *(uint8_t*)0x2000000082c9 = 0x10; *(uint8_t*)0x2000000082ca = 3; *(uint8_t*)0x2000000082cb = 0; *(uint16_t*)0x2000000082cc = 0; *(uint8_t*)0x2000000082ce = 1; 
*(uint8_t*)0x2000000082cf = 7; *(uint16_t*)0x2000000082d0 = 2; *(uint8_t*)0x2000000082d2 = 3; *(uint8_t*)0x2000000082d3 = 0x10; *(uint8_t*)0x2000000082d4 = 0xb; *(uint64_t*)0x20000000839c = 0x200000008300; *(uint8_t*)0x200000008300 = 0x20; *(uint8_t*)0x200000008301 = 0x29; *(uint32_t*)0x200000008302 = 0xf; *(uint8_t*)0x200000008306 = 0xf; *(uint8_t*)0x200000008307 = 0x29; *(uint8_t*)0x200000008308 = 8; *(uint16_t*)0x200000008309 = 1; *(uint8_t*)0x20000000830b = 7; *(uint8_t*)0x20000000830c = 4; memcpy((void*)0x20000000830d, "\b\r$}", 4); memcpy((void*)0x200000008311, "\x67\x01\x6d\xee", 4); *(uint64_t*)0x2000000083a4 = 0x200000008340; *(uint8_t*)0x200000008340 = 0x20; *(uint8_t*)0x200000008341 = 0x2a; *(uint32_t*)0x200000008342 = 0xc; *(uint8_t*)0x200000008346 = 0xc; *(uint8_t*)0x200000008347 = 0x2a; *(uint8_t*)0x200000008348 = 0x16; *(uint16_t*)0x200000008349 = 0x80; *(uint8_t*)0x20000000834b = 9; *(uint8_t*)0x20000000834c = 3; *(uint8_t*)0x20000000834d = 3; *(uint16_t*)0x20000000834e = 2; *(uint16_t*)0x200000008350 = 0xf000; *(uint32_t*)0x2000000087c0 = 0x84; *(uint64_t*)0x2000000087c4 = 0x2000000083c0; *(uint8_t*)0x2000000083c0 = 0; *(uint8_t*)0x2000000083c1 = 0x11; *(uint32_t*)0x2000000083c2 = 0x1f; memcpy((void*)0x2000000083c6, "\x16\xd6\x0d\x77\x43\x50\x14\x52\xff\xd5\x73\x04\x24\xbc\x4a\x97\x0c\xc6\x49\x0b\xb9\xcc\x85\x93\x86\x99\xed\xf2\x7a\x0c\x7d", 31); *(uint64_t*)0x2000000087cc = 0x200000008400; *(uint8_t*)0x200000008400 = 0; *(uint8_t*)0x200000008401 = 0xa; *(uint32_t*)0x200000008402 = 1; *(uint8_t*)0x200000008406 = 9; *(uint64_t*)0x2000000087d4 = 0x200000008440; *(uint8_t*)0x200000008440 = 0; *(uint8_t*)0x200000008441 = 8; *(uint32_t*)0x200000008442 = 1; *(uint8_t*)0x200000008446 = 4; *(uint64_t*)0x2000000087dc = 0x200000008480; *(uint8_t*)0x200000008480 = 0x20; *(uint8_t*)0x200000008481 = 0; *(uint32_t*)0x200000008482 = 4; *(uint16_t*)0x200000008486 = 0xe554; *(uint16_t*)0x200000008488 = 1; *(uint64_t*)0x2000000087e4 = 0x2000000084c0; 
*(uint8_t*)0x2000000084c0 = 0x20; *(uint8_t*)0x2000000084c1 = 0; *(uint32_t*)0x2000000084c2 = 4; *(uint16_t*)0x2000000084c6 = 0x200; *(uint16_t*)0x2000000084c8 = 0x2b; *(uint64_t*)0x2000000087ec = 0x200000008500; *(uint8_t*)0x200000008500 = 0x40; *(uint8_t*)0x200000008501 = 7; *(uint32_t*)0x200000008502 = 2; *(uint16_t*)0x200000008506 = 0xfd37; *(uint64_t*)0x2000000087f4 = 0x200000008540; *(uint8_t*)0x200000008540 = 0x40; *(uint8_t*)0x200000008541 = 9; *(uint32_t*)0x200000008542 = 1; *(uint8_t*)0x200000008546 = 0; *(uint64_t*)0x2000000087fc = 0x200000008580; *(uint8_t*)0x200000008580 = 0x40; *(uint8_t*)0x200000008581 = 0xb; *(uint32_t*)0x200000008582 = 2; memcpy((void*)0x200000008586, "E\"", 2); *(uint64_t*)0x200000008804 = 0x2000000085c0; *(uint8_t*)0x2000000085c0 = 0x40; *(uint8_t*)0x2000000085c1 = 0xf; *(uint32_t*)0x2000000085c2 = 2; *(uint16_t*)0x2000000085c6 = 2; *(uint64_t*)0x20000000880c = 0x200000008600; *(uint8_t*)0x200000008600 = 0x40; *(uint8_t*)0x200000008601 = 0x13; *(uint32_t*)0x200000008602 = 6; memcpy((void*)0x200000008606, "\x2f\xa6\xdd\xe0\x3a\x0f", 6); *(uint64_t*)0x200000008814 = 0x200000008640; *(uint8_t*)0x200000008640 = 0x40; *(uint8_t*)0x200000008641 = 0x17; *(uint32_t*)0x200000008642 = 6; memcpy((void*)0x200000008646, "\xde\x1c\x10\x2b\x02\x7e", 6); *(uint64_t*)0x20000000881c = 0x200000008680; *(uint8_t*)0x200000008680 = 0x40; *(uint8_t*)0x200000008681 = 0x19; *(uint32_t*)0x200000008682 = 2; memcpy((void*)0x200000008686, "\x0d\x97", 2); *(uint64_t*)0x200000008824 = 0x2000000086c0; *(uint8_t*)0x2000000086c0 = 0x40; *(uint8_t*)0x2000000086c1 = 0x1a; *(uint32_t*)0x2000000086c2 = 2; *(uint16_t*)0x2000000086c6 = 2; *(uint64_t*)0x20000000882c = 0x200000008700; *(uint8_t*)0x200000008700 = 0x40; *(uint8_t*)0x200000008701 = 0x1c; *(uint32_t*)0x200000008702 = 1; *(uint8_t*)0x200000008706 = 0xfd; *(uint64_t*)0x200000008834 = 0x200000008740; *(uint8_t*)0x200000008740 = 0x40; *(uint8_t*)0x200000008741 = 0x1e; *(uint32_t*)0x200000008742 = 1; 
*(uint8_t*)0x200000008746 = 0xfd; *(uint64_t*)0x20000000883c = 0x200000008780; *(uint8_t*)0x200000008780 = 0x40; *(uint8_t*)0x200000008781 = 0x21; *(uint32_t*)0x200000008782 = 1; *(uint8_t*)0x200000008786 = 0xc9; syz_usb_control_io(/*fd=*/r[35], /*descs=*/0x200000008380, /*resps=*/0x2000000087c0); break; case 55: syz_usb_disconnect(/*fd=*/r[33]); break; case 56: syz_usb_ep_read(/*fd=*/r[34], /*ep=*/7, /*len=*/0xfc, /*data=*/0x200000008880); break; case 57: *(uint8_t*)0x200000008980 = 0x12; *(uint8_t*)0x200000008981 = 1; *(uint16_t*)0x200000008982 = 0x200; *(uint8_t*)0x200000008984 = 7; *(uint8_t*)0x200000008985 = 1; *(uint8_t*)0x200000008986 = 1; *(uint8_t*)0x200000008987 = 0x20; *(uint16_t*)0x200000008988 = 0x525; *(uint16_t*)0x20000000898a = 0xa4a8; *(uint16_t*)0x20000000898c = 0x40; *(uint8_t*)0x20000000898e = 1; *(uint8_t*)0x20000000898f = 2; *(uint8_t*)0x200000008990 = 3; *(uint8_t*)0x200000008991 = 1; *(uint8_t*)0x200000008992 = 9; *(uint8_t*)0x200000008993 = 2; *(uint16_t*)0x200000008994 = 0x24; *(uint8_t*)0x200000008996 = 1; *(uint8_t*)0x200000008997 = 1; *(uint8_t*)0x200000008998 = 0xf4; *(uint8_t*)0x200000008999 = 0x60; *(uint8_t*)0x20000000899a = 4; *(uint8_t*)0x20000000899b = 9; *(uint8_t*)0x20000000899c = 4; *(uint8_t*)0x20000000899d = 0; *(uint8_t*)0x20000000899e = 3; *(uint8_t*)0x20000000899f = 2; *(uint8_t*)0x2000000089a0 = 0; *(uint8_t*)0x2000000089a1 = 0; *(uint8_t*)0x2000000089a2 = 0; *(uint8_t*)0x2000000089a3 = 0x81; *(uint8_t*)0x2000000089a4 = 9; *(uint8_t*)0x2000000089a5 = 5; *(uint8_t*)0x2000000089a6 = 1; *(uint8_t*)0x2000000089a7 = 2; *(uint16_t*)0x2000000089a8 = 0x400; *(uint8_t*)0x2000000089aa = 0; *(uint8_t*)0x2000000089ab = 8; *(uint8_t*)0x2000000089ac = 2; *(uint8_t*)0x2000000089ad = 9; *(uint8_t*)0x2000000089ae = 5; *(uint8_t*)0x2000000089af = 0x82; *(uint8_t*)0x2000000089b0 = 2; *(uint16_t*)0x2000000089b1 = 0x3ff; *(uint8_t*)0x2000000089b3 = 4; *(uint8_t*)0x2000000089b4 = 0x48; *(uint8_t*)0x2000000089b5 = 8; *(uint32_t*)0x200000008f00 
= 0xa; *(uint64_t*)0x200000008f04 = 0x2000000089c0; *(uint8_t*)0x2000000089c0 = 0xa; *(uint8_t*)0x2000000089c1 = 6; *(uint16_t*)0x2000000089c2 = 0x250; *(uint8_t*)0x2000000089c4 = 0x7d; *(uint8_t*)0x2000000089c5 = 0xdd; *(uint8_t*)0x2000000089c6 = 3; *(uint8_t*)0x2000000089c7 = 0x20; *(uint8_t*)0x2000000089c8 = 0xfa; *(uint8_t*)0x2000000089c9 = 0; *(uint32_t*)0x200000008f0c = 0x154; *(uint64_t*)0x200000008f10 = 0x200000008a00; *(uint8_t*)0x200000008a00 = 5; *(uint8_t*)0x200000008a01 = 0xf; *(uint16_t*)0x200000008a02 = 0x154; *(uint8_t*)0x200000008a04 = 6; *(uint8_t*)0x200000008a05 = 0xe8; *(uint8_t*)0x200000008a06 = 0x10; *(uint8_t*)0x200000008a07 = 1; memcpy((void*)0x200000008a08, "\xd0\x31\xa9\x16\x5b\x9e\x27\x3f\xf6\xff\xe5\x55\x84\x9a\xf6\xdc\xa6\x6e\x17\xa6\x8e\xe5\xac\x78\x4d\xca\x23\xe4\xa5\x6d\x46\x16\x9a\xd0\x6e\xad\x2b\x8b\xcd\x99\x7e\xac\x2e\xcb\x8b\x2a\x25\x26\xaa\x20\x0d\xb5\x57\x58\xd0\x86\x59\x46\x92\x83\xd6\xec\xfb\xa9\x82\xc3\x00\xae\x82\xcc\xf4\xa8\xbf\x07\x3d\xbd\xe4\x53\x76\xb4\xf6\xfc\x55\x9b\xe5\x19\xf8\x2e\x8e\x5b\x2c\xf5\x9c\x3a\x3a\xf4\xf2\x90\x70\x7e\x76\x7a\x4e\x27\x68\x51\x09\x0d\x90\xbe\x0a\xb6\x6f\x78\x8e\x77\x60\xcd\x71\xab\x86\x5e\xa8\xb6\xbc\xc5\xf3\x5f\x60\x53\x81\x54\xa0\x99\xc3\x54\xa3\x59\x34\x17\x68\x2f\xc3\x9d\x2a\x6a\x25\x5e\xf4\xbb\x65\xf8\xd9\x7a\xf2\x9b\xeb\x0f\x87\x34\xa6\x8e\xd8\x4e\xf0\x8d\xf6\x9e\x9b\x35\xfa\x2e\x3f\xe6\x5e\x99\x38\xff\x44\x1d\xc3\xe7\x98\x2a\x81\xcc\xca\xf9\x62\x1d\x5d\xbc\x66\x3b\x80\xab\x44\x8c\x97\x5c\xbc\x19\xbb\x6c\x39\x01\xa0\x2c\x16\xb3\x2d\xfa\xf9\xf5\xc2\x20\xfa\x21\x43\x49\x37\xb4\x62\x03\x81\x05\xe6\xd0\x86", 229); *(uint8_t*)0x200000008aed = 0x4b; *(uint8_t*)0x200000008aee = 0x10; *(uint8_t*)0x200000008aef = 3; memcpy((void*)0x200000008af0, 
"\x10\xbe\xd1\x91\x2f\x7d\xc9\x4a\xc6\xd8\x7c\xbc\x68\x96\x2c\x89\xe7\x77\xcc\x51\xa2\x57\xd0\xca\xd3\x3c\xdc\xf3\x36\xa3\x1a\xc3\x9b\x86\x71\x44\xc2\xc9\x6b\xe4\x0f\xcc\xac\x19\x63\x3a\x54\x77\x87\xbc\x6e\x4f\xe9\x1e\x91\xfa\x47\x59\xdb\x2a\x86\x7d\x85\x9c\xd5\xa6\x0c\x84\xc1\xa3\x8e\x09", 72); *(uint8_t*)0x200000008b38 = 0xb; *(uint8_t*)0x200000008b39 = 0x10; *(uint8_t*)0x200000008b3a = 1; *(uint8_t*)0x200000008b3b = 2; *(uint16_t*)0x200000008b3c = 9; *(uint8_t*)0x200000008b3e = 0x77; *(uint8_t*)0x200000008b3f = 9; *(uint16_t*)0x200000008b40 = 0x2cf; *(uint8_t*)0x200000008b42 = 0; *(uint8_t*)0x200000008b43 = 0xb; *(uint8_t*)0x200000008b44 = 0x10; *(uint8_t*)0x200000008b45 = 1; *(uint8_t*)0x200000008b46 = 0xc; *(uint16_t*)0x200000008b47 = 5; *(uint8_t*)0x200000008b49 = 8; *(uint8_t*)0x200000008b4a = 5; *(uint16_t*)0x200000008b4b = 9; *(uint8_t*)0x200000008b4d = 0x16; *(uint8_t*)0x200000008b4e = 3; *(uint8_t*)0x200000008b4f = 0x10; *(uint8_t*)0x200000008b50 = 0xb; *(uint8_t*)0x200000008b51 = 3; *(uint8_t*)0x200000008b52 = 0x10; *(uint8_t*)0x200000008b53 = 0xb; *(uint32_t*)0x200000008f18 = 0xa; *(uint32_t*)0x200000008f1c = 4; *(uint64_t*)0x200000008f20 = 0x200000008b80; *(uint8_t*)0x200000008b80 = 4; *(uint8_t*)0x200000008b81 = 3; *(uint16_t*)0x200000008b82 = 0x40e; *(uint32_t*)0x200000008f28 = 4; *(uint64_t*)0x200000008f2c = 0x200000008bc0; *(uint8_t*)0x200000008bc0 = 4; *(uint8_t*)0x200000008bc1 = 3; *(uint16_t*)0x200000008bc2 = 0x427; *(uint32_t*)0x200000008f34 = 4; *(uint64_t*)0x200000008f38 = 0x200000008c00; *(uint8_t*)0x200000008c00 = 4; *(uint8_t*)0x200000008c01 = 3; *(uint16_t*)0x200000008c02 = 0x415; *(uint32_t*)0x200000008f40 = 4; *(uint64_t*)0x200000008f44 = 0x200000008c40; *(uint8_t*)0x200000008c40 = 4; *(uint8_t*)0x200000008c41 = 3; *(uint16_t*)0x200000008c42 = 0x1c0a; *(uint32_t*)0x200000008f4c = 4; *(uint64_t*)0x200000008f50 = 0x200000008c80; *(uint8_t*)0x200000008c80 = 4; *(uint8_t*)0x200000008c81 = 3; *(uint16_t*)0x200000008c82 = 0x83e; 
*(uint32_t*)0x200000008f58 = 4; *(uint64_t*)0x200000008f5c = 0x200000008cc0; *(uint8_t*)0x200000008cc0 = 4; *(uint8_t*)0x200000008cc1 = 3; *(uint16_t*)0x200000008cc2 = 0x300a; *(uint32_t*)0x200000008f64 = 4; *(uint64_t*)0x200000008f68 = 0x200000008d00; *(uint8_t*)0x200000008d00 = 4; *(uint8_t*)0x200000008d01 = 3; *(uint16_t*)0x200000008d02 = 0x300a; *(uint32_t*)0x200000008f70 = 4; *(uint64_t*)0x200000008f74 = 0x200000008d40; *(uint8_t*)0x200000008d40 = 4; *(uint8_t*)0x200000008d41 = 3; *(uint16_t*)0x200000008d42 = 0x423; *(uint32_t*)0x200000008f7c = 0x9f; *(uint64_t*)0x200000008f80 = 0x200000008d80; *(uint8_t*)0x200000008d80 = 0x9f; *(uint8_t*)0x200000008d81 = 3; memcpy((void*)0x200000008d82, "\xd4\x8e\x87\x24\x64\x9a\x28\x41\x92\x3d\x48\xb8\xb2\x35\xfd\xc4\x31\x5e\x0d\xfb\xe1\xb8\xa8\xa0\x83\x53\xaf\x5b\x63\x0b\xeb\x6e\xca\x1d\x6b\xe0\x3d\x88\xd5\x58\x79\x33\xd6\xad\xe1\x22\xb2\xad\x4c\x55\x80\x40\xe7\xf2\x03\xd8\xc7\xaf\x79\x0a\xf8\x5d\xe3\x6e\x84\x1e\xb9\x48\x0a\xfa\x1a\xaf\x9a\x22\x6f\x4d\xe2\x8c\xd4\x44\x15\x57\x41\x1c\x77\x37\xf7\x4d\x7d\x60\x31\x3c\xd3\xd0\x51\x28\x4f\xce\xb5\xb3\x27\x83\x73\xf6\x3c\x72\xa8\x4e\x8d\xe4\xe2\x3b\xf6\x4e\x2a\x69\xc0\x57\x91\x06\xc9\x33\x18\x03\xe2\xef\x32\xfd\x09\x88\x9a\xdc\xe7\xbc\xd7\xeb\x61\x34\xc4\x65\xed\x17\x38\x6d\x3f\x97\xa4\xe8\xa4\xe9\xc4\x19\xf9\xc6\xeb\x2d\x32", 157); *(uint32_t*)0x200000008f88 = 0xa4; *(uint64_t*)0x200000008f8c = 0x200000008e40; *(uint8_t*)0x200000008e40 = 0xa4; *(uint8_t*)0x200000008e41 = 3; memcpy((void*)0x200000008e42, 
"\x81\x10\x3e\x0d\x22\x88\x43\x34\x4b\x9a\x28\x85\x67\x53\x24\xf5\x79\xdf\x27\x8e\x6d\x25\x06\x59\x98\xbd\xbb\x69\xb8\xee\xd0\xe1\xdb\x8d\xf1\x6b\x19\x64\x6d\x92\xc5\xd0\x35\x21\xf7\x73\xc1\x6c\x24\xde\xea\xe5\x56\xbe\x69\xb0\x4e\x1e\x96\x6f\xeb\xfb\xf3\x7f\x3b\xbc\x6d\xd6\x4c\x83\xf4\xc2\xa8\x7d\xaf\x95\xfb\x91\xe1\x0a\x36\xc0\x06\x9f\x4d\x51\x7b\xf3\x96\x21\x11\xd8\xf9\xc8\x45\x32\x3c\x0b\x91\xe6\x8d\xea\x34\xb2\x77\xb4\x10\x72\x0b\xdf\x4a\x58\x64\xfe\x06\x9b\xde\xe8\x4f\xa9\xe4\x46\x55\x49\x71\x3f\xb3\x33\xaa\xed\x85\x5b\xaf\x29\x53\x27\xe1\xfb\x65\x17\x29\xfe\x4a\xcf\x1d\x9e\xbf\x80\xd6\x4c\x29\xfc\xd3\x68\xee\x16\x11\xe5\x50\xd7\xb6\x7a", 162); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x36, /*dev=*/0x200000008980, /*conn_descs=*/0x200000008f00); if (res != -1) r[36] = res; break; case 58: memcpy((void*)0x200000008fc0, "\x18\x15\x12\xf6\x08\x38\x97\xf1\xb9\x4a\xd0\x1c\x9d\x8c\xc9\xeb\x6d\x7c\x14\x9c\x5e\xdf\x5e\xcf\x21\xcf\x4a\x2b\x2a\x9f\xf0\x2e\x0d\x8f\x8a\x4f\x60\xf7\xb3\x1a\xd0\xb2\x55\x2e\x14\x87\x8f\x84\x0f\x51\xa9\x7c\x25\x63\xb6\x19\xb1\x01\xea\x77\x61\x3b\x97\x52\x36\x7f\x0f\x6e\x6a\x62\x37\x81\xa3\x83\xe4\x99\xdc\x26\xfe\xd6\x0a\xfe\x6f\x15\x6d\x32\x6b\xc1\x41\xd6\x61\x5d\x18\xb6\x1a\x5c\x06\xcb\x49\xd9\xe0\x08\xe0\x5f\x65\x37\x6a\xef\xb5\xec\x21\xed\xc4\x68\xb8\x43\x4a\x0c\x9e\x39\xd1\x20\xbc\xd3\x11\x32\xf0\x75\x5c\x1f\xca\xf9\x1f\xec\xb2\x73\x3f\x98\x18\x42\x56\xd2\xf7\x9e\x80\x45\x2d\xc8\x6c\xf3\x19\x85\x08\x2e\x38\x60\x17\xeb\xe8\x21\x25\xc7\x8b\xee\x42\xf9\x49\xca\x67\x98\x67\x34\x33\xfb\x0a\x20\xd9\x16\x1b\x69\x8f\x04\x66\xb0\xea\x53\x58\x7a\x3f\x08\xcc\x34\x35\xbb\x7c\x19\x3f\x4a\xdc\xd2\xe5\xe1\x04\xf3\x3e\x3e\x1c\xdd\x33\xba\x95\x1f\xc9\xf7\x6b\x10\x8a\x40\x74\xc8\x07\x2b\x16\x46\x59\x62\xeb\x28\xe1\x38\xc9\x18\x8c\x3e\x54\xa0\x0a\xfb\x4f\xb1\x71\x0a\x27\x3a\x1f\x1c\x53\x0a\xda\x0d\x50", 251); syz_usb_ep_write(/*fd=*/r[36], /*ep=*/0xf9, /*len=*/0xfb, /*data=*/0x200000008fc0); break; case 59: 
syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); break; } }
/*
 * Entry point of the generated reproducer.
 *
 * Sets up the fixed address-space layout the executor relies on: one
 * inaccessible page (prot=0) just below 0x200000000000, a 0x1000000-byte
 * (16 MiB) anonymous region at 0x200000000000 mapped readable, writable
 * AND executable (every syscall argument buffer above lives in it), and a
 * second inaccessible page just above that region.  The two prot=0
 * mappings appear to act as guard pages around the data region -- TODO
 * confirm against the csource generator.  MAP_FIXED silently replaces any
 * existing mapping at those addresses and none of the mmap results are
 * checked.
 *
 * Returns 0.  A fault-injection setup failure is only reported, not fatal.
 */
int main(void) {
    /* low guard page: no access permitted */
    syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    /* data region: PROT_READ|PROT_WRITE|PROT_EXEC, 16 MiB */
    syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    /* high guard page: no access permitted */
    syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    const char* reason;
    (void)reason; /* suppresses an unused-variable warning (the file is built with -Wall -Werror) */
    if ((reason = setup_fault()))
        printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason);
    use_temporary_dir();
    do_sandbox_none(); /* defined elsewhere in the file; not visible here */
    return 0;
}
: In function 'execute_call': :5997:17: error: '__NR_socketcall' undeclared (first use in this function) :5997:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor2710099563 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/27 (0.97s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false 
LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$IMCTRLREQ(0xffffffffffffffff, 0x80044945, &(0x7f0000000000)={0x4006, 0xd, 0x2, 0x8}) (fail_nth: 1) ioctl$SNDRV_TIMER_IOCTL_GINFO(0xffffffffffffffff, 0xc0f85403, &(0x7f0000000040)={{0x0, 0x1, 0x4, 0x2, 0x5}, 0x81, 0x0, 'id1\x00', 'timer0\x00', 0x0, 0x6, 0x3, 0x70a, 0x9}) (async) r0 = syz_open_dev$ircomm(&(0x7f0000000140), 0x0, 0x0) (rerun: 4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTA3D_RGXCREATERENDERCONTEXT(0xffffffffffffffff, 0xc0206440, &(0x7f0000000340)={0x82, 0x8, &(0x7f0000000280)={0x1, 0x0, 0xc0, &(0x7f0000000180)="5b58ac0ed1d27b217d3fdc6299cdde4d85321f7bbaa064d361519cdde43b225cf00658ddbfbd914cf79eceb348f18692315c3c69ec148e2dd928ac7ee62f5111b9dccaca88524912341955f79b0f2206b80e6e5a7e681a629694a34f9b0e39877eefde60a068cdc44545d6fe45d0000c9961a1ff168747447e346b16460875c691de1183b2d7b032cfae85497d0d8848d4baa9adc6caaccd9af6019ea2ba6f3b4e6018df94cacabeddec7b600230ea7790019399d0beb61f427df8359cc34893", 0x0, 0x0, &(0x7f0000000240), 0x10000, 0x0, 0x0, 0x81, 0xe}, &(0x7f0000000300)={0x0}, 0x44, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXCMP_RGXGETLASTCOMPUTECONTEXTRESETREASON(r0, 0xc0206440, &(0x7f0000000400)={0x81, 0x4, &(0x7f0000000380)={r1}, &(0x7f00000003c0), 0x8, 0xc}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r0, 0xc08c5335, &(0x7f0000000440)={0x3, 0x6, 0x1, 'queue1\x00', 0xdae}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000540), r0) sendmsg$TIPC_NL_BEARER_GET(r0, &(0x7f0000000880)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000840)={&(0x7f0000000580)={0x2b4, r2, 0x400, 0x70bd2d, 0x25dfdbfb, {}, [@TIPC_NLA_PUBL={0x44, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3f}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x2}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x4c00000}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x67c}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x7}]}, 
@TIPC_NLA_LINK={0x3c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x220a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9c0}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x101}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x6}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}]}, @TIPC_NLA_BEARER={0xb8, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @multicast2}}, {0x14, 0x2, @in={0x2, 0x4e20, @broadcast}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xb}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}, @TIPC_NLA_NET={0x20, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x8}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x80}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK={0x10c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x187}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc0fb}, 
@TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffff2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd0}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK_PROP={0x54, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xe6a9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x81}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x79}]}]}, 0x2b4}, 0x1, 0x0, 0x0, 0x4040811}, 0x0) read$snddsp(r0, &(0x7f00000008c0)=""/29, 0x1d) ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(0xffffffffffffffff, 0x4010801d, &(0x7f0000000980)={0x6, &(0x7f0000000940)=[0x904e, 0x1, 0x9, 0x6, 0xe, 0x5]}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@mgmt_frame=@deauth={{{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x4}, @device_a, @broadcast, @from_mac=@device_b, {0x1, 0x7f}}, 0x1f, @val={0x8c, 0x18, {0x5d9, "8e85144c6433", @long="e023fbed513011c5707e452472e2055d"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@random="3a386465f389380e26b0cb13f98a36e2214f099ee0d0b29b754e31d6efc82c04", 0x20, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_path_truncate\x00') r3 = syz_clone(0x4004000, 
&(0x7f0000000140)="daa4ed40f7cf4da86377e864d8e6c6d4fc5486af4a6f23dea58b3243a291b0180dbaf5c92758af73f9", 0x29, &(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)="40f276856b8191c4f312759d795a22c3c7edc91678794f4eeac45746fcc9930722c8189ba59565f7327cbcd4506164eb9f6ff175f1f08d60247091772c185ac38304e9b5b3") r4 = getpgrp(r3) r5 = syz_clone3(&(0x7f0000000500)={0x800, &(0x7f0000000280)=0xffffffffffffffff, &(0x7f00000002c0)=0x0, &(0x7f0000000300)=0x0, {0x12}, &(0x7f0000000340)=""/102, 0x66, &(0x7f00000003c0)=""/198, &(0x7f00000004c0)=[r3, r3, r3, r4], 0x4}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x101a, &(0x7f00000005c0)={@remote, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @val={@void, {0x8100, 0x7, 0x0, 0x3}}, {@llc_tr={0x11, {@snap={0xab, 0x1fe, "fe", "1622d0", 0x1b, ""}}}}}, 0x0) syz_emit_vhci(&(0x7f0000001600)=@HCI_VENDOR_PKT, 0x2) syz_extract_tcp_res(&(0x7f0000001640), 0x401, 0x8001) r9 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000001680)=0x4) shmctl$auto_SHM_UNLOCK(0x6, 0xc, &(0x7f0000004a80)={{0x80000000, 0xee01, 0xee01, 0x5, 0xfffffff8, 0x1, 0x6bc1}, 0x40, 0xffff, 0x2265, 0xfffffffffffffff8, @inferred=r3, @inferred=r8, 0xfffa, 0x0, &(0x7f0000003a40)="", &(0x7f0000004a40)="884f381309896a88173889994e74c60694f7baa45be088e59bc3e939728257e8d2db71"}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000004c40)={{{@in, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@remote}}, &(0x7f0000004d40)=0xe8) shmctl$auto(0x5, 0x2, &(0x7f0000004e00)={{0x7, 0xee00, 0xffffffffffffffff, 0x8, 0x80, 0x5, 0xfffc}, 0x1, 0x7, 0x5, 0xbed1, @inferred=r5, @inferred=r7, 0x1, 0x0, &(0x7f0000004d80), &(0x7f0000004dc0)="05c9215687a3ff1747cae5c18cb186ed5c62984337f90f0ab5948e21c63d1686f1da1459a89718a9f84930b892c2ad4de61f714ab8"}) msgctl$auto_IPC_RMID(0x4, 0x0, &(0x7f0000004f00)={{0x7, 0xffffffffffffffff, 0xffffffffffffffff, 0x1, 0x0, 0x98, 0x4}, &(0x7f0000004e80)=0x6, 
&(0x7f0000004ec0)=0x5, 0xc, 0x1ff800000, 0x8, 0x7f, 0x3, 0x101, 0x8, 0x1000, @inferred=r5, @inferred=r8}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000004f80)={{{@in6=@mcast1, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@multicast2}}, &(0x7f0000005080)=0xe8) shmctl$auto(0x2, 0x5, &(0x7f00000052c0)={{0x8, 0x0, 0x0, 0x7f, 0x5, 0x80000001, 0x43}, 0x7, 0x2, 0x0, 0xffffffffffffffff, @raw=0xf, @inferred=r7, 0x2, 0x0, &(0x7f00000050c0)="bcc4b5d86e91b02b73e16c4665dc3088f7cc9826da7807f9a8300d9d8980de67a1a2a153e95466e76d2c38c41558c08efe37ee81d9904674ced86dda9b2b6cc7c97b199758bef8d92dd20e0e69864d6fcd03a80ca012019cf41e5166475038fcd360338436e7827ef730469187e6a495f5bf018ee7caa71c804a386756c3242b30eca0b841166d7839e94a5639d08fbc06dac1f861494456d8d153de7fc30387d452304e7c3069bbfb424391d04fab12037c6d6ae6025df869fa3a45e03148c2dd052c", &(0x7f00000051c0)="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"}) stat$auto(&(0x7f0000005340)='./file0\x00', &(0x7f0000005380)={0x355, 0x100000001, 0x5, 0x7, 0xffffffffffffffff, 0xee01, 0x0, 0x7, 0x2, 0x2, 0x6, 0xfffffffffffffff7, 0x7, 0x4, 0xfff, 0x17b, 0xffffffffffff27a1}) shmctl$auto(0x8001, 0xfffffee8, &(0x7f0000006480)={{0x7, 0xee00, 0x0, 0x0, 0x7, 0x8, 0x3ff}, 0x10, 0x2, 0x8, 0x7fffffff, @inferred=r8, @raw=0xffff, 0xffff, 0x0, &(0x7f0000005440)="", &(0x7f0000006440)="1c3d61efc1467b6b61e9e5f06fa3d1dcc0e70035dcc9c6c3b00df58900"}) r21 = getgid() r22 = geteuid() ioctl$auto_XFS_IOC_SWAPEXT(0xffffffffffffffff, 0xc0c0586d, &(0x7f0000006a80)={0xfff, @raw=0xd, @inferred=r6, 0x7, 0x2, '\x00', {0xf, 0x0, 0x46, 0xffffffffffffffff, 0x0, 0xfffffffd, 0xf7, 0x7f, {0x8, 0x9}, {0x3, 0x200}, {0x4, 0x5}, 0x62, 0x5, 0xff, 0x6cbf, 0x48, 0x0, 0x8001, 0x7f, 0x6, 0x8, '\x00', 0x40, 0xffff, 0xa, 0xb04b}}) syz_fuse_handle_req(r9, &(0x7f00000016c0)="", 0x2000, &(0x7f0000006c80)={&(0x7f00000036c0)={0x50, 0x0, 0x8, {0x7, 0x2d, 0x7, 0x8000008, 0x7, 0xfc00, 0x3ff, 0x59, 0x0, 0x0, 0xe0, 0x10000}}, 
&(0x7f0000003740)={0x18, 0x0, 0x6, {0x80000001}}, &(0x7f0000003780)={0x18, 0x0, 0x4, {0x2}}, &(0x7f00000037c0)={0x18, 0xffffffffffffffda, 0x37}, &(0x7f0000003800)={0x18, 0x0, 0x1, {0xff}}, &(0x7f0000003840)={0x28, 0x26, 0x7fffffffffffffff, {{0x7a, 0x8}}}, &(0x7f0000003880)={0x60, 0xfffffffffffffff5, 0x1, {{0x81, 0x6, 0x3ff, 0x2, 0x4, 0x4, 0x8, 0x2}}}, &(0x7f0000003900)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000003940)={0x12, 0xf92c178daeab5fde, 0x9, {'^\x00'}}, &(0x7f0000003980)={0x20, 0x0, 0x0, {0x0, 0x2}}, &(0x7f00000039c0)={0x78, 0x0, 0xfffffffffffffff7, {0x3, 0x67, 0x0, {0x3, 0x2, 0x5, 0x2, 0x0, 0x5b, 0x200, 0x6, 0xf0b7, 0x1000, 0x1, 0xffffffffffffffff, 0xffffffffffffffff, 0x4, 0x6}}}, &(0x7f0000004b00)={0x90, 0x0, 0x7, {0x1, 0x3, 0x10000, 0x200, 0x8, 0xa87, {0x4, 0x1, 0x7, 0x1, 0xfffffffffffffffd, 0x4, 0x9, 0xffff, 0x10000000, 0x0, 0xf40, 0x0, r10, 0x8001, 0x9}}}, &(0x7f0000004bc0)={0x48, 0x0, 0x5c, [{0x1, 0x4, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}, {0x1, 0x8, 0x0, 0xb}]}, &(0x7f0000006500)={0x478, 0x0, 0x2, [{{0x1, 0x1, 0xf, 0x9, 0x7fffffff, 0x3ff, {0x5, 0xb3fc, 0x3, 0xa2d9, 0x3, 0x80000000, 0x4, 0x5, 0x2, 0x6000, 0xfff, 0xffffffffffffffff, 0xee01, 0x5, 0x6}}, {0x5, 0x9, 0x6, 0x6, 'wlan1\x00'}}, {{0x3, 0x1, 0x4, 0xf, 0x1, 0x5, {0x4, 0xffc, 0x2, 0xffffffffffffdbca, 0x35, 0x5fa, 0x8, 0x5, 0x16d, 0x6000, 0x8000, r11, 0xee00, 0x8, 0x2}}, {0x2, 0x3e8, 0x16, 0x5, 'bpf_lsm_path_truncate\x00'}}, {{0x6, 0x3, 0xcff0, 0xfffffffffffffbff, 0x3, 0x3, {0x5, 0x4, 0x8, 0x9, 0x10, 0x5, 0x91, 0xfff, 0xfffffffd, 0xc000, 0x3, r12, 0xee00, 0x80, 0x40}}, {0x0, 0x8, 0x6, 0x80000001, 'wlan1\x00'}}, {{0x3, 0x2, 0x8, 0x9, 0x80000000, 0xd149, {0x3, 0x4, 0x5, 0xe, 0x7a, 0xd52, 0x0, 0x5, 0x6, 0xa000, 0x2, r14, 0x0, 0x7fffffff, 0x5}}, {0x4, 0x7ff, 0x2, 0x78d, '\xc0\''}}, {{0x2, 0x0, 0x6, 0x7fffffff, 0x5, 0x5, {0x2, 0xc, 0xbde5, 0x5, 0x8, 0x10, 0x9, 0x6, 0xe31, 0x2000, 0x5b8, r16, r18, 0x6, 0x8}}, {0x2, 0x80, 0x0, 0xb6}}, {{0x5, 0x2, 0x80000001, 0x2, 0x6, 0xff, {0x3, 0x5, 0x8, 0x3, 0x8001, 0x5, 
0x1, 0x7, 0x2, 0x1000, 0x1, 0xee01, r19, 0x10001, 0x6}}, {0x0, 0x6, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x3, 0x1, 0x8000000000000000, 0x2e, 0x5, 0x7, {0x6, 0x5, 0x5, 0xb, 0x0, 0x2, 0xffff, 0x0, 0x8, 0x2000, 0x9, r20, r21, 0x2, 0x7}}, {0x6, 0xfffffffffffffffb, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000006980)={0xa0, 0x0, 0xd05, {{0x5, 0x3, 0x8000000000000001, 0x7, 0x5, 0x2, {0x3, 0x4, 0x5, 0x3, 0x8, 0x1, 0x8001, 0x0, 0xfff, 0x8000, 0x101, r22, 0xee00, 0x7, 0xac}}, {0x0, 0x10}}}, &(0x7f0000006a40)={0x20, 0x0, 0xffffffff, {0x4, 0x0, 0x9, 0xa}}, &(0x7f0000006b40)={0x130, 0x0, 0x1ff, {0x6276287e, 0x7, 0x0, '\x00', {0x800, 0x2, 0x3, 0x1e, 0xffffffffffffffff, r24, 0x4000, '\x00', 0x800, 0x9, 0x8, 0x32f3fcde, {0x6, 0x1}, {0x4, 0xe30}, {0x4d, 0x3}, {0x6, 0x8}, 0x6, 0x2, 0xfb, 0x2}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000006d40), r23) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x28c2, &(0x7f0000006d80)={0x0, 0xd0f0, 0x20, 0x0, 0x1e5}, &(0x7f0000006e00)=0x0, &(0x7f0000006e40)) syz_io_uring_complete(r25) r26 = syz_io_uring_setup(0x7c1f, &(0x7f0000006e80)={0x0, 0x979d, 0x4, 0x1, 0x206, 0x0, r9}, &(0x7f0000006f00)=0x0, &(0x7f0000006f40)=0x0) r29 = io_uring_register$IORING_REGISTER_PERSONALITY(r26, 0x9, 0x0, 0x0) syz_io_uring_submit(r27, r28, &(0x7f0000007000)=@IORING_OP_OPENAT2={0x1c, 0x14, 0x0, r23, &(0x7f0000006f80)={0x818480, 0x0, 0x35}, &(0x7f0000006fc0)='./file0\x00', 0x18, 0x0, 0x23456, {0x0, r29}}) r30 = syz_kvm_setup_syzos_vm$x86(r9, &(0x7f0000bfd000/0x400000)=nil) syz_kvm_add_vcpu$x86(r30, &(0x7f0000007400)={0x0, &(0x7f0000007040)=[@wrmsr={0x65, 0x20, {0x92e, 0x8}}, @nested_vmresume={0x130, 0x18, 0x1}, @wr_drn={0x68, 0x20, {0x1}}, @nested_amd_invlpga={0x17d, 0x20, {0xffffffff, 0xbd0d}}, @nested_amd_vmsave={0x183, 0x18, 0x1}, @code={0xa, 0x6a, {"36490fc7aad66197c026660f3880945e008000000f01ba008000008fc9b89b29470fc7ae20000000450f09c4e2d13967c4360f017f0566642e643ed8f1c744240025fd0000c744240254000000c7442406000000000f011424"}}, 
@nested_amd_inject_event={0x180, 0x38, {0x0, 0xb5, 0x7, 0x5}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x3, @control16=0x4, 0x5, 0x1ff, 0x8}}, @nested_vmresume={0x130, 0x18}, @out_dx={0x6a, 0x28, {0xc636, 0x5, 0x4}}, @enable_nested={0x12c, 0x18}, @nested_vmlaunch={0x12f, 0x18, 0x1}, @wrmsr={0x65, 0x20, {0x8a3, 0x9}}, @wr_drn={0x68, 0x20, {0x4, 0x6}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_create_vm={0x12d, 0x18, 0x2}, @nested_amd_invlpga={0x17d, 0x20, {0x8080000, 0x943e}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x3, @control_area=0x31, 0xc, 0x6, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x36, 0x1, 0x2, 0x3}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_vmresume={0x130, 0x18}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0x72, 0x2, 0x5, 0x2}}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_vmlaunch={0x12f, 0x18, 0x2}], 0x3a2}) r31 = ioctl$KVM_CREATE_VM(r9, 0xae01, 0x5) syz_kvm_setup_cpu$ppc64(r31, r23, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000007680)=[{0x0, &(0x7f0000007440)="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", 0x20c}], 0x1, 0x2, &(0x7f00000076c0)=[@featur2={0x1, 0x6}], 0x1) syz_kvm_setup_syzos_vm$x86(r23, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(0x0, 0x114, &(0x7f0000007700), 0x0, 0x4) syz_mount_image$fuse(&(0x7f0000007740), &(0x7f0000007780)='./file0\x00', 0x40000, &(0x7f00000077c0)={{'fd', 0x3d, r23}, 0x2c, {'rootmode', 0x3d, 0x6000}, 0x2c, {'user_id', 0x3d, r22}, 0x2c, {'group_id', 0x3d, r13}, 0x2c, {[{@max_read={'max_read', 0x3d, 0x3}}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@default_permissions}, {@allow_other}], [{@permit_directio}, {@uid_lt={'uid<', r17}}, {@appraise}, {@smackfshat={'smackfshat', 0x3d, '\xc0\''}}, {@appraise}]}}, 0x1, 0x0, 
&(0x7f0000007940)="a4b222df2ba10df24f5481e0dc5e93b81b1b82e9a214cabce344800ad54de610fa1eda44b9040526f2dc7c731c5473c8c6dc94192a03484e6d62bb49128612543a9d016ed9a3730e51080f5c860d03a77ed50164bcf99c42d3568a974a927a879de41edc2f5552365886121a31095b97aa08ee2977111f7cc56a77c0f2a16b32b19df50a249cd3058e60a6ae8c96349d5e5c0097594ce01c1fbee5ee94606fef673231e65700bc715f1f0119c84ed27b8af38ed153d394d6b22cca54db55a31bc25b45e81deca7bedb696691ae6b92f09eea3e2b5e8af2f996339dec592edec5897e94eb") syz_open_dev$I2C(&(0x7f0000007a40), 0x7, 0x0) syz_open_procfs(r4, &(0x7f0000007a80)='net/psched\x00') syz_open_pts(r9, 0x292c02) syz_pidfd_open(r15, 0x0) r32 = pkey_alloc(0x0, 0x0) syz_pkey_set(r32, 0x3) syz_socket_connect_nvme_tcp() r33 = syz_usb_connect(0x1, 0x295, &(0x7f0000007ac0)={{0x12, 0x1, 0x250, 0x58, 0x6, 0x54, 0x8, 0x13d3, 0x3348, 0x15b2, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x283, 0x2, 0x9, 0x2, 0x10, 0x8, [{{0x9, 0x4, 0x26, 0xb, 0x5, 0x83, 0x18, 0x74, 0xee, [], [{{0x9, 0x5, 0xb, 0x3, 0x8, 0x4, 0xfb, 0x6a, [@generic={0xbd, 0xc, "8b82bd3fc8137d3d259ce7bc140de0823de2222eed4c570edcb84553cd1efd649dd352dd375d81da8da8e6863fb482ecb3a16f122210bff25c59a3afc6542848c06e1b983fbc8dd0de627cfddf9f905f5cb6ed4a25ec5947599b15b538c7bb0b0d65d4a31b319f7383955ce766ef4c66d18bc75d69b2dd7d136c78eaec1e2203eb918dd61609de40f4f693917eeb17fc387bb427341f6416e0b8c46a2445a5c49bd9c86dfe21c598acf17ea98ffece202a21dc93a0b830d29af87c"}, @generic={0xc7, 0x6, "f5459e117800d22a25a486d1442f5cbd4d3d776cd061d2c185f9924eae6a4d7b14c58b599863d321e3ea80a25f6d8be51d5ca70c276ce0e6d9038f88776b9614287db7ee2113f0e7e1f01873b613d763da5f87f86cd1860bd623463fc6d93d9f948d0d4d70d72a8ac1dec1adceb8716729906428d5b6e24b01499bfa6a0aa0482eed8c7751a1c7ec944db19254a74b61142e725a7a290c4142875d347b3e483f4e2db8373ef8fead8118ce07d812332b211da9733d444f7d706a6439c29aeaedd03000a2a8"}]}}, {{0x9, 0x5, 0xa, 0xc, 0x400, 0xc, 0x0, 0xb5, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0xb, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x20, 0x7, 0x5, 0x5, [@generic={0x24, 0x7, 
"ad98314a82d7aebbfce85178752271b158c05dea1bf5a2459c431df180c1f3b2be3b"}]}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x7, 0xf3, 0x4}}, {{0x9, 0x5, 0x5, 0x0, 0x40, 0x2, 0x3, 0x2, [@generic={0x6a, 0xa, "f7dd67505d353d93b6e1f3ac2d8f9f766012d204e558a7076c6a1dd6648b2928acaf801710c8555067e0715e60772d9a84c714f63d527b9f1532a5ac6511627f9e8400e62ad6bd25ec51ec630afc10e1f0f2fe01c9588e2897ef26d5ea8bcf970e51fc28d84a628c"}]}}]}}, {{0x9, 0x4, 0x48, 0xe, 0x3, 0xca, 0x1e, 0x4a, 0xf5, [], [{{0x9, 0x5, 0xb, 0x4, 0x400, 0x5, 0xf7, 0xf6}}, {{0x9, 0x5, 0xe, 0x10, 0x3ff, 0x1, 0xd, 0x80}}, {{0x9, 0x5, 0x5, 0x10, 0x10, 0x95, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xae, 0x12}]}}]}}]}}]}}, &(0x7f0000007ec0)={0xa, &(0x7f0000007d80)={0xa, 0x6, 0x110, 0x4, 0x1, 0x6, 0x8, 0xe}, 0x3b, &(0x7f0000007dc0)={0x5, 0xf, 0x3b, 0x4, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "fdf4043ae7f59e3e81fe303d4de3ea16"}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x8, 0x6, 0x6}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x7, 0xd, 0x95d7}, @ss_container_id={0x14, 0x10, 0x4, 0x3, "bc6a9266bf506e90620d9c900e180143"}]}, 0x1, [{0x98, &(0x7f0000007e00)=@string={0x98, 0x3, "d95f3fcaaa58f9d36d03e3a2d5566a5191f742f723fa49e364e03b0d288a7fcb4579b58c56d824be57f9ad0f8703d3011cac468433fa22c23bfaf15dad541efb0138c46bb8f8869215155c2685d69b75ffe68c0cbd6e71743abd4355e12d9dcb7dff16bb075da553c178139ede2c285a4a2845e8889c234504d968d870b6084a7b4ab0dcdb83d43bb2f4e7a0156b80a68919cbb7da84"}}]}) r34 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000007f00)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r35 = syz_usb_connect$uac1(0x3, 0xe5, &(0x7f0000007f80)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd3, 0x3, 0x1, 0x1, 0x80, 0x80, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x0, 0x7c}, [@extension_unit={0xd, 0x24, 0x8, 0x2, 0x8, 0x9, "0cffda3f227b"}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 
0x2, 0x2, 0x6, 0x9a, 0x20, "2da5ee78a28e1f1a41"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0xf8, 0x3, 0x69, 0x6d, 'e)', "bf0794"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x5, 0x4, 0x5b, 0x3, 'D', "2618"}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x7b4, 0x8, 0x4}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x0, 0x3, 0x8, 0x8, "aa", "e8e5b4"}]}, {{0x9, 0x5, 0x1, 0x9, 0x40, 0x6, 0x5, 0x0, {0x7, 0x25, 0x1, 0x80, 0x1, 0x4}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@as_header={0x7, 0x24, 0x1, 0x3, 0x1e, 0x4}, @as_header={0x7, 0x24, 0x1, 0x6f, 0x7}, @format_type_ii_discrete={0xa, 0x24, 0x2, 0x2, 0x8, 0x2, 0x8, 'f'}, @format_type_ii_discrete={0x10, 0x24, 0x2, 0x2, 0x9, 0x401, 0x5, "53b11dbc8cd310"}]}, {{0x9, 0x5, 0x82, 0x9, 0x8, 0x0, 0x28, 0x6, {0x7, 0x25, 0x1, 0x80, 0x5, 0xd}}}}}}}]}}, &(0x7f00000081c0)={0xa, &(0x7f0000008080)={0xa, 0x6, 0x110, 0x59, 0xa5, 0x5, 0x10, 0x1}, 0x39, &(0x7f00000080c0)={0x5, 0xf, 0x39, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x3, 0xb8, 0x9, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0x2, "9d9ab0978e2aace26de66306e6e2963d"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x0, 0x6, 0x4, 0x1, 0x5}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x5, 0x6, 0xfff2}]}, 0x1, [{0x84, &(0x7f0000008100)=@string={0x84, 0x3, "000a6c9f4a15eabc97a92ab665231b2cf9057321eb430c6521f497a8c3ce816268cb337fa48deecfeb28b2305fcf2d2e988cc8b8b980a1332dc406bc34695fa24dc3609f619d7ac284cc3ae7f0afe444d578c951d9aedc4c682e100cfeb6619b98a96b1978d8ede7574e969f8ae8e3dfb835bde5ccd922133e53036ff44eda52a0a9"}}]}) syz_usb_control_io(r35, &(0x7f0000008380)={0x2c, &(0x7f0000008200)={0x40, 0x22, 0x31, {0x31, 0x5, "74e83dcf53dd2d0ecac0aa3467b18dfa71b26cdd403d955c0ffe22817b01fe5795d51cf24a6ae3b8e32f1b7ac5f8ca"}}, &(0x7f0000008240)={0x0, 0x3, 0x1e, @string={0x1e, 0x3, "8957a501d83c69e54f70f62f932a50b65506c388c128239d36229ee2"}}, &(0x7f0000008280)={0x0, 0xf, 0x4f, {0x5, 0xf, 0x4f, 0x6, [@ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x5, 0xf000, 0x409, [0xc000, 0x17f, 
0xff3f30, 0xffffaf]}, @ssp_cap={0x10, 0x10, 0xa, 0x9, 0x1, 0x4, 0xff0f, 0xf87, [0xc030]}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x1, 0x4, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0xd2, 0x3, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x1, 0x7, 0x2}, @ptm_cap={0x3}]}}, &(0x7f0000008300)={0x20, 0x29, 0xf, {0xf, 0x29, 0x8, 0x1, 0x7, 0x4, '\b\r$}', "67016dee"}}, &(0x7f0000008340)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x16, 0x80, 0x9, 0x3, 0x3, 0x2, 0xf000}}}, &(0x7f00000087c0)={0x84, &(0x7f00000083c0)={0x0, 0x11, 0x1f, "16d60d7743501452ffd5730424bc4a970cc6490bb9cc85938699edf27a0c7d"}, &(0x7f0000008400)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000008440)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000008480)={0x20, 0x0, 0x4, {0x2f1050d721a8e554, 0x1}}, &(0x7f00000084c0)={0x20, 0x0, 0x4, {0x200, 0x2b}}, &(0x7f0000008500)={0x40, 0x7, 0x2, 0xfd37}, &(0x7f0000008540)={0x40, 0x9, 0x1}, &(0x7f0000008580)={0x40, 0xb, 0x2, 'E\"'}, &(0x7f00000085c0)={0x40, 0xf, 0x2, 0x2}, &(0x7f0000008600)={0x40, 0x13, 0x6, @random="2fa6dde03a0f"}, &(0x7f0000008640)={0x40, 0x17, 0x6, @random="de1c102b027e"}, &(0x7f0000008680)={0x40, 0x19, 0x2, "0d97"}, &(0x7f00000086c0)={0x40, 0x1a, 0x2, 0x2}, &(0x7f0000008700)={0x40, 0x1c, 0x1, 0xfd}, &(0x7f0000008740)={0x40, 0x1e, 0x1, 0xfd}, &(0x7f0000008780)={0x40, 0x21, 0x1, 0xc9}}) syz_usb_disconnect(r33) syz_usb_ep_read(r34, 0x7, 0xfc, &(0x7f0000008880)=""/252) r36 = syz_usb_connect$printer(0x5, 0x36, &(0x7f0000008980)={{0x12, 0x1, 0x200, 0x7, 0x1, 0x1, 0x20, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xf4, 0x60, 0x4, [{{0x9, 0x4, 0x0, 0x3, 0x2, 0x0, 0x0, 0x0, 0x81, "", {{{0x9, 0x5, 0x1, 0x2, 0x400, 0x0, 0x8, 0x2}}, [{{0x9, 0x5, 0x82, 0x2, 0x3ff, 0x4, 0x48, 0x8}}]}}}]}}]}}, &(0x7f0000008f00)={0xa, &(0x7f00000089c0)={0xa, 0x6, 0x250, 0x7d, 0xdd, 0x3, 0x20, 0xfa}, 0x154, &(0x7f0000008a00)={0x5, 0xf, 0x154, 0x6, [@generic={0xe8, 0x10, 0x1, 
"d031a9165b9e273ff6ffe555849af6dca66e17a68ee5ac784dca23e4a56d46169ad06ead2b8bcd997eac2ecb8b2a2526aa200db55758d08659469283d6ecfba982c300ae82ccf4a8bf073dbde45376b4f6fc559be519f82e8e5b2cf59c3a3af4f290707e767a4e276851090d90be0ab66f788e7760cd71ab865ea8b6bcc5f35f60538154a099c354a3593417682fc39d2a6a255ef4bb65f8d97af29beb0f8734a68ed84ef08df69e9b35fa2e3fe65e9938ff441dc3e7982a81cccaf9621d5dbc663b80ab448c975cbc19bb6c3901a02c16b32dfaf9f5c220fa21434937b462038105e6d086"}, @generic={0x4b, 0x10, 0x3, "10bed1912f7dc94ac6d87cbc68962c89e777cc51a257d0cad33cdcf336a31ac39b867144c2c96be40fccac19633a547787bc6e4fe91e91fa4759db2a867d859cd5a60c84c1a38e09"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x9, 0x77, 0x9, 0x2cf}, @wireless={0xb, 0x10, 0x1, 0xc, 0x5, 0x8, 0x5, 0x9, 0x16}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0xa, [{0x4, &(0x7f0000008b80)=@lang_id={0x4, 0x3, 0x40e}}, {0x4, &(0x7f0000008bc0)=@lang_id={0x4, 0x3, 0x427}}, {0x4, &(0x7f0000008c00)=@lang_id={0x4, 0x3, 0x415}}, {0x4, &(0x7f0000008c40)=@lang_id={0x4, 0x3, 0x1c0a}}, {0x4, &(0x7f0000008c80)=@lang_id={0x4, 0x3, 0x83e}}, {0x4, &(0x7f0000008cc0)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d00)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d40)=@lang_id={0x4, 0x3, 0x423}}, {0x9f, &(0x7f0000008d80)=@string={0x9f, 0x3, "d48e8724649a2841923d48b8b235fdc4315e0dfbe1b8a8a08353af5b630beb6eca1d6be03d88d5587933d6ade122b2ad4c558040e7f203d8c7af790af85de36e841eb9480afa1aaf9a226f4de28cd4441557411c7737f74d7d60313cd3d051284fceb5b3278373f63c72a84e8de4e23bf64e2a69c0579106c9331803e2ef32fd09889adce7bcd7eb6134c465ed17386d3f97a4e8a4e9c419f9c6eb2d32"}}, {0xa4, &(0x7f0000008e40)=@string={0xa4, 0x3, "81103e0d228843344b9a2885675324f579df278e6d25065998bdbb69b8eed0e1db8df16b19646d92c5d03521f773c16c24deeae556be69b04e1e966febfbf37f3bbc6dd64c83f4c2a87daf95fb91e10a36c0069f4d517bf3962111d8f9c845323c0b91e68dea34b277b410720bdf4a5864fe069bdee84fa9e4465549713fb333aaed855baf295327e1fb651729fe4acf1d9ebf80d64c29fcd368ee1611e550d7b67a"}}]}) syz_usb_ep_write(r36, 0xf9, 0xfb, 
&(0x7f0000008fc0)="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") syz_usbip_server_init(0x2) csource_test.go:158: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
/* NOTE(review): the header operands of the following #include lines were
 * stripped from this listing (angle-bracket text lost); they cannot be
 * recovered from the page. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* Fallback syscall numbers for the amd64 target of this test, presumably so
 * the source still builds against libc headers that predate these calls. */
#ifndef __NR_clone3
#define __NR_clone3 435
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434
#endif
#ifndef __NR_pkey_alloc
#define __NR_pkey_alloc 330
#endif
/* Per-process identifier; assigned elsewhere in the file (not visible here). */
static unsigned long long procid;
/* Sleeps for ms milliseconds (converted to microseconds for usleep). */
static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }
/* Monotonic clock in milliseconds.  Terminates the process if
 * clock_gettime(CLOCK_MONOTONIC) fails. */
static uint64_t current_time_ms(void) {
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
/* Creates a fresh ./syzkaller.XXXXXX directory with mkdtemp, makes it
 * world-writable (mode 0777 -- any local user can then create files in
 * it) and chdirs into it.  Every failure terminates the process. */
static void use_temporary_dir(void) {
    char tmpdir_template[] = "./syzkaller.XXXXXX";
    char* tmpdir = mkdtemp(tmpdir_template);
    if (!tmpdir) exit(1);
    if (chmod(tmpdir, 0777)) exit(1);
    if (chdir(tmpdir)) exit(1);
}
/* Starts fn(arg) on a new thread with a 128 KiB stack.
 *
 * pthread_create is retried up to 100 times while it fails with EAGAIN
 * (50 us pause between attempts); any other failure, or exhausting the
 * retries, terminates the process.  The pthread_t handle is a local that
 * is discarded, so the thread is never joined from here; the attribute is
 * not marked detached, so reclaiming it must happen elsewhere -- TODO
 * confirm.  The attribute object is only destroyed on the success path. */
static void thread_start(void* (*fn)(void*), void* arg) {
    pthread_t th;
    pthread_attr_t attr;
    pthread_attr_init(&attr);
    pthread_attr_setstacksize(&attr, 128 << 10);
    int i = 0;
    for (; i < 100; i++) {
        if (pthread_create(&th, &attr, fn, arg) == 0) {
            pthread_attr_destroy(&attr);
            return;
        }
        if (errno == EAGAIN) {
            usleep(50);
            continue;
        }
        break;
    }
    exit(1);
}
/* Mask of bf_len one-bits starting at bit bf_off.  bf_len must be below 64:
 * shifting 1ull by the full width is undefined. */
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define 
STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, 
&ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr 
= IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, 
sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define 
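BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info) & 0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15

/* Minimal copies of the BTF on-disk records needed to walk the type section. */
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};
struct btf_enum {
	__u32 name_off;
	__s32 val;
};
struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};
struct btf_param {
	__u32 name_off;
	__u32 type;
};
struct btf_var {
	__u32 linkage;
};
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};

#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Reads /sys/kernel/btf/vmlinux once into a static buffer and caches it.
 * Returns the buffer, or NULL if the file cannot be opened, a read fails,
 * or the image does not fit in VMLINUX_MAX_SUPPORT_SIZE. The descriptor is
 * closed on every path (the original leaked it on success and on error).
 */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	bool ok = false;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		/* Read error, or the image is at least as large as buf: give up. */
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			break;
		if (ret == 0) {
			ok = true;
			break;
		}
		bytes_read += ret;
	}
	close(fd);
	if (!ok)
		return NULL;
	is_read = true;
	return buf;
}

/*
 * Looks up a BTF type id by name by linearly walking the type section.
 * Returns the 1-based type index, or -1 if the BTF is unavailable, the
 * magic does not match, or no type has that name.
 * NOTE(review): name_off and the per-type size are taken from the image
 * without bounds checks against str_len/type_len; the image comes from the
 * kernel via sysfs, so this is trusted input here.
 */
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		size_t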
skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, 
size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; 
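uint32_t bos_len;
char* bos;
uint32_t strs_len;
struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptors served when the program supplies none. */
static const char default_string[] = {
	8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0
};
static const char default_lang_id[] = {
	4, USB_DT_STRING, 0x09, 0x04
};

/*
 * Resolves an IN control request received while enumerating the emulated
 * device. On success sets *response_data/*response_length to the bytes to
 * return on ep0 and returns true; returns false when the request is not
 * handled, in which case the caller stalls ep0.
 *
 * descs may be NULL: syz_usb_connect passes its conn_descs argument straight
 * through, and the USB_DT_STRING case already tolerates that. The BOS and
 * DEVICE_QUALIFIER cases now do the same instead of dereferencing NULL
 * (BOS is refused, the qualifier is synthesised from the device descriptor).
 * qual is scratch storage owned by the caller for the synthesised qualifier.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				/* Index 0 is the language-id table; anything else gets "syz". */
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/* No descriptor table at all: treat as unsupported (stall). */
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/* Derive the qualifier from the device descriptor. */
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/*
 * Handler for OUT control requests during enumeration. Returns true if the
 * request is accepted; sets *done when enumeration should stop.
 */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

/* Generic device: enumeration is complete once SET_CONFIGURATION arrives. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

/*
 * ath9k variant: also accepts the vendor firmware-download requests and
 * only finishes once the download-complete request is seen.
 */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

/* Program-supplied canned replies for post-enumeration control traffic. */
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));
struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	if (descs)
		descs_num =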
(descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 
name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, 
power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, 
index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == 
USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != 
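USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		// IN request with a data stage: the payload comes from descs/resps;
		// an unknown request is stalled and reported as failure.
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): `||` routes every standard-type request through the
		// SET_INTERFACE path; lookup_interface is relied on to reject pairs
		// that do not name an (interface, altsetting) - confirm this is intended.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// A zero-length IN request is completed through the read branch below
	// with a USB_MAX_PACKET_SIZE buffer (assumes sizeof(response.data) covers
	// USB_MAX_PACKET_SIZE - not visible here, confirm).
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Write to a non-control endpoint. a0 = raw-gadget fd, a1 = endpoint
// address, a2 = length, a3 = data. The length is clamped to the io buffer.
// Returns 0 on success, -1 if the endpoint is not enabled for this device, or
// the negative result of usb_raw_ep_write. `data` is not NULL-checked: the
// memcpy assumes a readable buffer of at least `len` bytes.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

// Read from a non-control endpoint into `data` (a3); a0..a2 as for
// syz_usb_ep_write. Copies back io_data.inner.length bytes, i.e. the count
// the kernel reports after the read (assumed to be <= the clamped `len`;
// confirm against the raw-gadget contract). Returns 0 / -1 / negative errno
// like syz_usb_ep_write.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

// Tear down the emulated device by closing its raw-gadget fd (a0); returns
// close()'s result. The usb index entry for fd is not touched here.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Open a device node. Two forms:
//   a0 == 0xc / 0xb: open /dev/char/<maj>:<min> or /dev/block/<maj>:<min>
//     read-write, with major a1 and minor a2 each truncated to 8 bits.
//   otherwise: a0 is a path template. Each '#' (scanning left to right) is
//     replaced by the next decimal digit of a1, least significant digit
//     first; once a1 is exhausted the remaining '#' become '0'. The result is
//     opened with flags a2, O_CREAT always masked off so a template can never
//     create a file.
// Returns the fd or -1 from open().
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		// Bounded copy plus explicit terminator: strncpy alone would leave
		// buf unterminated for a template of 1023+ bytes.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10);
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}

// Open a procfs file named by a1: /proc/self/<a1> when a0 == 0,
// /proc/thread-self/<a1> when a0 == -1, else /proc/self/task/<a0>/<a1>.
// Tries O_RDWR first and falls back to O_RDONLY. Returns the fd or -1.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Open the slave side of the pty whose master fd is a0: TIOCGPTN yields the
// pty number, which is opened as /dev/pts/<n> with flags a1.
// Returns the fd, or -1 if the ioctl or open fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Create a socket in the initial network namespace (kInitNetNsFd) while the
// executor itself lives in a different one: save the current netns, switch,
// create the socket, switch back.
// Returns the socket fd or -1 with errno set by the failing call. Failure to
// switch back is fatal (exit(1)): continuing would leave the whole process in
// the wrong namespace. Fix: the saved-namespace fd previously leaked when the
// switch into the init namespace failed.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		int saved_errno = errno;
		close(netns);
		errno = saved_errno;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	// Report the socket() errno, not whatever setns()/close() left behind.
	errno = err;
	return sock;
}

// Create a TCP socket in the initial network namespace (same dance as
// syz_init_net_socket) and connect it to 127.0.0.1:4420, the NVMe-over-TCP
// port. Returns the connected fd, or -1 (socket closed) on any failure.
// Fixes: the saved-namespace fd leaked when the first setns failed, and a
// failed socket() previously fell through to connect(-1)/close(-1).
static long syz_socket_connect_nvme_tcp()
{
	struct sockaddr_in nvme_local_address;
	memset(&nvme_local_address, 0, sizeof(nvme_local_address));
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		int saved_errno = errno;
		close(netns);
		errno = saved_errno;
		return -1;
	}
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	if (sock == -1)
		return -1;
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		close(sock);
		return -1;
	}
	return sock;
}

// Resolve a generic-netlink family name to its id. sock_arg >= 0 is an
// existing NETLINK_GENERIC socket to reuse; otherwise a temporary one is
// created and closed again. Returns the id, or -1 on any failure.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:

//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013

//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.

//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:

//% 1. The orig﻿in of this software must not be misrepresented; you must not
//% claim that you wrote the original software.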
//% If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.

//% Mark Adler madler@alumni.caltech.edu

//% BEGIN CODE DERIVED FROM puff.{c,h}

// Deflate limits: longest Huffman code, number of literal/length and
// distance codes, and the size of the fixed literal/length table.
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Decoder state threaded through every puff_* routine.
struct puff_state {
	unsigned char* out;      // output buffer (must be pre-zeroed, see puff_stored/puff_codes)
	unsigned long outlen;    // output capacity in bytes
	unsigned long outcnt;    // bytes produced so far
	const unsigned char* in; // compressed input
	unsigned long inlen;     // input length in bytes
	unsigned long incnt;     // bytes consumed so far
	int bitbuf;              // not-yet-consumed input bits
	int bitcnt;              // number of valid bits in bitbuf
	jmp_buf env;             // puff_bits/puff_decode longjmp here when input runs out
};

// Return the next `need` input bits, least-significant first, refilling
// bitbuf one byte at a time. Input exhaustion longjmps to s->env; puff()
// turns that into error code 2.
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}
	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;
	return (int)(val & ((1L << need) - 1));
}

// Copy one stored (uncompressed) block.
// Returns 0 on success, 2 when the input is too short, 1 when the output is
// full, -2 when the LEN/NLEN complement check fails.
static int puff_stored(struct puff_state* s)
{
	// Stored blocks start on a byte boundary: discard leftover bits.
	s->bitbuf = 0;
	s->bitcnt = 0;
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	// Only non-zero bytes are written: the destination is expected to be
	// zero already (puff_zlib_to_file hands in a fresh anonymous mapping),
	// so untouched pages stay untouched.
	for (; len--; s->outcnt++, s->incnt++) {
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}
	return 0;
}

// Canonical Huffman table in puff's compact form: count[len] is the number
// of codes with that bit length (index 0 unused by the decoder), symbol[]
// lists the symbols in code order.
struct puff_huffman {
	short* count;
	short* symbol;
};

// Decode one symbol using table h, pulling input bits as required.
// Returns the symbol, or -10 if no code of length <= MAXBITS matches.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0;
	int index = 0;
	int bitbuf = s->bitbuf;
	int left = s->bitcnt;
	int code = first = index = 0;
	int len = 1;
	short* next = h->count + 1;
	while (1) {
		// Consume the bits already buffered, one code length per iteration.
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				s->bitbuf = bitbuf;
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code - first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}

// Build the canonical Huffman table h from the n code lengths in length[].
// Returns 0 for a complete code, a positive count of unused codes for an
// incomplete one, or a negative value if the lengths over-subscribe the
// code. Lengths are assumed to be <= MAXBITS (the callers here only produce
// 0..15).
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;
	// Kraft check: `left` tracks the number of still-unassigned codes.
	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];
	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;
	return left;
}

// Decode literal/length and distance codes until the end-of-block symbol.
// Returns 0 on end of block, 1 when the output is full, -10 on an invalid
// length symbol, -11 on a distance reaching before the output start, or the
// error from puff_decode.
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
	// RFC 1951 base lengths / extra bits for length codes 257..285 ...
	static const short lens[29] = {
	    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
	    35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = {
	    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
	    3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	// ... and base distances / extra bits for distance codes 0..29.
	static const short dists[30] = {
	    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
	    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
	    8193, 12289, 16385, 24577};
	static const short dext[30] = {
	    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
	    7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12,
	    13, 13};
	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			// Literal byte; zero bytes are skipped (output assumed pre-zeroed).
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			// Length/distance pair: copy `len` bytes from `dist` back.
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);
			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			if (dist > s->outcnt)
				return -11;
			if (s->outcnt + len > s->outlen)
				return 1;
			// The dist <= outcnt test is already guaranteed by the -11 check
			// above; the zero test again keeps zero bytes from being written.
			while (len--) {
				if (dist <= s->outcnt && s->out[s->outcnt - dist])
					s->out[s->outcnt] = s->out[s->outcnt - dist];
				s->outcnt++;
			}
		}
	} while (symbol != 256);
	return 0;
}

// Decode a block compressed with the fixed Huffman codes (block type 1).
// The fixed tables are built once into function-static storage guarded by
// `virgin`; this is not thread-safe, which matches upstream puff.
static int puff_fixed(struct puff_state* s)
{
	static int virgin = 1;
	static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
	static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	static struct puff_huffman lencode, distcode;
	if (virgin) {
		lencode.count = lencnt;
		lencode.symbol = lensym;
		distcode.count = distcnt;
		distcode.symbol = distsym;
		// Fixed literal/length code lengths per RFC 1951 3.2.6.
		short lengths[FIXLCODES];
		int symbol;
		for (symbol = 0; symbol < 144; symbol++)
			lengths[symbol] = 8;
		for (; symbol < 256; symbol++)
			lengths[symbol] = 9;
		for (; symbol < 280; symbol++)
			lengths[symbol] = 7;
		for (; symbol < FIXLCODES; symbol++)
			lengths[symbol] = 8;
		puff_construct(&lencode, lengths, FIXLCODES);
		// All 30 fixed distance codes are 5 bits.
		for (symbol = 0; symbol < MAXDCODES; symbol++)
			lengths[symbol] = 5;
		puff_construct(&distcode, lengths, MAXDCODES);
		virgin = 0;
	}
	return puff_codes(s, &lencode, &distcode);
}

// Decode a block compressed with dynamic Huffman codes (block type 2): read
// the code-length code, use it to read the literal/length and distance code
// lengths, build both tables and decode the block.
// Returns puff_codes' result, or -3..-9 for the malformed-header cases
// annotated inline.
static int puff_dynamic(struct puff_state* s)
{
	// Order in which code-length code lengths appear in the stream.
	static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	int ncode = puff_bits(s, 4) + 4;
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3; // too many length or distance codes
	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;
	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4; // code-length code must be complete
	// Read the literal/length + distance code lengths, expanding the
	// repeat codes 16 (copy previous), 17 (3-10 zeros) and 18 (11-138 zeros).
	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;
		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			len = 0;
			if (symbol == 16) {
				if (index == 0)
					return -5; // repeat with no previous length
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			} else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			if (index + symbol > nlen + ndist)
				return -6; // repeat past the end of the length table
			while (symbol--)
				lengths[index++] = len;
		}
	}
	if (lengths[256] == 0)
		return -9; // end-of-block code missing
	// Incomplete codes are only tolerated when they have a single code.
	err = puff_construct(&lencode, lengths, nlen);
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;
	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;
	return puff_codes(s, &lencode, &distcode);
}

// Inflate the raw deflate stream source[0..sourcelen) into dest, whose
// capacity is *destlen on entry; *destlen receives the bytes produced.
// Returns 0 on success, 2 when the input ran out (via longjmp from the bit
// readers), 1 when the output filled up, -1 for a reserved block type, or
// the block decoders' negative codes.
// (Body continues past this block.)
static int puff(
    unsigned char* dest,
    unsigned long* destlen,
    const unsigned char* source,
    unsigned long sourcelen)
{
	struct puff_state s = {
	    .out = dest,
	    .outlen = *destlen,
	    .outcnt = 0,
	    .in = source,
	    .inlen = sourcelen,
	    .incnt = 0,
	    .bitbuf = 0,
	    .bitcnt = 0,
	};
	int err;
	if (setjmp(s.env) != 0)
		err = 2;
	else {
		int last;
		do {
			// Block header: 1 bit "last block", 2 bits block type.
			last = puff_bits(&s, 1);
			int type = puff_bits(&s, 2);
			err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ?
puff_dynamic(&s) : -1));
			if (err != 0)
				break;
		} while (!last);
	}
	*destlen = s.outcnt;
	return err;
}
//% END CODE DERIVED FROM puff.{c,h}

// Bytes of zlib header (CMF/FLG) preceding the deflate stream.
#define ZLIB_HEADER_WIDTH 2

// Inflate a zlib-wrapped image and write the result to dest_fd. The 2-byte
// zlib header is skipped without being validated; the adler32 trailer, if
// present, is simply left unconsumed by puff().
// Returns 0 on success (and for inputs shorter than the header, which
// produce no output), -1 otherwise. On a puff() error errno is set to -err;
// puff's positive codes (1 = output full, 2 = input exhausted) therefore end
// up as negative errno values - this is informational only.
// NOTE(review): a short write() is treated as failure rather than retried;
// fine for the memfd target used by setup_loop_device, not for pipes.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;
	// Output is decompressed into a fresh anonymous mapping: it is zero-filled,
	// which the puff_* writers rely on, and pages never touched stay unbacked.
	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;
	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		errno = -err;
		return -1;
	}
	if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
		munmap(dest, max_destlen);
		return -1;
	}
	return munmap(dest, max_destlen);
}

// Inflate the image into a memfd and attach it to the loop device at
// `loopname`. On success *loopfd_p receives the open loop fd (the memfd is
// closed; the loop device keeps its own reference) and 0 is returned.
// On failure all fds are closed, errno holds the first failure and -1 is
// returned. A loop device still busy from an earlier run is detached
// (LOOP_CLR_FD) and retried once after a short pause.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (puff_zlib_to_file(data, size, memfd)) {
		err = errno;
		goto error_close_memfd;
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	close(memfd);
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Best-effort detach of the backing file from the loop device at `loopname`;
// open and ioctl failures are ignored.
static void reset_loop_device(const char* loopname)
{
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		return;
	}
	if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
	}
	close(loopfd);
}

// Mount a (zlib-compressed) filesystem image.
//   fsarg   - filesystem type string
//   dir     - mount point (created with mkdir, best-effort)
//   flags   - mount flags; MS_RDONLY is forced for iso9660
//   optsarg - mount options string (NUL-terminated, must not be NULL)
//   change_dir - when non-zero, chdir into the mount point afterwards
//   size/image - compressed image; size == 0 means "no backing device"
// Returns an fd opened on the mount point, or chdir()'s result (0) when
// change_dir is set, or -1 with errno from the failing call. The loop
// device is always reset before returning; the mount itself persists.
// NOTE(review): with change_dir the fd from open(target) is overwritten by
// the chdir result and stays open - presumably deliberate, confirm.
static long syz_mount_image(
    volatile long fsarg,
    volatile long dir,
    volatile long flags,
    volatile long optsarg,
    volatile long change_dir,
    volatile unsigned long size,
    volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		// One loop device per executor process, selected by procid.
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		close(loopfd);
		source = loopname;
	}
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// The length check has an empty body (informational only); the options
	// are silently truncated to 224 bytes, reserving 32 bytes for the
	// suffixes strcat'ed below. opts is zeroed, so it stays NUL-terminated.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// ext*: never let the image request errors=panic; force
		// errors=continue unless errors=remount-ro is present as a whole,
		// comma-delimited option.
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
			has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
		}
		if (strstr(opts, "errors=panic") || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		// Identical images carry identical UUIDs; allow mounting them anyway.
		strcat(opts, ",nouuid");
	} else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
		strcat(opts, ",errors=withdraw");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		res = chdir(target);
		if (res == -1) {
			err = errno;
		}
	}
error_clear_loop:
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}

// Attributes for code that runs inside the KVM guest ("syzos"): placed in the
// `guest` section so it can be copied into guest memory as one blob. The
// stack-protector / address-space / optnone wrappers are empty here.
#define noinline __attribute__((noinline))
#define __no_stack_protector
#define __addrspace_guest
#define __optnone
#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest
// Linker-provided bounds of the `guest` section.
extern char *__start_guest,
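*__stop_guest;

// Guest-physical layout used by the legacy (non-syzos) KVM setup: code,
// page tables, GDT/LDT, stacks and the per-mode TSS/VMCS scratch variables.
#define X86_ADDR_TEXT 0x0000
#define X86_ADDR_PD_IOAPIC 0x0000
#define X86_ADDR_GDT 0x1000
#define X86_ADDR_LDT 0x1800
#define X86_ADDR_PML4 0x2000
#define X86_ADDR_PDP 0x3000
#define X86_ADDR_PD 0x4000
#define X86_ADDR_STACK0 0x0f80
#define X86_ADDR_VAR_HLT 0x2800
#define X86_ADDR_VAR_SYSRET 0x2808
#define X86_ADDR_VAR_SYSEXIT 0x2810
#define X86_ADDR_VAR_IDT 0x3800
#define X86_ADDR_VAR_TSS64 0x3a00
#define X86_ADDR_VAR_TSS64_CPL3 0x3c00
#define X86_ADDR_VAR_TSS16 0x3d00
#define X86_ADDR_VAR_TSS16_2 0x3e00
#define X86_ADDR_VAR_TSS16_CPL3 0x3f00
#define X86_ADDR_VAR_TSS32 0x4800
#define X86_ADDR_VAR_TSS32_2 0x4a00
#define X86_ADDR_VAR_TSS32_CPL3 0x4c00
#define X86_ADDR_VAR_TSS32_VM86 0x4e00
#define X86_ADDR_VAR_VMXON_PTR 0x5f00
#define X86_ADDR_VAR_VMCS_PTR 0x5f08
#define X86_ADDR_VAR_VMEXIT_PTR 0x5f10
#define X86_ADDR_VAR_VMWRITE_FLD 0x5f18
#define X86_ADDR_VAR_VMWRITE_VAL 0x5f20
#define X86_ADDR_VAR_VMXON 0x6000
#define X86_ADDR_VAR_VMCS 0x7000
#define X86_ADDR_VAR_VMEXIT_CODE 0x9000
#define X86_ADDR_VAR_USER_CODE 0x9100
#define X86_ADDR_VAR_USER_CODE2 0x9120

// Guest-physical layout for syzos guests. Per-vCPU user code lives at
// X86_SYZOS_ADDR_USER_CODE (+ cpu * page, see guest_main); the executor
// image is copied to SYZOS_ADDR_EXECUTOR_CODE (see executor_fn_guest_addr).
#define X86_SYZOS_ADDR_ZERO 0x0
#define X86_SYZOS_ADDR_GDT 0x1000
#define X86_SYZOS_ADDR_PML4 0x2000
#define X86_SYZOS_ADDR_PDP 0x3000
#define X86_SYZOS_ADDR_PT_POOL 0x5000
#define X86_SYZOS_ADDR_VAR_IDT 0x25000
#define X86_SYZOS_ADDR_VAR_TSS 0x26000
#define X86_SYZOS_ADDR_SMRAM 0x30000
#define X86_SYZOS_ADDR_EXIT 0x40000
#define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256)
#define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000
#define X86_SYZOS_ADDR_USER_CODE 0x50000
#define SYZOS_ADDR_EXECUTOR_CODE 0x54000
#define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000
#define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000
#define X86_SYZOS_ADDR_STACK0 0x60f80

// Per-vCPU regions for nested virtualization: each L1 vCPU owns
// X86_SYZOS_L1_VCPU_REGION_SIZE bytes above ..._REGIONS_BASE, holding an
// arch-specific area and a set of L2 VM slots of X86_SYZOS_L2_VM_REGION_SIZE,
// each with its VMCS/VMCB, stack, code, page table and MSR bitmap.
#define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x70000
#define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000
#define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000
#define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000
#define X86_SYZOS_L2_VM_REGION_SIZE 0x8000
#define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000
#define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000
#define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000
#define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000
#define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000
#define X86_SYZOS_ADDR_UNUSED 0x200000
#define X86_SYZOS_ADDR_IOAPIC 0xfec00000
#define X86_SYZOS_ADDR_VMCS_VMCB(cpu, vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB)
#define X86_SYZOS_ADDR_VM_CODE(cpu, vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE)
#define X86_SYZOS_ADDR_VM_STACK(cpu, vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK)
#define X86_SYZOS_ADDR_VM_PGTABLE(cpu, vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE)
#define X86_SYZOS_ADDR_MSR_BITMAP(cpu, vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP)
#define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC)

// syzos GDT selectors.
#define X86_SYZOS_SEL_CODE 0x8
#define X86_SYZOS_SEL_DATA 0x10
#define X86_SYZOS_SEL_TSS64 0x18

// CR0 bits.
#define X86_CR0_PE 1ULL
#define X86_CR0_MP (1ULL << 1)
#define X86_CR0_EM (1ULL << 2)
#define X86_CR0_TS (1ULL << 3)
#define X86_CR0_ET (1ULL << 4)
#define X86_CR0_NE (1ULL << 5)
#define X86_CR0_WP (1ULL << 16)
#define X86_CR0_AM (1ULL << 18)
#define X86_CR0_NW (1ULL << 29)
#define X86_CR0_CD (1ULL << 30)
#define X86_CR0_PG (1ULL << 31)

// CR4 bits. Fix: OSFXSR is CR4 bit 9 (Intel SDM vol. 3, section 2.5); it
// was defined as bit 8, which is PCE, so the two masks collided.
#define X86_CR4_VME 1ULL
#define X86_CR4_PVI (1ULL << 1)
#define X86_CR4_TSD (1ULL << 2)
#define X86_CR4_DE (1ULL << 3)
#define X86_CR4_PSE (1ULL << 4)
#define X86_CR4_PAE (1ULL << 5)
#define X86_CR4_MCE (1ULL << 6)
#define X86_CR4_PGE (1ULL << 7)
#define X86_CR4_PCE (1ULL << 8)
#define X86_CR4_OSFXSR (1ULL << 9)
#define X86_CR4_OSXMMEXCPT (1ULL << 10)
#define X86_CR4_UMIP (1ULL << 11)
#define X86_CR4_VMXE (1ULL << 13)
#define X86_CR4_SMXE (1ULL << 14)
#define X86_CR4_FSGSBASE (1ULL << 16)
#define X86_CR4_PCIDE (1ULL << 17)
#define X86_CR4_OSXSAVE (1ULL << 18)
#define X86_CR4_SMEP (1ULL << 20)
#define X86_CR4_SMAP (1ULL << 21)
#define X86_CR4_PKE (1ULL << 22)

// IA32_EFER bits.
#define X86_EFER_SCE 1ULL
#define X86_EFER_LME (1ULL << 8)
#define X86_EFER_LMA (1ULL << 10)
#define X86_EFER_NXE (1ULL << 11)
#define X86_EFER_SVME (1ULL << 12)
#define X86_EFER_LMSLE (1ULL << 13)
#define X86_EFER_FFXSR (1ULL << 14)
#define X86_EFER_TCE (1ULL << 15)

// Page-directory entry bits (32-bit and 64-bit formats) and EPT entry bits.
#define X86_PDE32_PRESENT 1UL
#define X86_PDE32_RW (1UL << 1)
#define X86_PDE32_USER (1UL << 2)
#define X86_PDE32_PS (1UL << 7)
#define X86_PDE64_PRESENT 1
#define X86_PDE64_RW (1ULL << 1)
#define X86_PDE64_USER (1ULL << 2)
#define X86_PDE64_ACCESSED (1ULL << 5)
#define X86_PDE64_DIRTY (1ULL << 6)
#define X86_PDE64_PS (1ULL << 7)
#define X86_PDE64_G (1ULL << 8)
#define EPT_MEMTYPE_WB (6ULL << 3)
#define EPT_ACCESSED (1ULL << 8)
#define EPT_DIRTY (1ULL << 9)

// Legacy-setup GDT selectors: (index << 3), with RPL 3 added for the
// user-mode (CPL3) variants.
#define X86_SEL_LDT (1 << 3)
#define X86_SEL_CS16 (2 << 3)
#define X86_SEL_DS16 (3 << 3)
#define X86_SEL_CS16_CPL3 ((4 << 3) + 3)
#define X86_SEL_DS16_CPL3 ((5 << 3) + 3)
#define X86_SEL_CS32 (6 << 3)
#define X86_SEL_DS32 (7 << 3)
#define X86_SEL_CS32_CPL3 ((8 << 3) + 3)
#define X86_SEL_DS32_CPL3 ((9 << 3) + 3)
#define X86_SEL_CS64 (10 << 3)
#define X86_SEL_DS64 (11 << 3)
#define X86_SEL_CS64_CPL3 ((12 << 3) + 3)
#define X86_SEL_DS64_CPL3 ((13 << 3) + 3)
#define X86_SEL_CGATE16 (14 << 3)
#define X86_SEL_TGATE16 (15 << 3)
#define X86_SEL_CGATE32 (16 << 3)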
#define X86_SEL_TGATE32 (17 << 3)
#define X86_SEL_CGATE64 (18 << 3)
#define X86_SEL_CGATE64_HI (19 << 3)
#define X86_SEL_TSS16 (20 << 3)
#define X86_SEL_TSS16_2 (21 << 3)
#define X86_SEL_TSS16_CPL3 ((22 << 3) + 3)
#define X86_SEL_TSS32 (23 << 3)
#define X86_SEL_TSS32_2 (24 << 3)
#define X86_SEL_TSS32_CPL3 ((25 << 3) + 3)
#define X86_SEL_TSS32_VM86 (26 << 3)
#define X86_SEL_TSS64 (27 << 3)
#define X86_SEL_TSS64_HI (28 << 3)
#define X86_SEL_TSS64_CPL3 ((29 << 3) + 3)
#define X86_SEL_TSS64_CPL3_HI (30 << 3)

// MSR numbers.
#define X86_MSR_IA32_FEATURE_CONTROL 0x3a
#define X86_MSR_IA32_VMX_BASIC 0x480
#define X86_MSR_IA32_SMBASE 0x9e
#define X86_MSR_IA32_SYSENTER_CS 0x174
#define X86_MSR_IA32_SYSENTER_ESP 0x175
#define X86_MSR_IA32_SYSENTER_EIP 0x176
#define X86_MSR_IA32_CR_PAT 0x277
#define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f
#define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d
#define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e
#define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f
#define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490
#define X86_MSR_IA32_EFER 0xc0000080
#define X86_MSR_IA32_STAR 0xC0000081
#define X86_MSR_IA32_LSTAR 0xC0000082
#define X86_MSR_FS_BASE 0xc0000100
#define X86_MSR_GS_BASE 0xc0000101
#define X86_MSR_VM_HSAVE_PA 0xc0010117
#define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B

// VMX execution/entry/exit control bits and segment access-rights encodings.
#define RFLAGS_1_BIT (1ULL << 1)
#define CPU_BASED_HLT_EXITING (1U << 7)
#define CPU_BASED_RDTSC_EXITING (1U << 12)
#define AR_TSS_AVAILABLE 0x0089
#define SVM_ATTR_LDTR_UNUSABLE 0x0000
#define VMX_AR_TSS_BUSY 0x008b
#define VMX_AR_TSS_AVAILABLE 0x0089
#define VMX_AR_LDTR_UNUSABLE 0x10000
#define VM_ENTRY_IA32E_MODE (1U << 9)
#define SECONDARY_EXEC_ENABLE_EPT (1U << 1)
#define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3)
#define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9)
#define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31)
#define VMX_ACCESS_RIGHTS_P (1 << 7)
#define VMX_ACCESS_RIGHTS_S (1 << 4)
#define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0)
#define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1)
#define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3)
#define VMX_ACCESS_RIGHTS_G (1 << 15)
#define VMX_ACCESS_RIGHTS_DB (1 << 14)
#define VMX_ACCESS_RIGHTS_L (1 << 13)
// Ready-made access rights for a flat 64-bit data/stack and code segment.
#define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB)
#define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L)

// VMCS field encodings: control fields, then host-state, then guest-state.
#define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000
#define VMCS_POSTED_INTR_NV 0x00000002
#define VMCS_MSR_BITMAP 0x00002004
#define VMCS_VMREAD_BITMAP 0x00002006
#define VMCS_VMWRITE_BITMAP 0x00002008
#define VMCS_EPT_POINTER 0x0000201a
#define VMCS_LINK_POINTER 0x00002800
#define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000
#define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002
#define VMCS_EXCEPTION_BITMAP 0x00004004
#define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006
#define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008
#define VMCS_CR3_TARGET_COUNT 0x0000400a
#define VMCS_VM_EXIT_CONTROLS 0x0000400c
#define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e
#define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010
#define VMCS_VM_ENTRY_CONTROLS 0x00004012
#define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014
#define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016
#define VMCS_TPR_THRESHOLD 0x0000401c
#define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e
#define VMCS_VM_INSTRUCTION_ERROR 0x00004400
#define VMCS_VM_EXIT_REASON 0x00004402
#define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e
#define VMCS_CR0_GUEST_HOST_MASK 0x00006000
#define VMCS_CR4_GUEST_HOST_MASK 0x00006002
#define VMCS_CR0_READ_SHADOW 0x00006004
#define VMCS_CR4_READ_SHADOW 0x00006006
#define VMCS_HOST_ES_SELECTOR 0x00000c00
#define VMCS_HOST_CS_SELECTOR 0x00000c02
#define VMCS_HOST_SS_SELECTOR 0x00000c04
#define VMCS_HOST_DS_SELECTOR 0x00000c06
#define VMCS_HOST_FS_SELECTOR 0x00000c08
#define VMCS_HOST_GS_SELECTOR 0x00000c0a
#define VMCS_HOST_TR_SELECTOR 0x00000c0c
#define VMCS_HOST_IA32_PAT 0x00002c00
#define VMCS_HOST_IA32_EFER 0x00002c02
#define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04
#define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00
#define VMCS_HOST_CR0 0x00006c00
#define VMCS_HOST_CR3 0x00006c02
#define VMCS_HOST_CR4 0x00006c04
#define VMCS_HOST_FS_BASE 0x00006c06
#define VMCS_HOST_GS_BASE 0x00006c08
#define VMCS_HOST_TR_BASE 0x00006c0a
#define VMCS_HOST_GDTR_BASE 0x00006c0c
#define VMCS_HOST_IDTR_BASE 0x00006c0e
#define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10
#define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12
#define VMCS_HOST_RSP 0x00006c14
#define VMCS_HOST_RIP 0x00006c16
#define VMCS_GUEST_INTR_STATUS 0x00000810
#define VMCS_GUEST_PML_INDEX 0x00000812
#define VMCS_GUEST_IA32_DEBUGCTL 0x00002802
#define VMCS_GUEST_IA32_PAT 0x00002804
#define VMCS_GUEST_IA32_EFER 0x00002806
#define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808
#define VMCS_GUEST_ES_SELECTOR 0x00000800
#define VMCS_GUEST_CS_SELECTOR 0x00000802
#define VMCS_GUEST_SS_SELECTOR 0x00000804
#define VMCS_GUEST_DS_SELECTOR 0x00000806
#define VMCS_GUEST_FS_SELECTOR 0x00000808
#define VMCS_GUEST_GS_SELECTOR 0x0000080a
#define VMCS_GUEST_LDTR_SELECTOR 0x0000080c
#define VMCS_GUEST_TR_SELECTOR 0x0000080e
#define VMCS_GUEST_ES_LIMIT 0x00004800
#define VMCS_GUEST_CS_LIMIT 0x00004802
#define VMCS_GUEST_SS_LIMIT 0x00004804
#define VMCS_GUEST_DS_LIMIT 0x00004806
#define VMCS_GUEST_FS_LIMIT 0x00004808
#define VMCS_GUEST_GS_LIMIT 0x0000480a
#define VMCS_GUEST_LDTR_LIMIT 0x0000480c
#define VMCS_GUEST_TR_LIMIT 0x0000480e
#define VMCS_GUEST_GDTR_LIMIT 0x00004810
#define VMCS_GUEST_IDTR_LIMIT 0x00004812
#define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814
#define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816
#define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818
#define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a
#define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c
#define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e
#define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820
#define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822
#define VMCS_GUEST_ACTIVITY_STATE 0x00004824
#define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826
#define VMCS_GUEST_SYSENTER_CS 0x0000482a
#define VMCS_GUEST_CR0 0x00006800
#define VMCS_GUEST_CR3 0x00006802
#define VMCS_GUEST_CR4 0x00006804
#define VMCS_GUEST_ES_BASE 0x00006806
#define VMCS_GUEST_CS_BASE 0x00006808
#define VMCS_GUEST_SS_BASE 0x0000680a
#define VMCS_GUEST_DS_BASE 0x0000680c
#define VMCS_GUEST_FS_BASE 0x0000680e
#define VMCS_GUEST_GS_BASE 0x00006810
#define VMCS_GUEST_LDTR_BASE 0x00006812
#define VMCS_GUEST_TR_BASE 0x00006814
#define VMCS_GUEST_GDTR_BASE 0x00006816
#define VMCS_GUEST_IDTR_BASE 0x00006818
#define VMCS_GUEST_DR7 0x0000681a
#define VMCS_GUEST_RSP 0x0000681c
#define VMCS_GUEST_RIP 0x0000681e
#define VMCS_GUEST_RFLAGS 0x00006820
#define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822
#define VMCS_GUEST_SYSENTER_ESP 0x00006824
#define VMCS_GUEST_SYSENTER_EIP 0x00006826

// AMD SVM VMCB byte offsets: control area first, then the guest save area.
#define VMCB_CTRL_INTERCEPT_VEC3 0x0c
#define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff)
#define VMCB_CTRL_INTERCEPT_VEC4 0x10
#define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff)
#define VMCB_CTRL_ASID 0x058
#define VMCB_EXIT_CODE 0x070
#define VMCB_CTRL_NP_ENABLE 0x090
#define VMCB_CTRL_NPT_ENABLE_BIT 0
#define VMCB_CTRL_N_CR3 0x0b0
#define VMCB_GUEST_ES_SEL 0x400
#define VMCB_GUEST_ES_ATTR 0x402
#define VMCB_GUEST_ES_LIM 0x404
#define VMCB_GUEST_ES_BASE 0x408
#define VMCB_GUEST_CS_SEL 0x410
#define VMCB_GUEST_CS_ATTR 0x412
#define VMCB_GUEST_CS_LIM 0x414
#define VMCB_GUEST_CS_BASE 0x418
#define VMCB_GUEST_SS_SEL 0x420
#define VMCB_GUEST_SS_ATTR 0x422
#define VMCB_GUEST_SS_LIM 0x424
#define VMCB_GUEST_SS_BASE 0x428
#define VMCB_GUEST_DS_SEL 0x430
#define VMCB_GUEST_DS_ATTR 0x432
#define VMCB_GUEST_DS_LIM 0x434
#define VMCB_GUEST_DS_BASE 0x438
#define VMCB_GUEST_FS_SEL 0x440
#define VMCB_GUEST_FS_ATTR 0x442
#define VMCB_GUEST_FS_LIM 0x444
#define VMCB_GUEST_FS_BASE 0x448
#define VMCB_GUEST_GS_SEL 0x450
#define VMCB_GUEST_GS_ATTR 0x452
#define VMCB_GUEST_GS_LIM 0x454
#define VMCB_GUEST_GS_BASE 0x458
#define VMCB_GUEST_IDTR_SEL 0x480
#define VMCB_GUEST_IDTR_ATTR 0x482
#define VMCB_GUEST_IDTR_LIM 0x484
#define VMCB_GUEST_IDTR_BASE 0x488
#define VMCB_GUEST_GDTR_SEL 0x460
#define VMCB_GUEST_GDTR_ATTR 0x462
#define VMCB_GUEST_GDTR_LIM 0x464
#define VMCB_GUEST_GDTR_BASE 0x468
#define VMCB_GUEST_LDTR_SEL 0x470
#define VMCB_GUEST_LDTR_ATTR 0x472
#define VMCB_GUEST_LDTR_LIM 0x474
#define VMCB_GUEST_LDTR_BASE 0x478
#define VMCB_GUEST_TR_SEL 0x490
#define VMCB_GUEST_TR_ATTR 0x492
#define VMCB_GUEST_TR_LIM 0x494
#define VMCB_GUEST_TR_BASE 0x498
#define VMCB_GUEST_EFER 0x4d0
#define VMCB_GUEST_CR4 0x548
#define VMCB_GUEST_CR3 0x550
#define VMCB_GUEST_CR0 0x558
#define VMCB_GUEST_DR7 0x560
#define VMCB_GUEST_DR6 0x568
#define VMCB_GUEST_RFLAGS 0x570
#define VMCB_GUEST_RIP 0x578
#define VMCB_GUEST_RSP 0x5d8
#define VMCB_GUEST_PAT 0x668
#define VMCB_GUEST_DEBUGCTL 0x670

// SVM segment attribute bits and the flat 64-bit code/data combinations.
#define SVM_ATTR_G (1 << 15)
#define SVM_ATTR_DB (1 << 14)
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)

// Misc guest-setup constants. X86_NEXT_INSN is an assembler immediate
// (note the '$'), only meaningful inside asm templates.
#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d
#define KVM_MAX_VCPU 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
// Bit mask covering bits l..h inclusive of a 64-bit value.
#define GENMASK_ULL(h, l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))

extern char* __start_guest;

// Translate the host address of a GUEST_CODE function into the guest
// address it will have once the `guest` section is copied to
// SYZOS_ADDR_EXECUTOR_CODE: same offset from the section start.
// The volatile locals keep the compiler from folding the arithmetic.
static inline uintptr_t executor_fn_guest_addr(void* fn)
{
	volatile uintptr_t start = (uintptr_t)&__start_guest;
	volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
	return (uintptr_t)fn - start + offset;
}

// Command ids understood by guest_main (see the dispatch there); values are
// grouped by area (core, MSR/CR/DR/port access, IRQ, nested virt).
// (Enumerator list continues past this block.)
typedef enum {
	SYZOS_API_UEXIT = 0,
SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE 
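static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_stgi();
GUEST_CODE static void guest_handle_nested_amd_clgi();
GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id);

// Well-known values stored to X86_SYZOS_ADDR_UEXIT by guest_uexit(). The
// high-valued (negative) codes leave the low range free for the 0xE2xxxxxx
// diagnostic codes used by the nested-virt helpers below.
typedef enum {
	UEXIT_END = (uint64_t)-1,
	UEXIT_IRQ = (uint64_t)-2,
	UEXIT_ASSERT = (uint64_t)-3,
} uexit_code;

typedef enum {
	CPU_VENDOR_INTEL,
	CPU_VENDOR_AMD,
} cpu_vendor_id;

// IDT target that swallows the interrupt/exception and resumes.
__attribute__((naked)) GUEST_CODE static void dummy_null_handler()
{
	asm("iretq");
}

// IDT target that reports UEXIT_IRQ to the host and then resumes.
// NOTE(review): this naked stub calls a C function without saving any
// caller-clobbered register and without re-aligning the stack, so the
// interrupted code resumes with whatever guest_uexit() left in its scratch
// registers. Acceptable for a fuzzing harness, but not a transparent handler.
__attribute__((naked)) GUEST_CODE static void uexit_irq_handler()
{
	asm volatile(R"(
		movq $-2, %rdi
		call guest_uexit
		iretq
	)");
}

// Entry point of the guest: walks the command stream that the host placed at
// X86_SYZOS_ADDR_USER_CODE (one page per vCPU) and dispatches each command.
//
// size - number of bytes of command stream to process.
// cpu  - vCPU index; selects the per-CPU page and is threaded through to the
//        nested-virt handlers, which key their VMCS/VMCB/page-table areas on it.
//
// The stream is produced by the fuzzer, so it is treated as untrusted: a call id
// >= SYZOS_API_STOP or a command that claims more bytes than remain stops the
// walk. Only the total length is validated, however; the per-command payload
// (api_call_1/2/3/5, the cpuid struct) is read through a cast without checking
// that cmd->size actually covers it, so a short command reads a few bytes past
// its own end (still inside guest memory). The dispatch is an if-chain over a
// volatile copy of the call id; presumably this keeps the compiler from
// emitting a jump table in rodata, which the relocated guest image cannot
// reference - TODO confirm against the build flags.
__attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu)
{
	uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;

	while (size >= sizeof(struct api_call_header)) {
		struct api_call_header* cmd = (struct api_call_header*)addr;
		if (cmd->call >= SYZOS_API_STOP)
			return;
		if (cmd->size > size)
			return;
		// A command shorter than its own header cannot be stepped over:
		// size == 0 would re-dispatch the same command forever and
		// 0 < size < header would desynchronise the rest of the stream.
		if (cmd->size < sizeof(struct api_call_header))
			return;
		volatile uint64_t call = cmd->call;
		if (call == SYZOS_API_UEXIT) {
			struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
			guest_uexit(ucmd->exit_code);
		} else if (call == SYZOS_API_CODE) {
			struct api_call_code* ccmd = (struct api_call_code*)cmd;
			guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
		} else if (call == SYZOS_API_CPUID) {
			struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
			guest_handle_cpuid(ccmd->eax, ccmd->ecx);
		} else if (call == SYZOS_API_WRMSR) {
			struct api_call_2* ccmd = (struct api_call_2*)cmd;
			guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]);
		} else if (call == SYZOS_API_RDMSR) {
			struct api_call_1* ccmd = (struct api_call_1*)cmd;
			guest_handle_rdmsr(ccmd->arg);
		} else if (call == SYZOS_API_WR_CRN) {
			guest_handle_wr_crn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_WR_DRN) {
			guest_handle_wr_drn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_IN_DX) {
			guest_handle_in_dx((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_OUT_DX) {
			guest_handle_out_dx((struct api_call_3*)cmd);
		} else if (call == SYZOS_API_SET_IRQ_HANDLER) {
			guest_handle_set_irq_handler((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_ENABLE_NESTED) {
			guest_handle_enable_nested((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_CREATE_VM) {
			guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_LOAD_CODE) {
			guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMLAUNCH) {
			guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMRESUME) {
			guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) {
			guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) {
			guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_INVLPGA) {
			guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_STGI) {
			guest_handle_nested_amd_stgi();
		} else if (call == SYZOS_API_NESTED_AMD_CLGI) {
			guest_handle_nested_amd_clgi();
		} else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) {
			guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) {
			guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMLOAD) {
			guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMSAVE) {
			guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu);
		}
		addr += cmd->size;
		size -= cmd->size;
	}
	guest_uexit((uint64_t)-1);
}

// Jumps into fuzzer-supplied machine code at guest ring 0. Nothing validates
// the bytes and the callee is expected to return - this is the fuzzing
// primitive, not an oversight. `size` is accepted for interface symmetry only.
GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size)
{
	volatile void (*fn)() = (volatile void (*)())insns;
	fn();
}

// Signals the host by storing exit_code at X86_SYZOS_ADDR_UEXIT
// (presumably an address the host traps on - confirm against the VMM side).
__attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code)
{
	volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT;
	*ptr = exit_code;
}

// Executes CPUID for the given leaf/sub-leaf; the results are discarded
// (the point is to exercise the hypervisor's CPUID emulation).
GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx)
{
	asm volatile(
	    "cpuid\n"
	    :
	    : "a"(eax), "c"(ecx)
	    : "rbx", "rdx");
}

// WRMSR with the 64-bit value split across EDX:EAX as the ISA requires.
// An unknown or locked MSR faults (#GP) through the guest IDT.
GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val)
{
	asm volatile(
	    "wrmsr"
	    :
	    : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32))
	    : "memory");
}

GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val)
{
	wrmsr(reg, val);
}

// RDMSR; reassembles EDX:EAX into one 64-bit value.
GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id)
{
	uint32_t low = 0, high = 0;
	asm volatile("rdmsr"
		     : "=a"(low), "=d"(high)
		     : "c"(msr_id));
	return ((uint64_t)high << 32) | low;
}

GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg)
{
	(void)rdmsr(reg);
}

// Writes args[1] into control register args[0] (CR0/2/3/4/8 only; anything
// else is silently ignored). Arbitrary CR values are accepted on purpose -
// invalid combinations #GP through the guest IDT, which is what is being fuzzed.
GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%cr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%cr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%cr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%cr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 8) {
		asm volatile("movq %0, %%cr8" ::"r"(value) : "memory");
		return;
	}
}

// Writes args[1] into debug register args[0] (DR0-DR7; others ignored).
GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%dr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 1) {
		asm volatile("movq %0, %%dr1" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%dr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%dr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%dr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 5) {
		asm volatile("movq %0, %%dr5" ::"r"(value) : "memory");
		return;
	}
	if (reg == 6) {
		asm volatile("movq %0, %%dr6" ::"r"(value) : "memory");
		return;
	}
	if (reg == 7) {
		asm volatile("movq %0, %%dr7" ::"r"(value) : "memory");
		return;
	}
}

// Port input of 1/2/4 bytes from port args[0] (truncated to 16 bits);
// other sizes are a no-op. The value read is discarded.
GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	if (size == 1) {
		uint8_t unused;
		asm volatile("inb %1, %0" : "=a"(unused) : "d"(port));
		return;
	}
	if (size == 2) {
		uint16_t unused;
		asm volatile("inw %1, %0" : "=a"(unused) : "d"(port));
		return;
	}
	if (size == 4) {
		uint32_t unused;
		asm volatile("inl %1, %0" : "=a"(unused) : "d"(port));
	}
	return;
}

// Port output of the low 1/2/4 bytes of args[2] to port args[0].
GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	uint32_t data = (uint32_t)cmd->args[2];
	if (size == 1) {
		asm volatile("outb %b0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 2) {
		asm volatile("outw %w0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 4) {
		asm volatile("outl %k0, %w1" ::"a"(data), "d"(port));
		return;
	}
}

// 64-bit IDT gate descriptor (16 bytes, architectural layout).
struct idt_entry_64 {
	uint16_t offset_low;
	uint16_t selector;
	uint8_t ist;
	uint8_t type_attr;
	uint16_t offset_mid;
	uint32_t offset_high;
	uint32_t reserved;
} __attribute__((packed));

// Installs `handler` as a present, DPL-0, 64-bit interrupt gate (0x8E) for
// `vector` in the IDT at X86_SYZOS_ADDR_VAR_IDT, on the kernel code selector
// with no IST switch. The caller is responsible for passing a guest-visible
// address; a handler of 0 is installed as-is.
GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler)
{
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
	volatile struct idt_entry_64* idt_entry = &idt[vector];
	idt_entry->offset_low = (uint16_t)handler;
	idt_entry->offset_mid = (uint16_t)(handler >> 16);
	idt_entry->offset_high = (uint32_t)(handler >> 32);
	idt_entry->selector = X86_SYZOS_SEL_CODE;
	idt_entry->type_attr = 0x8E;
	idt_entry->ist = 0;
	idt_entry->reserved = 0;
}

// Points IDT vector args[0] at one of two canned handlers: type 1 = swallow
// (dummy_null_handler), type 2 = report UEXIT_IRQ (uexit_irq_handler).
// Any other type installs a gate whose target is address 0; presumably a
// deliberate "fault on next interrupt" option - confirm with the host-side
// description before tightening.
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
{
	uint8_t vector = (uint8_t)cmd->args[0];
	uint64_t type = cmd->args[1];
	volatile uint64_t handler_addr = 0;
	if (type == 1)
		handler_addr = executor_fn_guest_addr(dummy_null_handler);
	else if (type == 2)
		handler_addr = executor_fn_guest_addr(uexit_irq_handler);
	set_idt_gate(vector, handler_addr);
}

// CPUID leaf 0, EBX holds the first four vendor-string bytes:
// "Genu" (0x756e6547) -> Intel, "Auth" (0x68747541) -> AMD. Anything else
// raises UEXIT_ASSERT and falls back to the Intel code paths.
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void)
{
	uint32_t ebx, eax = 0;
	asm volatile(
	    "cpuid"
	    : "+a"(eax), "=b"(ebx)
	    :
	    : "ecx", "edx");
	if (ebx == 0x756e6547) {
		return CPU_VENDOR_INTEL;
	} else if (ebx == 0x68747541) {
		return CPU_VENDOR_AMD;
	} else {
		guest_uexit(UEXIT_ASSERT);
		return CPU_VENDOR_INTEL;
	}
}

GUEST_CODE static inline uint64_t read_cr0(void)
{
	uint64_t val;
	asm volatile("mov %%cr0, %0" : "=r"(val));
	return val;
}

GUEST_CODE static inline uint64_t read_cr3(void)
{
	uint64_t val;
	asm volatile("mov %%cr3, %0" : "=r"(val));
	return val;
}

GUEST_CODE static inline uint64_t read_cr4(void)
{
	uint64_t val;
	asm volatile("mov %%cr4, %0" : "=r"(val));
	return val;
}

GUEST_CODE static inline void write_cr4(uint64_t val)
{
	asm volatile("mov %0, %%cr4" : : "r"(val));
}

// VMWRITE to the current VMCS. `setna` captures both VMfailInvalid (CF) and
// VMfailValid (ZF); either one is reported as UEXIT_ASSERT. Execution then
// continues, so a stream of failing writes produces a stream of asserts.
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value)
{
	uint8_t error = 0;
	asm volatile("vmwrite %%rax, %%rbx; setna %0"
		     : "=q"(error)
		     : "a"(value), "b"(field)
		     : "cc", "memory");
	if (error)
		guest_uexit(UEXIT_ASSERT);
}

// VMREAD from the current VMCS. Unlike vmwrite() the flags are not checked:
// on VMfail RAX is left untouched, so the returned value is whatever the
// register held - callers must not rely on it after a bad field encoding.
GUEST_CODE static noinline uint64_t vmread(uint64_t field)
{
	uint64_t value;
	asm volatile("vmread %%rbx, %%rax"
		     : "=a"(value)
		     : "b"(field)
		     : "cc");
	return value;
}

// Makes the VMCS of (cpu_id, vm_id) current. Failure is reported as
// 0xE2BAD2 but the caller is NOT told: the subsequent vmread/vmwrite calls
// operate on whatever VMCS was current before (or none).
GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	asm volatile("vmptrld %1; setna %0"
		     : "=q"(error)
		     : "m"(vmcs_addr)
		     : "memory", "cc");
	if (error)
		guest_uexit(0xE2BAD2);
}

// Raw VMCB (AMD) field accessors: vmcb is the page address, offset is the
// architectural byte offset. None of them range-checks `offset`, so an
// offset >= KVM_PAGE_SIZE reads or writes the page that follows the VMCB.
GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val)
{
	*((volatile uint16_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val)
{
	*((volatile uint32_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset)
{
	return *((volatile uint32_t*)(vmcb + offset));
}

GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val)
{
	*((volatile uint64_t*)(vmcb + offset)) = val;
}

// Same as the writers above but takes a pointer rather than an integer
// address (callers cast at the call site).
GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset)
{
	return *((volatile uint64_t*)(vmcb + offset));
}

// Byte-wise memset/memcpy. Guest code cannot call libc, and the volatile
// stores presumably keep the compiler from turning the loops back into
// memset/memcpy calls - TODO confirm.
GUEST_CODE static void guest_memset(void* s, uint8_t c, int size)
{
	volatile uint8_t* p = (volatile uint8_t*)s;
	for (int i = 0; i < size; i++)
		p[i] = c;
}

GUEST_CODE static void guest_memcpy(void* dst, void* src, int size)
{
	volatile uint8_t* d = (volatile uint8_t*)dst;
	volatile uint8_t* s = (volatile uint8_t*)src;
	for (int i = 0; i < size; i++)
		d[i] = s[i];
}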
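// Turns on VMX root operation for this vCPU: sets CR4.VMXE, unlocks
// IA32_FEATURE_CONTROL if the lock bit (bit 0) is clear by setting lock +
// "VMXON outside SMX" (0b101), writes the VMCS revision id from
// IA32_VMX_BASIC into the VMXON region and executes VMXON.
// A VMXON failure is reported as 0xE2BAD0.
// NOTE(review): the FEATURE_CONTROL write uses the "A" constraint with "d"
// pinned to 0, which on x86-64 lands the value in RAX and drops its upper 32
// bits - it only matches the wrmsr() helper while those bits are zero.
GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id)
{
	uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
	uint64_t cr4 = read_cr4();
	cr4 |= X86_CR4_VMXE;
	write_cr4(cr4);
	uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL);
	if ((feature_control & 1) == 0) {
		feature_control |= 0b101;
		asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control));
	}
	*(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
	uint8_t error;
	asm volatile("vmxon %1; setna %0"
		     : "=q"(error)
		     : "m"(vmxon_addr)
		     : "memory", "cc");
	if (error) {
		guest_uexit(0xE2BAD0);
		return;
	}
}

// Turns on SVM for this vCPU: EFER.SVME plus a host save area
// (VM_HSAVE_PA) in the per-CPU arch-specific page. No error reporting -
// a faulting WRMSR goes through the guest IDT.
GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id)
{
	uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
	uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
	efer |= X86_EFER_SVME;
	wrmsr(X86_MSR_IA32_EFER, efer);
	wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr);
}

GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_enable_vmx_intel(cpu_id);
	} else {
		nested_enable_svm_amd(cpu_id);
	}
}

// Builds a 4-level second-stage page table (EPT on Intel, NPT on AMD) for
// (cpu_id, vm_id) in four consecutive pages starting at
// X86_SYZOS_ADDR_VM_PGTABLE, and zeroes that VM's MSR-bitmap page.
// The single leaf table identity-maps L1-physical [0, 2 MiB) for L2 with
// read/write/execute (PRESENT|RW|USER are bits 0-2, which in an EPT entry are
// exactly R/W/X). So L2 can read and write anything in the low 2 MiB of the
// L1 guest, including L1's own structures if they live there - that is the
// intended attack surface for the fuzzer, not a bug, but keep it in mind
// when placing new per-VM data.
GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	uint64_t l2_pdpt_addr = l2_pml4_addr + KVM_PAGE_SIZE;
	uint64_t l2_pd_addr = l2_pml4_addr + 2 * KVM_PAGE_SIZE;
	uint64_t l2_pt_addr = l2_pml4_addr + 3 * KVM_PAGE_SIZE;
	volatile uint64_t* pml4 = (volatile uint64_t*)l2_pml4_addr;
	volatile uint64_t* pdpt = (volatile uint64_t*)l2_pdpt_addr;
	volatile uint64_t* pd = (volatile uint64_t*)l2_pd_addr;
	volatile uint64_t* pt = (volatile uint64_t*)l2_pt_addr;
	guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_pdpt_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_pd_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_pt_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id), 0, KVM_PAGE_SIZE);
	uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
	pml4[0] = l2_pdpt_addr | flags;
	pdpt[0] = l2_pd_addr | flags;
	pd[0] = l2_pt_addr | flags;
	uint64_t pt_flags = flags;
	if (vendor == CPU_VENDOR_INTEL) {
		// EPT leaves carry a memory type; pre-set A/D so no EPT A/D write-back is needed.
		pt_flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY;
	} else {
		pt_flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY;
	}
	for (int i = 0; i < 512; i++)
		pt[i] = (i * KVM_PAGE_SIZE) | pt_flags;
}

// Programs the VMCS execution/exit/entry controls for one L2 VM.
// Each control word starts from the low 32 bits of the corresponding
// IA32_VMX_TRUE_* MSR (the "allowed-0" settings, i.e. the bits the CPU
// requires to be 1) and then ORs in what this harness wants:
//   - primary:   activate secondary controls, exit on HLT and RDTSC
//   - secondary: EPT and RDTSCP (read from the non-TRUE PROCBASED_CTLS2 MSR)
//   - exit/entry: 64-bit host and 64-bit (IA-32e) guest
// EPTP = page-table root | memtype 6 (WB) | walk-length field 3 (4 levels).
// CR0/CR4 guest/host masks of 0 let L2 own every CR0/CR4 bit; the read
// shadows mirror L1. Exception bitmap bit 6 makes #UD in L2 exit.
// NOTE(review): VMCS_MSR_BITMAP is set to 0 even though setup_l2_page_tables()
// zeroes a dedicated MSR-bitmap page; the bitmap is only consulted if the
// "use MSR bitmaps" primary control ends up set, which this code does not
// request - confirm which behaviour is intended.
GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS);
	vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
	vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2);
	vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP;
	vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr);
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS);
	vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
	vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING;
	vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS);
	vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE);
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS);
	vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE);
	uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3);
	vmwrite(VMCS_EPT_POINTER, eptp);
	vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0);
	vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0);
	vmwrite(VMCS_CR0_READ_SHADOW, read_cr0());
	vmwrite(VMCS_CR4_READ_SHADOW, read_cr4());
	vmwrite(VMCS_MSR_BITMAP, 0);
	vmwrite(VMCS_VMREAD_BITMAP, 0);
	vmwrite(VMCS_VMWRITE_BITMAP, 0);
	vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6));
	vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0);
	vmwrite(VMCS_POSTED_INTR_NV, 0);
	vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0);
	vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1);
	vmwrite(VMCS_CR3_TARGET_COUNT, 0);
	vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0);
	vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0);
	vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0);
	vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0);
	vmwrite(VMCS_TPR_THRESHOLD, 0);
}

// Vendor-neutral L2 exit reasons reported to the host; UNKNOWN means the raw
// vendor code is reported instead.
typedef enum {
	SYZOS_NESTED_EXIT_REASON_HLT = 1,
	SYZOS_NESTED_EXIT_REASON_INVD = 2,
	SYZOS_NESTED_EXIT_REASON_CPUID = 3,
	SYZOS_NESTED_EXIT_REASON_RDTSC = 4,
	SYZOS_NESTED_EXIT_REASON_RDTSCP = 5,
	SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF,
} syz_nested_exit_reason;

// Reports an L2 exit to the host: 0xe2e2xxxx for a mapped reason,
// 0xe211xxxx (Intel) / 0xe2aaxxxx (AMD) for a raw one. The raw Intel value is
// the whole 32-bit exit-reason field, so bits 16-31 (e.g. the "VM-entry
// failure" bit 31) overlap the 0xe211 tag; the host must decode accordingly.
GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor)
{
	if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) {
		guest_uexit(0xe2e20000 | mapped_reason);
	} else if (vendor == CPU_VENDOR_INTEL) {
		guest_uexit(0xe2110000 | exit_reason);
	} else {
		guest_uexit(0xe2aa0000 | exit_reason);
	}
}

// Intel basic exit reasons (low 16 bits of VMCS_VM_EXIT_REASON).
#define EXIT_REASON_CPUID 0xa
#define EXIT_REASON_HLT 0xc
#define EXIT_REASON_INVD 0xd
#define EXIT_REASON_RDTSC 0x10
#define EXIT_REASON_RDTSCP 0x33

GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	if (reason == EXIT_REASON_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == EXIT_REASON_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == EXIT_REASON_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == EXIT_REASON_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == EXIT_REASON_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Skips the instruction that caused the exit so a later VMRESUME continues
// past it: INVD/CPUID/RDTSC are 2-byte opcodes, RDTSCP is 3 bytes. HLT (and
// any unmapped reason) is left in place and will re-trigger on resume.
GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	uint64_t rip = vmread(VMCS_GUEST_RIP);
	if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) {
		rip += 2;
	} else if (reason == EXIT_REASON_RDTSCP) {
		rip += 3;
	}
	vmwrite(VMCS_GUEST_RIP, rip);
}

// C half of the Intel exit path, entered from nested_vm_exit_handler_intel_asm.
// `regs` points at the register block pushed by the asm stub; it is currently
// unused. NOTE(review): the stub pushes rax first and r15 last, so the block
// in memory is in the REVERSE order of struct l2_guest_regs - regs->rax would
// actually read L2's r15. Fix the field order or the push order before using it.
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs)
{
	uint64_t basic_reason = exit_reason & 0xFFFF;
	syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason);
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
	advance_l2_rip_intel(basic_reason);
}

extern char after_vmentry_label;

// VMCS_HOST_RIP target. On a VM exit the CPU restores only RSP and RIP from
// the host-state area; every other GPR still holds L2's value. The stub saves
// them, fetches the exit reason, calls the C handler, drops the saved block and
// jumps back to after_vmentry_label inside guest_handle_nested_vmentry_intel.
// Nothing restores L1's callee-saved registers (rbx, rbp, r12-r15) before that
// jump, so the resumed C code relies on fuzzer-controlled L2 code not having
// clobbered them. 16-byte stack alignment at the `call` depends on the value
// captured into VMCS_HOST_RSP by init_vmcs_host_state().
__attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void)
{
	asm volatile(R"(
		push %%rax
		push %%rbx
		push %%rcx
		push %%rdx
		push %%rsi
		push %%rdi
		push %%rbp
		push %%r8
		push %%r9
		push %%r10
		push %%r11
		push %%r12
		push %%r13
		push %%r14
		push %%r15
		mov %%rsp, %%rsi
		mov %[vm_exit_reason], %%rbx
		vmread %%rbx, %%rdi
		call nested_vm_exit_handler_intel
		add %[stack_cleanup_size], %%rsp
		jmp after_vmentry_label
	)"
		     :
		     : [stack_cleanup_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON)
		     : "memory", "cc", "rbx", "rdi", "rsi");
}

// AMD #VMEXIT codes (VMCB EXITCODE).
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_RDTSCP 0x87

GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	if (reason == VMEXIT_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == VMEXIT_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == VMEXIT_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == VMEXIT_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == VMEXIT_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// AMD counterpart of advance_l2_rip_intel(); operates on the VMCB's saved RIP.
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t reason = basic_reason;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
	if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
		rip += 2;
	} else if (reason == VMEXIT_RDTSCP) {
		rip += 3;
	}
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

// Reports an AMD #VMEXIT and advances past the exiting instruction.
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t basic_reason = exit_reason & 0xFFFF;
	syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
	advance_l2_rip_amd(basic_reason, cpu_id, vm_id);
}

// Fills the VMCS host-state area from L1's own current state so that a VM exit
// lands back in L1 with its selectors, GDT/IDT, CR0/3/4, PAT, EFER, perf and
// SYSENTER MSRs intact.
// Two points a reader should know:
//   - VMCS_HOST_RSP is whatever RSP is inside THIS function; the exit stub
//     therefore runs on this (long dead) frame, not on the frame of the
//     function that executed VMLAUNCH.
//   - VMCS_HOST_RIP is the raw C address of nested_vm_exit_handler_intel_asm,
//     whereas guest_handle_set_irq_handler() translates handler addresses with
//     executor_fn_guest_addr(). NOTE(review): confirm that this yields the
//     guest-visible address when the guest image is relocated (it does only
//     if the compiler materialises the address RIP-relatively).
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
	vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
	vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
	vmwrite(VMCS_HOST_TR_BASE, 0);
	vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
	vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
	vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
	vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
	uint64_t tmpreg = 0;
	asm volatile("mov %%rsp, %0" : "=r"(tmpreg));
	vmwrite(VMCS_HOST_RSP, tmpreg);
	vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
	vmwrite(VMCS_HOST_CR0, read_cr0());
	vmwrite(VMCS_HOST_CR3, read_cr3());
	vmwrite(VMCS_HOST_CR4, read_cr4());
	vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
	vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
	vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
	vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
	vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
	vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

// Copies a host-state VMCS field into the corresponding guest-state field.
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))

// Writes the four VMCS fields of one L2 segment register. Expands to several
// statements (no do/while wrapper), so only use it as a plain statement.
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR)                 \
	vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR);           \
	vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE);                   \
	vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT);                 \
	vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

// Fills the VMCS guest-state area so that L2 starts as a 64-bit clone of L1:
// same selectors, CR0/CR3/CR4, EFER/PAT/SYSENTER values, GDT/IDT bases; RIP at
// the per-VM code page, RSP at the top of the per-VM stack page, RFLAGS with
// only the always-1 bit, DR7 = 0x400 (its reserved must-be-1 bit), no shadow
// VMCS (link pointer all ones), active state, no pending events.
// Because L2 inherits L1's CR3 but runs under an EPT that maps only the low
// 2 MiB of L1-physical (setup_l2_page_tables), L1's page tables must live
// inside that window for L2 to execute at all - presumably guaranteed by the
// memory layout macros; confirm if the layout changes.
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
	SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
	SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
	vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
	vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
	vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
	vmwrite(VMCS_GUEST_RIP, l2_code_addr);
	vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT);
	vmwrite(VMCS_GUEST_DR7, 0x400);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
	vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
	vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
	vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
	vm_write_idtr_placeholder_never_used_marker:;
	vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
	vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
	vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff);
	vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0);
	vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
	vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0);
	vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
	vmwrite(VMCS_GUEST_INTR_STATUS, 0);
	vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

// Creates (or re-initialises) the Intel L2 VM `cmd->arg` on this vCPU:
// stamps the VMCS revision id, VMCLEARs the region (failure -> 0xE2BAD1),
// makes it current and programs page tables, controls, host and guest state.
// vm_id is not range-checked here; the VMCS/page-table addresses are computed
// from it by the X86_SYZOS_ADDR_* macros, so the host-side description is
// presumably what bounds it - TODO confirm.
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	*(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
	asm volatile("vmclear %1; setna %0"
		     : "=q"(error)
		     : "m"(vmcs_addr)
		     : "memory", "cc");
	if (error) {
		guest_uexit(0xE2BAD1);
		return;
	}
	nested_vmptrld(cpu_id, vm_id);
	setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id);
	init_vmcs_control_fields(cpu_id, vm_id);
	init_vmcs_host_state();
	init_vmcs_guest_state(cpu_id, vm_id);
}

// Writes the selector/attribute/limit/base of one L2 segment into the VMCB.
// Multi-statement macro, see SETUP_L2_SEGMENT.
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR)            \
	vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR);          \
	vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR);             \
	vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT);             \
	vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

// AMD counterpart of init_vmcs_guest_state() + init_vmcs_control_fields():
// L2 is a 64-bit clone of L1 (CR0 additionally gets WP, EFER loses SCE),
// with nested paging enabled and N_CR3 at the per-VM page-table root, ASID 1,
// and every instruction intercept in vectors 3 and 4 set (so HLT/CPUID/RDTSC/
// VMRUN and friends exit). No exception intercepts (vectors 0-2) are set.
// NOTE(review): the TR attribute uses VMX_AR_TSS_AVAILABLE, a VMX-encoded
// constant, on the SVM path, whereas every other segment uses an SVM_ATTR_*
// value - verify the bit layout matches the VMCB's 16-bit attribute format.
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, VMX_AR_TSS_AVAILABLE);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
	uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
	vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
	vmcb_write64(vmcb_addr, VMCB_GUEST_DEBUGCTL, 0);
	vmcb_write64(vmcb_addr, VMCB_GUEST_DR6, 0x0);
	vmcb_write64(vmcb_addr, VMCB_GUEST_DR7, 0x0);
	vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, efer & ~X86_EFER_SCE);
	vmcb_write64(vmcb_addr, VMCB_GUEST_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
	struct {
		uint16_t limit;
		uint64_t base;
	} __attribute__((packed)) gdtr, idtr;
	asm volatile("sgdt %0" : "=m"(gdtr));
	asm volatile("sidt %0" : "=m"(idtr));
	vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
	vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
	vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
	vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
	vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
	vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
	vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
	uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
	vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
	vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

// Creates (or re-initialises) the AMD L2 VM `cmd->arg`: zeroes its VMCB and
// the per-CPU host save area (shared by every VM on this vCPU, so creating a
// second VM wipes the HSAVE state of the first), then builds NPT and VMCB.
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
	setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id);
	init_vmcb_guest_state(cpu_id, vm_id);
}

GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_create_vm_intel(cmd, cpu_id);
	} else {
		nested_create_vm_amd(cmd, cpu_id);
	}
}

// Copies up to one page of fuzzer-supplied L2 code (cmd->insns) into the VM's
// code page and resets L2's RIP/RSP to the start of that page / top of the
// stack page. The rest of the code page is not cleared, so bytes from an
// earlier load stay executable after the new payload.
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->vm_id;
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	// The payload length is derived by subtraction: a command shorter than
	// header + vm_id would wrap to a huge value, be clamped to a full page
	// below and copy 4 KiB of whatever follows the command. Reject it.
	if (cmd->header.size < sizeof(struct api_call_header) + sizeof(uint64_t))
		return;
	uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t);
	if (l2_code_size > KVM_PAGE_SIZE)
		l2_code_size = KVM_PAGE_SIZE;
	guest_memcpy((void*)l2_code_addr, (void*)cmd->insns, l2_code_size);
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_vmptrld(cpu_id, vm_id);
		vmwrite(VMCS_GUEST_RIP, l2_code_addr);
		vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	} else {
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, l2_code_addr);
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	}
}

// Enters the Intel L2 VM with VMLAUNCH (is_launch) or VMRESUME.
// Two ways back: (1) the instruction fails - CF (VMfailInvalid) or ZF
// (VMfailValid) is folded into fail_flag and the VM-instruction error is
// reported as 0xE2E1xxxx; (2) L2 runs and exits - the exit stub jumps to
// after_vmentry_label, skipping the store to fail_flag, so the still-zero
// initial value makes the function return normally. That second path only
// works because __optnone keeps fail_flag in memory and the label is placed
// after the asm statements; do not "clean this up" with optimisation enabled.
GUEST_CODE static noinline __optnone void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch)
{
	uint64_t vmx_error_code = 0;
	uint8_t fail_flag = 0;
	nested_vmptrld(cpu_id, vm_id);
	if (is_launch) {
		asm volatile(R"(
			vmlaunch
			setc %%al
			setz %%bl
			or %%bl, %%al)"
			     : "=a"(fail_flag)
			     :
			     : "rbx", "cc", "memory");
	} else {
		asm volatile(R"(
			vmresume
			setc %%al
			setz %%bl
			or %%bl, %%al)"
			     : "=a"(fail_flag)
			     :
			     : "rbx", "cc", "memory");
	}
	asm volatile(".globl after_vmentry_label\nafter_vmentry_label:");
	if (fail_flag) {
		vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
		guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
		return;
	}
}

// Runs the AMD L2 VM once with VMRUN and reports its #VMEXIT.
// NOTE(review): (1) VMRUN signals a malformed VMCB through an exit with
// EXITCODE = VMEXIT_INVALID (-1) rather than through CF, so the setc check
// presumably never fires and such exits surface as an unknown raw reason.
// (2) VMRUN/#VMEXIT save and restore only RAX, RSP and RIP for the host; every
// other GPR holds L2's value afterwards, yet only "rax" is declared clobbered.
// Any register the compiler keeps live across this asm can be corrupted by
// fuzzer-supplied L2 code - the same caveat as the Intel exit stub.
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	volatile uint8_t* vmcb_ptr = (volatile uint8_t*)vmcb_addr;
	uint8_t fail_flag = 0;
	asm volatile(
	    "mov %1, %%rax\n\t"
	    "vmrun\n\t"
	    "setc %0\n\t"
	    : "=q"(fail_flag)
	    : "m"(vmcb_addr)
	    : "rax", "cc", "memory");
	if (fail_flag) {
		guest_uexit(0xE2E10000 | 0xFFFF);
		return;
	}
	uint64_t exit_reason = vmcb_read64(vmcb_ptr, VMCB_EXIT_CODE);
	nested_vm_exit_handler_amd(exit_reason, cpu_id, vm_id);
}

GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		guest_handle_nested_vmentry_intel(vm_id, cpu_id, true);
	} else {
		guest_run_amd_vm(cpu_id, vm_id);
	}
}

// On AMD there is no launch/resume distinction; both map to VMRUN.
GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		guest_handle_nested_vmentry_intel(vm_id, cpu_id, false);
	} else {
		guest_run_amd_vm(cpu_id, vm_id);
	}
}

// Read-modify-write of an arbitrary VMCS field of VM args[0]:
// new = ((old & ~args[3]) | args[2]) ^ args[4]. The field encoding args[1]
// is fuzzer-controlled; a bad encoding makes vmread() return garbage (see
// its comment) and vmwrite() raise UEXIT_ASSERT.
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_INTEL)
		return;
	uint64_t vm_id = cmd->args[0];
	nested_vmptrld(cpu_id, vm_id);
	uint64_t field = cmd->args[1];
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t current_value = vmread(field);
	uint64_t new_value = (current_value & ~unset_mask) | set_mask;
	new_value ^= flip_mask;
	vmwrite(field, new_value);
}

// AMD counterpart: read-modify-write of the 64-bit VMCB word at byte offset
// args[1]. The offset is truncated to 16 bits by the accessor and is not
// bounded to the 4 KiB VMCB, so offsets >= KVM_PAGE_SIZE modify the page after
// the VMCB (another VM's VMCB or page tables, depending on the layout) -
// presumably the host-side description constrains it; confirm.
GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t offset = cmd->args[1];
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset);
	uint64_t new_value = (current_value & ~unset_mask) | set_mask;
	new_value ^= flip_mask;
	vmcb_write64(vmcb_addr, offset, new_value);
}

// INVLPGA: invalidate the TLB entry for linear address args[0] in ASID args[1].
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t linear_addr = cmd->args[0];
	uint32_t asid = (uint32_t)cmd->args[1];
	asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

// STGI/CLGI toggle the global interrupt flag of L1 itself (not of L2).
GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("stgi" ::: "memory");
}

GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("clgi" ::: "memory");
}

// Queues an event for injection into L2 on the next VMRUN. The value is built
// in EVENTINJ format: vector (bits 0-7), type (8-10), EV = error-code valid
// (bit 11, from flags & 2), V = valid (bit 31, from flags & 1), error code
// (bits 32-63).
// NOTE(review): the write goes to the bare offset 0x60 rather than a named
// VMCB_CTRL_* constant like the rest of this file. In the AMD APM VMCB layout
// offset 0x60 is the interrupt-shadow field and EVENTINJ is at 0xA8 - verify
// the intended field and replace the magic number.
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t vector = cmd->args[1] & 0xFF;
	uint64_t type = cmd->args[2] & 0x7;
	uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
	uint64_t flags = cmd->args[4];
	uint64_t event_inj = vector;
	event_inj |= (type << 8);
	if (flags & 2)
		event_inj |= (1ULL << 11);
	if (flags & 1)
		event_inj |= (1ULL << 31);
	event_inj |= (error_code << 32);
	vmcb_write64(vmcb_addr, 0x60, event_inj);
}

// Sets (action == 1) or clears (any other action) the bits of args[2] in the
// 32-bit intercept word at VMCB offset args[1]. Same unbounded-offset caveat
// as guest_handle_nested_amd_vmcb_write_mask().
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t offset = cmd->args[1];
	uint64_t bit_mask = cmd->args[2];
	uint64_t action = cmd->args[3];
	uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset);
	if (action == 1)
		current |= (uint32_t)bit_mask;
	else
		current &= ~((uint32_t)bit_mask);
	vmcb_write32(vmcb_addr, (uint16_t)offset, current);
}

// VMLOAD: loads L1's own FS/GS/TR/LDTR, KernelGSBase, STAR/LSTAR/CSTAR/SFMASK
// and SYSENTER state from the (fuzzer-editable) VMCB of VM cmd->arg.
// Deliberately lets the fuzzer replace hidden L1 register state.
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory");
}

// VMSAVE: the inverse of vmload - stores that hidden L1 state into the VMCB.
GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory");
}

// Pre-assembled guest snippets used by the legacy (non-SyzOS) KVM setup;
// the names describe the mode they switch the vCPU into.
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb";
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
const char kvm_asm64_init_vm[] =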
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
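fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

/*
 * 64-bit TSS image. This file only populates the three privilege-level
 * stack pointers (rsp[]) and the I/O-map base; the IST slots and reserved
 * words stay zero.
 */
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint16_t reserved3;
	uint16_t io_bitmap;
} __attribute__((packed));

/*
 * Encode `seg` as an 8-byte legacy descriptor and store it at the slot its
 * selector names in both `dt` (GDT or IDT) and `lt` (LDT); callers with a
 * single table pass it twice.
 *
 * Quadword layout produced:
 *   [15:0]  limit[15:0]     [39:16] base[23:0]     [43:40] type
 *   [44]    S               [46:45] DPL            [47]    P
 *   [51:48] limit[19:16]    [52] AVL  [53] L  [54] D/B  [55] G
 *   [63:56] base[31:24]
 * kvm_segment.limit is a byte limit, so with G set it is converted back to
 * 4 KiB units first.
 *
 * Fix: limit[19:16] and base[31:24] were shifted left by 48 and 56 instead
 * of 32. Those bits already sit at positions 16-19 / 24-31 of the masked
 * source value, so the larger shifts pushed them past bit 63 and they were
 * silently dropped -- every in-memory descriptor ended up with a 16-bit
 * limit and a 24-bit base. KVM's cached copy loaded via KVM_SET_SREGS was
 * unaffected, so this only showed once the guest reloaded a selector from
 * the table. For the gate descriptors built by setup_32bit_idt() the same
 * bits hold offset[19:16] of the handler, which now lands where a gate
 * keeps it.
 *
 * `index` is not range-checked: the visible callers pass small, fixed
 * selectors into tables they sized themselves.
 */
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffffULL) |
		      (seg->base & 0xffffffULL) << 16 |
		      (uint64_t)seg->type << 40 |
		      (uint64_t)seg->s << 44 |
		      (uint64_t)seg->dpl << 45 |
		      (uint64_t)seg->present << 47 |
		      (limit & 0xf0000ULL) << 32 |
		      (uint64_t)seg->avl << 52 |
		      (uint64_t)seg->l << 53 |
		      (uint64_t)seg->db << 54 |
		      (uint64_t)seg->g << 55 |
		      (seg->base & 0xff000000ULL) << 32;
	dt[index] = sd;
	lt[index] = sd;
}

/*
 * 16-byte flavour for long-mode system descriptors (64-bit gates/TSS/LDT):
 * the low quadword comes from fill_segment_descriptor(), the high quadword
 * -- base[63:32] and reserved bits -- is written as zero. The caller must
 * leave slot index+1 free and must not use a base at or above 4 GiB.
 */
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

/*
 * Point the fast-system-call MSRs of vCPU `cpufd` at the executor's stubs:
 *   IA32_SYSENTER_CS/ESP/EIP -> sel_cs, X86_ADDR_STACK0, X86_ADDR_VAR_SYSEXIT
 *   IA32_STAR                -> sel_cs in bits 47:32, sel_cs_cpl3 in bits 63:48
 *   IA32_LSTAR               -> X86_ADDR_VAR_SYSRET
 * `sel_cs` is the kernel code selector of the mode being set up and
 * `sel_cs_cpl3` its user-mode counterpart. The KVM_SET_MSRS result is not
 * checked: this is best-effort guest setup.
 */
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	enum { NMSRS = 5 };
	char buf[sizeof(struct kvm_msrs) + NMSRS * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = NMSRS;
	entries[0].index = X86_MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
	entries[1].data = X86_ADDR_STACK0;
	entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
	entries[2].data = X86_ADDR_VAR_SYSEXIT;
	entries[3].index = X86_MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = X86_MSR_IA32_LSTAR;
	entries[4].data = X86_ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

/*
 * Build a 32-entry, 8-byte-per-entry IDT for the 16/32-bit guest modes at
 * guest_mem + X86_ADDR_VAR_IDT and point sregs->idt at it (limit 0x1ff =
 * 64 slots, so the upper half stays whatever is in memory).
 *
 * Entry i uses gate kind i % 6: types 6/7 with CS16, 3 with TGATE16,
 * 14/15 with CS32, 11 with TGATE32. fill_segment_descriptor() is reused
 * for gates by passing the target selector in `base` and the handler
 * offset in `limit` -- those fields occupy the same low bits in a gate --
 * and every handler is the user-code copy at X86_ADDR_VAR_USER_CODE2.
 * The host-side pointer host_mem + idt.base assumes host_mem maps guest
 * physical 0 (guest_mem is 0 in the caller).
 */
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = X86_SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = X86_SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = X86_SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = X86_SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = X86_SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = X86_SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; // handler offset, see above
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}

/*
 * Build a 32-entry, 16-byte-per-entry IDT for the 64-bit guest mode at
 * guest_mem + X86_ADDR_VAR_IDT (limit 0x1ff = 32 * 16 bytes). Entries
 * alternate type 15 (even i) and 14 (odd i) through CS64; selector
 * (i * 2) << 3 skips the high half of each 16-byte descriptor, which
 * fill_segment_descriptor_dword() zeroes. Same base/limit trick and same
 * host-mapping assumption as setup_32bit_idt().
 */
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ? 14 : 15;
		gate.base = X86_SEL_CS64;
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; // handler offset
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

/* Per-region flags for struct mem_region. Bit 4 is intentionally unassigned here. */
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)

/* One guest-physical region: start address, size in 4 KiB pages, MEM_REGION_FLAG_* bits. */
struct mem_region {
	uint64_t gpa;
	int pages;
	uint32_t flags;
};

/*
 * Fixed guest-physical layout of a SyzOS VM. setup_pg_table() identity-maps
 * every region listed here (including the NO_HOST_MEM exit page) and then
 * maps whatever page budget remains at X86_SYZOS_ADDR_UNUSED.
 */
static const struct mem_region syzos_mem_regions[] = {
    {X86_SYZOS_ADDR_ZERO, 48, MEM_REGION_FLAG_GPA0},
    {X86_SYZOS_ADDR_SMRAM, 10, 0},
    {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM},
    {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG},
    {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE},
    {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE},
    {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0},
    {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0},
    {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0},
    {X86_SYZOS_ADDR_IOAPIC, 1, 0},
};

/*
 * Host-side handle for one SyzOS VM.
 *   vmfd         KVM VM file descriptor
 *   next_cpu_id  id handed to the next vCPU created
 *   host_mem     host mapping used to reach guest structures (GDT, IDT, TSS)
 *   total_pages  page budget consumed by setup_pg_table()
 *   user_text    host view of the user-code region
 *   gpa0_mem     host mapping of guest physical 0; page tables are built
 *                relative to it
 */
struct kvm_syz_vm {
	int vmfd;
	int next_cpu_id;
	void* host_mem;
	size_t total_pages;
	void* user_text;
	void* gpa0_mem;
};

#define X86_NUM_IDT_ENTRIES 256

/*
 * Build the full 256-entry long-mode IDT at X86_SYZOS_ADDR_VAR_IDT and point
 * sregs->idt at it. Every vector gets an identical present, DPL0, 64-bit
 * interrupt gate (type_attr 0x8E, IST 0) through X86_SYZOS_SEL_CODE to
 * dummy_null_handler, so any exception or interrupt in the guest lands on
 * the same stub. The table is written through vm->host_mem + guest address,
 * i.e. host_mem is assumed to map guest physical 0.
 */
static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs)
{
	sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT;
	sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1;
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)((uint64_t)vm->host_mem + sregs->idt.base);
	uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler);
	for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) {
		idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF);
		idt[i].selector = X86_SYZOS_SEL_CODE;
		idt[i].ist = 0;
		idt[i].type_attr = 0x8E;
		idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF);
		idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF);
		idt[i].reserved = 0;
	}
}

/* Guest code blob handed to syz_kvm_setup_cpu: bitness/type tag, bytes, length. */
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

/* One (option type, value) pair for syz_kvm_setup_cpu's control-register tweaks. */
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

/* Physical-address bits of a 4-level page-table entry. */
#define PAGE_MASK GENMASK_ULL(51, 12)

/* Bump allocator over the fixed page-table pool: [next_page, last_page). */
typedef struct {
	uint64_t next_page;
	uint64_t last_page;
} page_alloc_t;

/*
 * Take the next page from the pool. Exhaustion is a layout bug, not a
 * runtime condition, so it terminates the executor rather than returning.
 */
static uint64_t pg_alloc(page_alloc_t* alloc)
{
	if (alloc->next_page >= alloc->last_page)
		exit(1);
	uint64_t page = alloc->next_page;
	alloc->next_page += KVM_PAGE_SIZE;
	return page;
}

/*
 * Identity-map one 4 KiB page (gpa -> gpa, present + writable, supervisor,
 * executable) in the 4-level tables rooted at host_mem + X86_SYZOS_ADDR_PML4.
 * Missing intermediate tables are allocated from `alloc`; an existing leaf
 * entry is simply overwritten. Table addresses are interpreted relative to
 * host_mem, so it must be the mapping of guest physical 0.
 */
static void map_4k_page(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa)
{
	uint64_t* pml4 = (uint64_t*)(host_mem + X86_SYZOS_ADDR_PML4);
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (pml4[pml4_idx] == 0)
		pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pdpt = (uint64_t*)(host_mem + (pml4[pml4_idx] & PAGE_MASK));
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (pdpt[pdpt_idx] == 0)
		pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pd = (uint64_t*)(host_mem + (pdpt[pdpt_idx] & PAGE_MASK));
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (pd[pd_idx] == 0)
		pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pt = (uint64_t*)(host_mem + (pd[pd_idx] & PAGE_MASK));
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW;
}

/*
 * Identity-map `num_pages` consecutive pages starting at gpa_start.
 * Returns num_pages so callers can subtract it from a page budget; a
 * non-positive count maps nothing.
 */
static int map_4k_region(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa_start, int num_pages)
{
	for (int i = 0; i < num_pages; i++)
		map_4k_page(host_mem, alloc, gpa_start + (i * KVM_PAGE_SIZE));
	return num_pages;
}

/*
 * Build the guest page tables: zero the 32-page table pool at
 * X86_SYZOS_ADDR_PT_POOL, identity-map every region in syzos_mem_regions,
 * then spend whatever is left of vm->total_pages on an identity mapping at
 * X86_SYZOS_ADDR_UNUSED. If the fixed regions already exceed the budget the
 * remainder goes negative and the final call maps nothing.
 */
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	int total = vm->total_pages;
	uint64_t host_mem = (uint64_t)vm->gpa0_mem;
	page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL,
			      .last_page = X86_SYZOS_ADDR_PT_POOL + 32 * KVM_PAGE_SIZE};
	for (uint64_t i = 0; i < (alloc.last_page - alloc.next_page); i += KVM_PAGE_SIZE)
		memset((void*)(host_mem + alloc.next_page + i), 0, KVM_PAGE_SIZE);
	for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++)
		total -= map_4k_region(host_mem, &alloc, syzos_mem_regions[i].gpa, syzos_mem_regions[i].pages);
	map_4k_region(host_mem, &alloc, X86_SYZOS_ADDR_UNUSED, total);
}

/* Legacy 8-byte GDT descriptor, field by field. */
struct gdt_entry {
	uint16_t limit_low;
	uint16_t base_low;
	uint8_t base_mid;
	uint8_t access;
	uint8_t limit_high_and_flags;
	uint8_t base_high;
} __attribute__((packed));

/*
 * Fill the SyzOS long-mode GDT:
 *   slot 0              null descriptor
 *   SEL_CODE            access 0x9A / flags 0xA: present, DPL0, code, L=1
 *   SEL_DATA            access 0x92 / flags 0xC: present, DPL0, data, 4K, D/B=1
 *   SEL_TSS64           access 0x89: present, DPL0, available 64-bit TSS,
 *                       limit 0x67, base 0
 * NOTE(review): the SEL_DATA entry carries X86_SYZOS_ADDR_VAR_TSS as its
 * base while the SEL_TSS64 entry has base 0 -- this looks swapped. It is
 * masked today because setup_gdt_ldt_pg() loads ds/tr into KVM directly
 * (tr.base = X86_SYZOS_ADDR_VAR_TSS, ds.base = 0), so the table only matters
 * once the guest reloads a selector (mov %ds / ltr). Also, a 64-bit TSS
 * descriptor is 16 bytes and its upper half (slot SEL_TSS64>>3 + 1) is not
 * written here; it relies on that memory being zero. Confirm intent before
 * changing.
 */
static void setup_gdt_64(struct gdt_entry* gdt)
{
	gdt[0] = (struct gdt_entry){0};
	gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0};
	gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF,
	    .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF),
	    .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF),
	    .access = 0x92,
	    .limit_high_and_flags = 0xCF,
	    .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)};
	gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){
	    .limit_low = 0x67, .base_low = 0, .base_mid = 0, .access = 0x89, .limit_high_and_flags = 0x00, .base_high = 0};
}

/*
 * Program vCPU `cpufd` for 64-bit SyzOS: GDT (5 slots at X86_SYZOS_ADDR_GDT),
 * flat 64-bit code and data segments loaded directly into sregs, then TSS,
 * IDT, page tables and control registers (continued below). The
 * KVM_GET_SREGS result is not checked; the fields touched here are all
 * overwritten anyway.
 */
static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd)
{
	struct kvm_sregs sregs;
	ioctl(cpufd, KVM_GET_SREGS, &sregs);
	sregs.gdt.base = X86_SYZOS_ADDR_GDT;
	sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1;
	struct gdt_entry* gdt = (struct gdt_entry*)((uint64_t)vm->host_mem + sregs.gdt.base);
	// 64-bit code: type 11 (execute/read, accessed), flat, 4K granular, L=1.
	struct kvm_segment seg_cs64;
	memset(&seg_cs64, 0, sizeof(seg_cs64));
	seg_cs64.selector = X86_SYZOS_SEL_CODE;
	seg_cs64.type = 11;
	seg_cs64.base = 0;
	seg_cs64.limit = 0xFFFFFFFFu;
	seg_cs64.present = 1;
	seg_cs64.s = 1;
	seg_cs64.g = 1;
	seg_cs64.l = 1;
	sregs.cs = seg_cs64;
	// Flat data segment (type 3: read/write, accessed) shared by ds/es/fs/gs/ss.
	struct kvm_segment seg_ds64;
	memset(&seg_ds64, 0, sizeof(struct kvm_segment));
	seg_ds64.selector = X86_SYZOS_SEL_DATA;
	seg_ds64.type = 3;
	seg_ds64.limit = 0xFFFFFFFFu;
	seg_ds64.present = 1;
	seg_ds64.s = 1;
	seg_ds64.g = 1;
	seg_ds64.db = 1;
	sregs.ds = seg_ds64;
	sregs.es = seg_ds64;
	sregs.fs = seg_ds64;
	sregs.gs = seg_ds64;
	sregs.ss = seg_ds64;
	struct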
kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)((uint64_t)vm->host_mem + X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); setup_pg_table(vm); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = 
text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; 
seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct 
kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; 
host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags 
& KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = 
X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; 
tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) 
| (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, 
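/* Tail of the vCPU-setup routine that begins before this excerpt: the last
 * gate descriptors are written, then the segment and general registers are
 * pushed to KVM. The corpus rendering had the HTML entity "&reg" decoded into
 * "®s" here and twice in reset_cpu_regs below; "&regs" is restored so the
 * file compiles again. */
&seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, &regs)) return -1; return 0; }

/* RFLAGS bit 1 is architecturally reserved-as-1; bit 9 is IF (interrupts enabled). */
#define RFLAGS_1_BIT (1ULL << 1)
#define RFLAGS_IF_BIT (1ULL << 9)

/*
 * Point a freshly created vCPU at guest_main.
 *
 * cpufd     - fd returned by KVM_CREATE_VCPU
 * cpu_id    - index of this vCPU; passed to the guest in rsi
 * text_size - bytes of user code installed for it; passed to the guest in rdi
 *
 * rdi/rsi look like the first two integer arguments of guest_main under the
 * SysV x86-64 convention -- confirm against the guest-side prototype. The
 * KVM_SET_REGS result is not checked: on failure the vCPU keeps whatever
 * register state it already had and the caller cannot tell.
 */
static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size)
{
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
	regs.rip = executor_fn_guest_addr(guest_main);
	regs.rsp = X86_SYZOS_ADDR_STACK0;
	regs.rdi = text_size;
	regs.rsi = cpu_id;
	ioctl(cpufd, KVM_SET_REGS, &regs);
}

/*
 * Copy fuzzer-supplied guest code into the per-vCPU page of vm->user_text and
 * prepare the vCPU to execute it.
 *
 * cpu_id is range-checked against KVM_MAX_VCPU before it indexes the text
 * area, and text_size is clamped to KVM_PAGE_SIZE so the memcpy cannot spill
 * into the next vCPU's page. An out-of-range cpu_id is silently ignored.
 * The bytes are only ever executed inside the guest; nothing here interprets
 * them on the host side.
 */
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size)
{
	if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU))
		return;
	if (text_size > KVM_PAGE_SIZE)
		text_size = KVM_PAGE_SIZE;
	void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
	memcpy(target, text, text_size);
	setup_gdt_ldt_pg(vm, cpufd);
	setup_cpuid(cpufd);
	reset_cpu_regs(cpufd, cpu_id, text_size);
}

/* A contiguous host-memory range: base pointer plus length in bytes. */
struct addr_size {
	void* addr;
	size_t size;
};

/*
 * Bump-allocate `size` bytes from the front of the pool `free`.
 *
 * Returns the carved-out range, or {NULL, 0} when the pool is too small;
 * `free` is advanced only on success. No alignment is applied, so callers
 * that need page-aligned chunks must request page multiples from a
 * page-aligned pool. A zero-byte request always succeeds and returns the
 * current base without consuming anything. Callers must check .addr.
 */
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size)
{
	struct addr_size ret = {.addr = NULL, .size = 0};
	if (free->size < size)
		return ret;
	ret.addr = free->addr;
	ret.size = size;
	free->addr = (void*)((char*)free->addr + size);
	free->size -= size;
	return ret;
}

/*
 * Register one guest-physical <-> host-virtual mapping (memslot) with KVM.
 *
 * A designated initializer is used so every byte of the struct handed to the
 * kernel, including any padding, is defined. The ioctl result is not
 * checked; registration is best-effort for the fuzzer's purposes.
 */
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr)
{
	struct kvm_userspace_memory_region memreg = {
	    .slot = slot,
	    .flags = flags,
	    .guest_phys_addr = guest_phys_addr,
	    .memory_size = memory_size,
	    .userspace_addr = userspace_addr,
	};
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}

/*
 * Copy the linked-in guest OS image (the __start_guest..__stop_guest range)
 * into host_mem. Aborts instead of overflowing when the image is larger than
 * mem_size. The memcpy that finishes this function is on the next line of
 * the file.
 */
static void install_syzos_code(void* host_mem, size_t mem_size)
{
	size_t size = (char*)&__stop_guest - (char*)&__start_guest;
	if (size > mem_size)
		exit(1);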
memcpy(host_mem, &__start_guest, size); }

/*
 * Carve the host buffer into the regions listed in syzos_mem_regions and
 * register each one with KVM. Regions flagged NO_HOST_MEM get no backing;
 * DIRTY_LOG/READONLY become KVM_MEM_LOG_DIRTY_PAGES/KVM_MEM_READONLY; the
 * USER_CODE and GPA0 regions are remembered in vm; the EXECUTOR_CODE region
 * receives the guest OS image. Whatever is left of the pool is registered as
 * one final slot at X86_SYZOS_ADDR_UNUSED.
 * NOTE(review): alloc_guest_mem returns {NULL, 0} when the pool is exhausted
 * and that is not checked here -- a region table larger than the pool would
 * register zero-sized slots and could leave vm->user_text NULL for the later
 * memcpy in install_user_code.
 */
static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; struct addr_size next = alloc_guest_mem(&allocator, r->pages * KVM_PAGE_SIZE); uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); } struct addr_size next = alloc_guest_mem(&allocator, allocator.size); vm_set_user_memory_region(vmfd, slot++, 0, X86_SYZOS_ADDR_UNUSED, next.size, (uintptr_t)next.addr); }

/*
 * syz_kvm_setup_syzos_vm(vmfd, host_mem): lay a guest out inside host_mem.
 * The first page of host_mem is used for the kvm_syz_vm bookkeeping struct
 * itself; the remaining KVM_GUEST_PAGES - 1 pages form the allocator pool.
 * Returns the struct pointer (as long) for subsequent syz_kvm_add_vcpu calls.
 * host_mem is fuzzer-controlled and is not validated here.
 */
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; }

/*
 * syz_kvm_add_vcpu(vm, kvm_text*): create the next vCPU and install its code.
 * Returns the vCPU fd; -1 with EINVAL for a NULL vm, ENOMEM once KVM_MAX_VCPU
 * vCPUs exist, or errno from KVM_CREATE_VCPU.
 * NOTE(review): utext is dereferenced before the vm NULL check, so a NULL a1
 * faults instead of returning -1. The install_user_code call continues on
 * the next line of the file.
 */
static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, 
text_size); return cpufd; }

static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl();

/*
 * Build a private root for the test process under ./syz-tmp and move into it.
 *
 * Sequence: raise fs.mount-max, mount a tmpfs at ./syz-tmp, create newroot,
 * bind-mount /dev and /sys (plus selinux, debugfs, smackfs, binfmt_misc when
 * present), mount a fresh proc, bind /syz-inputs, then pivot_root into
 * ./syz-tmp (falling back to a plain chdir when pivot_root fails) and chroot
 * into newroot. Mandatory mounts exit(1) on any error; optional ones tolerate
 * ENOENT only. bind_mount_flags = MS_BIND|MS_REC|MS_PRIVATE, so the binds are
 * read-write and do not propagate back to the host namespace.
 *
 * Security caveats for anyone reusing this:
 *  - /dev and /sys are bind-mounted read-write into the new root, so this is
 *    an isolation convenience for the fuzzer, not a confinement boundary.
 *  - NOTE(review): MS_RDONLY ORed into the initial MS_BIND call for
 *    /syz-inputs is, on the legacy mount(2) path, ignored (per-mount flags
 *    are only applied by a follow-up MS_REMOUNT|MS_BIND|MS_RDONLY); verify on
 *    the target kernel before relying on that mount being read-only.
 *  - mount("/sys", ..., 0, ...) passes 0 for fstype, equivalent to NULL.
 */
static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; /* try the legacy /selinux mount point first, then the sysfs one; absence of both is fine */ if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); /* pivot_root may be refused (e.g. no mount namespace privileges); then just chdir and rely on chroot below */ if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); 
setup_binderfs(); setup_fusectl(); }

/* The three helpers below are best-effort: mkdir/mount failures are ignored so
 * the sandbox still starts on kernels without gadgetfs, fusectl or binderfs. */
static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } }
static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } }
static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } }

static void loop();

/*
 * Process-wide setup shared by the sandboxes.
 *
 *  - PR_SET_PDEATHSIG/SIGKILL ties this process to its parent; if it has
 *    already been reparented to init it gives up.
 *  - A descriptor for the initial network namespace is parked at
 *    kInitNetNsFd (presumably so later code can re-enter it after
 *    unshare(CLONE_NEWNET) -- confirm against the users of kInitNetNsFd).
 *  - Resource limits: 200 MiB address space, 32 MiB mlock, 136 MiB file
 *    size, 1 MiB stack, 128 MiB core, 256 fds. setrlimit failures are
 *    ignored, so none of these are guaranteed.
 *  - Best-effort unshare of mount, IPC, cgroup (0x02000000 is the numeric
 *    value of CLONE_NEWCGROUP, spelled out presumably for old headers), UTS
 *    and SysV-semaphore namespaces; "/" is made MS_PRIVATE so mounts made
 *    later do not leak to the host.
 *  - SysV IPC limits are widened through sysctls (best-effort writes).
 * Nothing here drops privileges; callers that want that call drop_caps.
 */
static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); }

/*
 * Reap children until `pid` exits and return its exit code.
 * NOTE(review): waitpid(-1) discards the status of any other child reaped on
 * the way, and WEXITSTATUS is returned without a WIFEXITED check, so a child
 * killed by a signal yields a meaningless code.
 */
static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static 
/*
 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from this process's effective,
 * permitted and inheritable sets via the v3 capget/capset syscalls.
 * Both capability numbers are below 32, so only cap_data[0] (the low word)
 * is edited; every other capability is retained and the bounding set is not
 * touched here. Either syscall failing is fatal. The "none" sandbox therefore
 * still runs as root with nearly full capabilities; dropping ptrace
 * presumably keeps fuzzed programs from attaching to the executor itself.
 */
void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); }

/*
 * The "none" sandbox: best-effort new PID namespace, then fork. The parent
 * only waits for the child's exit code. The child applies sandbox_common,
 * drops the two capabilities above, enters a fresh (best-effort) network
 * namespace, opens ping sockets to every group, pivots into the tmpfs root
 * and runs loop() forever; reaching exit(1) means loop() returned.
 */
static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); sandbox_common_mount_tmpfs(); loop(); exit(1); }

/* Inode-flags ioctl, used to clear immutable/append-only bits that block unlink. */
#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir`, which a fuzzed program may have left in an
 * adversarial state: anything mounted on it or on its entries is unmounted
 * first (MNT_FORCE|UMOUNT_NOFOLLOW), subdirectories recurse, and a file whose
 * unlink fails with EPERM gets its inode flags cleared and is retried. EROFS
 * gives up on that entry; EBUSY unmounts and retries up to ~100 times; any
 * other error is fatal. rmdir at the end retries on EBUSY/ENOTEMPTY (the
 * latter by rescanning, `iter` bounded at 100). The rmdir half continues on
 * the next line of the file.
 * NOTE(review): the EPERM path `continue`s without consulting the i > 100
 * cap, so an entry whose flags cannot be cleared retries unboundedly; and
 * open(filename, O_RDONLY) follows symlinks, so the FS_IOC_SETFLAGS ioctl can
 * reach a target outside the tree -- O_NOFOLLOW would keep it confined.
 * The snprintf into filename[FILENAME_MAX] is not checked for truncation.
 */
static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } 
/* Tail of remove_dir(): rmdir retry loop (EPERM -> clear flags, EROFS -> give
 * up, EBUSY -> unmount, ENOTEMPTY -> rescan via `retry`), otherwise fatal. */
close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } }

/*
 * Arm the kernel's systematic fault injection so the nth fault point hit by
 * this thread fails. Returns the open fail-nth fd, which the caller owns and
 * must close (it is not closed here). buf[16] comfortably holds any int.
 * Fatal if the file is missing or the write is short.
 */
static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; }

/*
 * Kill a test child and everything in its process group, then reap it.
 * Polls for up to ~100 ms; if the child is still not reaped it is assumed to
 * be stuck in a FUSE request, so every /sys/fs/fuse/connections/<id>/abort is
 * written (the single byte written is just the first character of the path --
 * any write aborts the connection), and then it blocks until the child is
 * reaped. waitpid(-1) also consumes other children's statuses along the way.
 */
static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } }

/* Detach whatever a previous iteration attached to /dev/loop<procid>; errors ignored. */
static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } }

/*
 * Per-test-child setup: die with the parent, become a process-group leader
 * (so kill(-pid) in kill_and_wait reaches all descendants), volunteer as the
 * preferred OOM victim, and expose binderfs under the cwd (best-effort).
 */
static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } }

/*
 * Probe for fault-injection support and configure it. Returns NULL on
 * success or a human-readable reason it is unavailable. Only the failslab
 * knob is mandatory; the others are tried but not required. The table
 * continues on the next line of the file.
 */
static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, 
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; }

/*
 * Machine-wide sysctl tuning for a throwaway fuzzing VM.
 *
 * A child that sleeps forever is forked first so its pid can be installed as
 * kernel.cad_pid: a fuzzed reboot(LINUX_REBOOT_CMD_CAD_*) then signals that
 * harmless child instead of init. The child is killed and reaped before
 * returning (the kernel keeps its own reference to the pid).
 *
 * Security caveat: several of these knobs weaken kernel hardening on purpose
 * -- kptr_restrict=0 exposes kernel addresses, bpf_jit_harden=0 disables
 * JIT constant blinding, bpf_jit_kallsyms=1 exports JIT symbols -- and the
 * rest raise diagnostic verbosity. None of them belong on a production host.
 * All writes are best-effort. Note fs.mount-max is set to 100 here while
 * sandbox_common_mount_tmpfs raises it to 100000 -- confirm which is meant
 * to win.
 */
static void setup_sysctl() { int cad_pid = fork(); if (cad_pid < 0) exit(1); if (cad_pid == 0) { for (;;) sleep(100); } char tmppid[32]; snprintf(tmppid, sizeof(tmppid), "%d", cad_pid); struct { const char* name; const char* data; } files[] = { {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"}, {"/proc/sys/kernel/hung_task_check_interval_secs", "20"}, {"/proc/sys/net/core/bpf_jit_kallsyms", "1"}, {"/proc/sys/net/core/bpf_jit_harden", "0"}, {"/proc/sys/kernel/kptr_restrict", "0"}, {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"}, {"/proc/sys/fs/mount-max", "100"}, {"/proc/sys/vm/oom_dump_tasks", "0"}, {"/proc/sys/debug/exception-trace", "0"}, {"/proc/sys/kernel/printk", "7 4 1 3"}, {"/proc/sys/kernel/keys/gc_delay", "1"}, {"/proc/sys/vm/oom_kill_allocating_task", "1"}, {"/proc/sys/kernel/ctrl-alt-del", "0"}, {"/proc/sys/kernel/cad_pid", tmppid}, }; for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].name, files[i].data)) { } } kill(cad_pid, SIGKILL); while (waitpid(cad_pid, NULL, 0) != cad_pid) ; }

/* Smallest buffer syz_fuse_handle_req will read a /dev/fuse request into. */
#define FUSE_MIN_READ_BUFFER 8192

/* FUSE request opcodes; the values appear to mirror the kernel's uapi fuse.h
 * (the *_BSWAP_RESERVED entries are the byte-swapped INIT opcodes). The
 * enumeration continues on the next line of the file. */
enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, 
FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, };

/* Wire header the kernel prefixes to every request read from /dev/fuse. */
struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; };
/* Wire header of every reply written back; len covers header plus payload. */
struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; };
/* Fuzzer-supplied canned replies, one per reply shape; any pointer may be NULL. */
struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; };

/*
 * Send a canned reply for in_hdr: stamp the request's `unique` into it so the
 * kernel can match reply to request, then write out_hdr->len bytes.
 * Returns -1 for a NULL reply or a failed write, 0 otherwise.
 * NOTE(review): out_hdr->len comes straight from the fuzzer-provided reply
 * buffer and is not checked against the object it points to, and a short
 * write is treated as success -- acceptable for a fuzzer, not for a daemon.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; }

/*
 * syz_fuse_handle_req(fd, buf, buf_len, req_out): read one request from a
 * /dev/fuse fd into buf and answer it from req_out's canned replies.
 * Guards before trusting the data: req_out non-NULL; buf_len at least
 * FUSE_MIN_READ_BUFFER; the read is not an error and returned at least a
 * full fuse_in_header; and in_hdr->len does not exceed what was actually
 * read. The opcode dispatch continues on the next line of the file.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, 
/* Body of syz_fuse_handle_req continued: validate the header, then pick the
 * reply buffer by opcode. The "status-only" group (RMDIR..DESTROY) reuses
 * req_out->init and rewrites its len to a bare header -- note this mutates
 * the shared init reply, so a later FUSE_INIT would also go out with only a
 * header. FORGET/BATCH_FORGET return 0 without writing anything; unknown
 * opcodes return -1 without a reply, leaving the kernel waiting. */
buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); }

/* mac80211_hwsim generic-netlink attribute ids used below. */
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
/* Upper bound on an injected 802.11 frame; enforced in syz_80211_inject_frame. */
#define WIFI_MAX_INJECT_LEN 2048

/* hwsim_register_socket: signature continues on the next line of the file. */
static int 
/* Register this netlink socket with mac80211_hwsim (HWSIM_CMD_REGISTER) so it
 * may inject frames. Returns the netlink_send_ext result (<0 on error). */
hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_REGISTER; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; }

/*
 * Deliver `len` bytes of raw 802.11 frame to the hwsim radio with the given
 * MAC, using fixed default rate/signal attributes. ETH_ALEN bytes are read
 * from mac_addr unconditionally (no NULL check); len was bounded by the
 * caller. Returns the netlink_send_ext result.
 */
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; }

/*
 * syz_80211_inject_frame(mac_addr, buf, buf_len): inject one frame into the
 * hwsim radio identified by mac_addr. buf_len is range-checked to
 * 0..WIFI_MAX_INJECT_LEN before any socket work; the generic-netlink socket
 * is closed on every exit path. Returns 0 on success, -1 on any failure.
 */
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; }

/* Longest SSID accepted by syz_80211_join_ibss. */
#define WIFI_MAX_SSID_LEN 32
/* join modes: fixed frequency + wait for operstate; background scan; fixed frequency, no wait. */
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

/* syz_80211_join_ibss(interface, ssid, ssid_len, mode): body is on the next line of the file. */
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { 
/* Body of syz_80211_join_ibss: ssid_len is bounded to 0..WIFI_MAX_SSID_LEN and
 * mode to the three WIFI_JOIN_IBSS_* values before any socket work; the
 * frequency is pinned for the *_NO_SCAN modes; only WIFI_JOIN_IBSS_NO_SCAN
 * waits for the interface to report IF_OPER_UP. The socket is closed on every
 * path. interface is used as a NUL-terminated string by the helpers with no
 * length bound visible here. */
char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; }

/* How long a forked child lingers before exiting, in microseconds (150 ms). */
#define USLEEP_FORKED_CHILD (3 * 50 *1000)

/*
 * Common post-clone handling. In the parent (or on error) the raw return
 * value is passed through. In the child, sleep briefly and then leave via
 * the raw exit syscall so no atexit handlers, stdio flushing or other
 * process-global teardown runs in the clone; the spin afterwards is an
 * unreachable safety net.
 */
static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } }

/*
 * Fuzzer-facing clone(2). The stack top is aligned down to 16 bytes and
 * CLONE_VM is always masked off, so a fuzzed program can never create a
 * thread that shares -- and could corrupt -- the executor's address space.
 * Every other flag passes through unfiltered. stack/stack_len are not
 * validated; the kernel sees whatever address results.
 */
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); }

/* Largest clone_args struct syz_clone3 will forward. */
#define MAX_CLONE_ARGS_BYTES 256

/*
 * Fuzzer-facing clone3(2). The caller's struct is copied into a bounded local
 * buffer (at least the 8-byte flags word, at most MAX_CLONE_ARGS_BYTES) and
 * CLONE_VM is cleared in its first u64 before the syscall, for the same
 * reason as in syz_clone. The kernel still validates copy_size itself.
 */
static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); }

/* Protection key the fuzzer may not touch (presumably in use by the executor). */
#define RESERVED_PKEY 15
/* syz_pkey_set: signature continues on the next line of the file. */
static long 
/*
 * syz_pkey_set(pkey, val): write the 2-bit access rights `val` for protection
 * key `pkey` into PKRU via rdpkru/wrpkru. Refuses RESERVED_PKEY with EINVAL.
 * NOTE(review): the guard compares the raw argument, but the key actually
 * updated is pkey % 16, so pkey = 31, 47, ... alias onto the reserved key 15
 * and bypass the check; a negative pkey makes the shift count negative (UB),
 * and for key 15 `3 << 30` overflows int (UB). Masking first (`pkey & 15`),
 * checking the masked value, and shifting an unsigned 3u would close all
 * three. rdpkru/wrpkru presumably raise #UD on CPUs or kernels without PKU
 * enabled -- confirm before calling unconditionally.
 */
syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey % 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; }

/* pidfd_open wrapper that redirects pid 1 to 0 (the caller itself), so a
 * fuzzed program cannot obtain a pidfd for init. */
static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); }

/* One worker: `ready` is signalled with `call` set; `done` is signalled when the call returns. */
struct thread_t { int created, call; event_t ready, done; };
static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing, maintained with relaxed atomics only. */
static int running;

/* Worker loop: wait for work, run it, decrement `running`, report done. Never returns. */
static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; }

/*
 * Run the 60 calls of the reproducer, each on the first idle worker (workers
 * are created lazily, up to 16). Every call except call 1 is waited for with
 * a per-call timeout: a 50 ms base plus extra time for the calls listed in
 * the event_timedwait expression; call 1 is fired asynchronously. The
 * timeout expression continues on the next line of the file.
 */
static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 60; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 3000 : 0) + (call == 53 ? 3000 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0) + (call == 56 ? 300 : 0) + (call == 57 ? 3000 : 0) + (call == 58 ? 
/* Tail of execute_one: after the last call, give still-running calls up to
 * ~100 ms to finish before returning (they are not killed here). */
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); }

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Outer reproducer loop, never returns. Each iteration creates ./<iter>,
 * detaches the loop device, and forks a child that chdirs there, applies
 * setup_test and runs execute_one. The parent polls every 10 ms and, once
 * 5 s have passed, SIGKILLs the child's whole group via kill_and_wait; the
 * directory is then scrubbed with remove_dir. waitpid(-1) may also reap
 * unrelated children here. cwdbuf[32] holds any int rendered by "./%d".
 */
static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } }

/* Results of earlier calls reused as arguments by later ones; -1 marks "no result yet". */
uint64_t r[37] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/* The reproducer's call table: each case writes its arguments into the fixed
 * 0x2000... data mapping and issues one syscall. Case 0 arms fault injection
 * and never closes the fd inject_fault returns. The switch continues well
 * past this excerpt. */
void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint32_t*)0x200000000000 = 0x4006; *(uint32_t*)0x200000000004 = 0xd; *(uint32_t*)0x200000000008 = 2; *(uint32_t*)0x20000000000c = 8; inject_fault(1); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x80044945, /*arg=*/0x200000000000ul); break; case 1: *(uint32_t*)0x200000000040 = 0; *(uint32_t*)0x200000000044 = 1; *(uint32_t*)0x200000000048 = 4; *(uint32_t*)0x20000000004c = 2; *(uint32_t*)0x200000000050 = 5; *(uint32_t*)0x200000000054 = 0x81; *(uint32_t*)0x200000000058 = 0; memcpy((void*)0x20000000005c, "id1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); memcpy((void*)0x20000000009c, 
"timer0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 80); *(uint64_t*)0x2000000000f0 = 0; *(uint64_t*)0x2000000000f8 = 6; *(uint64_t*)0x200000000100 = 3; *(uint64_t*)0x200000000108 = 0x70a; *(uint32_t*)0x200000000110 = 9; memset((void*)0x200000000114, 0, 32); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0f85403, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000140, "/dev/ircomm#\000", 13); res = -1; res = syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); for (int i = 0; i < 4; i++) { syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); } if (res != -1) r[0] = res; break; case 3: *(uint32_t*)0x200000000340 = 0x82; *(uint32_t*)0x200000000344 = 8; *(uint64_t*)0x200000000348 = 0x200000000280; *(uint32_t*)0x200000000280 = 1; *(uint64_t*)0x200000000284 = 0; *(uint32_t*)0x20000000028c = 0xc0; *(uint64_t*)0x200000000290 = 0x200000000180; memcpy((void*)0x200000000180, "\x5b\x58\xac\x0e\xd1\xd2\x7b\x21\x7d\x3f\xdc\x62\x99\xcd\xde\x4d\x85\x32\x1f\x7b\xba\xa0\x64\xd3\x61\x51\x9c\xdd\xe4\x3b\x22\x5c\xf0\x06\x58\xdd\xbf\xbd\x91\x4c\xf7\x9e\xce\xb3\x48\xf1\x86\x92\x31\x5c\x3c\x69\xec\x14\x8e\x2d\xd9\x28\xac\x7e\xe6\x2f\x51\x11\xb9\xdc\xca\xca\x88\x52\x49\x12\x34\x19\x55\xf7\x9b\x0f\x22\x06\xb8\x0e\x6e\x5a\x7e\x68\x1a\x62\x96\x94\xa3\x4f\x9b\x0e\x39\x87\x7e\xef\xde\x60\xa0\x68\xcd\xc4\x45\x45\xd6\xfe\x45\xd0\x00\x0c\x99\x61\xa1\xff\x16\x87\x47\x44\x7e\x34\x6b\x16\x46\x08\x75\xc6\x91\xde\x11\x83\xb2\xd7\xb0\x32\xcf\xae\x85\x49\x7d\x0d\x88\x48\xd4\xba\xa9\xad\xc6\xca\xac\xcd\x9a\xf6\x01\x9e\xa2\xba\x6f\x3b\x4e\x60\x18\xdf\x94\xca\xca\xbe\xdd\xec\x7b\x60\x02\x30\xea\x77\x90\x01\x93\x99\xd0\xbe\xb6\x1f\x42\x7d\xf8\x35\x9c\xc3\x48\x93", 192); *(uint64_t*)0x200000000298 = 0; 
*(uint32_t*)0x2000000002a0 = 0; *(uint64_t*)0x2000000002a4 = 0x200000000240; *(uint32_t*)0x2000000002ac = 0x10000; *(uint32_t*)0x2000000002b0 = 0; *(uint64_t*)0x2000000002b4 = 0; *(uint32_t*)0x2000000002bc = 0x81; *(uint32_t*)0x2000000002c0 = 0xe; *(uint64_t*)0x200000000350 = 0x200000000300; *(uint32_t*)0x200000000358 = 0x44; *(uint32_t*)0x20000000035c = 0xc; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0206440, /*arg=*/0x200000000340ul); if (res != -1) r[1] = *(uint64_t*)0x200000000300; break; case 4: *(uint32_t*)0x200000000400 = 0x81; *(uint32_t*)0x200000000404 = 4; *(uint64_t*)0x200000000408 = 0x200000000380; *(uint64_t*)0x200000000380 = r[1]; *(uint64_t*)0x200000000410 = 0x2000000003c0; *(uint32_t*)0x200000000418 = 8; *(uint32_t*)0x20000000041c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000400ul); break; case 5: *(uint32_t*)0x200000000440 = 3; *(uint32_t*)0x200000000444 = 6; STORE_BY_BITMASK(uint32_t, , 0x200000000448, 1, 0, 1); memcpy((void*)0x200000000449, "queue1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); *(uint32_t*)0x20000000048c = 0xdae; memset((void*)0x200000000490, 0, 60); syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc08c5335, /*arg=*/0x200000000440ul); break; case 6: memcpy((void*)0x200000000540, "TIPCv2\000", 7); res = -1; res = syz_genetlink_get_family_id(/*name=*/0x200000000540, /*fd=*/r[0]); if (res != -1) r[2] = res; break; case 7: *(uint64_t*)0x200000000880 = 0x200000000500; *(uint16_t*)0x200000000500 = 0x10; *(uint16_t*)0x200000000502 = 0; *(uint32_t*)0x200000000504 = 0; *(uint32_t*)0x200000000508 = 0x1000000; *(uint32_t*)0x200000000888 = 0xc; *(uint64_t*)0x200000000890 = 0x200000000840; *(uint64_t*)0x200000000840 = 0x200000000580; *(uint32_t*)0x200000000580 = 0x2b4; *(uint16_t*)0x200000000584 = r[2]; 
*(uint16_t*)0x200000000586 = 0x400; *(uint32_t*)0x200000000588 = 0x70bd2d; *(uint32_t*)0x20000000058c = 0x25dfdbfb; *(uint8_t*)0x200000000590 = 4; *(uint8_t*)0x200000000591 = 0; *(uint16_t*)0x200000000592 = 0; *(uint16_t*)0x200000000594 = 0x44; STORE_BY_BITMASK(uint16_t, , 0x200000000596, 3, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 1, 7, 1); *(uint16_t*)0x200000000598 = 8; *(uint16_t*)0x20000000059a = 1; *(uint32_t*)0x20000000059c = 6; *(uint16_t*)0x2000000005a0 = 8; *(uint16_t*)0x2000000005a2 = 1; *(uint32_t*)0x2000000005a4 = 0x3f; *(uint16_t*)0x2000000005a8 = 8; *(uint16_t*)0x2000000005aa = 1; *(uint32_t*)0x2000000005ac = 2; *(uint16_t*)0x2000000005b0 = 8; *(uint16_t*)0x2000000005b2 = 1; *(uint32_t*)0x2000000005b4 = 0x4c00000; *(uint16_t*)0x2000000005b8 = 8; *(uint16_t*)0x2000000005ba = 1; *(uint32_t*)0x2000000005bc = 3; *(uint16_t*)0x2000000005c0 = 8; *(uint16_t*)0x2000000005c2 = 1; *(uint32_t*)0x2000000005c4 = 6; *(uint16_t*)0x2000000005c8 = 8; *(uint16_t*)0x2000000005ca = 3; *(uint32_t*)0x2000000005cc = 0x67c; *(uint16_t*)0x2000000005d0 = 8; *(uint16_t*)0x2000000005d2 = 1; *(uint32_t*)0x2000000005d4 = 7; *(uint16_t*)0x2000000005d8 = 0x3c; STORE_BY_BITMASK(uint16_t, , 0x2000000005da, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 1, 7, 1); *(uint16_t*)0x2000000005dc = 9; *(uint16_t*)0x2000000005de = 1; memcpy((void*)0x2000000005e0, "syz1\000", 5); *(uint16_t*)0x2000000005e8 = 0x2c; STORE_BY_BITMASK(uint16_t, , 0x2000000005ea, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 1, 7, 1); *(uint16_t*)0x2000000005ec = 8; *(uint16_t*)0x2000000005ee = 3; *(uint32_t*)0x2000000005f0 = 0x220a; *(uint16_t*)0x2000000005f4 = 8; *(uint16_t*)0x2000000005f6 = 4; *(uint32_t*)0x2000000005f8 = 0x9c0; *(uint16_t*)0x2000000005fc = 8; *(uint16_t*)0x2000000005fe = 2; *(uint32_t*)0x200000000600 = 
0x101; *(uint16_t*)0x200000000604 = 8; *(uint16_t*)0x200000000606 = 4; *(uint32_t*)0x200000000608 = 3; *(uint16_t*)0x20000000060c = 8; *(uint16_t*)0x20000000060e = 1; *(uint32_t*)0x200000000610 = 8; *(uint16_t*)0x200000000614 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000616, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 1, 7, 1); *(uint16_t*)0x200000000618 = 8; *(uint16_t*)0x20000000061a = 2; *(uint32_t*)0x20000000061c = 6; *(uint16_t*)0x200000000620 = 8; *(uint16_t*)0x200000000622 = 1; *(uint32_t*)0x200000000624 = 1; *(uint16_t*)0x200000000628 = 0xb8; STORE_BY_BITMASK(uint16_t, , 0x20000000062a, 1, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 1, 7, 1); *(uint16_t*)0x20000000062c = 0x24; STORE_BY_BITMASK(uint16_t, , 0x20000000062e, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 1, 7, 1); *(uint16_t*)0x200000000630 = 8; *(uint16_t*)0x200000000632 = 2; *(uint32_t*)0x200000000634 = 9; *(uint16_t*)0x200000000638 = 8; *(uint16_t*)0x20000000063a = 4; *(uint32_t*)0x20000000063c = 7; *(uint16_t*)0x200000000640 = 8; *(uint16_t*)0x200000000642 = 2; *(uint32_t*)0x200000000644 = 5; *(uint16_t*)0x200000000648 = 8; *(uint16_t*)0x20000000064a = 2; *(uint32_t*)0x20000000064c = 2; *(uint16_t*)0x200000000650 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000652, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 1, 7, 1); *(uint16_t*)0x200000000654 = 8; *(uint16_t*)0x200000000656 = 3; *(uint32_t*)0x200000000658 = 6; *(uint16_t*)0x20000000065c = 8; *(uint16_t*)0x20000000065e = 4; *(uint32_t*)0x200000000660 = 0; *(uint16_t*)0x200000000664 = 0xd; *(uint16_t*)0x200000000666 = 1; memcpy((void*)0x200000000668, "udp:syz2\000", 9); *(uint16_t*)0x200000000674 = 0xc; STORE_BY_BITMASK(uint16_t, , 0x200000000676, 2, 0, 14); 
STORE_BY_BITMASK(uint16_t, , 0x200000000677, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 1, 7, 1); *(uint16_t*)0x200000000678 = 8; *(uint16_t*)0x20000000067a = 4; *(uint32_t*)0x20000000067c = 7; *(uint16_t*)0x200000000680 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000682, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 1, 7, 1); *(uint16_t*)0x200000000684 = 8; *(uint16_t*)0x200000000686 = 1; *(uint32_t*)0x200000000688 = 0x17; *(uint16_t*)0x20000000068c = 8; *(uint16_t*)0x20000000068e = 1; *(uint32_t*)0x200000000690 = 0x17; *(uint16_t*)0x200000000694 = 8; *(uint16_t*)0x200000000696 = 1; *(uint32_t*)0x200000000698 = 0x12; *(uint16_t*)0x20000000069c = 0x2c; *(uint16_t*)0x20000000069e = 4; *(uint16_t*)0x2000000006a0 = 0x14; *(uint16_t*)0x2000000006a2 = 1; *(uint16_t*)0x2000000006a4 = 2; *(uint16_t*)0x2000000006a6 = htobe16(0x4e21); *(uint32_t*)0x2000000006a8 = htobe32(0xe0000002); *(uint16_t*)0x2000000006b4 = 0x14; *(uint16_t*)0x2000000006b6 = 2; *(uint16_t*)0x2000000006b8 = 2; *(uint16_t*)0x2000000006ba = htobe16(0x4e20); *(uint32_t*)0x2000000006bc = htobe32(-1); *(uint16_t*)0x2000000006c8 = 8; *(uint16_t*)0x2000000006ca = 3; *(uint32_t*)0x2000000006cc = 0xb; *(uint16_t*)0x2000000006d0 = 0xd; *(uint16_t*)0x2000000006d2 = 1; memcpy((void*)0x2000000006d4, "udp:syz1\000", 9); *(uint16_t*)0x2000000006e0 = 0x20; STORE_BY_BITMASK(uint16_t, , 0x2000000006e2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 1, 7, 1); *(uint16_t*)0x2000000006e4 = 8; *(uint16_t*)0x2000000006e6 = 1; *(uint32_t*)0x2000000006e8 = 8; *(uint16_t*)0x2000000006ec = 0xc; *(uint16_t*)0x2000000006ee = 3; *(uint64_t*)0x2000000006f0 = 6; *(uint16_t*)0x2000000006f8 = 8; *(uint16_t*)0x2000000006fa = 1; *(uint32_t*)0x2000000006fc = 0x80; *(uint16_t*)0x200000000700 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000702, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 0, 
6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 1, 7, 1); *(uint16_t*)0x200000000704 = 8; *(uint16_t*)0x200000000706 = 1; *(uint32_t*)0x200000000708 = 2; *(uint16_t*)0x20000000070c = 8; *(uint16_t*)0x20000000070e = 1; *(uint32_t*)0x200000000710 = 9; *(uint16_t*)0x200000000714 = 0x10c; STORE_BY_BITMASK(uint16_t, , 0x200000000716, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 1, 7, 1); *(uint16_t*)0x200000000718 = 9; *(uint16_t*)0x20000000071a = 1; memcpy((void*)0x20000000071c, "syz1\000", 5); *(uint16_t*)0x200000000724 = 0x13; *(uint16_t*)0x200000000726 = 1; memcpy((void*)0x200000000728, "broadcast-link\000", 15); *(uint16_t*)0x200000000738 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000073a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 1, 7, 1); *(uint16_t*)0x20000000073c = 8; *(uint16_t*)0x20000000073e = 2; *(uint32_t*)0x200000000740 = 0x187; *(uint16_t*)0x200000000744 = 8; *(uint16_t*)0x200000000746 = 4; *(uint32_t*)0x200000000748 = 0x40; *(uint16_t*)0x20000000074c = 8; *(uint16_t*)0x20000000074e = 1; *(uint32_t*)0x200000000750 = 0x10; *(uint16_t*)0x200000000754 = 0x24; STORE_BY_BITMASK(uint16_t, , 0x200000000756, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 1, 7, 1); *(uint16_t*)0x200000000758 = 8; *(uint16_t*)0x20000000075a = 2; *(uint32_t*)0x20000000075c = 0xc0fb; *(uint16_t*)0x200000000760 = 8; *(uint16_t*)0x200000000762 = 2; *(uint32_t*)0x200000000764 = 0; *(uint16_t*)0x200000000768 = 8; *(uint16_t*)0x20000000076a = 2; *(uint32_t*)0x20000000076c = 3; *(uint16_t*)0x200000000770 = 8; *(uint16_t*)0x200000000772 = 4; *(uint32_t*)0x200000000774 = 6; *(uint16_t*)0x200000000778 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000077a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 1, 7, 1); 
*(uint16_t*)0x20000000077c = 8; *(uint16_t*)0x20000000077e = 1; *(uint32_t*)0x200000000780 = 0x18; *(uint16_t*)0x200000000784 = 8; *(uint16_t*)0x200000000786 = 2; *(uint32_t*)0x200000000788 = 0x80000000; *(uint16_t*)0x20000000078c = 8; *(uint16_t*)0x20000000078e = 2; *(uint32_t*)0x200000000790 = 2; *(uint16_t*)0x200000000794 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000796, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 1, 7, 1); *(uint16_t*)0x200000000798 = 8; *(uint16_t*)0x20000000079a = 4; *(uint32_t*)0x20000000079c = 0xfffffff2; *(uint16_t*)0x2000000007a0 = 8; *(uint16_t*)0x2000000007a2 = 3; *(uint32_t*)0x2000000007a4 = 7; *(uint16_t*)0x2000000007a8 = 8; *(uint16_t*)0x2000000007aa = 3; *(uint32_t*)0x2000000007ac = 0xd0; *(uint16_t*)0x2000000007b0 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x2000000007b2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 1, 7, 1); *(uint16_t*)0x2000000007b4 = 8; *(uint16_t*)0x2000000007b6 = 1; *(uint32_t*)0x2000000007b8 = 0xf; *(uint16_t*)0x2000000007bc = 8; *(uint16_t*)0x2000000007be = 4; *(uint32_t*)0x2000000007c0 = 0x401; *(uint16_t*)0x2000000007c4 = 8; *(uint16_t*)0x2000000007c6 = 1; *(uint32_t*)0x2000000007c8 = 9; *(uint16_t*)0x2000000007cc = 0x54; STORE_BY_BITMASK(uint16_t, , 0x2000000007ce, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 1, 7, 1); *(uint16_t*)0x2000000007d0 = 8; *(uint16_t*)0x2000000007d2 = 3; *(uint32_t*)0x2000000007d4 = 0xe6a9; *(uint16_t*)0x2000000007d8 = 8; *(uint16_t*)0x2000000007da = 4; *(uint32_t*)0x2000000007dc = 7; *(uint16_t*)0x2000000007e0 = 8; *(uint16_t*)0x2000000007e2 = 3; *(uint32_t*)0x2000000007e4 = 0x10000; *(uint16_t*)0x2000000007e8 = 8; *(uint16_t*)0x2000000007ea = 3; *(uint32_t*)0x2000000007ec = 0x2000; *(uint16_t*)0x2000000007f0 = 8; *(uint16_t*)0x2000000007f2 = 2; *(uint32_t*)0x2000000007f4 = 9; 
*(uint16_t*)0x2000000007f8 = 8; *(uint16_t*)0x2000000007fa = 3; *(uint32_t*)0x2000000007fc = 6; *(uint16_t*)0x200000000800 = 8; *(uint16_t*)0x200000000802 = 4; *(uint32_t*)0x200000000804 = 0x81; *(uint16_t*)0x200000000808 = 8; *(uint16_t*)0x20000000080a = 3; *(uint32_t*)0x20000000080c = 0x3ff; *(uint16_t*)0x200000000810 = 8; *(uint16_t*)0x200000000812 = 1; *(uint32_t*)0x200000000814 = 0x19; *(uint16_t*)0x200000000818 = 8; *(uint16_t*)0x20000000081a = 1; *(uint32_t*)0x20000000081c = 0x1a; *(uint16_t*)0x200000000820 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000822, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 1, 7, 1); *(uint16_t*)0x200000000824 = 8; *(uint16_t*)0x200000000826 = 1; *(uint32_t*)0x200000000828 = 1; *(uint16_t*)0x20000000082c = 8; *(uint16_t*)0x20000000082e = 2; *(uint32_t*)0x200000000830 = 0x79; *(uint64_t*)0x200000000848 = 0x2b4; *(uint64_t*)0x200000000898 = 1; *(uint64_t*)0x2000000008a0 = 0; *(uint64_t*)0x2000000008a8 = 0; *(uint32_t*)0x2000000008b0 = 0x4040811; syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000880ul, /*f=*/0ul); break; case 8: syscall(__NR_read, /*fd=*/r[0], /*data=*/0x2000000008c0ul, /*len=*/0x1dul); break; case 9: *(uint64_t*)0x200000000980 = 6; *(uint64_t*)0x200000000988 = 0x200000000940; *(uint64_t*)0x200000000940 = 0x904e; *(uint64_t*)0x200000000948 = 1; *(uint64_t*)0x200000000950 = 9; *(uint64_t*)0x200000000958 = 6; *(uint64_t*)0x200000000960 = 0xe; *(uint64_t*)0x200000000968 = 5; syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x4010801d, /*arg=*/0x200000000980ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 2, 1); 
STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 4, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; memset((void*)0x20000000004a, 255, 6); *(uint8_t*)0x200000000050 = 8; *(uint8_t*)0x200000000051 = 2; *(uint8_t*)0x200000000052 = 0x11; *(uint8_t*)0x200000000053 = 0; *(uint8_t*)0x200000000054 = 0; *(uint8_t*)0x200000000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x200000000056, 1, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0x7f, 4, 12); *(uint16_t*)0x200000000058 = 0x1f; *(uint8_t*)0x20000000005a = 0x8c; *(uint8_t*)0x20000000005b = 0x18; *(uint16_t*)0x20000000005c = 0x5d9; memcpy((void*)0x20000000005e, "\x8e\x85\x14\x4c\x64\x33", 6); memcpy((void*)0x200000000064, "\xe0\x23\xfb\xed\x51\x30\x11\xc5\x70\x7e\x45\x24\x72\xe2\x05\x5d", 16); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x34); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memcpy((void*)0x2000000000c0, "\x3a\x38\x64\x65\xf3\x89\x38\x0e\x26\xb0\xcb\x13\xf9\x8a\x36\xe2\x21\x4f\x09\x9e\xe0\xd0\xb2\x9b\x75\x4e\x31\xd6\xef\xc8\x2c\x04", 32); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/0x20, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_path_truncate\000", 22); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xda\xa4\xed\x40\xf7\xcf\x4d\xa8\x63\x77\xe8\x64\xd8\xe6\xc6\xd4\xfc\x54\x86\xaf\x4a\x6f\x23\xde\xa5\x8b\x32\x43\xa2\x91\xb0\x18\x0d\xba\xf5\xc9\x27\x58\xaf\x73\xf9", 41); 
memcpy((void*)0x200000000200, "\x40\xf2\x76\x85\x6b\x81\x91\xc4\xf3\x12\x75\x9d\x79\x5a\x22\xc3\xc7\xed\xc9\x16\x78\x79\x4f\x4e\xea\xc4\x57\x46\xfc\xc9\x93\x07\x22\xc8\x18\x9b\xa5\x95\x65\xf7\x32\x7c\xbc\xd4\x50\x61\x64\xeb\x9f\x6f\xf1\x75\xf1\xf0\x8d\x60\x24\x70\x91\x77\x2c\x18\x5a\xc3\x83\x04\xe9\xb5\xb3", 69); res = -1; res = syz_clone(/*flags=CLONE_NEWUTS|CLONE_VFORK*/0x4004000, /*stack=*/0x200000000140, /*stack_len=*/0x29, /*parentid=*/0x200000000180, /*childtid=*/0x2000000001c0, /*tls=*/0x200000000200); if (res != -1) r[3] = res; break; case 14: res = syscall(__NR_getpgrp, /*pid=*/r[3]); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x800; *(uint64_t*)0x200000000508 = 0x200000000280; *(uint64_t*)0x200000000510 = 0x2000000002c0; *(uint64_t*)0x200000000518 = 0x200000000300; *(uint32_t*)0x200000000520 = 0x12; *(uint64_t*)0x200000000528 = 0x200000000340; *(uint64_t*)0x200000000530 = 0x66; *(uint64_t*)0x200000000538 = 0x2000000003c0; *(uint64_t*)0x200000000540 = 0x2000000004c0; *(uint32_t*)0x2000000004c0 = r[3]; *(uint32_t*)0x2000000004c4 = r[3]; *(uint32_t*)0x2000000004c8 = r[3]; *(uint32_t*)0x2000000004cc = r[4]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = -1; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000280; r[7] = *(uint32_t*)0x2000000002c0; r[8] = *(uint32_t*)0x200000000300; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000001680 = 4; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000001680ul); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000004a80 = 0x80000000; *(uint32_t*)0x200000004a84 = 0xee01; *(uint32_t*)0x200000004a88 = 0xee01; *(uint32_t*)0x200000004a8c = 5; *(uint32_t*)0x200000004a90 = 0xfffffff8; *(uint32_t*)0x200000004a94 = 1; *(uint16_t*)0x200000004a98 = 0x6bc1; *(uint32_t*)0x200000004a9c = 0x40; 
*(uint64_t*)0x200000004aa0 = 0xffff; *(uint64_t*)0x200000004aa8 = 0x2265; *(uint64_t*)0x200000004ab0 = 0xfffffffffffffff8; *(uint32_t*)0x200000004ab8 = r[3]; *(uint32_t*)0x200000004abc = r[8]; *(uint16_t*)0x200000004ac0 = 0xfffa; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000003a40; memcpy((void*)0x200000003a40, "\x89\x17\xf9\x6e\xff\x00\x1e\x00\x64\x91\xda\x94\x8f\x25\xc3\xac\x36\x65\x39\x2d\x07\x7a\x28\x78\xa0\xc4\x71\x86\xfb\xb5\x96\x00\xe8\x72\x5c\x57\x48\x93\xc0\xd6\x45\x65\x1c\xd4\x96\xd4\xd6\xc4\x3d\xd8\xd9\xe3\xce\xca\x2e\x2a\x35\xfd\x60\x78\x5c\xd7\x7e\xc5\xc5\xee\xd5\xea\x44\xa8\x53\x76\x9a\x52\xcb\x3e\x89\xd0\x6c\x09\x95\xf7\x7e\x9b\x7e\xcc\x68\xfa\x52\x1a\xc4\xb1\x93\xee\x67\xdc\xce\xc0\xa7\xd1\x3f\x3c\x06\x8e\xe0\x46\xa9\xa1\x42\x01\x1c\xd4\xba\x8e\x67\xf3\x81\xe1\x67\x45\xd8\x1a\x2b\x5b\xf1\x1f\x4e\xf0\x01\x43\x30\xc9\x5f\x0f\x5b\xc8\x9d\x00\xf1\x61\x29\xa9\x63\x77\x82\xe5\xa6\xf4\xd9\x22\xe0\xf0\x74\x57\xee\x51\x5e\x1b\xbf\x56\x54\x90\x6d\x88\x7b\xa0\x2b\xee\x66\x4d\xa7\x2a\x51\xb5\xdc\xdf\x4b\xec\xca\x2d\x80\x67\xe3\x57\x53\xc0\x31\x23\x59\xef\xb6\xda\x86\x14\x9a\xfc\x10\x10\xd0\xc6\xc8\x6c\xc9\xc8\x83\x1c\xa1\x27\x6c\xa9\x68\x81\x1c\x87\xba\xab\x12\x1c\x9d\x81\x72\x73\x19\x6e\x97\xae\x66\xf3\x97\x66\x7e\x02\x3f\xc2\x33\x19\xc2\x4f\xa8\x23\x57\x22\x26\xfb\x74\x8a\xc5\x4f\xf5\x28\x23\x6b\x07\x81\xa2\x0e\xd5\x2e\x11\x69\x27\xa2\x2b\x11\xe0\xb8\xac\xeb\x36\xd2\xcf\x4a\x78\xeb\x34\x65\xfc\xb9\xc9\x49\x3e\xad\xd4\x46\x86\x76\x6f\xb2\x6d\x4d\x0a\x54\xd0\x28\x27\x3a\x5c\x60\x53\x88\x53\x4e\x49\x37\xf1\x8c\xa9\x05\x32\x44\x5f\x94\x66\x51\xf3\x63\x4e\x9b\x36\x5b\xb8\xed\x72\x42\xb9\x12\x31\xba\x06\x34\x7e\xab\x1f\x32\x00\x96\x37\x4f\xbd\x8a\x7a\x94\xc2\xfa\x71\x54\x41\x5c\x92\x3f\xd6\x6c\xd6\x26\x48\x9e\x7c\x79\xca\xd3\x9b\x66\xb0\x67\x4b\x94\x39\xb5\x7b\x79\xec\x79\x03\xd3\x5e\xc3\x14\xdb\x9d\x7e\x41\x5d\xf3\xc4\xf7\x55\x14\xb1\xc8\x3e\x9b\x6b\x27\x1d\xab\xeb\xd3\xb7\x93\xa7\x8a\xd5\xba\xef\x25\x39\x39\x34\xbc\x1b\x49\x69\xeb\x61\x28\x
d3\x52\x14\x90\x47\x0f\x25\xe7\xa4\x7b\x13\xee\x0c\x47\x72\xd0\x47\x3d\xa5\x18\x44\x1b\x7b\xd3\x62\xbc\x99\xb0\x9c\xf6\x96\xbe\xb9\xe5\xf9\xd3\xd5\xe8\x8e\x9e\x96\x0e\x25\x9e\x4f\xe6\x7c\xfa\x3b\x2a\xbd\xe1\x00\x10\xf3\xc6\xa6\x0d\x26\x9a\xd1\x3e\x59\x05\x2e\x8a\xb9\x51\x40\x1d\xde\x34\x5c\x4f\xed\x4f\xea\x6d\x91\xb8\x4d\xae\xee\xbf\x45\xfa\x79\x98\xee\x41\xda\x06\x87\x5e\x7b\xc4\x8d\x9d\xe5\x4d\xe3\x6d\x9e\x27\x49\x5f\xe7\xe8\x8e\x02\x4e\x7d\xd3\x58\x7d\xcb\xc7\x1c\xd4\x33\xb7\x1a\x4d\x97\x2b\x02\x65\x59\xef\xbf\x17\xc2\xb0\x2b\x23\x57\xb9\xd9\x13\xa7\x64\xc9\x5c\x5a\xa7\xb3\x2f\xd2\xc0\xb6\x2b\x47\xf2\x7e\x47\x85\xe7\x6d\x85\x62\xb4\xe4\x3e\xdc\x6d\x61\x0d\x2b\x97\xdd\x1a\x1e\xe6\x5b\xd1\xef\x89\xe0\x11\x0b\x14\xc2\x02\x5b\x04\xb8\xcf\x16\xf0\xc2\xc1\xab\x89\xad\x30\xbd\xbd\x8b\x98\x94\x27\x8b\x4b\xe8\xd0\x81\x55\xec\x0c\xd2\x0f\x54\x4f\x18\xa4\xf2\x6a\x98\x0d\xec\xac\x1c\xe2\x94\x21\x27\xd8\xd0\x35\x0d\xc4\xa9\xa3\x29\x30\xaf\x33\x53\x18\x22\x31\x9d\xd1\x39\xe2\x7c\xf7\x69\xd0\x68\x87\x96\x08\xc2\x51\x7d\x59\x96\x5f\xbf\xfe\x98\x79\xaf\xd4\x87\x87\x5a\xd2\x39\x58\x6b\xbe\xca\xd1\xb0\x0e\x13\x77\x20\x3a\xbe\x3f\xc5\x82\xfa\xaf\x4f\x9e\x08\xe5\x76\x58\x81\x22\x09\xb3\xa8\x65\x3b\xf3\x9e\x12\x6b\x79\x47\x4c\xed\x54\xb7\x4f\xd4\x77\xb0\x3a\x80\x90\x6e\x34\x6d\xfc\x7f\x5a\x86\x41\x0f\x6b\xbc\x64\xa7\xff\x88\xc3\x7a\xa1\xd1\x87\x13\x31\xad\x2a\x63\xfe\xce\xa9\xb4\x3d\x3f\xad\x06\x2d\xe7\x0d\xdd\x1c\x77\x3a\xe6\x25\x68\xff\x3b\xe8\x04\x58\x3d\x3a\x5a\x10\x79\x68\x13\xcd\x4b\x51\xf6\x7b\x09\x91\x0b\x42\x7e\xb9\x28\x04\xe7\xf2\x7a\xdc\xd8\xec\x9a\xfb\x24\xe3\x15\x1b\x48\xa3\x8c\xc5\x99\x27\x99\xdf\x37\xe5\xcf\x6a\xd5\x77\x94\x1a\xd7\xe2\xca\xf1\x56\x19\x23\x69\x27\x34\x2e\x87\xb5\xb2\x60\x47\x37\x16\xa9\xba\xd7\x0b\x39\x51\xf7\x26\x5c\x20\xc0\x00\x85\x26\x67\xfd\xe0\xc4\xb7\xf2\x7a\x32\xb7\xee\x13\x3c\xbc\x65\xba\x4d\xc3\x91\x0c\x23\x75\xe1\x95\xba\x76\x54\xe2\xd2\xd4\x5f\x91\x6e\x47\xf1\x07\x59\x5a\xdc\x63\x24\x78\x40\xdf\x4e\xca\xeb\x96\x40\xfb\x66\x19\x86\xad\xd0\xdd\x
02\x79\x6d\x58\x10\xf5\x1c\x93\xfd\xcf\x89\x74\xda\x1f\x10\x14\xf2\xf4\xad\xb1\x6f\x04\xe7\x33\xb5\x3a\xc2\xe8\xb4\xa8\x53\xe9\x3a\x93\x5a\x73\x20\x28\xc8\xe3\xec\x12\x0f\xc5\x41\xe5\x12\x6f\x2d\x88\xdd\x4b\xbc\xa0\x6f\xa6\x10\x16\x34\x64\xcb\x17\xf4\x5e\x7a\x2b\xe0\xe5\x1d\x8e\x45\xe3\x7c\x50\x91\xd7\x62\xce\x5b\xfd\xb6\x93\x53\xba\xfb\x95\x5c\x25\x54\x47\x02\xdc\xf7\xd1\x39\x4a\xac\x7a\x49\xa0\x78\x7f\xf1\x68\x74\x25\xa3\x75\x24\x9c\xa3\x78\xbc\x4f\x4a\xa2\x4a\xbc\xa2\x4a\x87\x1f\xd6\x74\x25\xb2\xf6\x60\x93\xb5\xb9\x87\x24\x99\xec\x85\xfa\xef\xfb\xf4\x3f\x0a\x4d\x3e\xfb\x5c\xea\xe7\x05\xa1\xa8\xe1\xf2\xbf\x79\xf5\x53\xc1\xc9\xf3\x8b\xd0\x9f\x93\xa8\x22\xbe\xb4\x54\x74\x4d\xd1\x17\x7e\xea\x67\xb7\xbd\x6c\x42\x1e\x58\x24\x62\x02\xab\x90\x2f\x79\xe0\x15\x5f\x1d\xe2\xbf\x22\x6f\x61\xbb\x39\xbf\xc2\xfb\xa3\x47\x9f\x25\xee\xa7\xf0\x1f\x70\xbc\x08\xa9\x8e\x88\x74\xe5\xd1\x38\x42\x83\xb9\x96\x07\xea\xa5\x2e\x89\x54\x90\xbd\xb2\x1c\x81\xcb\x3b\x37\x91\xc1\xde\xce\x0e\xbc\xe6\x7c\xc4\x5b\xcb\xa2\x99\xbb\x89\x2c\x9d\x19\x50\xbf\x33\x5e\x95\x4f\xd3\x03\xc6\x5e\x1a\xfe\xc4\x8a\x3d\x3e\x10\xa4\x04\x35\x2a\x13\x02\xef\xce\xbe\x12\x54\xeb\x2b\x25\xd6\xf4\x50\xb2\x6a\x3f\x1b\xd7\xf5\x77\xe5\x4c\x95\xe5\x66\x11\x74\xd3\x27\x82\xfe\x6b\x11\x99\x65\x42\xfe\x1b\x97\x51\x39\x62\x88\xd2\x7a\x47\xe3\xc9\x8d\x1c\xc3\xf3\xab\x55\x8b\xa3\xe8\x2a\x6c\x3e\xd4\x84\x0f\x4e\x3d\x79\x36\x95\x73\xc3\x75\x34\x07\x3e\x79\xad\xfd\x23\x23\x83\x2b\x65\xe7\xa6\xc4\x5b\x72\x57\x91\x38\xe2\x26\x29\x1d\x27\x00\xda\xc3\xa1\xcc\x91\x61\x40\xf5\x4c\xb2\x8b\x34\x70\x85\x61\x89\x81\x25\x44\x36\x6f\x75\x7c\x0a\x29\x4e\xe2\xb5\xbf\x6c\x30\x8a\xd4\xdf\x23\x0d\x5a\x74\x3b\x8c\xf7\xa1\xf6\x4a\x30\x61\x98\x3f\x22\x38\x50\x26\x2c\x75\x74\xae\x48\x0a\x02\xf6\x8c\x04\x3b\xa7\xaa\x82\x2f\xf6\x45\xd4\xe4\x48\x2c\x14\xcb\xb5\x8c\x15\xf6\x5c\x98\xd1\x69\x2f\x93\x9d\x0d\x95\x58\x50\x45\x42\x4a\xbe\x5e\x58\x65\x14\x77\xf9\x1d\x0c\x1d\xaf\xb3\xf3\x3a\xf9\xe6\x9b\x79\x4e\x13\xeb\x0c\x42\x9d\xe9\xb9\x2b\xbc\x5f\x92\x82\xa2\xe6\x
c9\x11\x9f\x6f\xd8\x60\x3f\xe1\x1a\xf2\xd5\x16\xc9\xa7\xad\x38\xe3\x33\x7b\x96\x9c\x3d\x95\x93\xf0\xd4\xac\x95\xc4\x4e\x7f\x47\xe8\x10\xf6\x97\x0a\x1a\x6f\x18\xf2\x09\xfe\xdc\x35\x65\x6d\xc5\xc5\x36\xb0\x39\x6a\xed\xaf\x83\xca\x46\x65\x5e\xdc\xc4\x08\x8c\x6f\xcf\xfa\x68\x9a\x87\x83\x09\xc1\x76\x7b\x21\x87\xc9\xb5\xfa\x57\x5e\xfd\x80\xe0\x57\x4a\x57\x76\x73\xb4\x5e\xda\xc8\xb1\xc9\x12\xce\x60\xcd\x18\x29\x0d\x31\x02\x5c\x80\xeb\xa3\xd9\x97\xe4\x79\x2b\xe2\x3a\x49\xc0\x09\x4e\xe2\x85\x48\xfa\x33\x27\x5e\x6c\x28\x0b\xb6\xe0\xa0\xaa\x8e\x79\x04\xc6\x41\xcb\xcb\x3d\x99\x49\x46\xf0\xe4\xc6\xd6\xb1\x91\xd3\x46\x53\x64\x79\x3a\x69\x7f\x2c\x25\xd1\x30\x92\x3c\x79\x9a\x3a\x8d\x71\x69\xa3\x7a\xc2\x9b\xdd\xfb\x76\x6d\x51\x30\xb5\xe4\xbd\x43\x97\x8a\xad\x35\x49\x05\x2c\xf6\xf5\x64\x76\x80\x52\x03\x23\x46\xae\xf8\xf5\x84\x4b\x97\x04\x84\x2c\x0f\x1f\xa7\xd2\x6c\x69\x71\x88\xc0\xe8\x64\x16\x58\xd6\xd2\x99\xa6\x1f\xf1\x40\xa4\xb9\x4f\x04\xf6\xec\x06\xff\xca\x6e\x57\x4b\xdd\x60\x03\x72\xed\x5d\x16\x6a\xee\xae\x4f\x24\xe1\xec\x3c\x21\x2f\x05\xaa\x85\x37\xf0\xab\x83\x1e\x47\x2f\x32\x16\x4a\x08\x87\xc6\xf4\xe4\x25\x32\x56\x5f\x05\x5a\x8c\xd4\x35\xe9\xcc\x91\x08\x96\x7e\x42\x2c\x6d\x0e\x74\x06\x33\xc9\x77\x84\x71\xef\xa8\xa4\x4a\xb5\x5a\x06\xbd\xb6\xb8\x17\xf8\xa6\xcc\x55\xd5\x2a\xce\x6e\xc4\x38\xad\x4f\xbe\xe7\xc6\x4e\x00\xfc\x65\xc7\x6a\x36\x16\xc3\x5f\xb7\x1b\xb6\x08\x4f\x44\xf8\x08\x3d\xff\x56\xd7\x71\xe1\xd3\x23\x58\x4b\x82\xf1\x05\xe0\xa2\x11\xce\xae\x9a\xfc\x0f\x5e\x61\xa2\x64\x94\x76\x44\x0c\xf6\x8d\x9a\xbf\xfb\x48\xde\xcd\x0e\x8d\x2e\xd1\x09\x07\xd3\x5e\x39\x0d\xaa\x1e\xef\x83\xda\xc8\xab\x44\xe2\xac\x58\x86\xf6\x23\x5f\x6b\xd7\xb6\x9f\xf3\xc0\x98\xb5\x58\x89\x49\x08\xd4\xcd\x28\x24\x7f\xb6\xec\x4b\xb5\xb1\x63\xf6\xb2\xee\xf3\x86\xe7\xce\x26\xde\x75\x9b\xd6\xe2\x4e\x46\xaa\x2b\x38\xf0\xa4\xe6\xa4\x78\x5a\xf1\x4b\xd6\x03\x5a\x32\x6c\x29\xaf\x21\x5a\x4c\x1c\x45\xae\x76\x7b\xd7\xe6\xdb\x1b\xae\x69\xbe\x04\x5e\xf0\xb1\xeb\x39\x34\xac\x5e\xbe\x3a\x4c\x1d\xd5\x9b\xb9\x60\x53\xbe\xeb\x
55\x61\xb5\x21\xc4\x78\x52\xd9\xa2\xc6\x6c\xfa\xf8\x2c\x2a\x01\x6e\x5d\xe7\x29\xea\x0e\x0c\xe4\xf9\x80\x85\x79\x2b\x5e\x5a\x80\x2c\xd7\xfb\xac\x9e\xf3\x8e\x20\x3e\xbb\x36\x51\xf1\xb3\x0a\xf6\xea\x29\xfa\x17\x9f\x8b\x19\x26\x41\x60\x4b\xe0\x29\x29\xda\xff\xad\xd6\xc9\x7b\xa4\xcd\x56\x79\x0c\xc2\x43\xd0\x47\x0e\xb8\xc1\xae\x78\x12\xda\x66\x6b\x0b\x32\x9f\xb3\xf0\x4f\x78\xe2\x5a\xd1\x7b\x4b\x39\x78\x13\x82\xad\x93\x7e\x08\xad\x34\x48\xb6\x32\x38\x18\x5b\x98\x22\x42\x19\x0f\xd1\xe4\xad\x8f\xbb\xa5\x5d\x6a\xbf\x96\xe0\x16\xe1\xd9\x8d\x37\xd5\x1c\x2e\xe1\xe4\x1f\x54\xf8\xac\x7e\x03\x8e\x36\x16\xf5\x69\xd0\x24\x69\x0e\xa3\x03\xbe\xc6\x98\xbe\xb9\x8b\x9e\xa4\x9f\x6b\x87\xe3\xf7\x10\x49\x97\xa6\xad\x7d\x33\xdb\x8f\xb7\x9a\xda\x8c\x5f\x7f\x54\xee\x17\xf7\xb3\xd8\x6a\xa1\x53\x2b\x43\x9c\xd8\xde\x90\xb5\xfd\x7f\xc3\x32\x56\x80\x06\x1d\x93\x19\xd1\x83\x5e\x60\x3f\xaf\x79\x33\xbf\xd6\x0d\x73\x39\x65\xf0\xf2\x5a\xdf\x39\x45\x09\x2b\xb9\x9e\x95\x34\x66\x02\xfa\xf6\xaa\xbe\xb3\x3c\xbc\xa3\xb2\x19\xb4\xf8\xaf\xaf\xe8\x25\xc6\x62\x7c\x0c\x7b\x00\xc3\x38\x75\xb6\x9d\x01\xc0\x8b\x90\xe6\xfa\x64\xf0\x9b\x42\x93\x2e\x1c\xcc\x9b\x3d\xa3\x67\x71\x66\x7d\x5b\xb7\x53\x1a\x2a\xc1\x74\xbc\x41\x2d\xff\xad\x7c\x6f\x8f\xd4\xda\xd3\x30\xfb\x41\x5a\x97\xe8\x13\x6c\xd5\xc0\xbb\x7d\x00\xd2\xb2\xc9\x56\x93\x6c\x9f\x5f\x74\x7e\x3c\x9a\x36\x1d\x79\xd0\x48\xcb\x3f\x52\x8f\x18\x7f\x9b\xba\x5d\x78\xd7\x30\x9b\x1b\x25\x6f\xbb\x34\x9c\xd5\x29\x45\x54\x1a\x5a\x57\x80\x9f\x2d\x71\xa8\xe8\x05\x57\xb2\x3b\xe4\xfb\x31\xca\xdd\xc5\x95\x53\xb6\xbc\x0f\xaa\x16\x5e\x4a\xb1\xf8\x27\x9c\xa6\xe3\x07\xce\x79\x20\xc4\x3b\xdb\xad\xec\x04\xef\x8b\xe7\x0d\x57\xaf\x59\x8d\x1d\x8a\x89\x6a\x09\x52\xb2\x3c\xba\x46\x4e\x0e\x9b\x36\x25\xf9\x93\xdc\x12\xc8\xf7\x74\xe8\x7d\xa0\x51\xec\xa4\x9b\xd1\x4e\x4e\x2e\x27\x0c\xf7\x5d\xc8\x34\x3b\x2a\xd4\xb0\xa2\x17\x8c\xb5\x57\xc6\xd0\xeb\x1a\x0b\x23\xed\x92\x58\x0c\xe5\xad\xa7\x8c\x2b\xb1\x0d\xdd\x25\xd4\xbb\x14\x7d\x61\xa0\x0f\x5e\x1d\x1d\x5c\x88\x8d\x47\x42\x4c\x04\xde\x7d\x41\x38\x4e\x2c\x
68\x8a\x57\x35\x8d\x05\x81\x4a\xd9\x17\x13\x5a\x80\xec\xcd\x1d\x1f\x14\x72\x42\xa5\xda\x4d\xad\x08\x38\x32\x2e\x9a\x2f\xa5\x31\xfb\xb6\xb0\x83\x2b\x67\x00\xf8\x72\x79\x84\x6c\xe2\x33\x16\x79\xb8\x2f\x04\xfe\x1b\xe1\xe8\xce\x9f\x61\x0b\x63\xff\x30\xad\x0b\x76\x97\x78\x17\x73\x9a\x29\x5c\x9e\xc9\xdc\xf1\x1f\x81\xa6\x76\x19\x40\x73\x04\xc1\xd5\x94\xc5\x19\x6d\xb1\xbd\xeb\xfe\x03\xf2\x2a\xda\xac\x92\x53\xd7\x53\x96\x71\x38\xbc\x9d\x2c\xf4\x73\x54\x91\xd2\x74\x5c\x23\xe5\xd2\x29\xc7\x46\x27\xdd\x19\x1b\xc6\xc0\x38\x51\x39\x14\xdb\xdc\xfa\xcb\x8b\xcb\x28\x14\xdc\x52\x5e\xda\xd8\x89\x52\x09\x99\xfc\xe6\x44\x69\xc6\x06\x94\x40\x59\x61\x51\x84\x41\xc3\xe8\x44\x53\xaf\xa3\x49\x9e\x3a\x89\x83\xb5\x7f\x94\x59\x3e\x86\x64\x71\x9d\x5e\x65\x98\x42\x2b\xb8\xcb\xc5\x16\x20\xb2\x59\x41\x3b\xea\x16\x49\x0b\xbe\x6c\x9a\x72\xbf\x21\xf6\xb4\xd4\x99\x37\x1a\xd9\xfc\x82\x77\xdd\x3f\x2f\x75\x23\xcc\x5e\x6c\xee\xbf\x74\xfc\x39\x44\x13\x6b\x2d\x56\xda\xa2\x04\x03\x74\x31\x9a\x1c\x83\xc3\xbb\x0c\x96\x2d\x32\x1d\x80\x39\x17\x0b\x98\xb6\x04\xc8\xed\x42\xc5\x96\x31\x4a\x01\x13\x9c\x9d\x36\xcc\xd6\xf2\xcb\xd3\x11\x3b\x2c\x9d\x4e\x19\xf0\x86\x94\x46\x36\x10\xa3\x68\xf8\xac\x74\xf2\x97\x94\xf1\x45\x60\xe0\xa3\xd4\x81\xc6\x73\x41\x0a\xd9\x46\x65\x81\xaa\x2a\x33\x4f\xf3\x80\xa1\x00\xfb\x04\x9a\xd8\x19\x6e\xb4\x78\x4e\xa1\xbe\xdc\x13\x9a\x70\x54\xf1\x8a\x8d\x44\xbc\xa0\xa3\xd0\x12\x2f\x5d\xc3\xa1\xc4\xd2\x9b\xde\x35\xe3\x32\xbd\xf2\x8c\xb9\xb9\x85\x43\xad\x3e\x33\x14\x3a\xf8\x79\x03\xb5\x62\x4f\x62\x30\x55\x98\xde\x27\x58\x33\x20\x8e\xc8\x37\x06\x82\xad\x9f\x0f\x9a\xc6\x4c\x43\x90\x44\xa2\xde\x30\x33\x46\x87\x34\xf4\x92\x66\x13\x88\x59\x69\x5b\x60\xa6\xfb\x45\xd7\x94\xb8\x71\xc1\x9c\xbe\xdf\x59\xb7\x64\x45\x3b\x78\xcf\xea\xd4\xc5\x01\xb1\xf8\xc0\xff\x82\x7b\x70\x29\x73\x92\x69\x7a\xdb\x13\xce\xff\x2f\x13\x9b\xff\x3b\xa2\x38\x79\x8a\x07\xfe\x5f\x55\xa0\xef\x5b\x75\xcc\xb4\x98\xbb\x89\x43\xba\xb4\xa6\x71\xf1\x25\xfb\x06\xf2\xe5\x9f\x77\xfd\xb0\x2c\xb2\x3e\x86\x87\x56\x8d\xc0\xd5\xc4\x86\x09\x94\xa3\x7c\x
ca\xb3\x65\xd7\xa7\x08\x03\xc6\xa6\xf4\x8f\x5b\x3f\xf1\xcb\xdd\x51\xd8\x96\x1f\x97\x3c\x70\x33\x75\xd2\x52\xe6\xc5\xa0\xff\x13\x3b\x59\x72\x43\x13\xf9\x88\x84\x1b\xd6\x1e\xc2\x97\x67\xa4\x60\x8a\x5b\xc4\x5b\x10\x4e\x4f\xc9\x82\x61\xe4\x54\x0a\x10\x38\x2a\x49\x5d\x64\xdd\x5f\x6c\x03\x90\x66\xd9\xd3\x58\xef\xb1\x66\x71\x17\x8e\x88\x4f\x07\x0a\x07\xfd\x02\xa0\x0b\x63\xb7\xf5\x75\xf6\x42\xbf\x91\xee\xc3\xbb\x90\xdb\xa9\xa2\x1d\xf3\x17\x9c\xf1\x2e\xa9\x52\x5d\x09\x74\xd6\xfc\x44\xbf\x69\xfc\x54\xf8\xa5\xff\x98\x67\x06\x67\x8d\x7c\xe0\x6c\xce\x44\xdf\x29\x74\xb9\x66\xe6\x7a\xca\x31\x4e\x0b\x58\xac\xc4\x15\x54\xa4\x42\xef\x35\x87\xab\xba\xf1\x82\x95\xec\xa5\x9c\xa8\xa1\x0e\xdd\x3f\xbd\x1f\xac\x0b\x06\x01\x3d\xe5\xf7\x33\x37\x51\xc5\x7d\xeb\x4d\xae\xf9\xe4\xc5\x5e\x93\x74\x1e\xd1\xd2\xf7\xf9\x63\xcd\xed\xc6\xef\xdb\x5d\x8b\x14\xd7\xd6\x12\xe2\x61\x2f\x30\x96\x6f\x4e\x67\x60\xd1\xa4\x6f\xbe\xe5\x0d\xcc\xff\xc0\xb2\xe5\x17\x7b\x1c\x60\x27\xad\xae\xe0\x90\x75\xb6\x55\xcf\x85\xdd\xbb\x4e\x44\x83\xd5\xde\x7b\x38\xa9\x10\xf9\x96\x71\x1c\x05\x8c\x1b\x97\xe6\x21\x27\x48\xc8\xcc\x7d\xe8\xcf\x7a\x56\xaf\x75\xe2\x91\x86\x7c\x26\x88\xe9\x99\xc6\x55\x3d\x7a\xaf\x3d\x2f\x62\xc2\xf5\x3b\xf8\x8c\xf2\x04\x40\x07\xdb\xe9\x29\x85\x65\x31\xb0\xad\x6b\x48\xa6\x11\x8b\xf3\x5c\xce\x82\x7e\x5d\x0c\xd2\xa1\x9b\x3f\xc3\x73\x95\xe1\xce\xd2\x13\x7f\x0c\x72\x6f\x5c\xc9\x91\x33\x3a\x0f\x07\x94\xda\x0b\x6d\x75\x73\x74\x21\x7e\xae\xbc\xbb\x6d\x87\x43\x1f\x08\x9a\x57\x10\x2c\xa5\x37\x3b\x8d\x73\x0a\x92\x02\x60\x59\xc6\xa8\x80\x94\xe9\xc6\x29\xd8\x1e\xcc\xf8\x6b\x4e\x8f\x09\x1d\x32\x55\x63\xd1\xf4\x01\x6c\x97\x97\x2c\x58\x4b\xc7\x6d\x1f\xb4\xed\x94\xb7\x21\x34\x4d\x00\xcc\x67\x24\xf5\x64\x9d\xfe\xd8\x4d\xc5\x11\x58\x3e\x1a\x08\xa4\x3c\x24\x09\x93\x41\x72\xff\x3f\x0d\xfc\x93\x99\x6b\x84\x79\xc0\x50\xdc\x19\x30\x9a\xa9\x98\xf7\x09\xed\xa3\xb3\xcf\x80\x6b\xec\x71\x7e\x17\x18\xb8\xcc\x10\x06\x0b\x33\x5c\x46\xf1\x7c\x52\x2a\xc0\xbb\x69\x6f\xb4\x39\x3a\x94\x50\xbe\x5f\xa7\x55\xea\x0d\x71\xb3\x0a\x84\x31\x51\x5c\x
44\x63\x90\x15\x4b\xc2\xa4\x95\x1b\x3f\x15\xf4\x19\xce\x20\xb0\x30\x2b\xd9\x00\x25\xd8\x3c\x47\xa0\x18\xf6\x88\x6a\xb1\xfb\xb7\x57\x7d\x5c\x06\x6b\xab\x23\xd8\x41\x89\xcc\xff\x63\x40\xa3\xca\x41\xdf\x5c\x6d\x99\x4b\x26\xb8\xfc\x34\xc6\x90\xdf\xb2\x29\xc8\x37\x60\x22\x4b\xdc\xe8\xe8\x67\xd1\xf5\xa0\x97\x73\x6d\x3f\x19\xd8\x22\x9f\x91\x43\xac\x03\x70\x93\xd4\xcc\x32\xab\x10\x4b\x58\x28\xf1\xcc\x84\x49\x5a\x68\xd7\x67\xb7\xfb\xd7\x25\xd4\x34\x71\x9a\x36\x01\xb5\xfb\x23\x36\x4a\x5e\x41\x51\xc6\xf9\x15\xce\x53\xf7\xde\xbb\xb9\xf1\x5b\x81\x1c\xb0\x2b\xb8\x73\x94\xff\xb6\x1e\x8b\x8a\xe5\x74\x9d\xc7\x43\x2b\x51\x6b\x8a\x62\x79\x90\x53\x7b\x9c\xdf\xd2\xa0\x94\x39\xb7\xdc\x04\x39\x97\xe0\xf5\x90\x36\xab\x34\x70\xaf\x1b\xc7\x67\x10\x11\xe5\xb4\x72\xe3\xf6\xad\x45\x6b\xa7\x06\xd5\x50\x66\x1c\xbc\xf6\x10\x7e\x9b\x7e\xe4\x9a\x82\x05\x2d\x90\x1b\xb7\x9f\xb1\x8d\x82\x21\x6a\xee\xfa\x2e\x76\x39\x0f\x80\x94\x3c\xc8\x56\xa0\x08\xc7\x25\x6b\x84\xd8\x85\x7f\xa6\x34\xad\x7d\xd4\x50\x13\x86\xbb\xab\xe2\x38\xa5\x8a\xec\xb7\x7a\x0d\xe5\xff\xaa\xa5\x63\xa1\x96\x8b\x72\xb9\x2b\xa5\x8d\x1a\x1e\xf6\xf9\xed\x04\x9f\xf3\x8b\x7f\xc3\x42\x27\x46\x16\x31\xfe\xc6\x53\xe7\x81\xf1\x57\xec\x73\x86\x36\x2b\x66\x77\x8a\xfc\x89\x82\xcd\xae\x50\xe1\x29\xf4\x32\x9b\xfe\x35\xcd\x9d\xa3\xd5\x75\x22\x04\xfa\x72\x75\xcc\xbc\x01\xab\xf8\x5c\x6c\xf3\xab\x9e\xab\xb2\xea\x7a\x1c\x77\x9e\x67\x3d\x0f\x95\x16\xb1\x85\x15\x4d\xc8\x3c\xc5\xf6\x93\x70\xe3\x14\x19\x8b\x7f\xa8\x3c\xe5\xc5\xc9\x1c\x2c\x50\xe5\x44\x89\xb3\xa6\x70\xa3\x30\xa4\xe4\x9f\xca\x51\x7c\x83\xa9\x53\x2c\xbc\x7e\xdc\x84\x0c\xd0\x10\xb3\x7e\xcc\x75\x37\x45\x30\x16\xed\x1a\xb4\x45\xe4\x5f\xc1\x23\x8b\x14\xe2\xf8\xf9\x31\x66\xcb\xf7\xd3\x8b\x85\x28\xba\xa0\xfa\xd3\xe9\xe7\x6f\x4b\x32\xee\xbb\x60\x52\x68\x81\x62\x0b\xca\x5b\x11\xac\x06\x3d\xbe\x21\x69\xe5\x43\x78\x43\xf6\xd2\xd4\x86\x85\x5a\xd5\xf1\x92\xb2\x68\xb2\xf3\xeb\x25\xde\xea\xbd\x2d\xe8\x9c\x48\xba\x28\xf1\xee\x2c\x84\x65\x86\x56\xc3\x37\x33\x9b\x53\xac\xf9\x88\xba\xf2\x9a\xc5\xc9\x19\x9e\xc7\x91\x
2b\x28\x94\x09\x34\xbc\x02\xb1\x31\xd1\x46\x13\x54\x62\x6b\x69\x08\x35\xba\x09\xab\xaf\xa0\xca\x7f\x51\x55\x79\xe5\x33\xc4\xbb\xfd\xa2\xbc\x9f\x2f\xae\xdd\x35\x38\xce\x8c\x1e\x36\x06\xea\x98\x39\x5e\x0f\xf8\x84\x92\x04\x5f\x47\xcc\xa8\x5f\x4a\xf1\x6f\x95\x0a\xbb\xf3\xf2\x22\x9d\xe5\x8e\xa2\xb4\x56\x92\xd4\xba\x84\x3e\x70\xe5\xae\xed\x29\xf6\x88\x07\x13\x8a\xaf\x5c\x99\x4b\x30\xd4\x73\x11\xeb\xb9\x69\x10\x76\x77\xdc\xf0\x07\xf6\x4d\x0b\x32\xc3\x60\x0c\xd3\x2b\xd4\x2c\xa6\x9e\xe4\x6d\x78\x6c\xf0\xcf\x94\x96\xbc\x51\x60\x2c\x98\x9f\xc5\x4f\x76\xc4\xd3\x83\xce\x41\x4a\xf4\x5f\xc9\x48\xe5\xb9\x71\xe3\x02\x0a\xf4\x47\xc5\x89\xb0\x99\x56\xc9\x03\x3d\x09\x04\xd6\x44\x5d\x7e\x9f\xff\x7c\x90\x39\x39\xf7\x9c\x2d\x4c\x30\xb6", 4096); *(uint64_t*)0x200000004ad0 = 0x200000004a40; memcpy((void*)0x200000004a40, "\x88\x4f\x38\x13\x09\x89\x6a\x88\x17\x38\x89\x99\x4e\x74\xc6\x06\x94\xf7\xba\xa4\x5b\xe0\x88\xe5\x9b\xc3\xe9\x39\x72\x82\x57\xe8\xd2\xdb\x71", 35); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[10] = *(uint32_t*)0x200000004a88; break; case 19: *(uint32_t*)0x200000004d40 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000004c40ul, /*optlen=*/0x200000004d40ul); if (res != -1) r[11] = *(uint32_t*)0x200000004c74; break; case 20: *(uint32_t*)0x200000004e00 = 7; *(uint32_t*)0x200000004e04 = 0xee00; *(uint32_t*)0x200000004e08 = -1; *(uint32_t*)0x200000004e0c = 8; *(uint32_t*)0x200000004e10 = 0x80; *(uint32_t*)0x200000004e14 = 5; *(uint16_t*)0x200000004e18 = 0xfffc; *(uint32_t*)0x200000004e1c = 1; *(uint64_t*)0x200000004e20 = 7; *(uint64_t*)0x200000004e28 = 5; *(uint64_t*)0x200000004e30 = 0xbed1; *(uint32_t*)0x200000004e38 = r[5]; *(uint32_t*)0x200000004e3c = r[7]; *(uint16_t*)0x200000004e40 = 1; *(uint16_t*)0x200000004e42 = 0; *(uint64_t*)0x200000004e48 = 0x200000004d80; *(uint64_t*)0x200000004e50 = 0x200000004dc0; memcpy((void*)0x200000004dc0, 
"\x05\xc9\x21\x56\x87\xa3\xff\x17\x47\xca\xe5\xc1\x8c\xb1\x86\xed\x5c\x62\x98\x43\x37\xf9\x0f\x0a\xb5\x94\x8e\x21\xc6\x3d\x16\x86\xf1\xda\x14\x59\xa8\x97\x18\xa9\xf8\x49\x30\xb8\x92\xc2\xad\x4d\xe6\x1f\x71\x4a\xb8", 53); res = syscall(__NR_shmctl, /*shmid=*/5, /*cmd=*/2, /*buf=*/0x200000004e00ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004e04; r[13] = *(uint32_t*)0x200000004e08; } break; case 21: *(uint32_t*)0x200000004f00 = 7; *(uint32_t*)0x200000004f04 = -1; *(uint32_t*)0x200000004f08 = -1; *(uint32_t*)0x200000004f0c = 1; *(uint32_t*)0x200000004f10 = 0; *(uint32_t*)0x200000004f14 = 0x98; *(uint16_t*)0x200000004f18 = 4; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 6; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 5; *(uint64_t*)0x200000004f30 = 0xc; *(uint64_t*)0x200000004f38 = 0x1ff800000; *(uint64_t*)0x200000004f40 = 8; *(uint64_t*)0x200000004f48 = 0x7f; *(uint64_t*)0x200000004f50 = 3; *(uint16_t*)0x200000004f58 = 0x101; *(uint16_t*)0x200000004f5a = 8; *(uint16_t*)0x200000004f5c = 0x1000; *(uint32_t*)0x200000004f60 = r[5]; *(uint32_t*)0x200000004f64 = r[8]; res = syscall(__NR_msgctl, /*msqid=*/4, /*cmd=*/0ul, /*buf=*/0x200000004f00ul); if (res != -1) { r[14] = *(uint32_t*)0x200000004f04; r[15] = *(uint32_t*)0x200000004f60; } break; case 22: *(uint32_t*)0x200000005080 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000004f80ul, /*optlen=*/0x200000005080ul); if (res != -1) r[16] = *(uint32_t*)0x200000004fb4; break; case 23: *(uint32_t*)0x2000000052c0 = 8; *(uint32_t*)0x2000000052c4 = 0; *(uint32_t*)0x2000000052c8 = 0; *(uint32_t*)0x2000000052cc = 0x7f; *(uint32_t*)0x2000000052d0 = 5; *(uint32_t*)0x2000000052d4 = 0x80000001; *(uint16_t*)0x2000000052d8 = 0x43; *(uint32_t*)0x2000000052dc = 7; *(uint64_t*)0x2000000052e0 = 2; *(uint64_t*)0x2000000052e8 = 0; *(uint64_t*)0x2000000052f0 = -1; *(uint32_t*)0x2000000052f8 = 0xf; *(uint32_t*)0x2000000052fc 
= r[7]; *(uint16_t*)0x200000005300 = 2; *(uint16_t*)0x200000005302 = 0; *(uint64_t*)0x200000005308 = 0x2000000050c0; memcpy((void*)0x2000000050c0, "\xbc\xc4\xb5\xd8\x6e\x91\xb0\x2b\x73\xe1\x6c\x46\x65\xdc\x30\x88\xf7\xcc\x98\x26\xda\x78\x07\xf9\xa8\x30\x0d\x9d\x89\x80\xde\x67\xa1\xa2\xa1\x53\xe9\x54\x66\xe7\x6d\x2c\x38\xc4\x15\x58\xc0\x8e\xfe\x37\xee\x81\xd9\x90\x46\x74\xce\xd8\x6d\xda\x9b\x2b\x6c\xc7\xc9\x7b\x19\x97\x58\xbe\xf8\xd9\x2d\xd2\x0e\x0e\x69\x86\x4d\x6f\xcd\x03\xa8\x0c\xa0\x12\x01\x9c\xf4\x1e\x51\x66\x47\x50\x38\xfc\xd3\x60\x33\x84\x36\xe7\x82\x7e\xf7\x30\x46\x91\x87\xe6\xa4\x95\xf5\xbf\x01\x8e\xe7\xca\xa7\x1c\x80\x4a\x38\x67\x56\xc3\x24\x2b\x30\xec\xa0\xb8\x41\x16\x6d\x78\x39\xe9\x4a\x56\x39\xd0\x8f\xbc\x06\xda\xc1\xf8\x61\x49\x44\x56\xd8\xd1\x53\xde\x7f\xc3\x03\x87\xd4\x52\x30\x4e\x7c\x30\x69\xbb\xfb\x42\x43\x91\xd0\x4f\xab\x12\x03\x7c\x6d\x6a\xe6\x02\x5d\xf8\x69\xfa\x3a\x45\xe0\x31\x48\xc2\xdd\x05\x2c", 195); *(uint64_t*)0x200000005310 = 0x2000000051c0; memcpy((void*)0x2000000051c0, 
"\x0b\x7d\x67\x85\x2a\x6f\x3d\x89\x68\xf4\x76\xad\xad\x16\x72\xe6\xdc\xfc\xeb\xe8\xe6\x24\x9d\x8c\xc7\x2d\x1a\x05\xc2\x8a\xcd\x3d\xed\xa6\x43\x14\x81\xc8\x8e\xe1\xc2\xc0\x99\x44\xee\x73\x33\xd9\xd1\x6b\x3f\x9b\xd1\x86\xbe\x36\x21\x0e\x7e\x52\xfd\xac\x24\x09\x97\x73\xc0\x7a\xf6\xf1\xa9\x40\xe4\xba\xec\x3a\xda\x47\x66\xe3\x80\x14\xad\x52\x7a\x5d\xf7\x7c\x90\x61\xc5\xa4\xca\xcc\xc4\x8b\xcf\x15\x62\x20\x7f\x8d\xb0\x4d\x60\x8a\x82\x3c\x71\x97\x9b\xda\xf7\x02\xb9\xa6\xec\x8f\x62\xf2\x3d\x31\x6b\x69\xa8\xe4\x0f\x1c\xd7\x92\x58\x5f\x34\xd8\xff\x6c\x70\x56\x41\xdb\xc0\x9a\x02\x45\xef\xad\x32\x6c\xa8\x4d\x8c\xa3\x9d\x29\xcc\x33\xa4\xa3\xfb\xe7\x6c\x24\x0d\x05\x5e\x26\x1e\x16\xd6\xbb\x5d\x9c\x23\x1f\xe3\xc9\xe8\x4f\xe5\x95\x65\xbe\xfc\x53\xfe\x9d\x11\x9e\xb5\x0c\xe0\x4e\x6e\x3c\x1d\xf2\x16\xae\x69\xc3\x13\xd8\x0b\xb6\xa7\x7e\x21\x9b\x94\x51\x65\x72\xee\xaa\x39\x8b\xfe\xa6\x49\x33\x5a\xe8\x11\x4c\xb0\x57\x42\x36\xf4\x61\x31\x67\xd9\x75\x8b\x53\xb6\x6c\xb6\xba\x75\xd7\x5a\xf9\x2f\x3c\x6e\x63\x8b\x82", 250); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/5, /*buf=*/0x2000000052c0ul); if (res != -1) { r[17] = *(uint32_t*)0x2000000052c4; r[18] = *(uint32_t*)0x2000000052c8; } break; case 24: memcpy((void*)0x200000005340, "./file0\000", 8); *(uint64_t*)0x200000005380 = 0x355; *(uint64_t*)0x200000005388 = 0x100000001; *(uint64_t*)0x200000005390 = 5; *(uint32_t*)0x200000005398 = 7; *(uint32_t*)0x20000000539c = -1; *(uint32_t*)0x2000000053a0 = 0xee01; *(uint32_t*)0x2000000053a4 = 0; *(uint64_t*)0x2000000053a8 = 7; *(uint64_t*)0x2000000053b0 = 2; *(uint64_t*)0x2000000053b8 = 2; *(uint64_t*)0x2000000053c0 = 6; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000053d0 = 7; *(uint64_t*)0x2000000053d8 = 4; *(uint64_t*)0x2000000053e0 = 0xfff; *(uint64_t*)0x2000000053e8 = 0x17b; *(uint64_t*)0x2000000053f0 = 0xffffffffffff27a1; memset((void*)0x2000000053f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000005340ul, /*statbuf=*/0x200000005380ul); if (res != -1) r[19] = 
*(uint32_t*)0x2000000053a0; break; case 25: *(uint32_t*)0x200000006480 = 7; *(uint32_t*)0x200000006484 = 0xee00; *(uint32_t*)0x200000006488 = 0; *(uint32_t*)0x20000000648c = 0; *(uint32_t*)0x200000006490 = 7; *(uint32_t*)0x200000006494 = 8; *(uint16_t*)0x200000006498 = 0x3ff; *(uint32_t*)0x20000000649c = 0x10; *(uint64_t*)0x2000000064a0 = 2; *(uint64_t*)0x2000000064a8 = 8; *(uint64_t*)0x2000000064b0 = 0x7fffffff; *(uint32_t*)0x2000000064b8 = r[8]; *(uint32_t*)0x2000000064bc = 0xffff; *(uint16_t*)0x2000000064c0 = -1; *(uint16_t*)0x2000000064c2 = 0; *(uint64_t*)0x2000000064c8 = 0x200000005440; memcpy((void*)0x200000005440, "\x4c\xf7\x7c\x89\xa8\xa3\x6d\x9b\x71\xd1\x6c\x43\xca\x99\xca\xec\x65\x90\x56\x4d\x89\x51\x86\x4c\xcc\xc3\x48\x10\x2a\x77\x79\xcd\x97\xd9\x51\x00\x3a\xe8\x76\xa9\xa0\x30\x1c\x11\x86\x7f\xf6\x43\x2c\x9c\x54\xbd\x04\xee\x43\x3f\xce\x5f\x5d\xb9\xeb\x71\xb7\x62\x21\xd2\x84\xc7\x8d\xc7\xdb\x27\x84\x0c\xa0\xb1\xe9\xa5\xa1\x19\xf0\xd7\x4f\xf6\x48\x5b\x52\xa9\x86\xa6\x71\x7f\x3c\xfd\x72\x6d\x0a\x6a\x03\x8b\xed\x21\x89\x34\x4a\x3d\x14\xc2\xf1\x19\xbf\x2e\x54\x3f\xe4\xe7\x16\xbc\x4c\x5b\xec\x83\x76\x7d\xa2\xf9\x7d\x1c\xce\x4b\x26\x96\xbc\x5f\x99\x89\xfd\x42\xdc\x97\xa0\xc1\x6c\xdc\x2f\xa9\x67\xad\xaa\xa2\xba\xc7\x30\xe2\xcb\xda\x74\x4d\xc3\x12\x1e\x3f\x01\x5b\x66\xea\xe8\x91\x56\xb2\x62\x63\x9f\x95\xbb\x01\x4a\xba\x78\xbf\x2a\x48\x01\x49\x9b\xf3\x82\x68\xd7\x7d\x99\x49\x4a\xef\x48\x6b\x9b\x38\x8a\x1e\xba\xcb\x4b\x77\x1a\x52\xbf\xa2\x99\x90\xe9\x36\x18\xaf\x03\x76\x2f\x95\x3e\x34\x80\xfe\x01\xdd\xe9\x2c\xa7\x83\x5c\xcd\x5e\x88\x64\xdb\xc9\x10\x0d\x25\xc4\xfa\x63\x2c\x9f\xeb\xdd\xfd\xb1\xe7\x7f\x1b\xcd\x76\x79\xea\x46\x89\xd2\xc8\x50\x4e\x50\xaf\x69\x52\xc8\x89\xd3\x28\xc1\x2c\x66\xc9\x0d\x8e\xad\x36\x92\x70\xd9\x4e\x5a\xa3\x42\xfb\x23\x87\xdc\x7c\xfe\x6e\xde\x70\x54\x64\x98\x5f\x30\x1f\xeb\x34\xb0\x02\xcc\xef\xb8\x0f\xde\x10\xd9\xfc\x1c\xb3\x9b\x5f\x87\x75\x24\x98\x6d\xd1\x24\x47\xa7\xc9\x6f\x63\x50\x7c\xb4\xd8\x80\x68\xed\xfd\x77\x48\xfb\x2b\x66\x7a\xe1\xae\x
db\xb4\x16\x37\x75\x74\xd7\x0a\x3f\x6d\xe4\x6e\x4a\x3e\x5c\x14\x9a\x64\xa4\x36\x46\x66\xbd\x99\xfd\xb0\xe4\x13\xa1\x33\x5b\xa9\x32\x57\x5d\x1e\x92\x28\x50\x8d\x61\x4b\x66\x3a\xb1\x7a\xcb\x21\xb2\xac\x4d\x36\x18\xa6\x59\x43\x80\x4d\x5b\xa5\x2c\xbb\x04\x3a\x96\x19\x86\x12\x02\xb5\x05\x14\x0e\x48\x44\xb8\xce\xb6\xfa\xf5\x02\x42\x23\xd9\x63\x6c\xb0\xbe\x38\x4a\x4c\xc1\xdd\x3d\x4f\x35\x76\x29\x52\x1a\x07\x69\x84\x18\xdd\x1a\x97\xc3\x94\x17\x19\x6f\x86\x1a\xfb\x05\xbd\x70\x2f\x4c\xcd\xc3\xd4\x4b\x5a\x41\x93\x37\x8b\x93\x6f\x53\xc5\xc4\xb0\x9c\x98\x58\xbe\x95\xe3\x49\xba\xeb\x7e\xb4\xda\x30\x94\x00\xa4\xdb\xb0\x8a\x24\xd0\xbb\x37\x72\xbe\xe7\xa3\x87\x3c\xf8\xd7\x6e\x06\xdf\x6f\x7c\xe5\x91\xf4\x0b\xdc\x84\x9e\xa0\x4c\xad\xe8\x86\xf0\x75\xe1\x45\x8f\x02\x1f\x1b\x73\x0b\x0c\xb5\xc3\x28\xb9\x11\x41\x2a\xee\x96\x16\xab\x5f\xdc\x83\x1e\x34\xce\xa6\x9d\xe1\xa4\x08\x06\xaa\xfd\x4e\x64\xd3\xcd\x70\xc1\xa6\xc6\xf6\x36\xd3\xbb\x94\xc9\x95\x97\x7c\x59\x4f\x0f\x4e\x90\xd7\xae\xc4\x3f\xec\x4c\x8a\xa7\x07\xd0\x0d\xfa\x26\xff\x9d\xb8\xa4\x5e\x6a\xc6\x5b\x5e\x5c\xea\xc4\x3f\x78\xb5\x0f\x1e\x4f\x49\x4c\x85\x82\x7b\x3f\x0e\xa1\xf7\xa4\xfe\x3b\xbb\xd3\x90\xe3\x61\x66\x28\xed\x47\x70\xdd\x36\x66\x94\x89\x35\x13\xdc\x1c\xd2\x52\xd3\x88\x7a\x2f\x19\xa8\x46\xd1\x8e\xe7\xba\xf8\xb5\x68\x0e\x61\x80\x0b\xaa\xf0\x04\x18\x10\xa5\xa2\x1f\xe0\x6c\xba\x83\xe0\x62\x1b\x26\x26\xc3\xec\x5b\xa6\x2d\xfe\x1f\x94\xae\x16\x11\x4c\x9f\x89\xe8\x94\x58\xa0\x69\x22\x2b\x43\xb4\x50\x4d\xca\x5f\xd9\x69\xc0\x66\x66\xdc\xf9\x82\x43\x46\x31\x59\x7b\xab\xaa\xd4\x65\xcb\x73\x9e\x72\x83\x5f\x69\xad\x69\x9b\x0e\xfb\xe2\x16\xa1\x2c\xc1\x88\xd5\x4b\xeb\x66\x86\x1c\x78\xc8\x02\x25\x43\x8d\xeb\x75\xb3\xaf\x96\xa6\x0a\x08\x4e\x68\xed\xce\xca\x25\x2c\x22\x22\x5b\x4f\x3e\x56\xe9\x9f\x97\x6c\x2a\x08\x2a\x29\xf4\xa5\xbc\x3d\x0c\x25\x1f\x91\x22\xb5\x84\x66\x1f\x39\xbf\xd1\x8d\xfb\x9d\x57\xa5\x91\xc6\xd7\x01\x3b\x42\x0b\xd1\xe4\xc4\x7e\x80\x4c\xc4\x0e\xdf\xfa\x4d\xc9\x0c\xda\x1d\xe0\xa6\xe5\xf0\xd7\xa4\xd1\xc0\xa0\x2b\xf9\x25\x82\x90\x
06\x43\xf9\x7f\x8f\x2c\xc1\x37\x68\x37\x4c\xc1\x36\x10\xf2\x7c\x3a\xb9\xd6\x93\x14\x79\xd0\x21\x5c\x4a\xd6\x69\xef\x80\x2e\x32\x92\x87\x88\xc5\x25\xf7\x52\xed\xae\x47\x7f\xf8\x9e\xa3\xf0\xc8\x7d\x9e\xc7\xeb\x1e\xf5\x12\xdc\xab\x10\x37\x28\x42\x91\x86\x13\x22\xf8\x72\xaa\x26\x1f\xa4\x67\x46\xed\xd8\x39\x85\xee\x32\x0f\xef\x53\xb1\x15\x18\xf5\xd5\x8f\x84\x68\x19\xb8\x8b\x16\x58\x8c\x13\xdd\x01\x90\x58\xa1\xce\x86\x5b\x4e\x68\x5e\x94\x78\x53\x9b\x9b\x9a\xf6\x9a\x13\x12\x6d\x6a\xd3\x0b\x2b\xac\xb1\x44\xc0\x2f\xfb\x15\x39\x66\xd2\x0f\x56\x56\x84\xa8\x74\x91\x31\xc7\xde\xf8\x8f\x2c\x87\xe4\x8e\xac\x6c\x0a\xf5\x76\xcc\x86\x11\x18\xa9\xb7\x18\xdc\xa2\xea\xfb\xc5\x41\x3b\xb6\xe7\x51\x37\x46\x47\x9b\xd8\x01\xf0\x7b\x94\x65\xbd\x80\xd0\xdc\x3d\x83\xee\xb7\xd6\x88\xf9\x13\xbb\xc7\x87\xb2\x3a\x90\xa8\x63\x7c\x57\x98\x84\xa1\x58\x5d\x53\x23\xb0\x4a\x44\x9f\xee\xbd\x0c\xbe\x2b\xc3\x27\x21\x24\x4e\x92\xe5\xd0\x33\xe2\x0d\x0b\x2c\xcf\x8e\xd5\xe2\x39\x00\x19\x9d\xc5\xec\xde\xa4\x29\xa2\x59\x61\xc9\x07\xaf\x8d\x93\xd5\x7d\x5d\x0d\x7f\xf9\x90\x31\x0a\xc0\x92\xdc\x44\x7e\x88\xcf\x81\x61\x7b\x67\x75\x4a\xd8\xee\x0b\x12\x53\x2c\x73\x13\xd1\x5f\xd6\x5c\x9f\x65\xc0\xa9\x4b\x75\x5a\x09\xd2\x40\x78\xbd\xe2\x75\xa4\x44\x57\xec\xa4\xc8\xb2\xb3\xbc\x0d\xfd\x4c\x8a\xcb\x9d\x2c\x6c\x4a\x8d\xaa\x22\xa6\xcd\x96\x1b\x44\x76\xb0\x78\x80\xf8\xcf\x09\x88\xbc\xe7\xdd\x8d\x3c\x3f\xbd\x9c\xfd\xb6\x56\x3b\x68\x10\x34\xb2\x72\xfb\x3c\xde\x59\x1d\xe8\x03\xd0\xb6\x84\x05\xd2\x5d\xea\x80\x1e\xe8\x71\x3a\xeb\x54\x98\x19\x83\x95\x79\x9d\xb2\xab\x19\xfb\xce\xdb\xaa\x3c\xed\x3e\x12\x4d\x29\x3d\x63\xee\x8c\x12\xd9\x31\x07\x9f\xd9\x4c\xa0\xfb\x5c\x45\x69\x32\xa0\x7a\xc6\x65\xb9\x41\x0d\x12\x37\x73\x58\x72\x76\x67\x64\xc0\x5e\x85\x2e\x06\x1d\xc3\x99\xbb\x31\xed\x48\x8d\x1b\xa5\xae\xf5\x3a\xc7\xb4\x53\x6c\x6e\x5f\xc4\x5c\x96\xa9\x93\x85\x51\x2f\xe6\xee\x8a\x22\x78\xa0\x6b\xe1\x9a\x7c\xdd\xf3\xca\x67\x8b\xdd\x73\xc2\x55\xc1\x59\xea\x07\x35\x57\xd6\x66\xf6\x7b\x9d\x1b\x99\x68\xe0\x23\xf6\x36\xc6\x93\xa8\xad\xfc\x92\x3a\x
cf\xf1\x08\xed\x43\x70\xbb\x96\x6b\x0f\x4c\x05\x03\x4b\x08\x57\x6c\x2b\xc8\x9c\xee\xb5\x7c\x63\x3d\x2a\x7c\x87\x66\x5b\xe7\xe7\x5f\xfb\x30\xed\xb5\xfe\x9f\xcd\xc7\x25\x6a\x01\x12\xd4\x9f\x52\x03\x18\x00\xb7\x0f\x69\x80\x38\xf0\xf1\xf8\x12\x23\xcb\xe0\xe3\x0b\x47\xe8\x05\x70\x97\x1d\x4f\xa8\x4d\xa5\x80\x99\xf8\x75\xac\x76\x32\x3c\x5a\xc2\x5b\x69\xc5\xea\xf6\x78\x25\xab\x8a\xc9\x8c\xbd\x6d\xc0\x16\x37\x51\xa4\x7a\x1e\x52\x99\x8e\x00\xe0\x5c\x1c\x69\x01\xf5\x04\x34\x03\x18\x72\x79\x02\xb1\xed\x2b\xd2\xcf\xf2\xd2\xed\x09\x60\x1a\x8c\xed\xf4\x52\x8c\x1c\x13\xa6\x70\x37\x5f\xe3\xa6\x85\xc7\xcb\x14\x72\x3b\x55\x9c\xe2\x78\x6c\xa2\x95\x5a\xe3\x51\xef\xf8\x39\x75\x8c\x31\x1e\x99\xed\x53\xff\x12\x83\x72\xbf\x9f\xc3\x8c\x57\x0b\xd9\x00\xb4\x97\xc9\x31\x61\xc3\x4d\x8b\x4e\x48\x06\xeb\xcc\xda\x16\x11\x44\x5e\xa9\xd6\x76\xbd\xc1\x46\xea\x5b\xa1\x00\xfc\x5d\x99\x5b\x2c\xa6\x07\x09\xfa\xbb\xf6\xaa\xbb\x01\xef\x24\x3a\x12\x9a\x3c\x67\x38\xcf\x66\xf6\xd3\xe3\xb0\x03\x20\xbe\x0f\x85\xe7\x54\x87\x89\x37\xe3\x97\x62\xde\xbb\xf5\xa3\xe7\xa8\x11\x10\x35\x66\x34\x0f\xdf\x7d\xac\x84\x50\xe6\x8e\xff\x10\x2c\xbf\xd4\x95\xa8\x01\xde\x06\xe7\x4d\xf5\x7f\xe0\x6e\x15\xed\xfb\xa4\xda\x71\xa4\x33\x39\xc5\x24\x8f\x42\x2e\xe2\x9a\x22\xef\xa4\x93\x69\x0d\x97\x24\x6e\x20\x83\xbe\x24\xc2\x1e\xe4\xf2\xf1\xd6\x0d\x75\x3b\x2d\xa7\x5a\x15\x40\x8a\xf7\xf4\xff\xc3\xf1\x16\x73\xb8\x93\x45\x79\x57\x50\xc2\xea\x6b\x6c\x78\x9c\x9e\x4e\xd0\x93\x05\x61\x71\xe9\xfd\x9a\x67\x54\x86\xa4\xa5\x1a\xfa\x96\x7e\x00\x9c\x5a\xb5\xda\x74\xfb\x7f\xcd\x00\x04\x4a\xb9\x4b\x28\x7b\x54\x21\x78\x48\xd4\x78\x48\xd6\xa1\x16\xae\xd4\x1d\x45\x4c\xdc\xbf\x4a\xd8\xd8\x6e\x62\x99\x97\xe3\x08\xb8\x6e\x23\xea\x1b\xf1\xa4\xd2\x52\x96\xb1\x9f\xa7\x9f\x2a\x8c\x9b\x13\x70\x2b\x76\x28\xc8\x9f\x71\xba\x6d\x5c\x3a\xa6\x56\xd4\x31\x8c\x4e\xc3\x30\x5b\x9d\x7a\xe2\x93\x74\xe9\x35\x67\x09\xc4\x6d\x40\x1c\x6b\x74\x51\x18\xbc\x70\xd1\xac\x74\xfb\xc5\x7d\x92\x48\xb1\xa9\x15\xde\x03\xdf\x36\x7a\x9a\x10\x44\x75\x27\x75\xe3\xb3\x36\xa9\x35\xbc\x08\x2a\x2c\x
88\x29\x9f\xad\x16\x99\x3f\x6e\x3f\x43\x73\xde\x0c\x48\x8a\xf1\xaf\x00\xad\xb9\x40\xcb\x45\xf5\xcf\xd5\x37\x2d\x6c\x0a\x4c\x69\x6f\x96\x63\x6d\x52\xd2\x79\x39\xde\x72\x99\x74\xa9\xa5\xbe\x21\xf9\x9b\x49\xfc\x6d\x4c\x65\xac\xa9\x8c\x28\x74\xf3\x67\x1d\xe2\x92\x64\x94\x1c\xd4\xa4\xa6\xbe\x0b\x20\x21\xac\x02\xad\xcd\x17\x56\xbf\xcf\xf1\x0e\x76\x55\xdb\x95\x8b\xb9\x99\x81\x0d\x8b\x3f\xee\x98\x32\x64\x6d\xed\xbe\xee\x86\x89\x2e\xce\xb4\xfa\x04\xb7\x28\x4f\xdc\xe5\x66\x9d\xc7\xee\xb7\x75\xd0\x09\xca\x17\x6d\x82\xbb\xdd\xd4\x26\x27\x16\xef\xbb\xe1\x8c\x8c\x79\xf6\xc7\x6c\xb5\x9b\xfa\x82\xa1\x9a\x66\x81\xe0\xd5\xa4\x9d\xbd\x64\x29\x33\x64\x8a\xf8\x81\xc5\x69\x40\xe8\xc5\xe1\x8f\xb8\x28\x8c\x35\xe1\x30\xe1\xf6\x28\x17\xaf\x3f\x18\x7d\x00\x2d\x1b\x9a\x1d\x58\x4b\x66\x2e\xbc\x5c\x9c\x95\x20\xc4\xd5\x16\x64\x9f\x2d\x99\x36\x3e\xff\xf1\x16\x34\x8c\xae\xd4\x35\x56\xb5\x8e\xa9\xb7\xc4\x25\x5f\xd2\x7e\xfb\x05\xed\xec\xe7\x55\x35\x96\x3d\x32\xef\x59\x7e\xb1\x33\x49\x5d\xc6\xff\x01\x17\xd9\x23\x02\x7f\x10\x8d\xbc\x64\xcb\xaa\x4b\xed\xd5\x65\xe0\x57\xa0\xe2\x86\x49\x90\x8d\x87\xab\x01\x64\xa1\x15\x5a\xbe\x46\x03\xec\x3f\x81\xc3\xb5\x32\x7e\xd0\xd5\xe1\xfc\x89\x01\x62\x51\x0a\xfc\xa7\xb9\x1d\x61\x85\x75\x73\xf6\x18\x43\x86\xa7\xa7\xcb\xfb\xa8\xef\xf7\x9f\xb8\x83\xd0\x4a\xa6\xbb\x7f\x93\xf7\x76\xa3\x75\x56\x5f\x67\xa0\x37\xe4\x75\xe2\x8b\x57\xf4\x2c\xa0\xfc\x54\xa3\x0b\x9d\x91\xee\xd1\x24\xcd\xc1\xbc\x53\xfe\xaa\x47\x58\x28\xf2\x0d\xb8\xba\x50\x81\x5c\x81\x2a\x1e\x9c\x74\x54\xcd\x41\x44\xeb\x9a\x42\x3e\x6d\x17\x2e\xde\xe0\xba\xd9\x4c\xd1\x50\xbb\xeb\x4d\xea\xbc\x6e\x98\xe3\xe5\xf7\xc6\xbb\x47\xf3\x5f\x11\x0e\xec\x4b\xa6\x32\xe9\xc4\x26\xaf\x69\x9a\x5b\xd6\xc2\x33\x1e\xf0\xc1\x1d\x24\xa5\xa3\xf3\x88\x8f\xae\x3a\x36\xa8\x9f\xb8\xa0\xdb\xdb\xa9\xca\xdf\xb9\xe0\x52\xa9\x3f\x00\xed\x75\x75\x5b\x4d\x78\xd9\x9a\xaa\x84\xf6\x9d\xcc\x6a\x6a\xb0\x5e\xad\xd8\x17\xb9\xf7\x04\xe9\xa7\x69\x7a\x31\x5f\x36\xac\x99\xd2\x99\xb5\xcb\x8a\x2f\x0c\x7c\xd5\x3a\xa1\x6f\xda\xd2\x33\x19\x47\xd8\x1a\x52\x73\x4d\x
c3\x8e\xfd\x03\x09\xb4\x83\x7f\xcc\x18\xc8\x8a\x0c\xb8\xbf\x5f\x96\xe4\x20\x91\x92\x26\x6a\x2c\x7f\x60\x37\x1d\x41\xfc\x8c\x7d\x05\x0a\xe4\x3b\xf5\xf6\x74\x07\xb5\x4f\x4b\x73\x1e\x0f\x71\x95\x65\x9c\xd7\x1e\xcc\xcf\x87\xe6\x8e\x1b\x4b\xb8\x74\x70\x73\x36\xca\x5b\xce\x6a\xe7\xd5\x88\xd6\xd6\x8e\x2f\x66\xea\xf0\xfa\xa2\x6d\x48\x8e\xf0\xa1\xa0\xb5\x96\x86\xaf\x81\x20\x55\x8f\xd7\x6c\x9d\x19\x59\x0a\x96\x11\xd5\xf3\xec\xa0\x0e\x14\x81\x94\xd9\xb6\x95\x94\x12\x4b\xe0\x05\xcd\xde\x6d\x57\xb2\x6c\x53\xac\x64\x88\x23\x6d\xe7\xdc\x8e\xf1\x7e\xee\x67\xcd\x94\x8e\x32\xd8\xc1\x1f\x14\xbd\x24\x78\xb5\xd7\xe2\xc1\xd3\x9d\x02\xb4\x75\x95\xce\xbe\x08\x51\xf9\x94\x48\x96\x0d\xd6\x4c\x14\xa8\x4d\xac\x88\x7c\xe5\xb3\x93\x09\xb1\x53\x0b\x71\x29\x5c\x36\xb1\xb1\x95\x92\x24\x2d\x66\x17\xf9\xba\x31\x5c\x8d\x0a\x9d\x39\x79\x25\x41\xd1\x1c\x0e\xc9\x99\x97\x51\x69\xe8\xaf\x06\xa4\x44\xb7\x16\xc4\x52\x40\xb3\x15\xa0\x89\x61\xfa\xc6\xa6\x96\x81\xd8\x32\x19\x8a\xad\x3d\xe1\x0e\xf3\xa4\x88\xf5\x07\xab\x56\xfd\x19\x4f\x6d\x94\x37\x6d\x24\x96\x8d\x5c\xaa\xdf\x3f\x2c\x3e\xfb\x66\x7d\xd1\xd1\x9b\x18\xdc\x8d\xab\x53\xdf\x92\xc2\xdc\x0f\xb4\xad\x49\xaa\x80\x34\xcf\x6f\x9e\xae\x62\x20\xbe\xae\xc0\x87\x84\xca\xc7\x65\xda\x9e\x98\x21\x9e\xca\xe0\xfb\xa0\x94\x24\x0d\x3d\xf3\x4f\x3c\x89\x53\x9b\x20\x6a\x9a\xf3\x8d\xac\x75\x87\x4b\x0b\xee\xed\xc9\xb3\x79\x5d\x5f\x1d\x1f\x90\x65\xa8\x1a\xc5\xe1\x55\x88\xc1\x79\xc4\xb0\xef\xfc\xba\x46\x6b\x91\x70\xb1\x2e\x72\xfb\x52\x5a\xcc\x0e\x2b\xf5\xb8\xc4\x3e\xfb\xdf\x53\x27\x9e\x5c\x9f\xee\x04\xb0\x29\xdb\x52\x20\xba\x82\xd4\x93\x0e\x96\x37\x4b\xaf\x43\x38\xae\xf5\x55\x0f\xb5\x92\x20\x15\xa1\xf9\xf0\x76\xf3\x61\x5e\xe6\xd8\x14\xda\x80\x8d\x1b\xbc\xad\x1b\x17\x6d\x5b\xb2\x0b\x79\x58\x82\x47\x6c\x0c\x72\x34\x5e\xb1\x61\x34\x80\x7a\x82\xb9\xd8\x6c\x9d\x7a\x4d\x84\xd1\x89\xbe\x30\x9b\xa0\x25\x30\x3e\xea\x18\x89\xb0\x5c\xdc\xea\x4c\x20\x73\xcf\xb3\x0b\xb3\xb9\x0f\x35\xbc\xd6\xee\x79\x0f\x13\x60\xf9\x63\xdc\xd6\xbe\x81\x16\x8d\xe7\x5e\x1d\x04\xe8\x15\x0d\x2c\x00\x00\x5d\xf7\x
fa\xde\xac\x9e\x5c\x3d\x20\x26\x79\x9c\xbb\x2a\x2d\xb4\x26\x8e\x4d\x1c\xb6\x14\xf1\x58\xef\x12\xa0\xb2\x28\x2e\x42\xba\x33\xff\x9d\x67\xce\xda\x79\x32\x0f\x1d\x89\x72\x77\xf4\x86\x58\x8a\x0d\xc0\xe4\x6c\x1c\x0f\xa2\x23\xbe\x06\xcd\xac\xa9\x09\x48\x33\x58\xbe\x8b\x18\x2b\x37\xe3\x78\x9f\x7c\x93\x95\x9c\x0b\x45\x33\x5b\x2c\x00\xca\xd1\xa7\x0f\x8d\x04\x08\x13\x83\xa7\x9c\x3f\xd5\x95\xfc\x86\x47\xbb\x65\x52\xc6\x08\x1c\x26\xc7\x20\xed\x1b\x22\x9a\x19\x2b\x9a\x91\xfa\x1e\x12\xcd\x31\x84\x0f\x86\xe0\xda\xd7\xfe\xb7\xda\xde\xad\xd2\x32\x70\x9b\xc9\x9a\xa8\xfb\xc3\xa8\x7a\xf0\xd5\xc8\x2e\x53\xac\xeb\x61\x22\xbf\x9b\x71\xb7\xbc\x92\xa0\xa0\x63\x95\x7c\xc6\x66\xfa\xfb\xad\x1f\x68\x8b\xd9\x11\x60\x8b\xfc\x76\x81\xc6\x4d\x81\x91\xc5\xd0\xc8\x0f\x7d\xed\xd5\xa9\xad\x4e\xbc\xcd\x04\xe2\x61\x8d\x9a\xad\x12\x1f\xd9\xaa\x8b\x8d\x68\x48\x72\x0a\x73\x67\x22\xc7\xec\xed\x31\x54\x04\x19\x65\x9c\x09\x11\xa0\x6e\x03\x9e\x95\x9c\x84\xdd\x5c\xc1\x64\x0e\xba\x08\x50\x5e\xa4\x89\xa1\x21\xdd\xca\x4a\x09\xc6\x3b\x2e\x27\x1d\x1e\xdb\x91\xae\xa0\x42\xe9\x2b\xea\x12\x93\x9a\xb6\xd4\x15\x7e\xfa\x94\xa6\x8d\x07\xb5\xf9\xb2\x05\x8b\xcc\xae\xf5\x82\x6e\xbd\x37\x65\x7a\x99\xbe\x45\x13\x4a\xa3\x0a\x84\xa4\xc4\xe0\x8e\x46\x3b\x75\x64\x5c\x2b\x72\x6c\x14\xf3\x57\x50\xef\xa6\x80\x40\x8d\x1e\xa9\xf3\xf5\x6f\xeb\x10\x60\xc7\xb8\xe8\x11\x46\x81\xc2\x49\x92\xaa\x2e\x1e\x65\x21\x9a\x03\x6a\xfc\x03\x4d\xba\x75\xa3\x90\xaf\xce\x29\x63\xd7\x56\xc7\xea\xf6\x7d\x21\x3c\x75\x37\x19\x35\xf9\xea\xb4\xd4\x28\xc5\x43\x22\xe3\x24\x98\xa4\x34\x02\x54\xcc\x41\xfb\xb5\x5c\xf6\x3b\x4f\x3f\x43\xc8\x93\x01\x01\xf3\xae\x35\x42\xfb\x96\xac\x77\x62\x63\x78\x9a\x98\x4a\x3a\x62\xbb\x46\xc5\xa4\xa4\x1b\x85\xf9\xd6\x6b\x47\xfb\x28\xea\x76\x5b\xbc\xdb\x52\xb0\x1f\x4c\x15\xeb\xe1\x88\xb4\x54\xc3\xae\x27\x7d\xc8\xa9\xf8\xa1\xc6\x34\x16\x3c\x63\x1b\xd5\x43\x0a\x8a\x80\xb8\x0b\x37\x33\x41\x3a\x1e\x00\xeb\x3f\xff\x34\xbc\x5a\xa8\xd9\x07\xd7\x9d\xe8\x86\x6c\xbc\x6f\x10\x66\x13\x56\x27\x77\x16\xc8\x84\x74\xbe\x9b\x39\x30\x18\xa7\xd8\xb9\xb3\x
e1\xce\x4b\x7a\x32\x6b\x77\xf6\x2f\xcf\xa9\x49\x4e\x1b\x7c\x02\x80\xc3\xa2\x5e\xe3\x46\xc9\x4a\xe4\xcb\x3a\xf3\xfe\x09\x53\x4e\x63\x83\x6d\x5a\x00\xa6\x28\x08\x74\x2f\x5c\xc9\x26\x08\x8a\x6e\xd1\x1e\xa2\x05\x1a\x33\xc6\x0b\x2d\xed\xd2\x06\x9f\xc9\xfc\x2f\x2c\xd4\x53\x66\x61\x8e\x11\x00\x02\x16\xef\x80\x17\x16\x3a\xa8\x28\xea\xe1\xd1\x5f\x02\x06\x7a\xa4\x6a\xf4\x67\x75\x0c\xfd\xd3\x6f\x7e\xcb\xa0\xfd\x1f\x73\x82\xc2\xa7\x8a\xa4\x0c\xcb\x03\x7e\xd7\x24\x90\x75\x9f\x08\xe4\xa2\x57\xb7\x3e\x1b\x45\x19\xec\x47\x20\xd9\x08\x1d\xd4\x64\xa4\x7a\xd4\x68\xf8\x88\x1c\xa3\x02\x3e\x75\x31\x00\xae\x0a\x1b\x29\x89\xac\x57\x4e\xbb\x9a\xc9\x13\x4b\xf1\x62\x02\xce\x61\xae\xaa\xfd\xf7\x68\x9b\xb9\x21\xc4\xa3\x9a\x46\xf0\x3a\x14\xde\xcf\xfe\xc7\x8c\xf9\xff\xd0\x1b\x4f\xca\x7d\x7b\xd4\x00\x30\xfe\xfa\x02\x59\x1a\x28\x45\x1b\xd3\x5d\xa7\x46\xdb\x7b\x5c\xdf\xd5\xee\x9e\xb6\xc5\x1b\x3b\xe0\x5f\xb0\xcd\x5d\x39\xe8\x10\x3b\x0e\x90\x3e\xec\x11\x0b\x3f\xf1\xf9\xdf\x98\x12\x32\xa5\x58\x23\x42\x81\x03\x9b\x46\x63\x76\x41\x84\x9d\x64\x12\xfe\xb7\x4a\x37\xb1\x39\x3c\x31\x51\x3c\xd9\x94\xad\x23\x9e\x20\xad\xdc\x7b\x6b\xe2\xbe\x44\x88\x57\xba\xcb\x20\xcb\x14\x69\xfe\x94\x46\x94\x6b\x6d\x60\x34\x9f\xf3\x92\x19\xf7\xc0\x02\xec\xb4\xdb\xfd\x31\x7f\x79\xd9\x50\xb3\x95\xdd\x77\xcf\xd4\x9a\x6f\xad\x36\xbe\x0b\xd4\x59\x1e\x4d\x2c\xa8\x37\xfe\x73\x74\xa3\x67\x92\xcc\xb0\xb2\xb0\x27\xc6\x9d\xcb\x08\x52\x74\x93\x09\xb9\x37\x17\x72\x72\xf4\xa8\x0d\x8e\x2a\x24\x99\x7f\xfc\xa2\x08\xb7\xf5\x28\xbe\x82\x11\x65\x56\xd2\x35\xf1\x7d\x57\x4d\x17\xac\xc1\xc4\xb5\x83\x63\xf0\x3f\x6b\x21\x77\xa2\xd9\xbd\x31\xd7\xda\x8b\x2d\x37\xea\x2a\x5e\xac\xe2\xb4\xf3\xea\xb5\x49\xcc\x55\xb3\x8e\x0f\x17\x31\xcc\x82\xef\x54\x8a\x5c\xb6\xa7\x56\x4b\x44\x2a\x86\xda\x73\x12\xa9\x4a\x13\x15\xe2\x70\xf3\x90\xa1\x97\xb9\x1e\x43\x5f\xa7\x04\x43\xf3\x87\xcf\x53\x73\x8f\x77\x5a\x23\x62\xa8\x72\x17\xb5\x74\xf8\xf6\x3c\xa6\x36\x13\x37\x52\x05\xdc\x19\x44\x98\xa0\xc9\x29\xff\x13\x00\x14\xd7\x42\x6a\xf7\xc0\xd0\x98\xd6\x9a\xff\x0d\xa1\x02\x7b\x12\x
3c\x02\x3e\x73\x2e\x0c\xa1\xeb\x69\x5b\x42\x10\xad\xca\xef\x92\x85\xfe\xc8\xc8\x3f\xea\x7e\xfb\x3b\x5a\x09\xab\x0e\x26\xa2\xc0\x92\x6e\x15\x8e\xe1\x70\x89\xef\x7f\x8e\xab\x53\x75\x71\x8b\xa2\xe8\xab\x68\x3d\x2a\x1e\xef\xe2\x5c\x2e\x30\x3f\x41\x9e\xd0\x14\x23\x79\x98\x67\xe0\x2e\xb0\x1a\xe2\x00\x02\x20\x71\x36\xa6\x0a\x87\x50\x77\x39\x3a\x01\x9a\xe7\xdf\x3a\xad\xc5\xd4\xae\xd4\xd4\x59\xce\xdd\xe9\x66\xd8\x4f\xa6\x4c\x2e\x56\x48\x60\x17\x2b\xe4\x1b\x9f\xbd\xcc\x9b\xb2\x9c\xc2\xaf\x86\xbc\xb8\xda\x14\xd1\xd7\xef\xd6\xd9\x0f\xef\xd4\x73\xfb\xac\x5b\x05\x59\xac\x2b\xdc\x11\x0c\x7f\xda\xa9\x21\xd9\x20\x73\x1f\x36\x2f\x95\xd4\x26\x68\x0b\x73\x31\x2d\xa5\x8f\xac\xc4\xd0\xa1\xd7\xba\x59\x0b\x3e\x91\xc0\x3b\xf3\xb5\xf5\x00\xa5\xca\xe4\x6b\xed\x37\x37\x02\x12\x9e\xe2\xf2\x5b\x05\x00\x21\x9b\xbe\xc0\x50\x28\x59\x49\xf2\xde\x49\x48\x32\x89\x64\x32\x9b\x1a\x46\xa3\x84\x21\xc1\x37\xcb\x95\xb9\x92\x90\xb4\xf6\xcb\x46\xb5\x76\x69\x7c\x95\xb9\x37\x8e\x7c\x15\xca\xa0\x4a\xb0\xe8\xa0\x4b\x8d\xf8\xbc\x46\xd6\x15\xfa\x29", 4096); *(uint64_t*)0x2000000064d0 = 0x200000006440; memcpy((void*)0x200000006440, "\x1c\x3d\x61\xef\xc1\x46\x7b\x6b\x61\xe9\xe5\xf0\x6f\xa3\xd1\xdc\xc0\xe7\x00\x35\xdc\xc9\xc6\xc3\xb0\x0d\xf5\x89\x00", 29); res = syscall(__NR_shmctl, /*shmid=*/0x8001, /*cmd=*/0xfffffee8, /*buf=*/0x200000006480ul); if (res != -1) r[20] = *(uint32_t*)0x200000006484; break; case 26: res = syscall(__NR_getgid); if (res != -1) r[21] = res; break; case 27: res = syscall(__NR_geteuid); if (res != -1) r[22] = res; break; case 28: *(uint64_t*)0x200000006a80 = 0xfff; *(uint64_t*)0x200000006a88 = 0xd; *(uint32_t*)0x200000006a90 = r[6]; *(uint64_t*)0x200000006a98 = 7; *(uint64_t*)0x200000006aa0 = 2; memset((void*)0x200000006aa8, 0, 16); *(uint64_t*)0x200000006ab8 = 0xf; *(uint16_t*)0x200000006ac0 = 0; *(uint16_t*)0x200000006ac2 = 0x46; *(uint32_t*)0x200000006ac4 = -1; *(uint32_t*)0x200000006ac8 = 0; *(uint32_t*)0x200000006acc = 0xfffffffd; *(uint32_t*)0x200000006ad0 = 0xf7; 
*(uint64_t*)0x200000006ad8 = 0x7f; *(uint64_t*)0x200000006ae0 = 8; *(uint32_t*)0x200000006ae8 = 9; *(uint64_t*)0x200000006af0 = 3; *(uint32_t*)0x200000006af8 = 0x200; *(uint64_t*)0x200000006b00 = 4; *(uint32_t*)0x200000006b08 = 5; *(uint64_t*)0x200000006b10 = 0x62; *(uint32_t*)0x200000006b18 = 5; *(uint32_t*)0x200000006b1c = 0xff; *(uint32_t*)0x200000006b20 = 0x6cbf; *(uint32_t*)0x200000006b24 = 0x48; *(uint16_t*)0x200000006b28 = 0; *(uint16_t*)0x200000006b2a = 0x8001; *(uint16_t*)0x200000006b2c = 0x7f; *(uint16_t*)0x200000006b2e = 6; *(uint16_t*)0x200000006b30 = 8; memset((void*)0x200000006b32, 0, 2); *(uint32_t*)0x200000006b34 = 0x40; *(uint32_t*)0x200000006b38 = 0xffff; *(uint16_t*)0x200000006b3c = 0xa; *(uint16_t*)0x200000006b3e = 0xb04b; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0c0586d, /*arg=*/0x200000006a80ul); if (res != -1) { r[23] = *(uint32_t*)0x200000006a90; r[24] = *(uint32_t*)0x200000006ac8; } break; case 29: memcpy((void*)0x2000000016c0, "\x27\xfe\x2f\xfe\x47\x40\x4c\x4a\xc0\xa1\xec\xab\x30\xbb\xcb\x86\x4e\xad\x78\xfe\xd0\xc0\xe1\x75\xac\x99\x94\xf2\x2c\x05\xa4\x71\x88\x98\x8b\x3f\xf7\xcd\xde\xc1\xf6\xf3\x9e\x60\x61\x60\xf4\xf1\x99\xd3\x74\x5e\x26\xe2\x74\x8d\x68\xe3\x5a\x99\xf1\xbc\x4a\xc3\x20\x84\x63\x4f\x2c\x0b\xa5\xd1\xe0\x00\x0e\x2d\x5b\xee\x77\x7a\x2a\xb5\x09\xe7\xc9\x4c\x43\xf2\x97\xb8\x25\x93\x43\x78\xff\xa3\xbb\x79\x42\x25\x6f\xc5\x2a\x69\xe2\x38\x20\xcd\x52\x0e\x75\x59\xed\x9a\x31\xa9\x54\xdf\x95\x5d\xe5\xbc\x7c\x18\x55\xd9\x74\xb9\x5f\xf0\x0a\x84\xdc\x2d\x9a\xd6\x79\x64\x33\x44\x34\xd5\x28\xbc\xe5\x93\x48\x08\xb4\x8f\x8e\x25\x1a\x17\x9e\xb4\x7d\xee\x2a\x10\x8b\x50\x09\x2f\x55\x98\x16\x13\x6c\xff\xe9\xbd\x6e\x0a\x34\x00\x4e\x62\xd5\x0f\x73\xc1\x4b\x23\xce\x17\x51\x8f\x95\x4c\x4b\xc6\x1e\x61\x75\x75\x6c\x12\x04\xe2\xf2\x7c\x18\x2b\x9e\x3a\x7e\x3b\x82\x3d\xc2\xd2\x10\xe5\x23\x2c\x7a\xd0\xe8\xd8\xe0\x49\xf0\xe9\x20\x60\xb6\x20\x49\x9b\x0b\x8f\x4b\x4b\x97\x1d\x29\xa9\x7a\xe9\x4c\xe3\xce\xa6\xfb\x4e\x42\x96\xf7\x2e\x3d\xea\xbf\xf
5\x62\xe7\x92\x43\x93\x3c\xfc\x53\x00\xe3\xc4\x1c\x6a\xb9\xc0\x55\x9a\xe2\x4b\x21\xce\x45\xbc\x69\xb7\xa1\xeb\x56\xc0\x8b\x82\x2b\xa1\x0f\xbc\xb0\xbd\x23\x8f\x6f\xcd\x60\xed\x24\x09\x2b\x3f\x47\xf1\x90\x0e\x3d\x33\x73\x37\x96\x49\xda\xa3\x95\x9b\xcb\x31\x9d\x7a\x74\xab\x3e\x62\xbb\x5f\xbd\xfa\x42\xf9\xd3\xb3\xe7\x34\x0e\xfd\x12\xd9\xdb\x73\x8b\x9a\x7a\x58\x1d\x91\x4f\x4d\xeb\x34\x00\x5a\xac\xae\xe8\x65\xdd\x59\x5a\xd5\xf0\x07\xc4\x8b\x51\x68\xe6\x99\xe5\x2d\xec\xc6\x66\x50\x9f\x0b\xac\x51\x6d\x5d\x8b\x1e\xcc\x1c\x99\xe6\x01\xb8\xf8\x5a\xf1\xc6\x76\x23\xfd\x2c\xff\x7b\x88\x38\x41\xae\xcd\xdf\x3a\x85\x23\x99\x80\xd3\xea\x2a\xe6\x37\x8d\x59\xcc\x24\x2b\x2a\xbc\xda\x91\xe9\x18\x48\x7c\xfe\xa0\x37\x83\x90\x17\xee\xfb\xed\x85\xe0\xde\x24\x14\x8b\x3c\x67\xec\xad\xc8\xbb\xe5\x1f\xfd\xd0\x69\x6a\x55\xd8\xff\x21\x52\x31\x78\xa6\x82\x9e\xc4\xd3\xf2\x59\x77\x43\x3b\x85\xe9\x23\x8f\xe5\xd8\xb1\x43\x7c\x54\xa9\x33\x82\xfa\x15\x25\x49\xcf\xca\x4e\x47\x00\x70\x5f\x3c\xe5\xa2\x60\xa4\xb9\x43\xdd\x3e\x53\x2c\xc1\x96\xc8\x12\x95\x18\x22\x55\x66\xe9\x3e\x29\xa8\xc6\xf0\x2f\x05\x4a\x94\xee\x5f\xe2\x1e\x5a\xd5\xbf\x55\xdd\x7f\xde\x9a\xc6\x41\xf3\x47\xa9\x92\xe8\x19\x7f\xe5\xfc\x4b\x9c\x65\xef\x4d\x68\x79\x21\xdf\xf0\xf6\xcb\x82\xa3\xa9\x6f\x6d\xf1\xcf\xae\xdf\xfc\xed\x7c\xb0\x6b\x21\xde\x9b\x83\xcd\xe5\xf9\x6b\xda\xd6\xee\x4c\x61\x7b\x9d\xa7\x66\xcc\x44\x37\x12\xf8\x4e\xf7\xc3\x87\x08\x07\x0b\xd1\x9d\xb9\x0a\xbe\x25\x10\x09\xd9\xbb\xcc\xe7\xc4\x19\xbf\x7e\xfa\x7e\xa7\x00\x86\xa9\x5a\x27\xe7\x35\x9d\x3b\xcf\x81\x89\x9b\xb6\xb7\x56\x0c\x58\x22\x7d\xb9\x2b\xbe\x34\x2e\x60\x01\x9f\xf0\xcd\xbe\xec\x13\xbd\xb5\x6c\x5b\x5f\xdf\xdb\xce\x7e\x2f\x5a\x7d\x97\x1d\xbb\xc6\x4c\x59\xc5\x11\x1d\x0b\x45\x2a\xf5\x79\x80\xe2\x17\x85\xd5\xaf\x08\x84\x82\x2d\x12\xf4\x08\x1e\x83\x81\xd1\x6e\x0f\x41\x19\x36\x27\x4b\x90\x30\x21\x5c\x4b\x0b\x47\x07\x4d\xab\x09\xb9\xfa\x23\x22\xa8\x80\x50\xa6\x24\x48\xff\xb2\xbd\xbb\x9d\x6b\x87\x52\x1b\x3b\xfe\xb5\xde\x77\x36\xa4\xde\x11\xff\x4e\x56\xd4\x1a\xae\xd9\x00\x61\xe8\xf
1\x3c\x37\x89\xa4\x4a\x63\xe7\x69\x02\xc4\xee\x9b\x6f\xc7\x35\xab\x8f\xf9\x52\x5a\xf0\xab\x52\x16\x7e\x04\xd3\x47\x96\x67\x85\x2b\x75\x5d\x00\x74\xcc\x95\x07\x80\x94\xdf\xe0\x39\x26\x00\x7f\xcf\x4b\x2b\x68\xe2\x62\xd1\x17\xdf\x6c\x91\x81\x27\xcd\x6a\x56\x42\xb8\x0c\x30\xbf\x91\x6a\x1e\x51\x52\x02\x29\xe1\xe0\xec\xe3\x5a\xc9\xb9\x09\xfd\x5f\xf9\x2b\x93\x0a\xa5\x5a\xe6\x0a\x2a\x7f\x52\x74\xe0\x47\xae\x70\xcd\x1d\x89\x4c\x3a\x93\x09\x4d\x5e\x88\xca\x4f\xf4\xa1\xf7\xa7\x4c\x25\x72\xc5\x91\xf2\x54\xec\x09\x46\xde\x4f\x96\x24\x83\x88\xb0\x6f\x7f\x0a\x7d\xaa\x49\x0f\x43\x59\x18\x4a\x76\xa5\x6a\x9b\xbc\xa5\x93\xc6\xf6\xfe\x47\x9c\x67\x5f\xb0\x2c\x63\x54\x7d\x08\x04\x96\x3b\xbb\xfe\x5c\x66\x87\x69\xf3\xcf\x16\xbe\x9c\xd5\x11\x78\x03\x0d\x64\xcc\x2b\xb9\xd8\x26\x34\x39\x9d\xb8\x85\x9e\x48\x87\xc8\xce\xce\x4c\x85\x2f\x5c\xb7\x6c\xe7\x0a\x6c\x4e\xdd\x0e\x8a\x46\x5c\xbf\x78\x27\xb2\x1b\x55\x38\x57\x97\x71\xfb\x56\xb7\x99\x74\xaa\x36\x28\x85\x16\xbd\x08\xa9\x39\x49\x00\x16\x0f\x75\xd6\xbb\xe8\x9d\xe7\x0f\x8b\x5c\xea\xcc\x94\x19\xfc\x5a\x3d\x5e\xe5\xea\x78\x3d\x0c\xa8\x08\xa6\x24\x8c\x13\xad\x17\xc8\x73\xbc\x93\xe0\xe5\x0a\x39\x48\x7f\xb2\x5e\xc3\x23\x30\x70\xd7\x77\x6e\x7c\xe8\xba\x02\x2c\xcd\x8e\x2d\xb5\x64\x55\x94\xe0\xb2\xd8\x74\xed\xe7\x39\xf9\x3b\x61\x7f\xfe\xfa\xf3\xd8\x46\x8e\x66\xee\xcc\x85\x61\xfd\xb8\x1d\xd4\xfe\x7c\x77\x9d\xd9\x3c\xce\x31\x7a\x8f\x5c\xb8\x65\x51\xc2\x61\x66\xc7\x82\x4c\x87\x14\x0d\x96\x47\x50\x8c\xbb\xc1\x5c\x1d\x3b\x72\x08\x60\x91\x68\x90\x9e\x89\x0e\x9e\x9f\xd2\x67\x1d\x3a\x9a\x75\x27\xa7\x34\x47\x1f\x2c\x74\x80\x92\x6d\x8d\x18\xba\x6e\x24\xda\x6d\x6c\xee\x42\x2a\xeb\xfb\x14\xd1\xf1\x2a\x91\x5f\xfb\x73\x75\xcc\xb3\xec\xc9\x86\x3c\x45\x53\x4a\x97\xa9\x22\x43\x32\x17\xdd\xe2\x20\x35\x45\xaa\x98\x3e\x2a\x6c\x54\x65\x11\xd8\x62\x64\x28\xaa\xbe\x7c\xec\x1d\x0e\x81\x24\xde\x19\x83\xd5\xab\x1e\xd6\xe9\xde\xe8\x2f\x0d\xf4\x69\x9f\x4a\xb7\x07\x06\xc3\x4c\x75\x4d\x0c\xd8\xb6\xde\x54\x1c\xa8\xa7\x1d\x5f\x98\x25\xfc\x13\x15\x84\x80\xd5\x98\x0e\x64\x15\xcc\xa0\x5
c\x57\x57\x89\x41\x69\x22\x3b\x43\xcc\x29\x63\x09\x18\x24\xcf\x95\x3f\xcf\x54\x53\x05\x58\xad\x5c\xe4\x22\xfc\xe9\x9f\x5f\x26\x50\xb7\xde\xc7\x02\xfe\x12\xbb\xb0\x8c\x28\x51\x9f\x08\xb6\x35\x4c\xf5\x8d\x01\xf0\x27\x23\x70\x70\xcb\x43\x8f\xe4\x80\x7b\x7b\x1f\x7e\xbc\x27\xf2\x74\xfd\x50\xef\x37\xad\x06\x0a\x7a\xdc\xdf\x65\x96\x2f\x8a\x52\xc0\x4b\x56\x9d\x7d\xb3\xd8\x6a\x0f\xeb\x6c\x78\xed\x1a\xdb\x36\x18\x66\xf7\xd5\x60\x65\x69\xd9\x10\xc6\x72\x7c\xdd\x76\xc6\xbb\x2a\x40\x5e\xd1\x2d\xfc\x2e\xdc\x81\x66\x67\x87\xf3\xa3\xa2\x39\xc6\x2f\x65\xd2\xd9\x8d\x8b\x07\xc5\x91\x13\x55\xa3\xa6\x20\x66\x46\xfe\x74\xc0\x75\xa6\x77\x80\x72\x87\x0f\xd6\x52\xaa\x4d\xf9\xaa\x3b\x96\xf1\x45\xc3\xaf\xa7\x4f\x5a\xaa\x8d\x7f\xf0\x42\x7c\x93\x89\xdd\x54\x62\xaf\x0e\xb6\x82\x8f\x3a\xa5\x4c\x75\x2b\xb4\xc8\x9d\x18\x21\x07\x61\x72\xa9\x25\xf1\x46\xae\xf7\x89\xde\xb1\x4c\x6b\x6c\xb2\x87\x33\x88\xcb\xe0\xbe\x06\x28\x71\x04\x8c\x49\x67\x9d\x72\xc3\xf3\x25\xc7\x7e\xa3\x19\xed\x28\xfa\x27\x86\x10\x40\xf6\xbe\x5d\x4f\x32\xcf\x29\xca\xc1\x12\x43\xda\x04\x2b\xec\xf2\x12\x5d\x21\xe7\x35\x49\x3a\xc7\x69\x4a\xa9\x61\xee\x92\x44\x3f\xc5\x88\xc2\xad\xc0\xf9\x7a\xc7\xb5\xfa\xe1\x0d\x43\xdd\xb8\x1f\x31\x12\x85\x82\x18\x5b\x9a\xa1\x24\xfe\x6e\xd7\x80\xac\x95\x4f\x84\x42\x17\x67\xf9\x0f\x5c\x0b\x56\x94\x43\xd6\x3b\xea\xc0\x68\x4e\xd6\x8b\xc5\x03\x9a\x27\x56\x7b\xd2\x33\xb8\xf2\x67\x5e\x1a\xfa\x14\x0d\xf8\xe1\xe6\x4f\x0a\x90\xec\x55\x3b\x52\x17\x27\x39\xd0\xd6\xb3\x88\x49\x47\xf2\x66\x69\x29\xcb\x5d\xd7\x93\x19\x42\xc0\x6e\x9d\xf9\xec\x79\x17\xf1\xd9\x3a\x2f\x0f\xbe\x5c\xd0\xf5\x73\xc0\x10\x2f\xf0\x20\x5e\x4d\x59\xdd\xd6\x03\xdb\x5d\xa5\x66\x94\xbd\x92\x87\x3e\xe2\x1f\xe7\x78\x6a\x87\x42\x8b\xdf\x19\xa1\xa8\x7d\x72\xba\x69\x7f\xbe\x0e\xd9\x75\xdb\x5b\xb3\xa7\x05\x17\x7f\x3a\x13\x69\xe2\x9d\xec\x75\x81\xd4\x3a\xea\x38\x55\x94\x3f\xf4\xef\xa4\xd7\xaf\x36\x22\xc3\x19\xd7\x8b\x31\x08\x37\x88\xd2\x03\x10\x20\x82\x99\xca\x03\x47\xaf\xff\xe5\x4e\xca\xf1\xfb\xec\xe6\xe0\x93\x5a\xbc\x7a\xa8\xf8\x55\x3f\x99\x96\xff\x1d\x4
6\xb8\x8b\x78\xdf\x2f\xe2\x67\xf1\x69\x9f\x2e\xbf\x19\x25\xb8\xe5\x0c\xb4\x6c\x8a\x10\x3c\xfb\x55\x65\x10\x15\x5d\xdb\x84\x27\x6e\x1e\x0a\xef\x3f\x41\x1c\x7a\xf3\xd2\x05\x93\xb6\xfe\xc7\x00\x6a\xa7\xa4\xee\x33\x80\x2a\xad\x16\x89\x49\xda\xd9\xfa\x91\x18\x88\xd7\xf6\x1b\xf1\x6d\xb2\x26\x50\x03\x41\x6f\xb5\x76\xde\x44\xf8\x0b\x9c\x90\x1a\xce\x45\x4d\x2b\x04\xb3\x74\xf3\xdc\xfc\x38\xfd\xd6\xed\xcf\xab\x24\xd3\x67\xaf\xf3\xf6\xd8\x29\x8a\x41\x33\xd0\x81\x56\x3d\xe1\x36\x5b\xea\xff\x74\xda\x25\x2b\x24\x8f\xa6\x1d\x80\xe7\x2c\xbb\xd5\x85\x33\xe7\x51\x8d\xba\xe1\xa9\x25\xd9\x91\x2b\xfe\x70\xfb\xc6\x4b\x8c\x81\xce\x26\x25\x30\xbd\x11\xae\x83\xf3\x66\xe3\x8c\x53\xbf\xd5\xa0\xda\xc9\x78\x5b\x92\x2b\xcd\xd1\xa3\xb6\x83\xf4\x3f\x8d\x48\x5d\xfc\xc6\xdd\x00\xb6\xcd\xde\xa0\x64\xf8\x46\xfb\x26\x93\xd4\x8f\xa9\x7b\x52\x63\xf5\x37\xea\xbf\x6c\x0e\x54\x9a\x78\xd2\xbc\xad\xb2\xe8\xfd\xb2\xb1\xb0\xf4\x7f\xd4\x9d\xc6\x1c\xa1\x05\x8b\xb8\x88\x2a\xa1\xca\x2e\xd3\x41\xfe\xb7\x37\xd5\xea\xae\x0e\xa0\x8f\x94\x5a\x04\xa3\x8b\x6e\x31\x37\xf9\x61\xa7\x56\x3a\xd1\x3c\xec\x30\x07\x2b\x91\x43\xe4\xf9\xc7\x82\x4e\x7c\xbd\xa2\xdf\x89\xb7\x4c\x14\x2d\xad\xaf\x5c\xa2\x4b\x6f\xe9\x09\xce\x3a\x1f\xf3\x7e\xe5\xa0\xb6\x61\xd3\x07\x39\xef\x0c\x37\x2c\xf7\xa1\xb4\xc6\xa0\xe5\x19\xb4\x8b\x40\xdc\x79\x4c\xd6\x13\x56\x75\x66\x09\xf6\x8d\xd5\x8f\x72\x4b\xdd\x86\xdb\x7f\x26\x49\xb9\x0e\x16\x35\x30\xca\x69\xf0\x69\x6a\xdd\xfc\xef\x84\xef\xc9\xf9\xe0\x4d\x9d\x6e\x18\xed\x17\xf7\x4f\xf8\x07\xe9\x2b\x0f\x33\x0f\xb6\xe0\x6e\x0e\x2f\x19\x3e\xa0\x3a\x18\x1c\x86\x73\x95\x0a\x19\xeb\xa2\x2f\xd6\xb1\xb5\x6e\xbb\x33\x6e\x02\x48\xc6\x4f\x93\x6c\xaf\xd3\x31\x1f\xd5\x0c\x50\xfc\x91\x61\x56\xbb\x28\x15\x6d\x15\xd7\xf4\xd5\xa7\x98\xd8\x62\x6a\xfc\x6b\xa7\xd2\x17\xd2\xc9\xf1\xa9\x8f\xed\xe6\x2b\x1b\xac\xfc\x31\x4d\xfa\x89\xe8\xcb\xb8\xc3\x7b\xd5\x26\xdd\x53\xed\xe8\x1b\x19\x53\xce\xf5\x17\x70\x3b\xab\xce\x44\x6e\x86\x3b\xf9\xd2\x46\xb0\x3b\x88\x50\x2c\x7f\xdb\xac\x4d\x87\xf1\xea\xad\x86\xed\x17\x0d\x71\x0d\x81\xea\xf3\x95\xae\xf
6\x0d\xc1\x64\xd9\x11\x66\x01\xa5\xa5\x8c\x79\xa8\x92\x75\xc9\x5d\x28\x91\x2e\x87\x08\xfe\xe2\x47\x2e\x6b\x87\xd2\xe0\x77\xd3\x62\xc0\xba\x8f\x4b\xc6\xa5\xe3\x87\x45\xea\xe9\x10\x46\xbc\x61\xe6\xa0\x40\xcb\xfe\x38\x20\x4f\x17\xe6\x04\xf0\xe1\x40\x5e\x8e\xe0\x7d\x71\x41\xb6\x98\xbc\x2b\xe7\x69\x0a\x8f\x0b\xf3\x1d\x58\xae\x90\x6c\xb7\x0e\x4f\xe5\xfe\x03\x56\x31\xd7\x65\x33\xb7\xa7\xb0\x32\xe1\xb1\xee\xe2\x14\x28\x08\x4a\xfb\xcc\x93\x0a\x9f\x28\xe9\xf1\x7e\x26\x9a\x69\x97\xaf\x83\x8f\x95\xe2\xfb\x39\x5b\x54\x0a\x1d\x49\xf3\xd4\x29\x02\x74\xd2\xd3\x1f\x76\x08\x35\xff\x73\x51\xd2\x5b\x62\xe1\x35\xad\xf5\x9e\x01\x18\x87\x2d\x17\x84\x3d\x99\x15\x4f\x46\x60\xfa\x8f\x48\xb6\xc4\x86\x8b\x1f\xbc\x6b\x84\xda\x61\xf9\x81\x23\x16\x7b\x06\x73\x70\xa5\x4f\xc6\xc5\xa6\x88\xe3\x1d\x42\x01\xac\x4c\x4d\x56\x46\xf9\xa4\xa4\xa8\x04\xa1\x75\x16\x7c\xf7\x9d\xda\x22\xf4\xd6\x86\x72\x81\xcb\x0b\x3e\x09\x99\xfa\xd7\xbf\x26\x51\x2d\x13\x14\x40\xa8\xf9\xec\x75\xfe\x9d\xf6\x80\x54\x78\x55\xd8\xc9\xb3\xb3\xf0\xd5\x14\x19\x7c\x2a\xf0\xd6\x72\x99\x13\x73\xb8\xd4\xac\x1d\xd5\x1e\x1f\x90\x74\x50\xd6\x21\x01\xb5\xe2\x61\x3e\xa2\x89\xc1\x94\xd0\x73\x5e\x1c\x5e\x16\x69\x09\xeb\x71\xee\x2a\x4e\xe5\xff\x99\x14\x0c\x0b\xec\xca\x26\x72\xfa\xf6\x94\x49\x38\xc6\x18\x09\xd8\xbf\x2f\xaa\x56\x1f\x9b\x56\xda\xb8\x5d\xed\x7e\xe7\x35\xd3\x00\xc8\xda\x84\xc5\x7f\x06\x7b\x2f\xe5\x09\x29\xca\xe1\x39\x87\x5a\xbb\xab\x08\x47\x42\xc9\x07\x06\xbc\x31\xfc\x4c\x68\x53\x88\x89\x71\x87\x69\xd1\xc6\xda\x0e\xe1\x82\x6e\xcd\xe1\xf6\x0e\xa6\x6c\xed\x44\xc2\x4f\xe2\x87\x5d\xcb\xc8\x7a\x35\x72\xaf\x96\x45\x5e\xdf\x31\xe0\x51\xe5\x42\x2a\x8e\x29\x10\xc7\xd9\x75\xdf\x64\x48\xda\x0c\x0f\x83\x3f\x61\xf7\x15\x05\x98\xfb\x47\xfa\xe9\x38\x35\x7a\x7b\x64\x5e\x40\x6d\xf9\xa4\xa3\x0c\xdd\x1c\xef\x6d\xdb\x26\x3c\x9f\x06\xb2\x68\x76\x7a\x9a\x0f\x92\xc4\xea\x13\x80\xe5\xe3\x6f\x5f\x2a\x3e\x90\xbf\x87\xd6\x81\x8c\x5a\xef\xc3\x43\x9c\x4f\x4d\xe2\xcf\xb4\xdb\x14\x57\x56\x84\x8b\x27\xb6\x18\xc2\x2f\xee\xa3\xf9\xf4\x60\x15\x57\xf5\x3c\x2a\xae\x71\xd
b\xc0\xe9\x46\x82\x43\xf1\xbf\x3b\x08\x6b\x4d\xca\xb2\x73\x4d\x61\x28\xc5\x44\x15\x46\x90\x3d\x2f\xea\x40\xc7\xca\x48\x40\xac\x4b\x1b\x3e\xa8\x89\x7c\xf0\x37\x62\x3e\x42\x7f\xb1\xef\x9c\x0e\x7d\xeb\x9e\xba\x0f\x8e\x5a\x5b\x29\xd4\x22\x92\x3f\x2f\xc8\xc5\xdc\x13\x69\xfe\x52\x67\x09\x24\x7c\x27\x76\xf5\xb7\x68\x7c\xcf\x42\x0b\x0d\xc8\x44\x61\x10\x5c\x2a\x31\xcc\xe9\xde\xcc\xa3\x0b\x74\x6b\xfe\x43\x44\x0d\x49\xc4\x77\x5a\x2d\xfc\x88\xf0\x49\xe2\x3a\x30\xe2\xde\x2c\xe6\x34\x54\x9b\xbc\x0c\x26\x30\x97\xeb\xb8\x04\x4b\x4b\x9b\xb6\xf5\xf9\x5a\x4a\x49\x9a\x3d\xce\x9c\x11\xb9\x94\x87\xd9\x96\xeb\x57\xd6\x54\x09\x0b\x43\x6d\xfe\x0b\x94\x79\x6e\x93\xfe\xae\x2b\x63\xd0\x13\x20\xaf\x73\x23\xa8\x00\x6b\xc7\x5f\x95\xa0\xc6\xce\x53\x69\x18\x02\xa0\x97\x10\x88\x81\xbd\xa6\x4a\x2c\xf8\xed\x8f\x67\x52\xe1\x98\x15\xe7\x1e\x2b\x85\x54\xfa\xc0\x30\x18\x75\x26\x21\x09\x33\x11\x51\x91\x5f\x6b\x19\x36\x2c\x2d\x82\xc3\x04\x74\x78\x52\x5a\x64\x9a\xe4\xc9\xa4\x1f\x75\x60\x83\xf1\x38\x15\x6f\x6e\xc4\xea\x04\xb4\x4f\x65\x2a\xb1\xe6\x6c\x5c\x63\x0e\x61\x30\x06\x2a\x26\x0b\xe5\x53\xf1\x0b\x8b\x70\x0e\x6c\x6b\x08\x9f\x0b\x09\xce\x11\x7c\xa7\x8d\x45\xae\xc4\x33\x97\x64\xdc\x2e\x39\xb5\xbb\x95\x56\x02\xd5\x73\x23\xe4\x0d\x49\xec\xf8\x98\x71\x84\xa1\x2d\x21\x99\x3c\x03\xb4\x58\xfc\xa9\x8c\x77\x30\x71\xc2\x24\x2d\x90\x59\x65\x99\x33\x6e\x1c\x69\xff\x55\x1a\xf3\xef\x27\xaa\xa7\x4c\x54\x7f\x23\x1a\x1e\xf6\x4a\x2f\xbe\x54\x98\xf5\xbf\xfd\x9e\x59\x7b\x8d\x87\x1a\x07\x3e\x82\xf1\x3f\x5b\xdf\x21\x89\xd3\x61\x64\x9d\xbe\x14\x4e\x7c\x2f\xb2\x6a\x51\x88\x84\xc4\xf2\x76\xaf\xa0\x44\x50\xb3\xb1\x26\x15\x11\xa1\x86\x15\x07\xe9\x4b\xe4\xb0\xc3\x01\xe6\x24\x71\xbb\x95\x33\x63\xe5\x4a\x80\xac\x90\xb2\x55\x1b\x01\x2d\x74\xa5\x62\x1e\x26\x5b\xf9\x12\x60\xa4\x67\xfe\x76\x06\xe7\x95\x92\x27\x2a\xa2\x08\xb1\x29\x35\xa8\x99\x1d\xfb\x81\x7a\x5c\xb0\x5a\xcb\xa7\x9d\xcc\xb9\x7d\x0a\x0f\x9e\xb5\x82\x5e\x16\xd1\x24\xa7\x72\x24\xc9\xa0\x9a\x53\x35\xf1\xce\xd7\x85\x63\x6a\xe3\x58\x15\x98\xaf\x5c\x28\xe5\x4e\xa8\xdc\xc4\xc7\x22\xe
4\xa6\x58\xa3\x3f\xa7\xc4\x73\xf3\xb5\xe7\x4e\xd5\x62\x56\x80\xf0\x7c\x7d\x47\x29\x66\xab\x64\x6a\xc3\xac\x2d\x67\x46\x9c\x43\xdb\xab\x6b\x88\x67\x79\xde\xf7\x94\x17\x69\x8c\xfe\xd9\x47\x2f\xdc\xab\x0f\x80\x79\xf2\x21\x28\x54\x41\x88\x1e\xaa\xe4\xc2\x11\xa8\x14\xe6\xd4\xe6\xc2\x5d\x49\xa5\x70\x67\x38\xb0\x3b\x35\xc0\xd2\x84\xfc\xd6\x75\x50\x5b\x0a\xdc\x88\xd0\x43\x90\xf3\xa1\xb0\xc8\x27\x85\xba\x7b\xf0\x29\xaa\x46\x18\x71\x31\xdb\xdc\x36\xaa\xed\x98\x0b\x90\x88\x8e\x67\xe8\xa8\xbe\x7c\x1f\x7c\x5e\x3a\xd4\x44\x2e\x97\xaa\x77\xc7\xe1\xd2\x86\xc2\x9d\x8b\x76\x1e\xc9\x12\x50\x52\x9b\xff\xfc\x56\xce\x2d\x1f\x4e\x79\xcf\x74\x23\x7f\x02\x05\x0a\xfb\x6e\x25\xd5\x43\x65\x45\xda\x66\x62\x29\x70\xe8\x9e\x4c\xb9\xe7\x7e\x0e\x9a\x66\x72\xfe\xb0\x33\x28\x56\x8d\x75\xd5\x14\x65\x77\x2b\x5e\x40\x8e\x40\xeb\xc9\x67\x6e\x7e\x5e\xe7\xab\x0c\xbf\xca\x5f\xf0\xc0\x23\xb3\x93\x52\x94\x64\x66\x8b\x77\x4a\xe1\xb5\xce\xf7\x6d\x67\xf1\xd7\x35\xb8\x72\x81\x55\x5b\x39\x6c\x78\x58\x70\x1c\x6d\x42\xb0\xf3\x65\xb2\x53\xe7\xbc\xcb\x64\xc2\xdc\x39\xbf\xed\x64\x59\x06\xae\x68\xbc\x5e\xbc\x3c\xda\x73\xf3\x86\xb4\xb9\x79\x53\xb3\xca\x6c\x73\x5f\x7c\x47\xe4\x76\x29\x25\xd3\x59\x94\x80\xe7\xc1\x76\x33\xe5\x27\x6a\xf7\x5a\x60\x33\x2b\xab\x2d\x8c\x03\x9e\x4f\x98\x0a\x7d\xe8\x12\x29\xbd\x17\x4f\x6e\x50\xe5\xde\x20\xd2\x0b\x51\x8c\x41\x8b\x6e\xb6\xa0\x6e\xe9\x37\x89\xfb\x6f\x4a\x6e\xcb\x8b\x01\x69\x1a\xd1\xeb\x2a\xe9\x51\xa4\x2f\x97\x6e\x01\x8a\xc4\xb5\x85\xbb\xc3\xf4\x2d\xa7\x9e\x55\xd1\xb7\xf2\x4e\x90\x9f\xce\xe2\x34\x36\xb7\x27\xdd\x9c\xe4\x7b\x41\xb3\xbc\xaa\x88\x37\x15\xd3\x16\xac\xdc\x55\xe0\xfc\xab\x97\xef\x90\xda\x85\x9a\x80\xeb\xeb\xc6\xdf\xd0\xaf\x95\x24\xe8\xa3\x6b\x3f\x71\xeb\xd7\x03\xb0\xaf\xcb\xd7\xac\xc6\xaa\x41\x36\x48\xad\x93\x5e\x70\x94\xa2\x93\xf1\xad\x65\x9b\xf5\x59\x51\x51\x1b\x8f\xea\xa0\x39\x0b\x98\x2c\x91\xb1\xa1\xbc\x04\xcb\x1e\x15\x8b\x13\x2e\x8f\xf2\xfe\x46\x66\x7f\x10\x31\x2a\x25\x46\x8f\x07\x32\x48\x10\xa9\x7d\xdf\xad\x6d\xf0\xd6\x1e\xe5\xdb\x19\x29\x58\x02\x27\xea\x26\x06\x82\xa
8\x93\x7d\x03\x79\xbb\xcd\x79\x6a\xa1\x3f\xe9\x2f\x79\x3e\x95\x8d\x28\xd8\xe4\x56\x4b\xfd\xd4\x94\x4d\x7e\xba\xdd\xdd\x67\x33\x92\xc6\x77\x2d\x09\x61\xce\xbe\x60\xa3\xd9\xe9\xf9\x6e\x4a\x4c\xa0\x7e\x55\xd3\x1e\x9d\x94\x25\xe0\x01\x71\xab\xa0\x2f\x0a\xef\x4b\x8f\x5e\x43\xec\x62\x32\x7a\x95\x0f\xe2\x92\x42\x7d\x51\x34\x76\xc3\x18\x39\xa5\xd1\x1e\x03\xf7\x94\x9c\xb2\xd8\x34\x3e\xf4\xb9\x82\x68\x79\x71\x90\x34\x4a\x7a\x68\x91\xcd\xdd\xe2\x9f\xae\xf1\x33\x3f\x7f\xb7\x50\x69\xa7\x4e\x80\x6a\x41\x21\xad\xdf\x98\x68\x35\x28\x1f\x48\x68\xf1\x5c\x73\x43\xe1\x30\x7d\x23\x7b\xb5\x0a\x7e\xc6\x76\x4b\x9f\x43\x25\xb6\xe4\x13\x57\xed\xc3\x3d\x24\x7a\x58\x3e\x28\x57\x35\xfa\xff\xc5\xbe\xbc\x40\x04\x76\xaf\x6c\x5c\xdd\x34\x91\x37\x47\x08\x60\xd1\x59\xa9\x76\xef\x3c\x47\x61\x28\x5e\xbb\x8c\x53\xa7\xef\x56\x9e\xe2\xe7\x10\xd4\x18\x19\xeb\x85\xcb\x3e\x38\xc6\xd6\xcc\xd0\x35\x87\xfb\x08\x28\xf6\x31\xc1\x99\x00\x15\x3a\x6f\x1e\xdb\x81\x2a\x58\xea\xd0\x41\xc6\x3a\x6a\xc6\x28\x38\x06\xd3\xcf\xb6\x9b\x65\x59\x1a\x82\x9b\xab\xa9\x7a\x36\x7c\x9b\x0f\x24\x97\xb4\x4f\x3c\xa8\x5a\x07\x31\xe5\x94\x2b\x57\xec\xf9\xc2\xde\xe0\x1e\xf7\xea\x53\x3f\x8b\xa3\x17\xf7\x4c\x30\xf4\x9b\xd6\x94\x89\x73\x53\x61\x09\x22\x92\x20\x55\x09\xc5\x74\x20\x06\x63\xf7\x71\xcf\x4d\x1d\x48\x4f\xe5\xa9\xc4\xcd\x3b\x0c\xc4\x32\xe9\x25\xb3\x02\xfa\xb0\x57\x4b\x53\x60\x6f\x27\x77\x56\x3d\x67\x94\xfb\x5f\xe4\x87\xd5\xce\x7b\x5b\xea\xb3\x99\xbf\x77\x27\xb6\x7e\xeb\xf9\xb9\xda\xcf\x5c\x56\x78\xec\x98\x21\xa3\x4d\xc0\x30\xd0\x36\xd0\x4d\x70\x25\xed\x5b\x17\x82\x96\x5c\xf2\x62\xbb\xa0\xb3\xde\x34\x97\x4d\x1e\x77\xa6\x3e\x9b\xb5\x2d\xc6\x59\xde\x69\x0e\x47\xb3\x5f\x4b\xbc\xa6\x6f\x8d\x5e\x0a\x27\x1a\x04\xa2\x89\x43\x5f\x5d\xc9\x01\x3c\x06\x52\x63\x3d\xcc\xe4\x10\x2f\xcb\xe4\x7f\xb4\xc5\xeb\x9a\x6e\xaf\xf5\x46\x3c\x73\xc1\x1e\x37\xe8\xdf\x9d\xab\x09\x32\x33\x49\x22\xfe\xd8\x0d\x5e\x3e\xd1\x25\xdd\xe3\x76\x4f\x48\xd4\x96\xf4\xf3\xb4\x9f\x03\x22\xa9\xb9\xb9\x68\xff\x75\xef\xed\xb3\x69\xb4\xb1\xc9\xaf\xc5\xd2\x7e\x68\xd7\x6d\x17\xc2\x1
6\xc4\xfe\xd8\x2d\xc2\x48\x7a\xab\xc6\x60\xbb\x55\xb2\xee\x17\xd6\x83\x65\xda\x84\x08\xc4\x5a\xf3\x87\x83\xac\x2b\xe5\x47\x72\xbb\xea\x41\xf5\x86\x84\x56\xee\x66\xa2\x7a\x36\xbe\x49\x9a\x5e\x5d\xd3\x39\x6f\x48\x05\xe2\x2a\x2c\xdc\x22\x90\x79\xc2\xa5\x3c\x92\x99\x55\x92\x69\xed\x1c\x51\x22\x13\x54\x4f\x2b\xf3\x31\x38\x8e\x1c\xb8\x5e\x55\x50\x91\x5f\x8f\x27\xa4\x7b\xa9\xfc\x9a\x50\xce\x01\xcd\x2b\x53\xb3\x7f\x35\x79\x66\xf1\xd0\x0b\xd3\x40\xe0\x50\xc9\xd8\x4f\x29\x14\xb8\xab\xd4\x29\x48\x26\xe7\x50\x0b\x0d\xca\xe9\xcd\x4d\x28\x4d\x17\x34\x56\x53\xcc\xb4\x69\xc5\xee\x3a\x31\x05\x8e\xae\x14\xfe\xd7\x55\x85\xcd\xe2\xfd\x71\xb8\x8e\xbf\x51\x73\x59\x77\x4e\x90\x23\x46\x6e\xa5\xa4\x79\x56\xb8\x22\x56\x71\x79\x2d\xf4\x5b\x9f\x38\xb1\x0a\xb0\x3f\x9e\xde\x1d\xdb\x2e\x15\x7d\x61\xc0\x95\xd9\xb8\x2b\x97\x7c\xc0\x9d\x92\x97\x45\x56\x0f\xe8\x10\x65\x03\xff\x7d\xd2\x28\xdb\x22\xb2\x51\x77\x68\x97\xee\x15\xb1\x80\xb4\xb4\x63\x1f\x85\xec\xf6\xa6\x07\x4e\xfd\x2c\xdf\x40\xa4\x48\xda\xd6\x23\x31\xc2\x7e\xd8\xb3\x37\x7f\xde\x4b\x15\x33\x12\x6a\x4d\xc7\x08\xb7\x72\x02\xf6\xf8\xc0\x15\x96\x6e\xf7\x11\xc4\xc4\x96\xe9\x03\x4c\xf1\x5a\x33\xbc\x99\x8a\x43\x26\x5e\xdf\xe4\x36\x34\x2d\x7e\xb4\x97\x3b\xe8\xab\x0a\xe6\x71\x9a\x1a\xaa\x41\xe0\xd7\x6d\x95\x2b\x06\x80\x8d\xff\x02\xfd\x81\x60\x34\x29\xa3\x6f\xf7\x44\x0e\x0b\x21\x5d\x9e\xbc\x90\x8e\xfc\x14\x5b\x6e\x1b\x7f\xeb\x53\xbd\x5e\x17\x5c\x7d\x1a\x77\x64\xf9\x04\x07\x44\xb8\x1d\xb8\x6f\xd2\x2c\x0a\x38\xa2\xda\xf7\x44\x0b\xbf\xe8\x83\x50\x09\xd4\xae\xbb\xb1\x1a\x0e\x91\x48\xbc\x04\x95\x1f\xc0\x6e\xc1\xc2\xa2\x68\xa0\x5c\xc2\xcc\x76\x79\x1b\x82\x26\x9f\x96\x3d\x3d\x2f\x56\x4a\xe0\x37\x89\x60\x19\x40\xd5\x6f\x28\xe5\xab\x01\x52\xac\xf6\x63\xe4\x81\x19\x52\x09\xef\xc1\xa3\xa1\xb4\x72\x53\x6e\x0a\xcf\x9a\xe3\x83\xb5\x95\x1d\xfb\xb6\xbd\x4d\x1e\xb5\x55\x01\x02\xc3\xd7\xfa\x23\x65\xa3\x6f\xb7\xc5\x94\x9c\xc7\x27\xce\x57\x31\x1d\xec\x52\xa4\xc3\xb9\x1f\x0d\x5e\xc3\x67\x7c\x26\x5d\x58\x35\x53\x5f\x16\x00\x69\x85\xce\x84\x6e\xf1\x2a\x46\xcb\x86\x62\xcf\xf
8\x5a\xf2\xff\xd4\xb3\xb3\x50\x85\x70\x5d\x45\xdf\x3e\x8c\x60\xee\x49\x63\x82\x3c\xea\x99\xdd\x55\xc0\xc3\x3d\xa9\xde\x35\x4f\x70\x9f\x2a\x45\x83\x56\x13\x25\xc4\xa5\x95\x4a\x34\xe2\xab\x32\x73\x8c\x2f\x3f\xbf\xb2\x78\x6a\xa5\x78\x28\xef\x30\x91\x12\x2e\x59\x32\x05\x8c\x12\xd5\x0d\x0e\x89\xee\x5d\xc1\xe3\xee\x41\x35\xd3\x8c\x0c\x98\x4d\xaf\x39\x47\x67\x02\x72\x71\x4d\xe8\x93\x57\x20\xc1\xf3\xd3\xdd\x9f\xc5\x75\x29\xa7\x50\x13\xd8\x59\x46\x48\x42\x33\xce\x69\x25\x77\x18\xd3\xcd\x66\x7c\xd0\x88\x6d\x1f\x3c\x25\x7c\xca\xc6\xb4\x8e\xe5\xcd\xc0\x3e\xb6\xc6\xaa\x2a\x78\xd6\x8e\x2a\x9c\x22\x53\x95\x44\x50\x91\x57\x62\xf3\xf2\xfa\xde\x0a\xc7\x85\x93\xcc\x38\xe5\x5c\xef\x3b\xc0\xbf\xb9\x38\xeb\xd0\xa6\x1c\x73\x9c\x02\x4a\xdd\xaf\x44\x34\x06\xa7\xb6\x02\x63\x60\xa7\xfc\x87\xc2\x74\xa9\xbd\xcd\xb2\xeb\x5c\xf4\x70\xb5\x3f\x7f\xc1\xbd\x4e\xd0\x5c\xea\xa6\x65\x28\xce\xf7\x9e\x9d\xe7\x8d\xa4\x2b\x16\x7c\x82\xcf\x4d\xad\xca\x57\x07\xd0\xa1\x66\xb0\xf4\x1b\x7f\x7e\x34\x21\xa8\xf8\x8f\x6d\x88\xd2\x4c\xfd\x99\x81\xb5\x0b\x6c\x34\x2b\xb4\x9c\xce\x4b\x82\x3f\x3c\xfd\xb1\x7b\xba\x24\xfd\xb1\x60\x1b\xa0\x60\xa4\x79\x2c\x09\x09\xa7\xc7\xce\xbf\x0c\x33\xe8\xff\x27\xfb\x6e\x32\x7c\x88\x77\xfb\x31\xef\xd8\xbb\x0b\x9f\xca\x28\x29\xca\xc2\xc1\x43\xf4\xa5\xbd\x0a\xfb\xa4\x32\x45\x48\xaf\x32\xf0\x5f\x58\x1a\xe2\x64\xc9\xe2\x0d\x0f\x16\x04\xe1\x12\xc6\xe2\xbc\x51\x8b\x78\x09\x7c\x14\x5d\x87\x1a\x3c\x02\x87\x37\x1b\x0c\xf6\xbd\xcf\x17\x26\x63\x71\xc7\x46\x4d\x87\xa5\x5f\x52\xe0\x1e\x29\x78\x66\xd6\xd4\x98\x86\x8a\xc0\x16\x48\x24\x9c\x1e\xdd\x31\x45\x80\xbf\xc3\x58\x34\xb1\x5d\x10\x8d\xdb\xaf\x6c\xa3\x53\x6a\xa4\x31\x61\x01\x9c\x3a\xf0\xb3\x31\xd9\xd0\x71\xeb\x0a\x50\x44\x23\x55\xa2\xa2\xe1\x95\x47\x4e\x13\xb7\x97\x1d\x95\x6a\xd5\x4e\xd5\x90\xb4\x29\xd6\xa1\xec\x7e\x38\xd4\x1a\x27\x53\x6b\xbb\xfa\xda\xd1\xb3\x5f\xc8\xf8\x27\xa9\x2e\x0b\xaf\xfa\xbb\x81\x18\x16\xcf\xb4\xcd\xac\x4b\x98\xc5\xf6\xf7\x1c\xdc\xf3\x06\x49\x53\x6f\x78\x00\xeb\x6b\x7c\xee\x22\x2d\x64\x16\x5e\x0c\xa9\x50\x46\x93\xb6\xd8\x45\x9
b\xc3\x27\xe5\xda\x2e\x6f\x38\xa4\xee\x24\x72\xca\x5e\x6c\xaa\x08\x11\xd0\x42\xf8\xfb\x32\xa9\x9b\xd3\x61\x01\xcf\x19\xac\xce\xee\xd7\x3b\x44\xe3\xde\xb2\x23\xcf\x28\x2e\xcd\x4c\x43\x9f\x55\xf5\xc2\x74\xe2\xc7\x56\xc6\x7c\x23\xc0\x0e\xf7\xbf\xfa\x4b\x60\x12\xa1\x33\x4d\x0c\x97\xf8\x16\xa6\x12\x3c\xbc\xb7\x7a\xce\x8e\x7b\xe0\x51\x52\x69\x24\x86\x22\x02\x8b\x7a\x9c\x0e\x49\xf1\xc8\xdd\xe8\x66\xd3\xbb\x0c\x53\xdb\x9c\x67\xb1\x0b\x20\xd4\xbb\x26\x3f\x2c\x5a\x01\x85\xba\xcc\xfa\x7b\x8f\xe8\x25\x65\x70\x78\xfa\xba\xb0\x03\xb9\x31\x8a\x84\xf7\x65\xda\xaf\xc3\x7f\x49\x6e\xfb\xbc\xe9\xfa\x5d\x2c\x1f\x0a\x4b\x2a\xd0\xcf\x92\x69\x61\x84\x40\x71\x3b\xc3\xd9\x29\x85\xff\xbd\x6c\xc1\x9a\xfc\x86\x70\x30\x44\x37\x0e\xab\xc4\xde\x11\xf3\xbc\xbf\xb2\x21\xdd\xdc\x51\xbb\xa3\x52\xdc\x28\xfd\x49\xc0\x84\x04\x7f\xb0\xed\x8b\x97\x42\xa9\x6e\x53\xef\x4c\xcb\x94\xce\x4c\xad\x74\x6e\x9c\xae\xee\xc8\x43\xf7\x2b\x77\x9c\xc5\x8d\x25\xfe\x93\x1c\x1a\xf8\xa7\x95\xe1\x95\x68\x5c\x92\x18\x58\x03\xad\xbe\xc6\x06\x6c\xdd\xd8\x7e\x0b\x9a\x53\x80\xaf\xcd\x80\x79\x8f\x58\x08\x59\xea\xb3\x17\xcb\x27\x83\x11\x2a\xf7\xb3\x62\xa5\x9a\xe7\xa8\x24\x74\x94\x40\xe6\x66\x61\xb7\x88\xb8\x56\x05\x49\xa0\xb1\x35\x0d\xfb\x7a\x5e\x88\x92\x8d\x55\x8c\xbc\x8a\x26\xa0\xd7\x4e\x67\x63\x4e\xe9\xec\x1c\x1c\xa0\x8a\xfc\x5b\xeb\x43\xda\x65\xf4\xae\x0a\xc7\xeb\x25\x74\x42\xc9\x99\x0e\xdc\xf9\x3b\x1d\xad\xfe\xa9\x0b\xc2\x92\xbb\xf1\xd8\x23\xc6\x1e\xe9\x69\x24\x9f\x67\xbe\x07\xd7\x0d\xf8\xaf\xc7\xc3\xe5\xbf\x14\x5f\x28\xa2\xd0\x6c\x88\x0e\xff\x9a\x18\x11\x27\xc1\x34\x60\xa0\x6b\x36\x64\xa9\x4c\x88\x8b\x07\xaf\x77\xe8\x4d\x60\xde\xab\x76\x42\x28\xff\xea\x21\x63\x3f\x02\x04\xa5\xd7\xec\x4a\x0b\x30\x3f\xb0\x8f\xb7\x67\x28\xc4\x3d\x90\x73\x80\x01\x83\xc8\xb9\x9e\x22\xd6\x05\xa5\xe6\x39\x9c\x04\x9f\x7f\x88\x7c\xb9\xd7\xfb\xa9\x4d\xb3\x23\x08\x4b\xf9\x4d\xf5\x44\xf6\xce\x2d\xd4\x9a\x21\xd2\xca\xb5\x4d\xf0\x43\x97\x48\x2a\x64\xd2\x90\x0b\xb4\x0f\xa8\x7f\x42\xec\x75\xd6\x8b\xab\x17\x71\x4a\x93\x4b\xcd\xf3\x6f\x87\x07\x4f\x60\x28\xf9\xd
6\x1a\x00\xad\xff\xc0\x6d\x62\x4b\xc6\x42\x97\x05\x96\x82\xcc\x8a\xdc\x7e\x2f\xb2\x10\xbd\x22\xfb\xd4\xad\x3d\x35\x15\xf7\x1b\x93\x31\x26\x75\x9e\xc4\xc0\x01\xed\x5c\xdb\xac\xe7\xcc\xe4\x31\x9b\x7a\xb5\x0f\xfc\x8f\x2f\x8f\x1b\xb8\x1a\xc0\x7f\x81\xdf\xff\x33\x54\x50\xac\xf0\x8e\x13\x91\x2d\x3c\x5f\x3a\xa1\x25\x81\x81\x1e\xbd\xb4\x41\x6e\xad\xa2\x59\x65\x1c\x07\x0b\x06\xea\x7e\x18\xa8\xf0\xc4\x00\x57\x5a\x0e\x7f\xdc\x4c\x88\x64\x5d\x35\xc2\xd3\x6a\x8c\xe6\xa2\x97\x2f\x35\x5d\x1a\x5d\x83\x2c\xd7\xef\x2c\x61\x1f\xd1\x10\x59\xda\x39\x0e\xc8\xc8\x74\x91\xd4\x96\x4f\xa4\x0b\x80\x83\x90\x57\x36\x2e\x67\x64\x55\xc7\x17\x2a\x23\x15\x4e\xfe\xba\x6f\xc9\xab\x4c\x15\xa7\x37\xe2\x99\xc1\xf1\x4d\xaa\x8f\x34\x97\xe3\x37\x0a\x52\x3e\xc1\x5c\x52\xba\xd9\x87\x10\x90\x03\xf8\xdc\xee\x4a\xc6\xc9\x0b\x0f\x8e\x4b\x74\x91\x97\x87\x88\xa9\xc1\xb2\x3a\x14\x39\x6b\x50\x8a\xa9\x51\x75\xfe\x3b\xd6\xa8\xb4\xa9\xc2\x17\xf4\xc9\x84\x2c\x1c\x33\x9d\x4d\x95\xdb\x83\xce\x6e\x7e\x7a\xc8\x8e\xae\x04\x13\x96\x10\x55\x22\x0b\x65\x69\x3d\x49\xa2\xf6\x96\xf6\x41\x42\x19\x25\xb4\x2f\x77\xb0\xf9\x43\x12\x39\x52\x7f\xd6\xd8\x6d\x6f\x9a\xbd\xf3\xd2\x7c\x0a\x79\xa6\xb0\x5a\x61\xdd\x7d\x99\x3d\xe2\xd4\xee\x99\x73\xb7\x78\xff\x19\x5d\x12\x40\xdb\x18\x36\xa5\x25\x8b\x4f\x57\x44\x97\xca\x2f\x9b\x34\x97\x78\x00\xe7\x28\x29\x7d\x98\x3e\x1e\x58\x5f\xaf\x45\x38\x1b\x47\x6d\x25\x31\xe8\x6c\xc6\xe8\x35\xa9\x72\xc3\xa5\xbb\xcc\xba\x7d\x85\x2e\xdc\x83\xbb\xad\x4c\x85\x20\x64\x00\x70\x87\xbb\xd3\x6b\xf8\xa8\x00\xf9\x1e\xea\x0a\x72\xd9\xa7\x5f\x5d\xb3\x5b\x10\x98\x68\x6d\x51\x34\x0a\x17\x2c\x70\x1b\xc4\x7b\x14\x0c\xe5\x2e\xf4\x75\x02\xd0\x07\x1e\x54\x55\x97\x97\x5a\x55\xca\x1e\x91\x21\x76\x45\xe3\xcf\xeb\xf4\xa6\x20\x1a\x84\x81\xf6\x51\x13\x86\x0f\x59\x28\x63\xaf\x1d\xd4\x73\x38\x3b\x1b\x79\xab\x32\xcf\xcd\x46\xe6\xac\xe2\x95\x8d\x42\xcc\xe5\xf9\xb2\x34\x76\x81\xf7\x70\x7a\xb4\xa3\x5f\x9a\xf5\x21\xd4\xc1\xba\xd7\x51\x30\x33\xa5\xf7\xaf\x2b\x7a\x2d\x3a\x49\x14\xd3\x84\x62\xb1\x6b\x85\xd6\x9f\xa6\x0c\x0c\x5e\xf5\x4b\xa2\xfb\x7
8\xfb\x15\x6a\x94\x7c\xf8\x0b\x1d\xac\xcd\x58\x9f\xdd\x07\x91\xb3\xa9\xeb\x83\x5b\x61\x53\x4a\x16\xf8\xf4\xb1\xca\xbb\xd3\x86\xb4\xc2\x1b\xa9\x7d\xe9\x16\xd2\xcf\x48\xb7\x20\x8c\x1b\xda\x77\xec\xf8\x16\x77\xcb\xce\x25\x58\x2c\xca\xb9\xa6\x5a\x2b\x73\xdd\x34\xb0\x02\xc2\x34\x94\x8a\x42\xb5\x66\x4d\x56\xd8\x24\x42\x9a\x78\xb6\x97\x03\x67\xec\x17\x0d\x1b\x11\x0b\x22\x23\x17\x58\x72\xbd\xc8\x66\x31\x8d\xe0\x66\xfe\xa5\x60\x15\x1d\x88\x25\xde\xe8\x2d\x34\x4b\x81\x6f\xb5\x5a\xaa\x52\x4e\x86\x08\x62\xac\x0c\x36\xcb\x6b\x6e\x81\xf4\x12\x3d\xa5\x9c\xb3\xef\xfe\x29\xce\x76\x98\xe2\xaa\x0c\x60\x36\x82\x0c\x45\x7f\x40\x42\x33\xe3\x22\x61\x31\x9a\x46\xbc\x8b\xd3\xde\x3c\x94\x8d\xc5\x2e\x27\xca\x52\x7d\xf7\xad\x68\xe6\xc4\xd4\xba\x8f\x6b\x43\x13\xa2\x94\x02\x98\x10\x59\xa1\x48\x79\x7f\xa0\x88\x02\x57\xfe\x04\x27\x01\x19\x28\xaf\x75\x2f\x81\xb8\x18\x68\x02\x10\x8f\x05\x90\x19\x50\x39\xc8\x38\x25\x72\x02\x42\x14\x10\xb8\xa3\x59\xe6\x9d\xdc\xd4\x74\x70\xf4\xd0\x5a\xe2\x89\x83\x4b\xe3\x04\xca\xf4\x9b\xbb\xac\xfd\xbe\x92\x7f\x42\x3b\xe9\xb8\x78\x82\xb0\xfa\xb4\xf5\x0b\xc7\xcd\xbf\xf6\xef\x10\x1f\x33\xf7\x03\x55\x6d\x45\xb6\xac\xe1\x64\x3c\xd7\xe7\x5a\xcf\x74\x06\x3e\x3e\x34\xe9\x63\xdb\x19\xf0\xd1\x9f\x14\x82\x9c\x91\xc4\x50\x66\x1d\x0e\x80\x9d\x5b\x79\x09\x69\x5b\xa1\x54\x46\xc8\x76\xa1\x67\xec\xca\x09\xfc\x00\xe1\x73\x7c\xbd\x4e\xf4\xf7\x0a\x50\xe3\xa0\x0f\xc9\x6f\x0e\x10\x23\xe5\xc8\x1e\x67\xd2\x47\xae\x0e\xc7\xec\x26\x72\x52\x80\x4a\x65\xb3\x01\xb9\x1a\x59\x9b\x8c\xe3\x7d\x95\xa9\x3d\xd9\xa9\x11\xdf\xb3\x95\xf3\x61\x92\x4e\x82\xea\x28\x1e\xfd\x7a\x2e\x01\x5a\xad\xaf\x64\x85\xfc\xea\xee\x0a\xb9\x05\xe1\x39\x6c\x12\x56\x03\xaf\xf4\xca\x16\x5f\x74\x9c\x23\x31\x02\x50\xf8\x00\xb2\xa8\x79\x17\xb9\x42\x1b\x0b\x4c\xde\xc9\xd8\x64\x14\xeb\x82\x23\x74\xb0\xd4\x32\x53\x58\xb2\xbf\x43\xe0\xe3\x12\x58\x88\x79\x76\x5c\x25\xc0\x98\xd1\x71\x86\x53\xbe\xa5\x27\x68\xdd\x7f\x10\x0f\xbd\x2b\x6a\xfc\xcf\x02\x13\x46\x9a\x7f\xa2\x5b\x5f\x77\xc6\xb5\x6c\xa0\x9d\xf8\x86\xa1\x6e\xd2\x4f\x51\xe2\x1d\x07\x8
f\x25\xc4\x88\x87\xda\x12\xde\xa5\x7c\x8f\x48\x25\xf2\x7a\xe3\xd9\x16\x01\x96\xeb\x6b\xe0\x9f\x7b\xe8\xb2\x39\xa0\x5d\xbf\x6a\xae\xca\x96\x37\x09\x0d\x1e\x6f\x76\xeb\x93\x69\x27\x4c\x3a\xad\xa3\x36\x24\x3b\x8b\x9c\x59\xc3\xf9\xc9\x1a\xb4\x3f\xc9\x27\x3b\xb5\xbf\x2b\x59\xde\x8f\xbc\x50\x6c\x94\x36\x56\x5e\x4c\x9b\xa2\x96\x50\xb3\x78\x4d\x87\xf3\x37\xa4\xa4\xb5\x28\xca\x2a\x28\x0c\xed\xc3\x69\xb0\x09\x0c\x3f\x69\xc7\x60\x4a\x6d\xf3\x1f\xba\x78\x1c\x07\xd5\x8d\xba\xdd\x7c\x85\xa6\x26\xf8\x85\xf0\x9a\x91\x22\x4e\x79\xbd\x68\x79\x3f\x16\x7e\xbd\x8d\xa1\x0e\x5d\xa7\x8c\xfa\x7e\xbf\x10\xa8\xf2\xc9\x00\x3f\xb1\xcd\xd8\x7e\x46\x98\x61\xf3\xed\x23\xd2\x5b\xcb\x14\x53\x0a\x8f\xf8\xd9\x1e\x9e\x0c\x7c\x39\x76\xc3\xaf\xc7\xbd\x50\x05\xcc\xef\x59\xfa\xec\x52\xba\x35\x69\x3d\x0f\x0d\xce\xba\x84\x3a\xdd\x5a\x74\x7e\x0a\xa7\x2f\x09\xf2\xf4\x52\x81\xc9\xd4\xc6\xf1\xbb\x78\x37\x9a\xec\x78\x2c\x64\x81\x0d\xe3\x23\xc8\xab\xac\xc9\xfb\x7e\x7d\xbc\x1e\x29\x13\xa8\x5d\xf0\xbd\xb6\xac\x70\x1a\x68\x26\x9e\x79\xab\x28\x45\x8c\x02\x91\xe1\x84\x0b\x34\xac\xe2\xd0\xdc\xa9\x02\x9f\x6d\x95\x0e\x6e\xf1\xe5\xcb\xb9\x52\x4d\xb5\x01\xdc\x30\x22\x73\x3c\xb1\x0b\xb7\x4e\x9e\x69\x82\x45\xa9\x8d\xff\xe2\x37\x8c\x42\x54\x81\x19\xdd\x60\xf2\xb0\x21\x95\x3b\x30\x0f\x38\x97\x26\x61\xc3\xeb\xdf\x64\xa3\xaf\xb3\xc6\x29\xcc\xa5\xec\x93\x8c\x31\xee\x8c\xb6\x82\xdd\x38\xf3\x58\x18\x12\xf7\xba\x64\x31\xc1\x60\x65\x90\x39\xe7\xcf\xe7\x85\x9b\x1a\xa8\x13\x08\x33\xf1\xf6\x37\x24\xf8\x63\xb3\xe2\xa1\x8f\x9e\xbd\x1e\xa6\x14\xd3\x0d\x28\xbd\x4f\x5b\x8c\x26\x17\xbe\xcd\x8a\x4d\x8b\x3a\x9b\x42\xb8\x5d\x8e\x80\xc8\xfa\xf7\xd9\xcf\x56\x37\xdd\x98\x82\x6a\x10\xb6\x92\x40\x29\x33\xd2\xae\x0e\xa9\x08\xff\x5d\x6c\x22\xfc\x33\x5b\xe0\x06\x14\xa0\xf5\xe7\x00\x4e\xbe\xf7\x1f\xd2\x3d\x3f\x90\x11\x59\x84\xf0\xe4\x6e\x82\xac\x8b\x03\xe5\xd2\xbf\xea\xa2\x19\x23\x33\xc1\xa0\xa9\xfb\x19\xa7\x5b\xdc\x8f\x90\x58\x33\x6e\x86\xf3\xf7\xb3\x0f\x0b\xed\x24\xc4\xb2\x30\xcd\xfc\x92\xa9\x88\x5b\xe5\x1c\x0b\x85\x1c\xd7\xa0\x4a\x62\xfb\x3c\xe4\x7e\x7
6\x5a\x11\x4e\xf7\x68\x6b\xc7\xd8\x2e\xf5\xe1\xca\x02\x14\xb9\x5b\x64\xe5\x7f\x85\x12\x15\xce\x5a\x47\xdd\xfb\x91\x93\x2c\x85\x4c\x65\x25\xeb\xe7\xf6\xe1\x68\x45\xfa\x22\x5a\x74\x09\x3f\x6a\x26\x80\x08\x5a\x8f\xef\x66\x54\x1f\xc3\x64\x3f\xc8\x14\xc5\xa8\x06\x41\x5f\x70\x68\x8a\x4b\xe7\x7b\xea\xf7\x5d\x71\x02\x6e\x4d\xff\x38\x00\x12\x4b\xde\xc0\xe0\x65\x46\x3e\xdc\x69\x64\x1f\x67\xc7\xc4\x2b\x8e\x02\x5f\x81\x40\x6f\xd4\x89\x6d\x5d\xb8\xe1\x9f\xec\x09\x98\x09\xad\x50\xa9\x8a\x83\xb3\xca\xa8\xfd\x87\x31\x05\x14\xf4\xa7\xaf\xd9\xa9\x70\xc4\x56\x23\x1d\x91\x6b\x26\xd5\xc6\x2b\xc4\x83\x4a\xf9\xbc\x27\x77\xa7\xc7\xd3\xbb\xf5\xf2\xc6\xd8\x28\x93\x5f\x3b\x82\x77\x43\xc0\x92\x22\x32\x8e\x8e\x82\x91\xbb\x28\x3e\xba\x7d\x4b\xc8\x97\x87\x7f\x6e\x50\xa5\xfa\xbc\x77\xab\xf3\x15\x34\xd7\x00\x96\x2e\xde\xcb\x1d\xf4\xee\x12\x28\xa7\x29\xdf\x7d\xa8\x57\x71\xa3\xf1\xe3\x04\x29\xfa\xc9\x93\xd9\x73\x8d\x9d\x67\x28\xbf\x49\x2b\x47\x91\x43\x8c\x3c\xf6\xd5\x9a\xf8\x09\x97\x4a\xec\x44\x80\x98\xc2\x6c\xb3\x79\x1e\x43\x72\x40\x76\xef\x5c\xa9\xc7\x0c\xb3\xf5\x8a\xcc\xb5\x39\x94\x37\x86\xce\x98\xb0\x92\xc9\x65\xa1\x47\xd1\x87\x0a\xd4\x54\x68\x6b\xa5\x79\xc9\xd1\x0a\x61\x31\xd4\xd9\x80\xff\x68\x89\x8f\xb1\x1a\x0a\x9f\x61\xe6\x0a\x86\x42\x7f\x60\x66\x00\x88\x98\x4e\xed\x16\xac\xf6\xd3\x14\x30\x18\x3b\x81\x91\x2a\xdc\xde\x80\x84\x45\x71\x22\xec\xdd\x70\x54\xcf\x3d\xdd\xee\x25\xa9\x75\xfb\x24\x48\xe7\x1a\x27\xae\xdf\x68\x68\x5e\x9e\x8b\xf6\x07\x05\x6d\x68\xd7\x20\x60\x75\x99\xcb\x49\x97\xa1\xd5\x91\xa1\xcc\x17\x4e\xdd\xc6\x6f\x39\x16\x0a\x2e\x55\xee\xe6\xc8\x2b\x21\x8c\x5b\x96\x3a\x02\x68\x11\x7f\xcc\xda\x93\x14\xd7\xde\x3b\x1b\xfd\xf1\xde\x33\x83\x10\x41\x8d\xbb\x11\xf7\x3b\xfc\x1a\x70\x5a\x7f\x12\x56\x0c\x6a\x83\x6e\xbc\x1c\x92\x7d\x14\x27\xeb\x6d\x71\x04\xf9\x42\x70\x5a\x25\xe7\xa7\x94\x88\x76\x8c\x70\x7c\xdd\xb0\x59\xd0\x6f\x4f\x55\xd6\x41\x14\x65\x8b\xb3\x27\x07\x2a\x0f\x24\x8f\x91\x91\xae\xbf\x83\x8c\xcf\x46\x4e\x3d\xb3\x8b\xd0\x15\xc1\xfe\x7e\x0a\x1c\xe8\xc8\x54\xe0\x64\xad\x28\xdf\x20\x85\x4
e\xca\xf4\x42\x88\x1d\x5b\x92\x2d\xb3\x32\x7a\x73\xa8\x00\x7f\x84\xaa\xcb\x94\x1b\xc1\x23\x27\x42\xd0\xad\x98\xeb\x8f\x05\xa8\x12\xc7\x95\x7f\xb4\xb6\x88\x52\x2e\xa6\xa1\xd5\xef\x22\xda\xbf\x25\x37\xb5\xf6\x8d\x81\xe0\x6b\x51\x78\x39\xb4\x74\x23\x85\x64\x96\x79\x29\xfa\x82\x31\xeb\x8e\xaa\x9b\xf7\x95\x54\x91\x79\x39\x33\x6f\x71\xed\xad\x5c\x01\x1d\xe4\xa9\x88\x7c\x9d\x8b\xfe\x58\x8c\x17\x47\xb4\x7e\xca\xe6\x41\xae\x07\x6a\x53\xcb\x66\x1d\x34\x46\x59\xed\x82\xa4\xf1\x06\x12\xea\x2e\xe0\x0a\x44\x4d\xe7\xe4\xb1\xa0\xc5\x61\x4d\x4a\x63\x69\xb4\x8c\xfa\xe5\x31\x6e\x83\x89\xcb\x72\x0a\x11\x11\x71\x38\x3a\x78\x79\x80\x31\xaf\x5e\x49\x76\xb8\x91\x75\xac\x1e\xfa\x79\xca\x7d\xd7\x28\xd2\x1c\xf2\x85\x3f\x69\x87\x03\x79\xdc\xd6\x91\xf4\x12\xb0\xda\xbb\x49\xf7\x4d\x48\xf9\x31\x3b\xe4\x58\x95\xe8\xd4\xe7\x8e\x23\xe3\x57\xa9\xa2\x29\x4b\xef\xb1\x73\xce\xcc\xdd\xb7\xde\xc8\x47\x81\x92\x0e\x95\x1e\xcc\x86\x3b\xdc\x84\x3a\xf7\x53\x5e\x72\x1a\x7a\x7f\x5b\xd6\xe0\xd3\x7f\xe9\xe5\xb5\xaf\x3f\x2a\xaa\x62\x96\x71\x12\xc0\xfe\x84\x8d\x3c\x38\xa6\x46\xde\xd7\xde\xba\x1a\xb9\x8d\x40\x88\x1b\xa2\xfc\x91\x8a\x86\x64\xbb\xab\xea\x14\xbe\x6f\x5b\xb9\x2e\x25\x4c\x47\x1b\x32\x4a\x02\x6c\x66\x1d\xe4\xb9\x7b\xa0\xae\x1f\x67\x06\x3f\x41\xa5\x61\x9d\xa8\xa4\x9a\x7a\xd6\xcf\x81\x53\x97\x7a\x4c\x63\x17\x1b\xba\x20\x88\x4b\x73\x44\xc4\x05\xd6\x1b\x9c\xe3\xce\x90\xdd\x0b\x6d\x86\xbe\x27\xc0\x28\xa2\xa4\x8f\xe0\x40\xd6\xf9\xd2\xf5\xdc\x24\x66\xcb\x9f\x74\x5e\x5a\x98\xe5\x26\x64\x98\xb1\x4d\x16\xe3\xfc\xee\x12\x02\x6c\x0f\x46\xb7\xfd\x1d\x30\x07\x65\x05\xcd\x64\xc1\xd6\x0c\x5c\xac\x8c\xb4\x00\xea\x6b\x75\x22\xc1\x65\xb0\x09\x4f\xf0\xff\x65\x6d\x08\x16\x73\x05\x6b\x73\xee\xe3\xef\xcb\xfb\xa2\x60\xff\x87\xe4\x30\x4c\x8e\xb1\x4a\xea\xdf\xda\xa0\x95\x70\xf6\x30\x64\x6c", 8192); *(uint64_t*)0x200000006c80 = 0x2000000036c0; *(uint32_t*)0x2000000036c0 = 0x50; *(uint32_t*)0x2000000036c4 = 0; *(uint64_t*)0x2000000036c8 = 8; *(uint32_t*)0x2000000036d0 = 7; *(uint32_t*)0x2000000036d4 = 0x2d; 
*(uint32_t*)0x2000000036d8 = 7; *(uint32_t*)0x2000000036dc = 0x8000008; *(uint16_t*)0x2000000036e0 = 7; *(uint16_t*)0x2000000036e2 = 0xfc00; *(uint32_t*)0x2000000036e4 = 0x3ff; *(uint32_t*)0x2000000036e8 = 0x59; *(uint16_t*)0x2000000036ec = 0; *(uint16_t*)0x2000000036ee = 0; *(uint32_t*)0x2000000036f0 = 0xe0; *(uint32_t*)0x2000000036f4 = 0x10000; memset((void*)0x2000000036f8, 0, 24); *(uint64_t*)0x200000006c88 = 0x200000003740; *(uint32_t*)0x200000003740 = 0x18; *(uint32_t*)0x200000003744 = 0; *(uint64_t*)0x200000003748 = 6; *(uint64_t*)0x200000003750 = 0x80000001; *(uint64_t*)0x200000006c90 = 0x200000003780; *(uint32_t*)0x200000003780 = 0x18; *(uint32_t*)0x200000003784 = 0; *(uint64_t*)0x200000003788 = 4; *(uint64_t*)0x200000003790 = 2; *(uint64_t*)0x200000006c98 = 0x2000000037c0; *(uint32_t*)0x2000000037c0 = 0x18; *(uint32_t*)0x2000000037c4 = 0xffffffda; *(uint64_t*)0x2000000037c8 = 0x37; *(uint32_t*)0x2000000037d0 = 0; *(uint32_t*)0x2000000037d4 = 0; *(uint64_t*)0x200000006ca0 = 0x200000003800; *(uint32_t*)0x200000003800 = 0x18; *(uint32_t*)0x200000003804 = 0; *(uint64_t*)0x200000003808 = 1; *(uint32_t*)0x200000003810 = 0xff; *(uint32_t*)0x200000003814 = 0; *(uint64_t*)0x200000006ca8 = 0x200000003840; *(uint32_t*)0x200000003840 = 0x28; *(uint32_t*)0x200000003844 = 0x26; *(uint64_t*)0x200000003848 = 0x7fffffffffffffff; *(uint64_t*)0x200000003850 = 0x7a; *(uint64_t*)0x200000003858 = 8; *(uint32_t*)0x200000003860 = 0; *(uint32_t*)0x200000003864 = 0; *(uint64_t*)0x200000006cb0 = 0x200000003880; *(uint32_t*)0x200000003880 = 0x60; *(uint32_t*)0x200000003884 = 0xfffffff5; *(uint64_t*)0x200000003888 = 1; *(uint64_t*)0x200000003890 = 0x81; *(uint64_t*)0x200000003898 = 6; *(uint64_t*)0x2000000038a0 = 0x3ff; *(uint64_t*)0x2000000038a8 = 2; *(uint64_t*)0x2000000038b0 = 4; *(uint32_t*)0x2000000038b8 = 4; *(uint32_t*)0x2000000038bc = 8; *(uint32_t*)0x2000000038c0 = 2; *(uint32_t*)0x2000000038c4 = 0; memset((void*)0x2000000038c8, 0, 24); *(uint64_t*)0x200000006cb8 = 
0x200000003900; *(uint32_t*)0x200000003900 = 0x18; *(uint32_t*)0x200000003904 = 0; *(uint64_t*)0x200000003908 = 0; *(uint32_t*)0x200000003910 = 0xb; *(uint32_t*)0x200000003914 = 0; *(uint64_t*)0x200000006cc0 = 0x200000003940; *(uint32_t*)0x200000003940 = 0x12; *(uint32_t*)0x200000003944 = 0xaeab5fde; *(uint64_t*)0x200000003948 = 9; memcpy((void*)0x200000003950, "^\000", 2); *(uint64_t*)0x200000006cc8 = 0x200000003980; *(uint32_t*)0x200000003980 = 0x20; *(uint32_t*)0x200000003984 = 0; *(uint64_t*)0x200000003988 = 0; *(uint64_t*)0x200000003990 = 0; *(uint32_t*)0x200000003998 = 2; *(uint32_t*)0x20000000399c = 0; *(uint64_t*)0x200000006cd0 = 0x2000000039c0; *(uint32_t*)0x2000000039c0 = 0x78; *(uint32_t*)0x2000000039c4 = 0; *(uint64_t*)0x2000000039c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000039d0 = 3; *(uint32_t*)0x2000000039d8 = 0x67; *(uint32_t*)0x2000000039dc = 0; *(uint64_t*)0x2000000039e0 = 3; *(uint64_t*)0x2000000039e8 = 2; *(uint64_t*)0x2000000039f0 = 5; *(uint64_t*)0x2000000039f8 = 2; *(uint64_t*)0x200000003a00 = 0; *(uint64_t*)0x200000003a08 = 0x5b; *(uint32_t*)0x200000003a10 = 0x200; *(uint32_t*)0x200000003a14 = 6; *(uint32_t*)0x200000003a18 = 0xf0b7; *(uint32_t*)0x200000003a1c = 0x1000; *(uint32_t*)0x200000003a20 = 1; *(uint32_t*)0x200000003a24 = -1; *(uint32_t*)0x200000003a28 = -1; *(uint32_t*)0x200000003a2c = 4; *(uint32_t*)0x200000003a30 = 6; *(uint32_t*)0x200000003a34 = 0; *(uint64_t*)0x200000006cd8 = 0x200000004b00; *(uint32_t*)0x200000004b00 = 0x90; *(uint32_t*)0x200000004b04 = 0; *(uint64_t*)0x200000004b08 = 7; *(uint64_t*)0x200000004b10 = 1; *(uint64_t*)0x200000004b18 = 3; *(uint64_t*)0x200000004b20 = 0x10000; *(uint64_t*)0x200000004b28 = 0x200; *(uint32_t*)0x200000004b30 = 8; *(uint32_t*)0x200000004b34 = 0xa87; *(uint64_t*)0x200000004b38 = 4; *(uint64_t*)0x200000004b40 = 1; *(uint64_t*)0x200000004b48 = 7; *(uint64_t*)0x200000004b50 = 1; *(uint64_t*)0x200000004b58 = 0xfffffffffffffffd; *(uint64_t*)0x200000004b60 = 4; *(uint32_t*)0x200000004b68 = 9; 
*(uint32_t*)0x200000004b6c = 0xffff; *(uint32_t*)0x200000004b70 = 0x10000000; *(uint32_t*)0x200000004b74 = 0; *(uint32_t*)0x200000004b78 = 0xf40; *(uint32_t*)0x200000004b7c = 0; *(uint32_t*)0x200000004b80 = r[10]; *(uint32_t*)0x200000004b84 = 0x8001; *(uint32_t*)0x200000004b88 = 9; *(uint32_t*)0x200000004b8c = 0; *(uint64_t*)0x200000006ce0 = 0x200000004bc0; *(uint32_t*)0x200000004bc0 = 0x48; *(uint32_t*)0x200000004bc4 = 0; *(uint64_t*)0x200000004bc8 = 0x5c; *(uint64_t*)0x200000004bd0 = 1; *(uint64_t*)0x200000004bd8 = 4; *(uint32_t*)0x200000004be0 = 6; *(uint32_t*)0x200000004be4 = 8; memset((void*)0x200000004be8, 255, 6); *(uint64_t*)0x200000004bf0 = 1; *(uint64_t*)0x200000004bf8 = 8; *(uint32_t*)0x200000004c00 = 0; *(uint32_t*)0x200000004c04 = 0xb; *(uint64_t*)0x200000006ce8 = 0x200000006500; *(uint32_t*)0x200000006500 = 0x478; *(uint32_t*)0x200000006504 = 0; *(uint64_t*)0x200000006508 = 2; *(uint64_t*)0x200000006510 = 1; *(uint64_t*)0x200000006518 = 1; *(uint64_t*)0x200000006520 = 0xf; *(uint64_t*)0x200000006528 = 9; *(uint32_t*)0x200000006530 = 0x7fffffff; *(uint32_t*)0x200000006534 = 0x3ff; *(uint64_t*)0x200000006538 = 5; *(uint64_t*)0x200000006540 = 0xb3fc; *(uint64_t*)0x200000006548 = 3; *(uint64_t*)0x200000006550 = 0xa2d9; *(uint64_t*)0x200000006558 = 3; *(uint64_t*)0x200000006560 = 0x80000000; *(uint32_t*)0x200000006568 = 4; *(uint32_t*)0x20000000656c = 5; *(uint32_t*)0x200000006570 = 2; *(uint32_t*)0x200000006574 = 0x6000; *(uint32_t*)0x200000006578 = 0xfff; *(uint32_t*)0x20000000657c = -1; *(uint32_t*)0x200000006580 = 0xee01; *(uint32_t*)0x200000006584 = 5; *(uint32_t*)0x200000006588 = 6; *(uint32_t*)0x20000000658c = 0; *(uint64_t*)0x200000006590 = 5; *(uint64_t*)0x200000006598 = 9; *(uint32_t*)0x2000000065a0 = 6; *(uint32_t*)0x2000000065a4 = 6; memcpy((void*)0x2000000065a8, "wlan1\000", 6); *(uint64_t*)0x2000000065b0 = 3; *(uint64_t*)0x2000000065b8 = 1; *(uint64_t*)0x2000000065c0 = 4; *(uint64_t*)0x2000000065c8 = 0xf; *(uint32_t*)0x2000000065d0 = 1; 
*(uint32_t*)0x2000000065d4 = 5; *(uint64_t*)0x2000000065d8 = 4; *(uint64_t*)0x2000000065e0 = 0xffc; *(uint64_t*)0x2000000065e8 = 2; *(uint64_t*)0x2000000065f0 = 0xffffffffffffdbca; *(uint64_t*)0x2000000065f8 = 0x35; *(uint64_t*)0x200000006600 = 0x5fa; *(uint32_t*)0x200000006608 = 8; *(uint32_t*)0x20000000660c = 5; *(uint32_t*)0x200000006610 = 0x16d; *(uint32_t*)0x200000006614 = 0x6000; *(uint32_t*)0x200000006618 = 0x8000; *(uint32_t*)0x20000000661c = r[11]; *(uint32_t*)0x200000006620 = 0xee00; *(uint32_t*)0x200000006624 = 8; *(uint32_t*)0x200000006628 = 2; *(uint32_t*)0x20000000662c = 0; *(uint64_t*)0x200000006630 = 2; *(uint64_t*)0x200000006638 = 0x3e8; *(uint32_t*)0x200000006640 = 0x16; *(uint32_t*)0x200000006644 = 5; memcpy((void*)0x200000006648, "bpf_lsm_path_truncate\000", 22); *(uint64_t*)0x200000006660 = 6; *(uint64_t*)0x200000006668 = 3; *(uint64_t*)0x200000006670 = 0xcff0; *(uint64_t*)0x200000006678 = 0xfffffffffffffbff; *(uint32_t*)0x200000006680 = 3; *(uint32_t*)0x200000006684 = 3; *(uint64_t*)0x200000006688 = 5; *(uint64_t*)0x200000006690 = 4; *(uint64_t*)0x200000006698 = 8; *(uint64_t*)0x2000000066a0 = 9; *(uint64_t*)0x2000000066a8 = 0x10; *(uint64_t*)0x2000000066b0 = 5; *(uint32_t*)0x2000000066b8 = 0x91; *(uint32_t*)0x2000000066bc = 0xfff; *(uint32_t*)0x2000000066c0 = 0xfffffffd; *(uint32_t*)0x2000000066c4 = 0xc000; *(uint32_t*)0x2000000066c8 = 3; *(uint32_t*)0x2000000066cc = r[12]; *(uint32_t*)0x2000000066d0 = 0xee00; *(uint32_t*)0x2000000066d4 = 0x80; *(uint32_t*)0x2000000066d8 = 0x40; *(uint32_t*)0x2000000066dc = 0; *(uint64_t*)0x2000000066e0 = 0; *(uint64_t*)0x2000000066e8 = 8; *(uint32_t*)0x2000000066f0 = 6; *(uint32_t*)0x2000000066f4 = 0x80000001; memcpy((void*)0x2000000066f8, "wlan1\000", 6); *(uint64_t*)0x200000006700 = 3; *(uint64_t*)0x200000006708 = 2; *(uint64_t*)0x200000006710 = 8; *(uint64_t*)0x200000006718 = 9; *(uint32_t*)0x200000006720 = 0x80000000; *(uint32_t*)0x200000006724 = 0xd149; *(uint64_t*)0x200000006728 = 3; 
*(uint64_t*)0x200000006730 = 4; *(uint64_t*)0x200000006738 = 5; *(uint64_t*)0x200000006740 = 0xe; *(uint64_t*)0x200000006748 = 0x7a; *(uint64_t*)0x200000006750 = 0xd52; *(uint32_t*)0x200000006758 = 0; *(uint32_t*)0x20000000675c = 5; *(uint32_t*)0x200000006760 = 6; *(uint32_t*)0x200000006764 = 0xa000; *(uint32_t*)0x200000006768 = 2; *(uint32_t*)0x20000000676c = r[14]; *(uint32_t*)0x200000006770 = 0; *(uint32_t*)0x200000006774 = 0x7fffffff; *(uint32_t*)0x200000006778 = 5; *(uint32_t*)0x20000000677c = 0; *(uint64_t*)0x200000006780 = 4; *(uint64_t*)0x200000006788 = 0x7ff; *(uint32_t*)0x200000006790 = 2; *(uint32_t*)0x200000006794 = 0x78d; memcpy((void*)0x200000006798, "\300\'", 2); *(uint64_t*)0x2000000067a0 = 2; *(uint64_t*)0x2000000067a8 = 0; *(uint64_t*)0x2000000067b0 = 6; *(uint64_t*)0x2000000067b8 = 0x7fffffff; *(uint32_t*)0x2000000067c0 = 5; *(uint32_t*)0x2000000067c4 = 5; *(uint64_t*)0x2000000067c8 = 2; *(uint64_t*)0x2000000067d0 = 0xc; *(uint64_t*)0x2000000067d8 = 0xbde5; *(uint64_t*)0x2000000067e0 = 5; *(uint64_t*)0x2000000067e8 = 8; *(uint64_t*)0x2000000067f0 = 0x10; *(uint32_t*)0x2000000067f8 = 9; *(uint32_t*)0x2000000067fc = 6; *(uint32_t*)0x200000006800 = 0xe31; *(uint32_t*)0x200000006804 = 0x2000; *(uint32_t*)0x200000006808 = 0x5b8; *(uint32_t*)0x20000000680c = r[16]; *(uint32_t*)0x200000006810 = r[18]; *(uint32_t*)0x200000006814 = 6; *(uint32_t*)0x200000006818 = 8; *(uint32_t*)0x20000000681c = 0; *(uint64_t*)0x200000006820 = 2; *(uint64_t*)0x200000006828 = 0x80; *(uint32_t*)0x200000006830 = 0; *(uint32_t*)0x200000006834 = 0xb6; *(uint64_t*)0x200000006838 = 5; *(uint64_t*)0x200000006840 = 2; *(uint64_t*)0x200000006848 = 0x80000001; *(uint64_t*)0x200000006850 = 2; *(uint32_t*)0x200000006858 = 6; *(uint32_t*)0x20000000685c = 0xff; *(uint64_t*)0x200000006860 = 3; *(uint64_t*)0x200000006868 = 5; *(uint64_t*)0x200000006870 = 8; *(uint64_t*)0x200000006878 = 3; *(uint64_t*)0x200000006880 = 0x8001; *(uint64_t*)0x200000006888 = 5; *(uint32_t*)0x200000006890 = 1; 
*(uint32_t*)0x200000006894 = 7; *(uint32_t*)0x200000006898 = 2; *(uint32_t*)0x20000000689c = 0x1000; *(uint32_t*)0x2000000068a0 = 1; *(uint32_t*)0x2000000068a4 = 0xee01; *(uint32_t*)0x2000000068a8 = r[19]; *(uint32_t*)0x2000000068ac = 0x10001; *(uint32_t*)0x2000000068b0 = 6; *(uint32_t*)0x2000000068b4 = 0; *(uint64_t*)0x2000000068b8 = 0; *(uint64_t*)0x2000000068c0 = 6; *(uint32_t*)0x2000000068c8 = 5; *(uint32_t*)0x2000000068cc = 6; memset((void*)0x2000000068d0, 170, 5); *(uint64_t*)0x2000000068d8 = 3; *(uint64_t*)0x2000000068e0 = 1; *(uint64_t*)0x2000000068e8 = 0x8000000000000000; *(uint64_t*)0x2000000068f0 = 0x2e; *(uint32_t*)0x2000000068f8 = 5; *(uint32_t*)0x2000000068fc = 7; *(uint64_t*)0x200000006900 = 6; *(uint64_t*)0x200000006908 = 5; *(uint64_t*)0x200000006910 = 5; *(uint64_t*)0x200000006918 = 0xb; *(uint64_t*)0x200000006920 = 0; *(uint64_t*)0x200000006928 = 2; *(uint32_t*)0x200000006930 = 0xffff; *(uint32_t*)0x200000006934 = 0; *(uint32_t*)0x200000006938 = 8; *(uint32_t*)0x20000000693c = 0x2000; *(uint32_t*)0x200000006940 = 9; *(uint32_t*)0x200000006944 = r[20]; *(uint32_t*)0x200000006948 = r[21]; *(uint32_t*)0x20000000694c = 2; *(uint32_t*)0x200000006950 = 7; *(uint32_t*)0x200000006954 = 0; *(uint64_t*)0x200000006958 = 6; *(uint64_t*)0x200000006960 = 0xfffffffffffffffb; *(uint32_t*)0x200000006968 = 5; *(uint32_t*)0x20000000696c = 6; memset((void*)0x200000006970, 170, 5); *(uint64_t*)0x200000006cf0 = 0x200000006980; *(uint32_t*)0x200000006980 = 0xa0; *(uint32_t*)0x200000006984 = 0; *(uint64_t*)0x200000006988 = 0xd05; *(uint64_t*)0x200000006990 = 5; *(uint64_t*)0x200000006998 = 3; *(uint64_t*)0x2000000069a0 = 0x8000000000000001; *(uint64_t*)0x2000000069a8 = 7; *(uint32_t*)0x2000000069b0 = 5; *(uint32_t*)0x2000000069b4 = 2; *(uint64_t*)0x2000000069b8 = 3; *(uint64_t*)0x2000000069c0 = 4; *(uint64_t*)0x2000000069c8 = 5; *(uint64_t*)0x2000000069d0 = 3; *(uint64_t*)0x2000000069d8 = 8; *(uint64_t*)0x2000000069e0 = 1; *(uint32_t*)0x2000000069e8 = 0x8001; 
*(uint32_t*)0x2000000069ec = 0; *(uint32_t*)0x2000000069f0 = 0xfff; *(uint32_t*)0x2000000069f4 = 0x8000; *(uint32_t*)0x2000000069f8 = 0x101; *(uint32_t*)0x2000000069fc = r[22]; *(uint32_t*)0x200000006a00 = 0xee00; *(uint32_t*)0x200000006a04 = 7; *(uint32_t*)0x200000006a08 = 0xac; *(uint32_t*)0x200000006a0c = 0; *(uint64_t*)0x200000006a10 = 0; *(uint32_t*)0x200000006a18 = 0x10; *(uint32_t*)0x200000006a1c = 0; *(uint64_t*)0x200000006cf8 = 0x200000006a40; *(uint32_t*)0x200000006a40 = 0x20; *(uint32_t*)0x200000006a44 = 0; *(uint64_t*)0x200000006a48 = 0xffffffff; *(uint32_t*)0x200000006a50 = 4; *(uint32_t*)0x200000006a54 = 0; *(uint32_t*)0x200000006a58 = 9; *(uint32_t*)0x200000006a5c = 0xa; *(uint64_t*)0x200000006d00 = 0x200000006b40; *(uint32_t*)0x200000006b40 = 0x130; *(uint32_t*)0x200000006b44 = 0; *(uint64_t*)0x200000006b48 = 0x1ff; *(uint64_t*)0x200000006b50 = 0x6276287e; *(uint32_t*)0x200000006b58 = 7; *(uint32_t*)0x200000006b5c = 0; memset((void*)0x200000006b60, 0, 16); *(uint32_t*)0x200000006b70 = 0x800; *(uint32_t*)0x200000006b74 = 2; *(uint64_t*)0x200000006b78 = 3; *(uint32_t*)0x200000006b80 = 0x1e; *(uint32_t*)0x200000006b84 = -1; *(uint32_t*)0x200000006b88 = r[24]; *(uint16_t*)0x200000006b8c = 0x4000; memset((void*)0x200000006b8e, 0, 2); *(uint64_t*)0x200000006b90 = 0x800; *(uint64_t*)0x200000006b98 = 9; *(uint64_t*)0x200000006ba0 = 8; *(uint64_t*)0x200000006ba8 = 0x32f3fcde; *(uint64_t*)0x200000006bb0 = 6; *(uint32_t*)0x200000006bb8 = 1; *(uint32_t*)0x200000006bbc = 0; *(uint64_t*)0x200000006bc0 = 4; *(uint32_t*)0x200000006bc8 = 0xe30; *(uint32_t*)0x200000006bcc = 0; *(uint64_t*)0x200000006bd0 = 0x4d; *(uint32_t*)0x200000006bd8 = 3; *(uint32_t*)0x200000006bdc = 0; *(uint64_t*)0x200000006be0 = 6; *(uint32_t*)0x200000006be8 = 8; *(uint32_t*)0x200000006bec = 0; *(uint32_t*)0x200000006bf0 = 6; *(uint32_t*)0x200000006bf4 = 2; *(uint32_t*)0x200000006bf8 = 0xfb; *(uint32_t*)0x200000006bfc = 2; memset((void*)0x200000006c00, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], 
/*buf=*/0x2000000016c0, /*len=*/0x2000, /*res=*/0x200000006c80); break; case 30: memcpy((void*)0x200000006d40, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000006d40, /*fd=*/r[23]); break; case 31: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 32: *(uint32_t*)0x200000006d84 = 0xd0f0; *(uint32_t*)0x200000006d88 = 0x20; *(uint32_t*)0x200000006d8c = 0; *(uint32_t*)0x200000006d90 = 0x1e5; *(uint32_t*)0x200000006d98 = -1; memset((void*)0x200000006d9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x28c2, /*params=*/0x200000006d80, /*ring_ptr=*/0x200000006e00, /*sqes_ptr=*/0x200000006e40); if (res != -1) r[25] = *(uint64_t*)0x200000006e00; break; case 33: syz_io_uring_complete(/*ring_ptr=*/r[25]); break; case 34: *(uint32_t*)0x200000006e84 = 0x979d; *(uint32_t*)0x200000006e88 = 4; *(uint32_t*)0x200000006e8c = 1; *(uint32_t*)0x200000006e90 = 0x206; *(uint32_t*)0x200000006e98 = r[9]; memset((void*)0x200000006e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x7c1f, /*params=*/0x200000006e80, /*ring_ptr=*/0x200000006f00, /*sqes_ptr=*/0x200000006f40); if (res != -1) { r[26] = res; r[27] = *(uint64_t*)0x200000006f00; r[28] = *(uint64_t*)0x200000006f40; } break; case 35: res = syscall(__NR_io_uring_register, /*fd=*/r[26], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[29] = res; break; case 36: *(uint8_t*)0x200000007000 = 0x1c; *(uint8_t*)0x200000007001 = 0x14; *(uint16_t*)0x200000007002 = 0; *(uint32_t*)0x200000007004 = r[23]; *(uint64_t*)0x200000007008 = 0x200000006f80; *(uint64_t*)0x200000006f80 = 0x818480; *(uint64_t*)0x200000006f88 = 0; *(uint64_t*)0x200000006f90 = 0x35; *(uint64_t*)0x200000007010 = 0x200000006fc0; memcpy((void*)0x200000006fc0, "./file0\000", 8); *(uint32_t*)0x200000007018 = 0x18; *(uint32_t*)0x20000000701c = 0; *(uint64_t*)0x200000007020 = 0x23456; *(uint16_t*)0x200000007028 = 0; *(uint16_t*)0x20000000702a = r[29]; memset((void*)0x20000000702c, 0, 20); 
syz_io_uring_submit(/*ring_ptr=*/r[27], /*sqes_ptr=*/r[28], /*sqe=*/0x200000007000); break; case 37: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[9], /*usermem=*/0x200000bfd000); if (res != -1) r[30] = res; break; case 38: *(uint64_t*)0x200000007400 = 0; *(uint64_t*)0x200000007408 = 0x200000007040; *(uint64_t*)0x200000007040 = 0x65; *(uint64_t*)0x200000007048 = 0x20; *(uint64_t*)0x200000007050 = 0x92e; *(uint64_t*)0x200000007058 = 8; *(uint64_t*)0x200000007060 = 0x130; *(uint64_t*)0x200000007068 = 0x18; *(uint64_t*)0x200000007070 = 1; *(uint64_t*)0x200000007078 = 0x68; *(uint64_t*)0x200000007080 = 0x20; *(uint64_t*)0x200000007088 = 1; *(uint64_t*)0x200000007090 = 0; *(uint64_t*)0x200000007098 = 0x17d; *(uint64_t*)0x2000000070a0 = 0x20; *(uint64_t*)0x2000000070a8 = 0xffffffff; *(uint64_t*)0x2000000070b0 = 0xbd0d; *(uint64_t*)0x2000000070b8 = 0x183; *(uint64_t*)0x2000000070c0 = 0x18; *(uint64_t*)0x2000000070c8 = 1; *(uint64_t*)0x2000000070d0 = 0xa; *(uint64_t*)0x2000000070d8 = 0x6a; memcpy((void*)0x2000000070e0, "\x36\x49\x0f\xc7\xaa\xd6\x61\x97\xc0\x26\x66\x0f\x38\x80\x94\x5e\x00\x80\x00\x00\x0f\x01\xba\x00\x80\x00\x00\x8f\xc9\xb8\x9b\x29\x47\x0f\xc7\xae\x20\x00\x00\x00\x45\x0f\x09\xc4\xe2\xd1\x39\x67\xc4\x36\x0f\x01\x7f\x05\x66\x64\x2e\x64\x3e\xd8\xf1\xc7\x44\x24\x00\x25\xfd\x00\x00\xc7\x44\x24\x02\x54\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24", 89); *(uint8_t*)0x200000007139 = 0xc3; *(uint64_t*)0x20000000713a = 0x180; *(uint64_t*)0x200000007142 = 0x38; *(uint64_t*)0x20000000714a = 0; *(uint64_t*)0x200000007152 = 0xb5; *(uint64_t*)0x20000000715a = 7; *(uint64_t*)0x200000007162 = 5; *(uint64_t*)0x20000000716a = 0; *(uint64_t*)0x200000007172 = 0x12f; *(uint64_t*)0x20000000717a = 0x18; *(uint64_t*)0x200000007182 = 3; *(uint64_t*)0x20000000718a = 0x12c; *(uint64_t*)0x200000007192 = 0x18; *(uint64_t*)0x20000000719a = 0; *(uint64_t*)0x2000000071a2 = 0x154; *(uint64_t*)0x2000000071aa = 0x38; *(uint64_t*)0x2000000071b2 = 3; *(uint64_t*)0x2000000071ba = 
4; *(uint64_t*)0x2000000071c2 = 5; *(uint64_t*)0x2000000071ca = 0x1ff; *(uint64_t*)0x2000000071d2 = 8; *(uint64_t*)0x2000000071da = 0x130; *(uint64_t*)0x2000000071e2 = 0x18; *(uint64_t*)0x2000000071ea = 0; *(uint64_t*)0x2000000071f2 = 0x6a; *(uint64_t*)0x2000000071fa = 0x28; *(uint64_t*)0x200000007202 = 0xc636; *(uint64_t*)0x20000000720a = 5; *(uint64_t*)0x200000007212 = 4; *(uint64_t*)0x20000000721a = 0x12c; *(uint64_t*)0x200000007222 = 0x18; *(uint64_t*)0x20000000722a = 0; *(uint64_t*)0x200000007232 = 0x12f; *(uint64_t*)0x20000000723a = 0x18; *(uint64_t*)0x200000007242 = 1; *(uint64_t*)0x20000000724a = 0x65; *(uint64_t*)0x200000007252 = 0x20; *(uint64_t*)0x20000000725a = 0x8a3; *(uint64_t*)0x200000007262 = 9; *(uint64_t*)0x20000000726a = 0x68; *(uint64_t*)0x200000007272 = 0x20; *(uint64_t*)0x20000000727a = 4; *(uint64_t*)0x200000007282 = 6; *(uint64_t*)0x20000000728a = 0x12f; *(uint64_t*)0x200000007292 = 0x18; *(uint64_t*)0x20000000729a = 3; *(uint64_t*)0x2000000072a2 = 0x12d; *(uint64_t*)0x2000000072aa = 0x18; *(uint64_t*)0x2000000072b2 = 2; *(uint64_t*)0x2000000072ba = 0x17d; *(uint64_t*)0x2000000072c2 = 0x20; *(uint64_t*)0x2000000072ca = 0x8080000; *(uint64_t*)0x2000000072d2 = 0x943e; *(uint64_t*)0x2000000072da = 0x17c; *(uint64_t*)0x2000000072e2 = 0x38; *(uint64_t*)0x2000000072ea = 3; *(uint64_t*)0x2000000072f2 = 0x31; *(uint64_t*)0x2000000072fa = 0xc; *(uint64_t*)0x200000007302 = 6; *(uint64_t*)0x20000000730a = 8; *(uint64_t*)0x200000007312 = 0x180; *(uint64_t*)0x20000000731a = 0x38; *(uint64_t*)0x200000007322 = 2; *(uint64_t*)0x20000000732a = 0x36; *(uint64_t*)0x200000007332 = 1; *(uint64_t*)0x20000000733a = 2; *(uint64_t*)0x200000007342 = 3; *(uint64_t*)0x20000000734a = 0x130; *(uint64_t*)0x200000007352 = 0x18; *(uint64_t*)0x20000000735a = 1; *(uint64_t*)0x200000007362 = 0x130; *(uint64_t*)0x20000000736a = 0x18; *(uint64_t*)0x200000007372 = 0; *(uint64_t*)0x20000000737a = 0x180; *(uint64_t*)0x200000007382 = 0x38; *(uint64_t*)0x20000000738a = 3; 
*(uint64_t*)0x200000007392 = 0x72; *(uint64_t*)0x20000000739a = 2; *(uint64_t*)0x2000000073a2 = 5; *(uint64_t*)0x2000000073aa = 2; *(uint64_t*)0x2000000073b2 = 0x12f; *(uint64_t*)0x2000000073ba = 0x18; *(uint64_t*)0x2000000073c2 = 2; *(uint64_t*)0x2000000073ca = 0x12f; *(uint64_t*)0x2000000073d2 = 0x18; *(uint64_t*)0x2000000073da = 2; *(uint64_t*)0x200000007410 = 0x3a2; syz_kvm_add_vcpu(/*vm=*/r[30], /*text=*/0x200000007400); break; case 39: res = syscall(__NR_ioctl, /*fd=*/r[9], /*cmd=*/0xae01, /*type=*/5ul); if (res != -1) r[31] = res; break; case 40: *(uint64_t*)0x200000007680 = 0; *(uint64_t*)0x200000007688 = 0x200000007440; memcpy((void*)0x200000007440, "\xcd\xfa\xef\x13\x00\x00\x00\x3e\x00\x00\x10\x62\x04\x00\x10\x7a\x00\x00\x10\x66\xc1\x00\x10\x62\xa6\x03\x00\x7e\xb9\xf0\x00\x3e\xe9\x0e\x10\x62\x04\x00\x10\x7a\xa3\x30\x10\x66\x88\x26\x10\x62\xa6\x03\x00\x7e\x24\x00\x00\x4c\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xf6\x63\x60\xba\xaa\x80\x3c\x42\xab\x84\x60\x04\x00\x84\x78\xa5\xa4\x84\x64\xdb\xea\x84\x60\xc7\xb2\xa0\x3c\x4e\xd4\xa5\x60\x04\x00\xa5\x78\x8e\xd5\xa5\x64\xc9\xc4\xa5\x60\xf6\x27\xc0\x3c\x0e\x37\xc6\x60\x04\x00\xc6\x78\x10\x50\xc6\x64\xf3\x3c\xc6\x60\x64\xae\xe0\x3c\x0f\xe0\xe7\x60\x04\x00\xe7\x78\xf8\x33\xe7\x64\x27\xe1\xe7\x60\xf9\xfe\x00\x3d\x88\x3a\x08\x61\x04\x00\x08\x79\xf6\x6c\x08\x65\xcb\x9b\x08\x61\xe7\x22\x20\x3d\xa3\x5b\x29\x61\x04\x00\x29\x79\xbb\xbc\x29\x65\x5e\x83\x29\x61\xd9\x75\x40\x3d\x52\x94\x4a\x61\x04\x00\x4a\x79\xdb\x25\x4a\x65\xf3\x5e\x4a\x61\x02\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x50\xf3\x63\x60\x42\x00\x00\x44\x0d\x0b\xc0\x3e\xa1\xda\xd6\x62\x04\x00\xd6\x7a\xeb\x5a\xd6\x66\x62\x96\xd6\x62\x9c\xb0\x00\x7c\xec\x06\x00\x7c\xa4\x00\x00\x4c\x3d\x6a\xa0\x3e\x17\x1b\xb5\x62\x04\x00\xb5\x7a\x72\x93\xb5\x66\x34\x54\xb5\x62\xa6\x03\xa0\x7e\xd4\x8d\xa0\x3e\x12\xd2\xb5\x62\x04\x00\xb5\x7a\xf6\xf5\xb5\x66\x15\xe0\xb5\x62\xa6\x03\xa0\x7e\x24\x00\x00\x4c\x00\x00\xa0\x3f\x00
\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x05\xc0\x3f\x00\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x00\xc0\x3f\x21\x8c\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf6\x78\xbd\x63\x00\x00\xc0\x3f\x0a\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xfa\x78\xbd\x63\x97\x4b\xc0\x3f\x5c\x3b\xde\x63\x00\x00\xdd\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x49\x30\x84\x64\xf2\x78\x84\x60\x22\x00\x00\x44\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\x1a\x00\x9c\x63\x24\x01\xc0\x7f", 524); *(uint64_t*)0x200000007690 = 0x20c; *(uint64_t*)0x2000000076c0 = 1; *(uint64_t*)0x2000000076c8 = 6; syz_kvm_setup_cpu(/*fd=*/r[31], /*cpufd=*/r[23], /*usermem=*/0x200000fe5000, /*text=*/0x200000007680, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_IR*/2, /*opts=*/0x2000000076c0, /*nopt=*/1); break; case 41: syz_kvm_setup_syzos_vm(/*fd=*/r[23], /*usermem=*/0x200000c00000); break; case 42: *(uint32_t*)0x200000007700 = 0; syz_memcpy_off(/*ring_ptr=*/0, /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x200000007700, /*src_off=*/0, /*nbytes=*/4); break; case 43: memcpy((void*)0x200000007740, "fuse\000", 5); memcpy((void*)0x200000007780, "./file0\000", 8); memcpy((void*)0x2000000077c0, "fd", 2); *(uint8_t*)0x2000000077c2 = 0x3d; sprintf((char*)0x2000000077c3, "0x%016llx", (long long)r[23]); *(uint8_t*)0x2000000077d5 = 0x2c; memcpy((void*)0x2000000077d6, "rootmode", 8); *(uint8_t*)0x2000000077de = 0x3d; sprintf((char*)0x2000000077df, "%023llo", (long long)0x6000); *(uint8_t*)0x2000000077f6 = 0x2c; memcpy((void*)0x2000000077f7, "user_id", 7); *(uint8_t*)0x2000000077fe = 0x3d; sprintf((char*)0x2000000077ff, "%020llu", (long long)r[22]); *(uint8_t*)0x200000007813 = 0x2c; memcpy((void*)0x200000007814, "group_id", 8); 
*(uint8_t*)0x20000000781c = 0x3d; sprintf((char*)0x20000000781d, "%020llu", (long long)r[13]); *(uint8_t*)0x200000007831 = 0x2c; memcpy((void*)0x200000007832, "max_read", 8); *(uint8_t*)0x20000000783a = 0x3d; sprintf((char*)0x20000000783b, "0x%016llx", (long long)3); *(uint8_t*)0x20000000784d = 0x2c; memcpy((void*)0x20000000784e, "default_permissions", 19); *(uint8_t*)0x200000007861 = 0x2c; memcpy((void*)0x200000007862, "allow_other", 11); *(uint8_t*)0x20000000786d = 0x2c; memcpy((void*)0x20000000786e, "default_permissions", 19); *(uint8_t*)0x200000007881 = 0x2c; memcpy((void*)0x200000007882, "allow_other", 11); *(uint8_t*)0x20000000788d = 0x2c; memcpy((void*)0x20000000788e, "default_permissions", 19); *(uint8_t*)0x2000000078a1 = 0x2c; memcpy((void*)0x2000000078a2, "default_permissions", 19); *(uint8_t*)0x2000000078b5 = 0x2c; memcpy((void*)0x2000000078b6, "allow_other", 11); *(uint8_t*)0x2000000078c1 = 0x2c; memcpy((void*)0x2000000078c2, "permit_directio", 15); *(uint8_t*)0x2000000078d1 = 0x2c; memcpy((void*)0x2000000078d2, "uid<", 4); sprintf((char*)0x2000000078d6, "%020llu", (long long)r[17]); *(uint8_t*)0x2000000078ea = 0x2c; memcpy((void*)0x2000000078eb, "appraise", 8); *(uint8_t*)0x2000000078f3 = 0x2c; memcpy((void*)0x2000000078f4, "smackfshat", 10); *(uint8_t*)0x2000000078fe = 0x3d; memcpy((void*)0x2000000078ff, "\300\'", 2); *(uint8_t*)0x200000007901 = 0x2c; memcpy((void*)0x200000007902, "appraise", 8); *(uint8_t*)0x20000000790a = 0x2c; *(uint8_t*)0x20000000790b = 0; memcpy((void*)0x200000007940, 
"\xa4\xb2\x22\xdf\x2b\xa1\x0d\xf2\x4f\x54\x81\xe0\xdc\x5e\x93\xb8\x1b\x1b\x82\xe9\xa2\x14\xca\xbc\xe3\x44\x80\x0a\xd5\x4d\xe6\x10\xfa\x1e\xda\x44\xb9\x04\x05\x26\xf2\xdc\x7c\x73\x1c\x54\x73\xc8\xc6\xdc\x94\x19\x2a\x03\x48\x4e\x6d\x62\xbb\x49\x12\x86\x12\x54\x3a\x9d\x01\x6e\xd9\xa3\x73\x0e\x51\x08\x0f\x5c\x86\x0d\x03\xa7\x7e\xd5\x01\x64\xbc\xf9\x9c\x42\xd3\x56\x8a\x97\x4a\x92\x7a\x87\x9d\xe4\x1e\xdc\x2f\x55\x52\x36\x58\x86\x12\x1a\x31\x09\x5b\x97\xaa\x08\xee\x29\x77\x11\x1f\x7c\xc5\x6a\x77\xc0\xf2\xa1\x6b\x32\xb1\x9d\xf5\x0a\x24\x9c\xd3\x05\x8e\x60\xa6\xae\x8c\x96\x34\x9d\x5e\x5c\x00\x97\x59\x4c\xe0\x1c\x1f\xbe\xe5\xee\x94\x60\x6f\xef\x67\x32\x31\xe6\x57\x00\xbc\x71\x5f\x1f\x01\x19\xc8\x4e\xd2\x7b\x8a\xf3\x8e\xd1\x53\xd3\x94\xd6\xb2\x2c\xca\x54\xdb\x55\xa3\x1b\xc2\x5b\x45\xe8\x1d\xec\xa7\xbe\xdb\x69\x66\x91\xae\x6b\x92\xf0\x9e\xea\x3e\x2b\x5e\x8a\xf2\xf9\x96\x33\x9d\xec\x59\x2e\xde\xc5\x89\x7e\x94\xeb", 228); syz_mount_image(/*fs=*/0x200000007740, /*dir=*/0x200000007780, /*flags=MS_PRIVATE*/0x40000, /*opts=*/0x2000000077c0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000007940); break; case 44: memcpy((void*)0x200000007a40, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000007a40, /*id=*/7, /*flags=*/0); break; case 45: memcpy((void*)0x200000007a80, "net/psched\000", 11); syz_open_procfs(/*pid=*/r[4], /*file=*/0x200000007a80); break; case 46: syz_open_pts(/*fd=*/r[9], /*flags=O_PATH|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|FASYNC|0x402*/0x292c02); break; case 47: syz_pidfd_open(/*pid=*/r[15], /*flags=*/0); break; case 48: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[32] = res; break; case 49: syz_pkey_set(/*key=*/r[32], /*val=PKEY_DISABLE_WRITE|PKEY_DISABLE_ACCESS*/3); break; case 50: syz_socket_connect_nvme_tcp(); break; case 51: *(uint8_t*)0x200000007ac0 = 0x12; *(uint8_t*)0x200000007ac1 = 1; *(uint16_t*)0x200000007ac2 = 0x250; *(uint8_t*)0x200000007ac4 = 0x58; *(uint8_t*)0x200000007ac5 = 6; *(uint8_t*)0x200000007ac6 = 0x54; 
*(uint8_t*)0x200000007ac7 = 8; *(uint16_t*)0x200000007ac8 = 0x13d3; *(uint16_t*)0x200000007aca = 0x3348; *(uint16_t*)0x200000007acc = 0x15b2; *(uint8_t*)0x200000007ace = 1; *(uint8_t*)0x200000007acf = 2; *(uint8_t*)0x200000007ad0 = 3; *(uint8_t*)0x200000007ad1 = 1; *(uint8_t*)0x200000007ad2 = 9; *(uint8_t*)0x200000007ad3 = 2; *(uint16_t*)0x200000007ad4 = 0x283; *(uint8_t*)0x200000007ad6 = 2; *(uint8_t*)0x200000007ad7 = 9; *(uint8_t*)0x200000007ad8 = 2; *(uint8_t*)0x200000007ad9 = 0x10; *(uint8_t*)0x200000007ada = 8; *(uint8_t*)0x200000007adb = 9; *(uint8_t*)0x200000007adc = 4; *(uint8_t*)0x200000007add = 0x26; *(uint8_t*)0x200000007ade = 0xb; *(uint8_t*)0x200000007adf = 5; *(uint8_t*)0x200000007ae0 = 0x83; *(uint8_t*)0x200000007ae1 = 0x18; *(uint8_t*)0x200000007ae2 = 0x74; *(uint8_t*)0x200000007ae3 = 0xee; *(uint8_t*)0x200000007ae4 = 9; *(uint8_t*)0x200000007ae5 = 5; *(uint8_t*)0x200000007ae6 = 0xb; *(uint8_t*)0x200000007ae7 = 3; *(uint16_t*)0x200000007ae8 = 8; *(uint8_t*)0x200000007aea = 4; *(uint8_t*)0x200000007aeb = 0xfb; *(uint8_t*)0x200000007aec = 0x6a; *(uint8_t*)0x200000007aed = 0xbd; *(uint8_t*)0x200000007aee = 0xc; memcpy((void*)0x200000007aef, "\x8b\x82\xbd\x3f\xc8\x13\x7d\x3d\x25\x9c\xe7\xbc\x14\x0d\xe0\x82\x3d\xe2\x22\x2e\xed\x4c\x57\x0e\xdc\xb8\x45\x53\xcd\x1e\xfd\x64\x9d\xd3\x52\xdd\x37\x5d\x81\xda\x8d\xa8\xe6\x86\x3f\xb4\x82\xec\xb3\xa1\x6f\x12\x22\x10\xbf\xf2\x5c\x59\xa3\xaf\xc6\x54\x28\x48\xc0\x6e\x1b\x98\x3f\xbc\x8d\xd0\xde\x62\x7c\xfd\xdf\x9f\x90\x5f\x5c\xb6\xed\x4a\x25\xec\x59\x47\x59\x9b\x15\xb5\x38\xc7\xbb\x0b\x0d\x65\xd4\xa3\x1b\x31\x9f\x73\x83\x95\x5c\xe7\x66\xef\x4c\x66\xd1\x8b\xc7\x5d\x69\xb2\xdd\x7d\x13\x6c\x78\xea\xec\x1e\x22\x03\xeb\x91\x8d\xd6\x16\x09\xde\x40\xf4\xf6\x93\x91\x7e\xeb\x17\xfc\x38\x7b\xb4\x27\x34\x1f\x64\x16\xe0\xb8\xc4\x6a\x24\x45\xa5\xc4\x9b\xd9\xc8\x6d\xfe\x21\xc5\x98\xac\xf1\x7e\xa9\x8f\xfe\xce\x20\x2a\x21\xdc\x93\xa0\xb8\x30\xd2\x9a\xf8\x7c", 187); *(uint8_t*)0x200000007baa = 0xc7; *(uint8_t*)0x200000007bab = 6; 
memcpy((void*)0x200000007bac, "\xf5\x45\x9e\x11\x78\x00\xd2\x2a\x25\xa4\x86\xd1\x44\x2f\x5c\xbd\x4d\x3d\x77\x6c\xd0\x61\xd2\xc1\x85\xf9\x92\x4e\xae\x6a\x4d\x7b\x14\xc5\x8b\x59\x98\x63\xd3\x21\xe3\xea\x80\xa2\x5f\x6d\x8b\xe5\x1d\x5c\xa7\x0c\x27\x6c\xe0\xe6\xd9\x03\x8f\x88\x77\x6b\x96\x14\x28\x7d\xb7\xee\x21\x13\xf0\xe7\xe1\xf0\x18\x73\xb6\x13\xd7\x63\xda\x5f\x87\xf8\x6c\xd1\x86\x0b\xd6\x23\x46\x3f\xc6\xd9\x3d\x9f\x94\x8d\x0d\x4d\x70\xd7\x2a\x8a\xc1\xde\xc1\xad\xce\xb8\x71\x67\x29\x90\x64\x28\xd5\xb6\xe2\x4b\x01\x49\x9b\xfa\x6a\x0a\xa0\x48\x2e\xed\x8c\x77\x51\xa1\xc7\xec\x94\x4d\xb1\x92\x54\xa7\x4b\x61\x14\x2e\x72\x5a\x7a\x29\x0c\x41\x42\x87\x5d\x34\x7b\x3e\x48\x3f\x4e\x2d\xb8\x37\x3e\xf8\xfe\xad\x81\x18\xce\x07\xd8\x12\x33\x2b\x21\x1d\xa9\x73\x3d\x44\x4f\x7d\x70\x6a\x64\x39\xc2\x9a\xea\xed\xd0\x30\x00\xa2\xa8", 197); *(uint8_t*)0x200000007c71 = 9; *(uint8_t*)0x200000007c72 = 5; *(uint8_t*)0x200000007c73 = 0xa; *(uint8_t*)0x200000007c74 = 0xc; *(uint16_t*)0x200000007c75 = 0x400; *(uint8_t*)0x200000007c77 = 0xc; *(uint8_t*)0x200000007c78 = 0; *(uint8_t*)0x200000007c79 = 0xb5; *(uint8_t*)0x200000007c7a = 7; *(uint8_t*)0x200000007c7b = 0x25; *(uint8_t*)0x200000007c7c = 1; *(uint8_t*)0x200000007c7d = 1; *(uint8_t*)0x200000007c7e = 0xb; *(uint16_t*)0x200000007c7f = 7; *(uint8_t*)0x200000007c81 = 9; *(uint8_t*)0x200000007c82 = 5; *(uint8_t*)0x200000007c83 = 2; *(uint8_t*)0x200000007c84 = 0x10; *(uint16_t*)0x200000007c85 = 0x20; *(uint8_t*)0x200000007c87 = 7; *(uint8_t*)0x200000007c88 = 5; *(uint8_t*)0x200000007c89 = 5; *(uint8_t*)0x200000007c8a = 0x24; *(uint8_t*)0x200000007c8b = 7; memcpy((void*)0x200000007c8c, "\xad\x98\x31\x4a\x82\xd7\xae\xbb\xfc\xe8\x51\x78\x75\x22\x71\xb1\x58\xc0\x5d\xea\x1b\xf5\xa2\x45\x9c\x43\x1d\xf1\x80\xc1\xf3\xb2\xbe\x3b", 34); *(uint8_t*)0x200000007cae = 9; *(uint8_t*)0x200000007caf = 5; *(uint8_t*)0x200000007cb0 = 3; *(uint8_t*)0x200000007cb1 = 2; *(uint16_t*)0x200000007cb2 = 8; *(uint8_t*)0x200000007cb4 = 7; *(uint8_t*)0x200000007cb5 = 0xf3; 
*(uint8_t*)0x200000007cb6 = 4; *(uint8_t*)0x200000007cb7 = 9; *(uint8_t*)0x200000007cb8 = 5; *(uint8_t*)0x200000007cb9 = 5; *(uint8_t*)0x200000007cba = 0; *(uint16_t*)0x200000007cbb = 0x40; *(uint8_t*)0x200000007cbd = 2; *(uint8_t*)0x200000007cbe = 3; *(uint8_t*)0x200000007cbf = 2; *(uint8_t*)0x200000007cc0 = 0x6a; *(uint8_t*)0x200000007cc1 = 0xa; memcpy((void*)0x200000007cc2, "\xf7\xdd\x67\x50\x5d\x35\x3d\x93\xb6\xe1\xf3\xac\x2d\x8f\x9f\x76\x60\x12\xd2\x04\xe5\x58\xa7\x07\x6c\x6a\x1d\xd6\x64\x8b\x29\x28\xac\xaf\x80\x17\x10\xc8\x55\x50\x67\xe0\x71\x5e\x60\x77\x2d\x9a\x84\xc7\x14\xf6\x3d\x52\x7b\x9f\x15\x32\xa5\xac\x65\x11\x62\x7f\x9e\x84\x00\xe6\x2a\xd6\xbd\x25\xec\x51\xec\x63\x0a\xfc\x10\xe1\xf0\xf2\xfe\x01\xc9\x58\x8e\x28\x97\xef\x26\xd5\xea\x8b\xcf\x97\x0e\x51\xfc\x28\xd8\x4a\x62\x8c", 104); *(uint8_t*)0x200000007d2a = 9; *(uint8_t*)0x200000007d2b = 4; *(uint8_t*)0x200000007d2c = 0x48; *(uint8_t*)0x200000007d2d = 0xe; *(uint8_t*)0x200000007d2e = 3; *(uint8_t*)0x200000007d2f = 0xca; *(uint8_t*)0x200000007d30 = 0x1e; *(uint8_t*)0x200000007d31 = 0x4a; *(uint8_t*)0x200000007d32 = 0xf5; *(uint8_t*)0x200000007d33 = 9; *(uint8_t*)0x200000007d34 = 5; *(uint8_t*)0x200000007d35 = 0xb; *(uint8_t*)0x200000007d36 = 4; *(uint16_t*)0x200000007d37 = 0x400; *(uint8_t*)0x200000007d39 = 5; *(uint8_t*)0x200000007d3a = 0xf7; *(uint8_t*)0x200000007d3b = 0xf6; *(uint8_t*)0x200000007d3c = 9; *(uint8_t*)0x200000007d3d = 5; *(uint8_t*)0x200000007d3e = 0xe; *(uint8_t*)0x200000007d3f = 0x10; *(uint16_t*)0x200000007d40 = 0x3ff; *(uint8_t*)0x200000007d42 = 1; *(uint8_t*)0x200000007d43 = 0xd; *(uint8_t*)0x200000007d44 = 0x80; *(uint8_t*)0x200000007d45 = 9; *(uint8_t*)0x200000007d46 = 5; *(uint8_t*)0x200000007d47 = 5; *(uint8_t*)0x200000007d48 = 0x10; *(uint16_t*)0x200000007d49 = 0x10; *(uint8_t*)0x200000007d4b = 0x95; *(uint8_t*)0x200000007d4c = 3; *(uint8_t*)0x200000007d4d = 0; *(uint8_t*)0x200000007d4e = 7; *(uint8_t*)0x200000007d4f = 0x25; *(uint8_t*)0x200000007d50 = 1; 
*(uint8_t*)0x200000007d51 = 0x82; *(uint8_t*)0x200000007d52 = 0xae; *(uint16_t*)0x200000007d53 = 0x12; *(uint32_t*)0x200000007ec0 = 0xa; *(uint64_t*)0x200000007ec4 = 0x200000007d80; *(uint8_t*)0x200000007d80 = 0xa; *(uint8_t*)0x200000007d81 = 6; *(uint16_t*)0x200000007d82 = 0x110; *(uint8_t*)0x200000007d84 = 4; *(uint8_t*)0x200000007d85 = 1; *(uint8_t*)0x200000007d86 = 6; *(uint8_t*)0x200000007d87 = 8; *(uint8_t*)0x200000007d88 = 0xe; *(uint8_t*)0x200000007d89 = 0; *(uint32_t*)0x200000007ecc = 0x3b; *(uint64_t*)0x200000007ed0 = 0x200000007dc0; *(uint8_t*)0x200000007dc0 = 5; *(uint8_t*)0x200000007dc1 = 0xf; *(uint16_t*)0x200000007dc2 = 0x3b; *(uint8_t*)0x200000007dc4 = 4; *(uint8_t*)0x200000007dc5 = 0x14; *(uint8_t*)0x200000007dc6 = 0x10; *(uint8_t*)0x200000007dc7 = 4; *(uint8_t*)0x200000007dc8 = 6; memcpy((void*)0x200000007dc9, "\xfd\xf4\x04\x3a\xe7\xf5\x9e\x3e\x81\xfe\x30\x3d\x4d\xe3\xea\x16", 16); *(uint8_t*)0x200000007dd9 = 7; *(uint8_t*)0x200000007dda = 0x10; *(uint8_t*)0x200000007ddb = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007ddc, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007dde, 6, 0, 16); *(uint8_t*)0x200000007de0 = 7; *(uint8_t*)0x200000007de1 = 0x10; *(uint8_t*)0x200000007de2 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007de3, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 7, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 0xd, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de5, 0x95d7, 0, 16); *(uint8_t*)0x200000007de7 = 0x14; *(uint8_t*)0x200000007de8 = 0x10; *(uint8_t*)0x200000007de9 = 4; *(uint8_t*)0x200000007dea = 3; memcpy((void*)0x200000007deb, "\xbc\x6a\x92\x66\xbf\x50\x6e\x90\x62\x0d\x9c\x90\x0e\x18\x01\x43", 16); *(uint32_t*)0x200000007ed8 = 1; *(uint32_t*)0x200000007edc = 0x98; *(uint64_t*)0x200000007ee0 = 0x200000007e00; *(uint8_t*)0x200000007e00 = 0x98; *(uint8_t*)0x200000007e01 = 3; memcpy((void*)0x200000007e02, 
"\xd9\x5f\x3f\xca\xaa\x58\xf9\xd3\x6d\x03\xe3\xa2\xd5\x56\x6a\x51\x91\xf7\x42\xf7\x23\xfa\x49\xe3\x64\xe0\x3b\x0d\x28\x8a\x7f\xcb\x45\x79\xb5\x8c\x56\xd8\x24\xbe\x57\xf9\xad\x0f\x87\x03\xd3\x01\x1c\xac\x46\x84\x33\xfa\x22\xc2\x3b\xfa\xf1\x5d\xad\x54\x1e\xfb\x01\x38\xc4\x6b\xb8\xf8\x86\x92\x15\x15\x5c\x26\x85\xd6\x9b\x75\xff\xe6\x8c\x0c\xbd\x6e\x71\x74\x3a\xbd\x43\x55\xe1\x2d\x9d\xcb\x7d\xff\x16\xbb\x07\x5d\xa5\x53\xc1\x78\x13\x9e\xde\x2c\x28\x5a\x4a\x28\x45\xe8\x88\x9c\x23\x45\x04\xd9\x68\xd8\x70\xb6\x08\x4a\x7b\x4a\xb0\xdc\xdb\x83\xd4\x3b\xb2\xf4\xe7\xa0\x15\x6b\x80\xa6\x89\x19\xcb\xb7\xda\x84", 150); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0x295, /*dev=*/0x200000007ac0, /*conn_descs=*/0x200000007ec0); if (res != -1) r[33] = res; break; case 52: *(uint8_t*)0x200000007f00 = 0x12; *(uint8_t*)0x200000007f01 = 1; *(uint16_t*)0x200000007f02 = 0x200; *(uint8_t*)0x200000007f04 = -1; *(uint8_t*)0x200000007f05 = -1; *(uint8_t*)0x200000007f06 = -1; *(uint8_t*)0x200000007f07 = 0x40; *(uint16_t*)0x200000007f08 = 0xcf3; *(uint16_t*)0x200000007f0a = 0x9271; *(uint16_t*)0x200000007f0c = 0x108; *(uint8_t*)0x200000007f0e = 1; *(uint8_t*)0x200000007f0f = 2; *(uint8_t*)0x200000007f10 = 3; *(uint8_t*)0x200000007f11 = 1; *(uint8_t*)0x200000007f12 = 9; *(uint8_t*)0x200000007f13 = 2; *(uint16_t*)0x200000007f14 = 0x48; *(uint8_t*)0x200000007f16 = 1; *(uint8_t*)0x200000007f17 = 1; *(uint8_t*)0x200000007f18 = 0; *(uint8_t*)0x200000007f19 = 0x80; *(uint8_t*)0x200000007f1a = 0xfa; *(uint8_t*)0x200000007f1b = 9; *(uint8_t*)0x200000007f1c = 4; *(uint8_t*)0x200000007f1d = 0; *(uint8_t*)0x200000007f1e = 0; *(uint8_t*)0x200000007f1f = 6; *(uint8_t*)0x200000007f20 = -1; *(uint8_t*)0x200000007f21 = 0; *(uint8_t*)0x200000007f22 = 0; *(uint8_t*)0x200000007f23 = 0; *(uint8_t*)0x200000007f24 = 9; *(uint8_t*)0x200000007f25 = 5; *(uint8_t*)0x200000007f26 = 1; *(uint8_t*)0x200000007f27 = 2; *(uint16_t*)0x200000007f28 = 0x200; *(uint8_t*)0x200000007f2a = 0; 
*(uint8_t*)0x200000007f2b = 0; *(uint8_t*)0x200000007f2c = 0; *(uint8_t*)0x200000007f2d = 9; *(uint8_t*)0x200000007f2e = 5; *(uint8_t*)0x200000007f2f = 0x82; *(uint8_t*)0x200000007f30 = 2; *(uint16_t*)0x200000007f31 = 0x200; *(uint8_t*)0x200000007f33 = 0; *(uint8_t*)0x200000007f34 = 0; *(uint8_t*)0x200000007f35 = 0; *(uint8_t*)0x200000007f36 = 9; *(uint8_t*)0x200000007f37 = 5; *(uint8_t*)0x200000007f38 = 0x83; *(uint8_t*)0x200000007f39 = 3; *(uint16_t*)0x200000007f3a = 0x40; *(uint8_t*)0x200000007f3c = 1; *(uint8_t*)0x200000007f3d = 0; *(uint8_t*)0x200000007f3e = 0; *(uint8_t*)0x200000007f3f = 9; *(uint8_t*)0x200000007f40 = 5; *(uint8_t*)0x200000007f41 = 4; *(uint8_t*)0x200000007f42 = 3; *(uint16_t*)0x200000007f43 = 0x40; *(uint8_t*)0x200000007f45 = 1; *(uint8_t*)0x200000007f46 = 0; *(uint8_t*)0x200000007f47 = 0; *(uint8_t*)0x200000007f48 = 9; *(uint8_t*)0x200000007f49 = 5; *(uint8_t*)0x200000007f4a = 5; *(uint8_t*)0x200000007f4b = 2; *(uint16_t*)0x200000007f4c = 0x200; *(uint8_t*)0x200000007f4e = 0; *(uint8_t*)0x200000007f4f = 0; *(uint8_t*)0x200000007f50 = 0; *(uint8_t*)0x200000007f51 = 9; *(uint8_t*)0x200000007f52 = 5; *(uint8_t*)0x200000007f53 = 6; *(uint8_t*)0x200000007f54 = 2; *(uint16_t*)0x200000007f55 = 0x200; *(uint8_t*)0x200000007f57 = 0; *(uint8_t*)0x200000007f58 = 0; *(uint8_t*)0x200000007f59 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000007f00, /*conn_descs=*/0); if (res != -1) r[34] = res; break; case 53: *(uint8_t*)0x200000007f80 = 0x12; *(uint8_t*)0x200000007f81 = 1; *(uint16_t*)0x200000007f82 = 0x110; *(uint8_t*)0x200000007f84 = 0; *(uint8_t*)0x200000007f85 = 0; *(uint8_t*)0x200000007f86 = 0; *(uint8_t*)0x200000007f87 = 0x40; *(uint16_t*)0x200000007f88 = 0x1d6b; *(uint16_t*)0x200000007f8a = 0x101; *(uint16_t*)0x200000007f8c = 0x40; *(uint8_t*)0x200000007f8e = 1; *(uint8_t*)0x200000007f8f = 2; *(uint8_t*)0x200000007f90 = 3; *(uint8_t*)0x200000007f91 = 1; *(uint8_t*)0x200000007f92 = 9; 
*(uint8_t*)0x200000007f93 = 2; *(uint16_t*)0x200000007f94 = 0xd3; *(uint8_t*)0x200000007f96 = 3; *(uint8_t*)0x200000007f97 = 1; *(uint8_t*)0x200000007f98 = 1; *(uint8_t*)0x200000007f99 = 0x80; *(uint8_t*)0x200000007f9a = 0x80; *(uint8_t*)0x200000007f9b = 9; *(uint8_t*)0x200000007f9c = 4; *(uint8_t*)0x200000007f9d = 0; *(uint8_t*)0x200000007f9e = 0; *(uint8_t*)0x200000007f9f = 0; *(uint8_t*)0x200000007fa0 = 1; *(uint8_t*)0x200000007fa1 = 1; *(uint8_t*)0x200000007fa2 = 0; *(uint8_t*)0x200000007fa3 = 0; *(uint8_t*)0x200000007fa4 = 0xa; *(uint8_t*)0x200000007fa5 = 0x24; *(uint8_t*)0x200000007fa6 = 1; *(uint16_t*)0x200000007fa7 = 0; *(uint8_t*)0x200000007fa9 = 0x7c; *(uint8_t*)0x200000007faa = 2; *(uint8_t*)0x200000007fab = 1; *(uint8_t*)0x200000007fac = 2; *(uint8_t*)0x200000007fad = 0xd; *(uint8_t*)0x200000007fae = 0x24; *(uint8_t*)0x200000007faf = 8; *(uint8_t*)0x200000007fb0 = 2; *(uint16_t*)0x200000007fb1 = 8; *(uint8_t*)0x200000007fb3 = 9; memcpy((void*)0x200000007fb4, "\x0c\xff\xda\x3f\x22\x7b", 6); *(uint8_t*)0x200000007fba = 9; *(uint8_t*)0x200000007fbb = 4; *(uint8_t*)0x200000007fbc = 1; *(uint8_t*)0x200000007fbd = 0; *(uint8_t*)0x200000007fbe = 0; *(uint8_t*)0x200000007fbf = 1; *(uint8_t*)0x200000007fc0 = 2; *(uint8_t*)0x200000007fc1 = 0; *(uint8_t*)0x200000007fc2 = 0; *(uint8_t*)0x200000007fc3 = 9; *(uint8_t*)0x200000007fc4 = 4; *(uint8_t*)0x200000007fc5 = 1; *(uint8_t*)0x200000007fc6 = 1; *(uint8_t*)0x200000007fc7 = 1; *(uint8_t*)0x200000007fc8 = 1; *(uint8_t*)0x200000007fc9 = 2; *(uint8_t*)0x200000007fca = 0; *(uint8_t*)0x200000007fcb = 0; *(uint8_t*)0x200000007fcc = 0x12; *(uint8_t*)0x200000007fcd = 0x24; *(uint8_t*)0x200000007fce = 2; *(uint8_t*)0x200000007fcf = 2; *(uint16_t*)0x200000007fd0 = 6; *(uint16_t*)0x200000007fd2 = 0x9a; *(uint8_t*)0x200000007fd4 = 0x20; memcpy((void*)0x200000007fd5, "\x2d\xa5\xee\x78\xa2\x8e\x1f\x1a\x41", 9); *(uint8_t*)0x200000007fde = 0xd; *(uint8_t*)0x200000007fdf = 0x24; *(uint8_t*)0x200000007fe0 = 2; 
*(uint8_t*)0x200000007fe1 = 1; *(uint8_t*)0x200000007fe2 = 0xf8; *(uint8_t*)0x200000007fe3 = 3; *(uint8_t*)0x200000007fe4 = 0x69; *(uint8_t*)0x200000007fe5 = 0x6d; memcpy((void*)0x200000007fe6, "e)", 2); memcpy((void*)0x200000007fe8, "\xbf\x07\x94", 3); *(uint8_t*)0x200000007feb = 0xb; *(uint8_t*)0x200000007fec = 0x24; *(uint8_t*)0x200000007fed = 2; *(uint8_t*)0x200000007fee = 1; *(uint8_t*)0x200000007fef = 5; *(uint8_t*)0x200000007ff0 = 4; *(uint8_t*)0x200000007ff1 = 0x5b; *(uint8_t*)0x200000007ff2 = 3; memset((void*)0x200000007ff3, 68, 1); memcpy((void*)0x200000007ff4, "\x26\x18", 2); *(uint8_t*)0x200000007ff6 = 9; *(uint8_t*)0x200000007ff7 = 0x24; *(uint8_t*)0x200000007ff8 = 2; *(uint8_t*)0x200000007ff9 = 2; *(uint16_t*)0x200000007ffa = 0x7b4; *(uint16_t*)0x200000007ffc = 8; *(uint8_t*)0x200000007ffe = 4; *(uint8_t*)0x200000007fff = 0xc; *(uint8_t*)0x200000008000 = 0x24; *(uint8_t*)0x200000008001 = 2; *(uint8_t*)0x200000008002 = 1; *(uint8_t*)0x200000008003 = 0; *(uint8_t*)0x200000008004 = 3; *(uint8_t*)0x200000008005 = 8; *(uint8_t*)0x200000008006 = 8; memset((void*)0x200000008007, 170, 1); memcpy((void*)0x200000008008, "\xe8\xe5\xb4", 3); *(uint8_t*)0x20000000800b = 9; *(uint8_t*)0x20000000800c = 5; *(uint8_t*)0x20000000800d = 1; *(uint8_t*)0x20000000800e = 9; *(uint16_t*)0x20000000800f = 0x40; *(uint8_t*)0x200000008011 = 6; *(uint8_t*)0x200000008012 = 5; *(uint8_t*)0x200000008013 = 0; *(uint8_t*)0x200000008014 = 7; *(uint8_t*)0x200000008015 = 0x25; *(uint8_t*)0x200000008016 = 1; *(uint8_t*)0x200000008017 = 0x80; *(uint8_t*)0x200000008018 = 1; *(uint16_t*)0x200000008019 = 4; *(uint8_t*)0x20000000801b = 9; *(uint8_t*)0x20000000801c = 4; *(uint8_t*)0x20000000801d = 2; *(uint8_t*)0x20000000801e = 0; *(uint8_t*)0x20000000801f = 0; *(uint8_t*)0x200000008020 = 1; *(uint8_t*)0x200000008021 = 2; *(uint8_t*)0x200000008022 = 0; *(uint8_t*)0x200000008023 = 0; *(uint8_t*)0x200000008024 = 9; *(uint8_t*)0x200000008025 = 4; *(uint8_t*)0x200000008026 = 2; 
*(uint8_t*)0x200000008027 = 1; *(uint8_t*)0x200000008028 = 1; *(uint8_t*)0x200000008029 = 1; *(uint8_t*)0x20000000802a = 2; *(uint8_t*)0x20000000802b = 0; *(uint8_t*)0x20000000802c = 0; *(uint8_t*)0x20000000802d = 7; *(uint8_t*)0x20000000802e = 0x24; *(uint8_t*)0x20000000802f = 1; *(uint8_t*)0x200000008030 = 3; *(uint8_t*)0x200000008031 = 0x1e; *(uint16_t*)0x200000008032 = 4; *(uint8_t*)0x200000008034 = 7; *(uint8_t*)0x200000008035 = 0x24; *(uint8_t*)0x200000008036 = 1; *(uint8_t*)0x200000008037 = 0x6f; *(uint8_t*)0x200000008038 = 7; *(uint16_t*)0x200000008039 = 0; *(uint8_t*)0x20000000803b = 0xa; *(uint8_t*)0x20000000803c = 0x24; *(uint8_t*)0x20000000803d = 2; *(uint8_t*)0x20000000803e = 2; *(uint16_t*)0x20000000803f = 8; *(uint16_t*)0x200000008041 = 2; *(uint8_t*)0x200000008043 = 8; memset((void*)0x200000008044, 102, 1); *(uint8_t*)0x200000008045 = 0x10; *(uint8_t*)0x200000008046 = 0x24; *(uint8_t*)0x200000008047 = 2; *(uint8_t*)0x200000008048 = 2; *(uint16_t*)0x200000008049 = 9; *(uint16_t*)0x20000000804b = 0x401; *(uint8_t*)0x20000000804d = 5; memcpy((void*)0x20000000804e, "\x53\xb1\x1d\xbc\x8c\xd3\x10", 7); *(uint8_t*)0x200000008055 = 9; *(uint8_t*)0x200000008056 = 5; *(uint8_t*)0x200000008057 = 0x82; *(uint8_t*)0x200000008058 = 9; *(uint16_t*)0x200000008059 = 8; *(uint8_t*)0x20000000805b = 0; *(uint8_t*)0x20000000805c = 0x28; *(uint8_t*)0x20000000805d = 6; *(uint8_t*)0x20000000805e = 7; *(uint8_t*)0x20000000805f = 0x25; *(uint8_t*)0x200000008060 = 1; *(uint8_t*)0x200000008061 = 0x80; *(uint8_t*)0x200000008062 = 5; *(uint16_t*)0x200000008063 = 0xd; *(uint32_t*)0x2000000081c0 = 0xa; *(uint64_t*)0x2000000081c4 = 0x200000008080; *(uint8_t*)0x200000008080 = 0xa; *(uint8_t*)0x200000008081 = 6; *(uint16_t*)0x200000008082 = 0x110; *(uint8_t*)0x200000008084 = 0x59; *(uint8_t*)0x200000008085 = 0xa5; *(uint8_t*)0x200000008086 = 5; *(uint8_t*)0x200000008087 = 0x10; *(uint8_t*)0x200000008088 = 1; *(uint8_t*)0x200000008089 = 0; *(uint32_t*)0x2000000081cc = 0x39; 
*(uint64_t*)0x2000000081d0 = 0x2000000080c0; *(uint8_t*)0x2000000080c0 = 5; *(uint8_t*)0x2000000080c1 = 0xf; *(uint16_t*)0x2000000080c2 = 0x39; *(uint8_t*)0x2000000080c4 = 5; *(uint8_t*)0x2000000080c5 = 0xb; *(uint8_t*)0x2000000080c6 = 0x10; *(uint8_t*)0x2000000080c7 = 1; *(uint8_t*)0x2000000080c8 = 4; *(uint16_t*)0x2000000080c9 = 8; *(uint8_t*)0x2000000080cb = 3; *(uint8_t*)0x2000000080cc = 0xb8; *(uint16_t*)0x2000000080cd = 9; *(uint8_t*)0x2000000080cf = 4; *(uint8_t*)0x2000000080d0 = 0x14; *(uint8_t*)0x2000000080d1 = 0x10; *(uint8_t*)0x2000000080d2 = 4; *(uint8_t*)0x2000000080d3 = 2; memcpy((void*)0x2000000080d4, "\x9d\x9a\xb0\x97\x8e\x2a\xac\xe2\x6d\xe6\x63\x06\xe6\xe2\x96\x3d", 16); *(uint8_t*)0x2000000080e4 = 0xb; *(uint8_t*)0x2000000080e5 = 0x10; *(uint8_t*)0x2000000080e6 = 1; *(uint8_t*)0x2000000080e7 = 4; *(uint16_t*)0x2000000080e8 = 0; *(uint8_t*)0x2000000080ea = 6; *(uint8_t*)0x2000000080eb = 4; *(uint16_t*)0x2000000080ec = 1; *(uint8_t*)0x2000000080ee = 5; *(uint8_t*)0x2000000080ef = 3; *(uint8_t*)0x2000000080f0 = 0x10; *(uint8_t*)0x2000000080f1 = 0xb; *(uint8_t*)0x2000000080f2 = 7; *(uint8_t*)0x2000000080f3 = 0x10; *(uint8_t*)0x2000000080f4 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000080f5, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f7, 0xfff2, 0, 16); *(uint32_t*)0x2000000081d8 = 1; *(uint32_t*)0x2000000081dc = 0x84; *(uint64_t*)0x2000000081e0 = 0x200000008100; *(uint8_t*)0x200000008100 = 0x84; *(uint8_t*)0x200000008101 = 3; memcpy((void*)0x200000008102, 
"\x00\x0a\x6c\x9f\x4a\x15\xea\xbc\x97\xa9\x2a\xb6\x65\x23\x1b\x2c\xf9\x05\x73\x21\xeb\x43\x0c\x65\x21\xf4\x97\xa8\xc3\xce\x81\x62\x68\xcb\x33\x7f\xa4\x8d\xee\xcf\xeb\x28\xb2\x30\x5f\xcf\x2d\x2e\x98\x8c\xc8\xb8\xb9\x80\xa1\x33\x2d\xc4\x06\xbc\x34\x69\x5f\xa2\x4d\xc3\x60\x9f\x61\x9d\x7a\xc2\x84\xcc\x3a\xe7\xf0\xaf\xe4\x44\xd5\x78\xc9\x51\xd9\xae\xdc\x4c\x68\x2e\x10\x0c\xfe\xb6\x61\x9b\x98\xa9\x6b\x19\x78\xd8\xed\xe7\x57\x4e\x96\x9f\x8a\xe8\xe3\xdf\xb8\x35\xbd\xe5\xcc\xd9\x22\x13\x3e\x53\x03\x6f\xf4\x4e\xda\x52\xa0\xa9", 130); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0xe5, /*dev=*/0x200000007f80, /*conn_descs=*/0x2000000081c0); if (res != -1) r[35] = res; break; case 54: *(uint32_t*)0x200000008380 = 0x2c; *(uint64_t*)0x200000008384 = 0x200000008200; *(uint8_t*)0x200000008200 = 0x40; *(uint8_t*)0x200000008201 = 0x22; *(uint32_t*)0x200000008202 = 0x31; *(uint8_t*)0x200000008206 = 0x31; *(uint8_t*)0x200000008207 = 5; memcpy((void*)0x200000008208, "\x74\xe8\x3d\xcf\x53\xdd\x2d\x0e\xca\xc0\xaa\x34\x67\xb1\x8d\xfa\x71\xb2\x6c\xdd\x40\x3d\x95\x5c\x0f\xfe\x22\x81\x7b\x01\xfe\x57\x95\xd5\x1c\xf2\x4a\x6a\xe3\xb8\xe3\x2f\x1b\x7a\xc5\xf8\xca", 47); *(uint64_t*)0x20000000838c = 0x200000008240; *(uint8_t*)0x200000008240 = 0; *(uint8_t*)0x200000008241 = 3; *(uint32_t*)0x200000008242 = 0x1e; *(uint8_t*)0x200000008246 = 0x1e; *(uint8_t*)0x200000008247 = 3; memcpy((void*)0x200000008248, "\x89\x57\xa5\x01\xd8\x3c\x69\xe5\x4f\x70\xf6\x2f\x93\x2a\x50\xb6\x55\x06\xc3\x88\xc1\x28\x23\x9d\x36\x22\x9e\xe2", 28); *(uint64_t*)0x200000008394 = 0x200000008280; *(uint8_t*)0x200000008280 = 0; *(uint8_t*)0x200000008281 = 0xf; *(uint32_t*)0x200000008282 = 0x4f; *(uint8_t*)0x200000008286 = 5; *(uint8_t*)0x200000008287 = 0xf; *(uint16_t*)0x200000008288 = 0x4f; *(uint8_t*)0x20000000828a = 6; *(uint8_t*)0x20000000828b = 0x1c; *(uint8_t*)0x20000000828c = 0x10; *(uint8_t*)0x20000000828d = 0xa; *(uint8_t*)0x20000000828e = 0; STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 4, 0, 
5); STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 5, 5, 27); *(uint16_t*)0x200000008293 = 0xf000; *(uint16_t*)0x200000008295 = 0x409; *(uint32_t*)0x200000008297 = 0xc000; *(uint32_t*)0x20000000829b = 0x17f; *(uint32_t*)0x20000000829f = 0xff3f30; *(uint32_t*)0x2000000082a3 = 0xffffaf; *(uint8_t*)0x2000000082a7 = 0x10; *(uint8_t*)0x2000000082a8 = 0x10; *(uint8_t*)0x2000000082a9 = 0xa; *(uint8_t*)0x2000000082aa = 9; STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 4, 5, 27); *(uint16_t*)0x2000000082af = 0xff0f; *(uint16_t*)0x2000000082b1 = 0xf87; *(uint32_t*)0x2000000082b3 = 0xc030; *(uint8_t*)0x2000000082b7 = 7; *(uint8_t*)0x2000000082b8 = 0x10; *(uint8_t*)0x2000000082b9 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000082ba, 4, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bc, 5, 0, 16); *(uint8_t*)0x2000000082be = 0xa; *(uint8_t*)0x2000000082bf = 0x10; *(uint8_t*)0x2000000082c0 = 3; *(uint8_t*)0x2000000082c1 = 0; *(uint16_t*)0x2000000082c2 = 4; *(uint8_t*)0x2000000082c4 = 0xd2; *(uint8_t*)0x2000000082c5 = 3; *(uint16_t*)0x2000000082c6 = 5; *(uint8_t*)0x2000000082c8 = 0xa; *(uint8_t*)0x2000000082c9 = 0x10; *(uint8_t*)0x2000000082ca = 3; *(uint8_t*)0x2000000082cb = 0; *(uint16_t*)0x2000000082cc = 0; *(uint8_t*)0x2000000082ce = 1; *(uint8_t*)0x2000000082cf = 7; *(uint16_t*)0x2000000082d0 = 2; *(uint8_t*)0x2000000082d2 = 3; *(uint8_t*)0x2000000082d3 = 0x10; *(uint8_t*)0x2000000082d4 = 0xb; *(uint64_t*)0x20000000839c = 0x200000008300; *(uint8_t*)0x200000008300 = 0x20; *(uint8_t*)0x200000008301 = 0x29; *(uint32_t*)0x200000008302 = 0xf; *(uint8_t*)0x200000008306 = 0xf; *(uint8_t*)0x200000008307 = 0x29; *(uint8_t*)0x200000008308 = 8; *(uint16_t*)0x200000008309 = 1; *(uint8_t*)0x20000000830b = 7; *(uint8_t*)0x20000000830c = 4; memcpy((void*)0x20000000830d, "\b\r$}", 4); memcpy((void*)0x200000008311, "\x67\x01\x6d\xee", 
4); *(uint64_t*)0x2000000083a4 = 0x200000008340; *(uint8_t*)0x200000008340 = 0x20; *(uint8_t*)0x200000008341 = 0x2a; *(uint32_t*)0x200000008342 = 0xc; *(uint8_t*)0x200000008346 = 0xc; *(uint8_t*)0x200000008347 = 0x2a; *(uint8_t*)0x200000008348 = 0x16; *(uint16_t*)0x200000008349 = 0x80; *(uint8_t*)0x20000000834b = 9; *(uint8_t*)0x20000000834c = 3; *(uint8_t*)0x20000000834d = 3; *(uint16_t*)0x20000000834e = 2; *(uint16_t*)0x200000008350 = 0xf000; *(uint32_t*)0x2000000087c0 = 0x84; *(uint64_t*)0x2000000087c4 = 0x2000000083c0; *(uint8_t*)0x2000000083c0 = 0; *(uint8_t*)0x2000000083c1 = 0x11; *(uint32_t*)0x2000000083c2 = 0x1f; memcpy((void*)0x2000000083c6, "\x16\xd6\x0d\x77\x43\x50\x14\x52\xff\xd5\x73\x04\x24\xbc\x4a\x97\x0c\xc6\x49\x0b\xb9\xcc\x85\x93\x86\x99\xed\xf2\x7a\x0c\x7d", 31); *(uint64_t*)0x2000000087cc = 0x200000008400; *(uint8_t*)0x200000008400 = 0; *(uint8_t*)0x200000008401 = 0xa; *(uint32_t*)0x200000008402 = 1; *(uint8_t*)0x200000008406 = 9; *(uint64_t*)0x2000000087d4 = 0x200000008440; *(uint8_t*)0x200000008440 = 0; *(uint8_t*)0x200000008441 = 8; *(uint32_t*)0x200000008442 = 1; *(uint8_t*)0x200000008446 = 4; *(uint64_t*)0x2000000087dc = 0x200000008480; *(uint8_t*)0x200000008480 = 0x20; *(uint8_t*)0x200000008481 = 0; *(uint32_t*)0x200000008482 = 4; *(uint16_t*)0x200000008486 = 0xe554; *(uint16_t*)0x200000008488 = 1; *(uint64_t*)0x2000000087e4 = 0x2000000084c0; *(uint8_t*)0x2000000084c0 = 0x20; *(uint8_t*)0x2000000084c1 = 0; *(uint32_t*)0x2000000084c2 = 4; *(uint16_t*)0x2000000084c6 = 0x200; *(uint16_t*)0x2000000084c8 = 0x2b; *(uint64_t*)0x2000000087ec = 0x200000008500; *(uint8_t*)0x200000008500 = 0x40; *(uint8_t*)0x200000008501 = 7; *(uint32_t*)0x200000008502 = 2; *(uint16_t*)0x200000008506 = 0xfd37; *(uint64_t*)0x2000000087f4 = 0x200000008540; *(uint8_t*)0x200000008540 = 0x40; *(uint8_t*)0x200000008541 = 9; *(uint32_t*)0x200000008542 = 1; *(uint8_t*)0x200000008546 = 0; *(uint64_t*)0x2000000087fc = 0x200000008580; *(uint8_t*)0x200000008580 = 0x40; 
*(uint8_t*)0x200000008581 = 0xb; *(uint32_t*)0x200000008582 = 2; memcpy((void*)0x200000008586, "E\"", 2); *(uint64_t*)0x200000008804 = 0x2000000085c0; *(uint8_t*)0x2000000085c0 = 0x40; *(uint8_t*)0x2000000085c1 = 0xf; *(uint32_t*)0x2000000085c2 = 2; *(uint16_t*)0x2000000085c6 = 2; *(uint64_t*)0x20000000880c = 0x200000008600; *(uint8_t*)0x200000008600 = 0x40; *(uint8_t*)0x200000008601 = 0x13; *(uint32_t*)0x200000008602 = 6; memcpy((void*)0x200000008606, "\x2f\xa6\xdd\xe0\x3a\x0f", 6); *(uint64_t*)0x200000008814 = 0x200000008640; *(uint8_t*)0x200000008640 = 0x40; *(uint8_t*)0x200000008641 = 0x17; *(uint32_t*)0x200000008642 = 6; memcpy((void*)0x200000008646, "\xde\x1c\x10\x2b\x02\x7e", 6); *(uint64_t*)0x20000000881c = 0x200000008680; *(uint8_t*)0x200000008680 = 0x40; *(uint8_t*)0x200000008681 = 0x19; *(uint32_t*)0x200000008682 = 2; memcpy((void*)0x200000008686, "\x0d\x97", 2); *(uint64_t*)0x200000008824 = 0x2000000086c0; *(uint8_t*)0x2000000086c0 = 0x40; *(uint8_t*)0x2000000086c1 = 0x1a; *(uint32_t*)0x2000000086c2 = 2; *(uint16_t*)0x2000000086c6 = 2; *(uint64_t*)0x20000000882c = 0x200000008700; *(uint8_t*)0x200000008700 = 0x40; *(uint8_t*)0x200000008701 = 0x1c; *(uint32_t*)0x200000008702 = 1; *(uint8_t*)0x200000008706 = 0xfd; *(uint64_t*)0x200000008834 = 0x200000008740; *(uint8_t*)0x200000008740 = 0x40; *(uint8_t*)0x200000008741 = 0x1e; *(uint32_t*)0x200000008742 = 1; *(uint8_t*)0x200000008746 = 0xfd; *(uint64_t*)0x20000000883c = 0x200000008780; *(uint8_t*)0x200000008780 = 0x40; *(uint8_t*)0x200000008781 = 0x21; *(uint32_t*)0x200000008782 = 1; *(uint8_t*)0x200000008786 = 0xc9; syz_usb_control_io(/*fd=*/r[35], /*descs=*/0x200000008380, /*resps=*/0x2000000087c0); break; case 55: syz_usb_disconnect(/*fd=*/r[33]); break; case 56: syz_usb_ep_read(/*fd=*/r[34], /*ep=*/7, /*len=*/0xfc, /*data=*/0x200000008880); break; case 57: *(uint8_t*)0x200000008980 = 0x12; *(uint8_t*)0x200000008981 = 1; *(uint16_t*)0x200000008982 = 0x200; *(uint8_t*)0x200000008984 = 7; 
*(uint8_t*)0x200000008985 = 1; *(uint8_t*)0x200000008986 = 1; *(uint8_t*)0x200000008987 = 0x20; *(uint16_t*)0x200000008988 = 0x525; *(uint16_t*)0x20000000898a = 0xa4a8; *(uint16_t*)0x20000000898c = 0x40; *(uint8_t*)0x20000000898e = 1; *(uint8_t*)0x20000000898f = 2; *(uint8_t*)0x200000008990 = 3; *(uint8_t*)0x200000008991 = 1; *(uint8_t*)0x200000008992 = 9; *(uint8_t*)0x200000008993 = 2; *(uint16_t*)0x200000008994 = 0x24; *(uint8_t*)0x200000008996 = 1; *(uint8_t*)0x200000008997 = 1; *(uint8_t*)0x200000008998 = 0xf4; *(uint8_t*)0x200000008999 = 0x60; *(uint8_t*)0x20000000899a = 4; *(uint8_t*)0x20000000899b = 9; *(uint8_t*)0x20000000899c = 4; *(uint8_t*)0x20000000899d = 0; *(uint8_t*)0x20000000899e = 3; *(uint8_t*)0x20000000899f = 2; *(uint8_t*)0x2000000089a0 = 0; *(uint8_t*)0x2000000089a1 = 0; *(uint8_t*)0x2000000089a2 = 0; *(uint8_t*)0x2000000089a3 = 0x81; *(uint8_t*)0x2000000089a4 = 9; *(uint8_t*)0x2000000089a5 = 5; *(uint8_t*)0x2000000089a6 = 1; *(uint8_t*)0x2000000089a7 = 2; *(uint16_t*)0x2000000089a8 = 0x400; *(uint8_t*)0x2000000089aa = 0; *(uint8_t*)0x2000000089ab = 8; *(uint8_t*)0x2000000089ac = 2; *(uint8_t*)0x2000000089ad = 9; *(uint8_t*)0x2000000089ae = 5; *(uint8_t*)0x2000000089af = 0x82; *(uint8_t*)0x2000000089b0 = 2; *(uint16_t*)0x2000000089b1 = 0x3ff; *(uint8_t*)0x2000000089b3 = 4; *(uint8_t*)0x2000000089b4 = 0x48; *(uint8_t*)0x2000000089b5 = 8; *(uint32_t*)0x200000008f00 = 0xa; *(uint64_t*)0x200000008f04 = 0x2000000089c0; *(uint8_t*)0x2000000089c0 = 0xa; *(uint8_t*)0x2000000089c1 = 6; *(uint16_t*)0x2000000089c2 = 0x250; *(uint8_t*)0x2000000089c4 = 0x7d; *(uint8_t*)0x2000000089c5 = 0xdd; *(uint8_t*)0x2000000089c6 = 3; *(uint8_t*)0x2000000089c7 = 0x20; *(uint8_t*)0x2000000089c8 = 0xfa; *(uint8_t*)0x2000000089c9 = 0; *(uint32_t*)0x200000008f0c = 0x154; *(uint64_t*)0x200000008f10 = 0x200000008a00; *(uint8_t*)0x200000008a00 = 5; *(uint8_t*)0x200000008a01 = 0xf; *(uint16_t*)0x200000008a02 = 0x154; *(uint8_t*)0x200000008a04 = 6; *(uint8_t*)0x200000008a05 = 
0xe8; *(uint8_t*)0x200000008a06 = 0x10; *(uint8_t*)0x200000008a07 = 1; memcpy((void*)0x200000008a08, "\xd0\x31\xa9\x16\x5b\x9e\x27\x3f\xf6\xff\xe5\x55\x84\x9a\xf6\xdc\xa6\x6e\x17\xa6\x8e\xe5\xac\x78\x4d\xca\x23\xe4\xa5\x6d\x46\x16\x9a\xd0\x6e\xad\x2b\x8b\xcd\x99\x7e\xac\x2e\xcb\x8b\x2a\x25\x26\xaa\x20\x0d\xb5\x57\x58\xd0\x86\x59\x46\x92\x83\xd6\xec\xfb\xa9\x82\xc3\x00\xae\x82\xcc\xf4\xa8\xbf\x07\x3d\xbd\xe4\x53\x76\xb4\xf6\xfc\x55\x9b\xe5\x19\xf8\x2e\x8e\x5b\x2c\xf5\x9c\x3a\x3a\xf4\xf2\x90\x70\x7e\x76\x7a\x4e\x27\x68\x51\x09\x0d\x90\xbe\x0a\xb6\x6f\x78\x8e\x77\x60\xcd\x71\xab\x86\x5e\xa8\xb6\xbc\xc5\xf3\x5f\x60\x53\x81\x54\xa0\x99\xc3\x54\xa3\x59\x34\x17\x68\x2f\xc3\x9d\x2a\x6a\x25\x5e\xf4\xbb\x65\xf8\xd9\x7a\xf2\x9b\xeb\x0f\x87\x34\xa6\x8e\xd8\x4e\xf0\x8d\xf6\x9e\x9b\x35\xfa\x2e\x3f\xe6\x5e\x99\x38\xff\x44\x1d\xc3\xe7\x98\x2a\x81\xcc\xca\xf9\x62\x1d\x5d\xbc\x66\x3b\x80\xab\x44\x8c\x97\x5c\xbc\x19\xbb\x6c\x39\x01\xa0\x2c\x16\xb3\x2d\xfa\xf9\xf5\xc2\x20\xfa\x21\x43\x49\x37\xb4\x62\x03\x81\x05\xe6\xd0\x86", 229); *(uint8_t*)0x200000008aed = 0x4b; *(uint8_t*)0x200000008aee = 0x10; *(uint8_t*)0x200000008aef = 3; memcpy((void*)0x200000008af0, "\x10\xbe\xd1\x91\x2f\x7d\xc9\x4a\xc6\xd8\x7c\xbc\x68\x96\x2c\x89\xe7\x77\xcc\x51\xa2\x57\xd0\xca\xd3\x3c\xdc\xf3\x36\xa3\x1a\xc3\x9b\x86\x71\x44\xc2\xc9\x6b\xe4\x0f\xcc\xac\x19\x63\x3a\x54\x77\x87\xbc\x6e\x4f\xe9\x1e\x91\xfa\x47\x59\xdb\x2a\x86\x7d\x85\x9c\xd5\xa6\x0c\x84\xc1\xa3\x8e\x09", 72); *(uint8_t*)0x200000008b38 = 0xb; *(uint8_t*)0x200000008b39 = 0x10; *(uint8_t*)0x200000008b3a = 1; *(uint8_t*)0x200000008b3b = 2; *(uint16_t*)0x200000008b3c = 9; *(uint8_t*)0x200000008b3e = 0x77; *(uint8_t*)0x200000008b3f = 9; *(uint16_t*)0x200000008b40 = 0x2cf; *(uint8_t*)0x200000008b42 = 0; *(uint8_t*)0x200000008b43 = 0xb; *(uint8_t*)0x200000008b44 = 0x10; *(uint8_t*)0x200000008b45 = 1; *(uint8_t*)0x200000008b46 = 0xc; *(uint16_t*)0x200000008b47 = 5; *(uint8_t*)0x200000008b49 = 8; *(uint8_t*)0x200000008b4a = 5; *(uint16_t*)0x200000008b4b = 
9; *(uint8_t*)0x200000008b4d = 0x16; *(uint8_t*)0x200000008b4e = 3; *(uint8_t*)0x200000008b4f = 0x10; *(uint8_t*)0x200000008b50 = 0xb; *(uint8_t*)0x200000008b51 = 3; *(uint8_t*)0x200000008b52 = 0x10; *(uint8_t*)0x200000008b53 = 0xb; *(uint32_t*)0x200000008f18 = 0xa; *(uint32_t*)0x200000008f1c = 4; *(uint64_t*)0x200000008f20 = 0x200000008b80; *(uint8_t*)0x200000008b80 = 4; *(uint8_t*)0x200000008b81 = 3; *(uint16_t*)0x200000008b82 = 0x40e; *(uint32_t*)0x200000008f28 = 4; *(uint64_t*)0x200000008f2c = 0x200000008bc0; *(uint8_t*)0x200000008bc0 = 4; *(uint8_t*)0x200000008bc1 = 3; *(uint16_t*)0x200000008bc2 = 0x427; *(uint32_t*)0x200000008f34 = 4; *(uint64_t*)0x200000008f38 = 0x200000008c00; *(uint8_t*)0x200000008c00 = 4; *(uint8_t*)0x200000008c01 = 3; *(uint16_t*)0x200000008c02 = 0x415; *(uint32_t*)0x200000008f40 = 4; *(uint64_t*)0x200000008f44 = 0x200000008c40; *(uint8_t*)0x200000008c40 = 4; *(uint8_t*)0x200000008c41 = 3; *(uint16_t*)0x200000008c42 = 0x1c0a; *(uint32_t*)0x200000008f4c = 4; *(uint64_t*)0x200000008f50 = 0x200000008c80; *(uint8_t*)0x200000008c80 = 4; *(uint8_t*)0x200000008c81 = 3; *(uint16_t*)0x200000008c82 = 0x83e; *(uint32_t*)0x200000008f58 = 4; *(uint64_t*)0x200000008f5c = 0x200000008cc0; *(uint8_t*)0x200000008cc0 = 4; *(uint8_t*)0x200000008cc1 = 3; *(uint16_t*)0x200000008cc2 = 0x300a; *(uint32_t*)0x200000008f64 = 4; *(uint64_t*)0x200000008f68 = 0x200000008d00; *(uint8_t*)0x200000008d00 = 4; *(uint8_t*)0x200000008d01 = 3; *(uint16_t*)0x200000008d02 = 0x300a; *(uint32_t*)0x200000008f70 = 4; *(uint64_t*)0x200000008f74 = 0x200000008d40; *(uint8_t*)0x200000008d40 = 4; *(uint8_t*)0x200000008d41 = 3; *(uint16_t*)0x200000008d42 = 0x423; *(uint32_t*)0x200000008f7c = 0x9f; *(uint64_t*)0x200000008f80 = 0x200000008d80; *(uint8_t*)0x200000008d80 = 0x9f; *(uint8_t*)0x200000008d81 = 3; memcpy((void*)0x200000008d82, 
"\xd4\x8e\x87\x24\x64\x9a\x28\x41\x92\x3d\x48\xb8\xb2\x35\xfd\xc4\x31\x5e\x0d\xfb\xe1\xb8\xa8\xa0\x83\x53\xaf\x5b\x63\x0b\xeb\x6e\xca\x1d\x6b\xe0\x3d\x88\xd5\x58\x79\x33\xd6\xad\xe1\x22\xb2\xad\x4c\x55\x80\x40\xe7\xf2\x03\xd8\xc7\xaf\x79\x0a\xf8\x5d\xe3\x6e\x84\x1e\xb9\x48\x0a\xfa\x1a\xaf\x9a\x22\x6f\x4d\xe2\x8c\xd4\x44\x15\x57\x41\x1c\x77\x37\xf7\x4d\x7d\x60\x31\x3c\xd3\xd0\x51\x28\x4f\xce\xb5\xb3\x27\x83\x73\xf6\x3c\x72\xa8\x4e\x8d\xe4\xe2\x3b\xf6\x4e\x2a\x69\xc0\x57\x91\x06\xc9\x33\x18\x03\xe2\xef\x32\xfd\x09\x88\x9a\xdc\xe7\xbc\xd7\xeb\x61\x34\xc4\x65\xed\x17\x38\x6d\x3f\x97\xa4\xe8\xa4\xe9\xc4\x19\xf9\xc6\xeb\x2d\x32", 157); *(uint32_t*)0x200000008f88 = 0xa4; *(uint64_t*)0x200000008f8c = 0x200000008e40; *(uint8_t*)0x200000008e40 = 0xa4; *(uint8_t*)0x200000008e41 = 3; memcpy((void*)0x200000008e42, "\x81\x10\x3e\x0d\x22\x88\x43\x34\x4b\x9a\x28\x85\x67\x53\x24\xf5\x79\xdf\x27\x8e\x6d\x25\x06\x59\x98\xbd\xbb\x69\xb8\xee\xd0\xe1\xdb\x8d\xf1\x6b\x19\x64\x6d\x92\xc5\xd0\x35\x21\xf7\x73\xc1\x6c\x24\xde\xea\xe5\x56\xbe\x69\xb0\x4e\x1e\x96\x6f\xeb\xfb\xf3\x7f\x3b\xbc\x6d\xd6\x4c\x83\xf4\xc2\xa8\x7d\xaf\x95\xfb\x91\xe1\x0a\x36\xc0\x06\x9f\x4d\x51\x7b\xf3\x96\x21\x11\xd8\xf9\xc8\x45\x32\x3c\x0b\x91\xe6\x8d\xea\x34\xb2\x77\xb4\x10\x72\x0b\xdf\x4a\x58\x64\xfe\x06\x9b\xde\xe8\x4f\xa9\xe4\x46\x55\x49\x71\x3f\xb3\x33\xaa\xed\x85\x5b\xaf\x29\x53\x27\xe1\xfb\x65\x17\x29\xfe\x4a\xcf\x1d\x9e\xbf\x80\xd6\x4c\x29\xfc\xd3\x68\xee\x16\x11\xe5\x50\xd7\xb6\x7a", 162); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x36, /*dev=*/0x200000008980, /*conn_descs=*/0x200000008f00); if (res != -1) r[36] = res; break; case 58: memcpy((void*)0x200000008fc0, 
"\x18\x15\x12\xf6\x08\x38\x97\xf1\xb9\x4a\xd0\x1c\x9d\x8c\xc9\xeb\x6d\x7c\x14\x9c\x5e\xdf\x5e\xcf\x21\xcf\x4a\x2b\x2a\x9f\xf0\x2e\x0d\x8f\x8a\x4f\x60\xf7\xb3\x1a\xd0\xb2\x55\x2e\x14\x87\x8f\x84\x0f\x51\xa9\x7c\x25\x63\xb6\x19\xb1\x01\xea\x77\x61\x3b\x97\x52\x36\x7f\x0f\x6e\x6a\x62\x37\x81\xa3\x83\xe4\x99\xdc\x26\xfe\xd6\x0a\xfe\x6f\x15\x6d\x32\x6b\xc1\x41\xd6\x61\x5d\x18\xb6\x1a\x5c\x06\xcb\x49\xd9\xe0\x08\xe0\x5f\x65\x37\x6a\xef\xb5\xec\x21\xed\xc4\x68\xb8\x43\x4a\x0c\x9e\x39\xd1\x20\xbc\xd3\x11\x32\xf0\x75\x5c\x1f\xca\xf9\x1f\xec\xb2\x73\x3f\x98\x18\x42\x56\xd2\xf7\x9e\x80\x45\x2d\xc8\x6c\xf3\x19\x85\x08\x2e\x38\x60\x17\xeb\xe8\x21\x25\xc7\x8b\xee\x42\xf9\x49\xca\x67\x98\x67\x34\x33\xfb\x0a\x20\xd9\x16\x1b\x69\x8f\x04\x66\xb0\xea\x53\x58\x7a\x3f\x08\xcc\x34\x35\xbb\x7c\x19\x3f\x4a\xdc\xd2\xe5\xe1\x04\xf3\x3e\x3e\x1c\xdd\x33\xba\x95\x1f\xc9\xf7\x6b\x10\x8a\x40\x74\xc8\x07\x2b\x16\x46\x59\x62\xeb\x28\xe1\x38\xc9\x18\x8c\x3e\x54\xa0\x0a\xfb\x4f\xb1\x71\x0a\x27\x3a\x1f\x1c\x53\x0a\xda\x0d\x50", 251); syz_usb_ep_write(/*fd=*/r[36], /*ep=*/0xf9, /*len=*/0xfb, /*data=*/0x200000008fc0); break; case 59: syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); setup_sysctl(); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :6036:17: 
error: '__NR_socketcall' undeclared (first use in this function) :6036:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor156124959 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/6 (1.31s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: ioctl$IMCTRLREQ(0xffffffffffffffff, 0x80044945, &(0x7f0000000000)={0x4006, 0xd, 0x2, 0x8}) (fail_nth: 1) ioctl$SNDRV_TIMER_IOCTL_GINFO(0xffffffffffffffff, 0xc0f85403, &(0x7f0000000040)={{0x0, 0x1, 0x4, 0x2, 0x5}, 0x81, 0x0, 'id1\x00', 'timer0\x00', 0x0, 0x6, 0x3, 0x70a, 0x9}) (async) r0 = syz_open_dev$ircomm(&(0x7f0000000140), 0x0, 0x0) (rerun: 4) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXTA3D_RGXCREATERENDERCONTEXT(0xffffffffffffffff, 0xc0206440, &(0x7f0000000340)={0x82, 0x8, &(0x7f0000000280)={0x1, 0x0, 0xc0, 
&(0x7f0000000180)="5b58ac0ed1d27b217d3fdc6299cdde4d85321f7bbaa064d361519cdde43b225cf00658ddbfbd914cf79eceb348f18692315c3c69ec148e2dd928ac7ee62f5111b9dccaca88524912341955f79b0f2206b80e6e5a7e681a629694a34f9b0e39877eefde60a068cdc44545d6fe45d0000c9961a1ff168747447e346b16460875c691de1183b2d7b032cfae85497d0d8848d4baa9adc6caaccd9af6019ea2ba6f3b4e6018df94cacabeddec7b600230ea7790019399d0beb61f427df8359cc34893", 0x0, 0x0, &(0x7f0000000240), 0x10000, 0x0, 0x0, 0x81, 0xe}, &(0x7f0000000300)={0x0}, 0x44, 0xc}) ioctl$DRM_IOCTL_PVR_SRVKM_CMD_PVRSRV_BRIDGE_RGXCMP_RGXGETLASTCOMPUTECONTEXTRESETREASON(r0, 0xc0206440, &(0x7f0000000400)={0x81, 0x4, &(0x7f0000000380)={r1}, &(0x7f00000003c0), 0x8, 0xc}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r0, 0xc08c5335, &(0x7f0000000440)={0x3, 0x6, 0x1, 'queue1\x00', 0xdae}) r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000540), r0) sendmsg$TIPC_NL_BEARER_GET(r0, &(0x7f0000000880)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000840)={&(0x7f0000000580)={0x2b4, r2, 0x400, 0x70bd2d, 0x25dfdbfb, {}, [@TIPC_NLA_PUBL={0x44, 0x3, 0x0, 0x1, [@TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3f}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x2}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x4c00000}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x3}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x6}, @TIPC_NLA_PUBL_UPPER={0x8, 0x3, 0x67c}, @TIPC_NLA_PUBL_TYPE={0x8, 0x1, 0x7}]}, @TIPC_NLA_LINK={0x3c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x220a}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x9c0}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x101}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x3}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x8}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x6}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}]}, @TIPC_NLA_BEARER={0xb8, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_PROP={0x24, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, 
@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_BEARER_PROP={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8}]}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}]}, @TIPC_NLA_BEARER_PROP={0x1c, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x12}]}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14, 0x1, @in={0x2, 0x4e21, @multicast2}}, {0x14, 0x2, @in={0x2, 0x4e20, @broadcast}}}}, @TIPC_NLA_BEARER_DOMAIN={0x8, 0x3, 0xb}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}, @TIPC_NLA_NET={0x20, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x8}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x6}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x80}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x2}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK={0x10c, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x9, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x187}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x10}]}, @TIPC_NLA_LINK_PROP={0x24, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc0fb}, @TIPC_NLA_PROP_TOL={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x3}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x6}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x18}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x80000000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0xfffffff2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd0}]}, @TIPC_NLA_LINK_PROP={0x1c, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x9}]}, @TIPC_NLA_LINK_PROP={0x54, 0x7, 0x0, 0x1, 
[@TIPC_NLA_PROP_WIN={0x8, 0x3, 0xe6a9}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x10000}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x2000}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x9}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x6}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x81}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x3ff}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x19}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1a}]}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x1}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x79}]}]}, 0x2b4}, 0x1, 0x0, 0x0, 0x4040811}, 0x0) read$snddsp(r0, &(0x7f00000008c0)=""/29, 0x1d) ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(0xffffffffffffffff, 0x4010801d, &(0x7f0000000980)={0x6, &(0x7f0000000940)=[0x904e, 0x1, 0x9, 0x6, 0xe, 0x5]}) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@mgmt_frame=@deauth={{{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1}, {0x4}, @device_a, @broadcast, @from_mac=@device_b, {0x1, 0x7f}}, 0x1f, @val={0x8c, 0x18, {0x5d9, "8e85144c6433", @long="e023fbed513011c5707e452472e2055d"}}}, 0x34) syz_80211_join_ibss(&(0x7f0000000080)='wlan1\x00', &(0x7f00000000c0)=@random="3a386465f389380e26b0cb13f98a36e2214f099ee0d0b29b754e31d6efc82c04", 0x20, 0x0) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_path_truncate\x00') r3 = syz_clone(0x4004000, &(0x7f0000000140)="daa4ed40f7cf4da86377e864d8e6c6d4fc5486af4a6f23dea58b3243a291b0180dbaf5c92758af73f9", 0x29, &(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)="40f276856b8191c4f312759d795a22c3c7edc91678794f4eeac45746fcc9930722c8189ba59565f7327cbcd4506164eb9f6ff175f1f08d60247091772c185ac38304e9b5b3") r4 = getpgrp(r3) r5 = syz_clone3(&(0x7f0000000500)={0x800, &(0x7f0000000280)=0xffffffffffffffff, &(0x7f00000002c0)=0x0, &(0x7f0000000300)=0x0, {0x12}, &(0x7f0000000340)=""/102, 0x66, &(0x7f00000003c0)=""/198, &(0x7f00000004c0)=[r3, r3, r3, r4], 0x4}, 0x58) syz_create_resource$binfmt(&(0x7f0000000580)='./file0\x00') syz_emit_ethernet(0x101a, &(0x7f00000005c0)={@remote, 
@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @val={@void, {0x8100, 0x7, 0x0, 0x3}}, {@llc_tr={0x11, {@snap={0xab, 0x1fe, "fe", "1622d0", 0x1b, ""}}}}}, 0x0) syz_emit_vhci(&(0x7f0000001600)=@HCI_VENDOR_PKT, 0x2) syz_extract_tcp_res(&(0x7f0000001640), 0x401, 0x8001) r9 = socketcall$auto_SYS_ACCEPT(0x5, &(0x7f0000001680)=0x4) shmctl$auto_SHM_UNLOCK(0x6, 0xc, &(0x7f0000004a80)={{0x80000000, 0xee01, 0xee01, 0x5, 0xfffffff8, 0x1, 0x6bc1}, 0x40, 0xffff, 0x2265, 0xfffffffffffffff8, @inferred=r3, @inferred=r8, 0xfffa, 0x0, &(0x7f0000003a40)="", &(0x7f0000004a40)="884f381309896a88173889994e74c60694f7baa45be088e59bc3e939728257e8d2db71"}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000004c40)={{{@in, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in=@remote}}, &(0x7f0000004d40)=0xe8) shmctl$auto(0x5, 0x2, &(0x7f0000004e00)={{0x7, 0xee00, 0xffffffffffffffff, 0x8, 0x80, 0x5, 0xfffc}, 0x1, 0x7, 0x5, 0xbed1, @inferred=r5, @inferred=r7, 0x1, 0x0, &(0x7f0000004d80), &(0x7f0000004dc0)="05c9215687a3ff1747cae5c18cb186ed5c62984337f90f0ab5948e21c63d1686f1da1459a89718a9f84930b892c2ad4de61f714ab8"}) msgctl$auto_IPC_RMID(0x4, 0x0, &(0x7f0000004f00)={{0x7, 0xffffffffffffffff, 0xffffffffffffffff, 0x1, 0x0, 0x98, 0x4}, &(0x7f0000004e80)=0x6, &(0x7f0000004ec0)=0x5, 0xc, 0x1ff800000, 0x8, 0x7f, 0x3, 0x101, 0x8, 0x1000, @inferred=r5, @inferred=r8}) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, &(0x7f0000004f80)={{{@in6=@mcast1, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@remote}, 0x0, @in=@multicast2}}, &(0x7f0000005080)=0xe8) shmctl$auto(0x2, 0x5, &(0x7f00000052c0)={{0x8, 0x0, 0x0, 0x7f, 0x5, 0x80000001, 0x43}, 0x7, 0x2, 0x0, 0xffffffffffffffff, @raw=0xf, @inferred=r7, 0x2, 0x0, 
&(0x7f00000050c0)="bcc4b5d86e91b02b73e16c4665dc3088f7cc9826da7807f9a8300d9d8980de67a1a2a153e95466e76d2c38c41558c08efe37ee81d9904674ced86dda9b2b6cc7c97b199758bef8d92dd20e0e69864d6fcd03a80ca012019cf41e5166475038fcd360338436e7827ef730469187e6a495f5bf018ee7caa71c804a386756c3242b30eca0b841166d7839e94a5639d08fbc06dac1f861494456d8d153de7fc30387d452304e7c3069bbfb424391d04fab12037c6d6ae6025df869fa3a45e03148c2dd052c", &(0x7f00000051c0)="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"}) stat$auto(&(0x7f0000005340)='./file0\x00', &(0x7f0000005380)={0x355, 0x100000001, 0x5, 0x7, 0xffffffffffffffff, 0xee01, 0x0, 0x7, 0x2, 0x2, 0x6, 0xfffffffffffffff7, 0x7, 0x4, 0xfff, 0x17b, 0xffffffffffff27a1}) shmctl$auto(0x8001, 0xfffffee8, &(0x7f0000006480)={{0x7, 0xee00, 0x0, 0x0, 0x7, 0x8, 0x3ff}, 0x10, 0x2, 0x8, 0x7fffffff, @inferred=r8, @raw=0xffff, 0xffff, 0x0, &(0x7f0000005440)="", &(0x7f0000006440)="1c3d61efc1467b6b61e9e5f06fa3d1dcc0e70035dcc9c6c3b00df58900"}) r21 = getgid() r22 = geteuid() ioctl$auto_XFS_IOC_SWAPEXT(0xffffffffffffffff, 0xc0c0586d, &(0x7f0000006a80)={0xfff, @raw=0xd, @inferred=r6, 0x7, 0x2, '\x00', {0xf, 0x0, 0x46, 0xffffffffffffffff, 0x0, 0xfffffffd, 0xf7, 0x7f, {0x8, 0x9}, {0x3, 0x200}, {0x4, 0x5}, 0x62, 0x5, 0xff, 0x6cbf, 0x48, 0x0, 0x8001, 0x7f, 0x6, 0x8, '\x00', 0x40, 0xffff, 0xa, 0xb04b}}) syz_fuse_handle_req(r9, &(0x7f00000016c0)="", 0x2000, &(0x7f0000006c80)={&(0x7f00000036c0)={0x50, 0x0, 0x8, {0x7, 0x2d, 0x7, 0x8000008, 0x7, 0xfc00, 0x3ff, 0x59, 0x0, 0x0, 0xe0, 0x10000}}, &(0x7f0000003740)={0x18, 0x0, 0x6, {0x80000001}}, &(0x7f0000003780)={0x18, 0x0, 0x4, {0x2}}, &(0x7f00000037c0)={0x18, 0xffffffffffffffda, 0x37}, &(0x7f0000003800)={0x18, 0x0, 0x1, {0xff}}, &(0x7f0000003840)={0x28, 0x26, 0x7fffffffffffffff, {{0x7a, 0x8}}}, &(0x7f0000003880)={0x60, 0xfffffffffffffff5, 0x1, {{0x81, 0x6, 0x3ff, 0x2, 0x4, 0x4, 0x8, 0x2}}}, &(0x7f0000003900)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000003940)={0x12, 0xf92c178daeab5fde, 0x9, {'^\x00'}}, &(0x7f0000003980)={0x20, 0x0, 
0x0, {0x0, 0x2}}, &(0x7f00000039c0)={0x78, 0x0, 0xfffffffffffffff7, {0x3, 0x67, 0x0, {0x3, 0x2, 0x5, 0x2, 0x0, 0x5b, 0x200, 0x6, 0xf0b7, 0x1000, 0x1, 0xffffffffffffffff, 0xffffffffffffffff, 0x4, 0x6}}}, &(0x7f0000004b00)={0x90, 0x0, 0x7, {0x1, 0x3, 0x10000, 0x200, 0x8, 0xa87, {0x4, 0x1, 0x7, 0x1, 0xfffffffffffffffd, 0x4, 0x9, 0xffff, 0x10000000, 0x0, 0xf40, 0x0, r10, 0x8001, 0x9}}}, &(0x7f0000004bc0)={0x48, 0x0, 0x5c, [{0x1, 0x4, 0x6, 0x8, '\xff\xff\xff\xff\xff\xff'}, {0x1, 0x8, 0x0, 0xb}]}, &(0x7f0000006500)={0x478, 0x0, 0x2, [{{0x1, 0x1, 0xf, 0x9, 0x7fffffff, 0x3ff, {0x5, 0xb3fc, 0x3, 0xa2d9, 0x3, 0x80000000, 0x4, 0x5, 0x2, 0x6000, 0xfff, 0xffffffffffffffff, 0xee01, 0x5, 0x6}}, {0x5, 0x9, 0x6, 0x6, 'wlan1\x00'}}, {{0x3, 0x1, 0x4, 0xf, 0x1, 0x5, {0x4, 0xffc, 0x2, 0xffffffffffffdbca, 0x35, 0x5fa, 0x8, 0x5, 0x16d, 0x6000, 0x8000, r11, 0xee00, 0x8, 0x2}}, {0x2, 0x3e8, 0x16, 0x5, 'bpf_lsm_path_truncate\x00'}}, {{0x6, 0x3, 0xcff0, 0xfffffffffffffbff, 0x3, 0x3, {0x5, 0x4, 0x8, 0x9, 0x10, 0x5, 0x91, 0xfff, 0xfffffffd, 0xc000, 0x3, r12, 0xee00, 0x80, 0x40}}, {0x0, 0x8, 0x6, 0x80000001, 'wlan1\x00'}}, {{0x3, 0x2, 0x8, 0x9, 0x80000000, 0xd149, {0x3, 0x4, 0x5, 0xe, 0x7a, 0xd52, 0x0, 0x5, 0x6, 0xa000, 0x2, r14, 0x0, 0x7fffffff, 0x5}}, {0x4, 0x7ff, 0x2, 0x78d, '\xc0\''}}, {{0x2, 0x0, 0x6, 0x7fffffff, 0x5, 0x5, {0x2, 0xc, 0xbde5, 0x5, 0x8, 0x10, 0x9, 0x6, 0xe31, 0x2000, 0x5b8, r16, r18, 0x6, 0x8}}, {0x2, 0x80, 0x0, 0xb6}}, {{0x5, 0x2, 0x80000001, 0x2, 0x6, 0xff, {0x3, 0x5, 0x8, 0x3, 0x8001, 0x5, 0x1, 0x7, 0x2, 0x1000, 0x1, 0xee01, r19, 0x10001, 0x6}}, {0x0, 0x6, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}, {{0x3, 0x1, 0x8000000000000000, 0x2e, 0x5, 0x7, {0x6, 0x5, 0x5, 0xb, 0x0, 0x2, 0xffff, 0x0, 0x8, 0x2000, 0x9, r20, r21, 0x2, 0x7}}, {0x6, 0xfffffffffffffffb, 0x5, 0x6, '\xaa\xaa\xaa\xaa\xaa'}}]}, &(0x7f0000006980)={0xa0, 0x0, 0xd05, {{0x5, 0x3, 0x8000000000000001, 0x7, 0x5, 0x2, {0x3, 0x4, 0x5, 0x3, 0x8, 0x1, 0x8001, 0x0, 0xfff, 0x8000, 0x101, r22, 0xee00, 0x7, 0xac}}, {0x0, 0x10}}}, 
&(0x7f0000006a40)={0x20, 0x0, 0xffffffff, {0x4, 0x0, 0x9, 0xa}}, &(0x7f0000006b40)={0x130, 0x0, 0x1ff, {0x6276287e, 0x7, 0x0, '\x00', {0x800, 0x2, 0x3, 0x1e, 0xffffffffffffffff, r24, 0x4000, '\x00', 0x800, 0x9, 0x8, 0x32f3fcde, {0x6, 0x1}, {0x4, 0xe30}, {0x4d, 0x3}, {0x6, 0x8}, 0x6, 0x2, 0xfb, 0x2}}}}) syz_genetlink_get_family_id$SEG6(&(0x7f0000006d40), r23) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) syz_io_uring_setup(0x28c2, &(0x7f0000006d80)={0x0, 0xd0f0, 0x20, 0x0, 0x1e5}, &(0x7f0000006e00)=0x0, &(0x7f0000006e40)) syz_io_uring_complete(r25) r26 = syz_io_uring_setup(0x7c1f, &(0x7f0000006e80)={0x0, 0x979d, 0x4, 0x1, 0x206, 0x0, r9}, &(0x7f0000006f00)=0x0, &(0x7f0000006f40)=0x0) r29 = io_uring_register$IORING_REGISTER_PERSONALITY(r26, 0x9, 0x0, 0x0) syz_io_uring_submit(r27, r28, &(0x7f0000007000)=@IORING_OP_OPENAT2={0x1c, 0x14, 0x0, r23, &(0x7f0000006f80)={0x818480, 0x0, 0x35}, &(0x7f0000006fc0)='./file0\x00', 0x18, 0x0, 0x23456, {0x0, r29}}) r30 = syz_kvm_setup_syzos_vm$x86(r9, &(0x7f0000bfd000/0x400000)=nil) syz_kvm_add_vcpu$x86(r30, &(0x7f0000007400)={0x0, &(0x7f0000007040)=[@wrmsr={0x65, 0x20, {0x92e, 0x8}}, @nested_vmresume={0x130, 0x18, 0x1}, @wr_drn={0x68, 0x20, {0x1}}, @nested_amd_invlpga={0x17d, 0x20, {0xffffffff, 0xbd0d}}, @nested_amd_vmsave={0x183, 0x18, 0x1}, @code={0xa, 0x6a, {"36490fc7aad66197c026660f3880945e008000000f01ba008000008fc9b89b29470fc7ae20000000450f09c4e2d13967c4360f017f0566642e643ed8f1c744240025fd0000c744240254000000c7442406000000000f011424"}}, @nested_amd_inject_event={0x180, 0x38, {0x0, 0xb5, 0x7, 0x5}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_intel_vmwrite_mask={0x154, 0x38, {0x3, @control16=0x4, 0x5, 0x1ff, 0x8}}, @nested_vmresume={0x130, 0x18}, @out_dx={0x6a, 0x28, {0xc636, 0x5, 0x4}}, @enable_nested={0x12c, 0x18}, @nested_vmlaunch={0x12f, 0x18, 0x1}, @wrmsr={0x65, 0x20, {0x8a3, 0x9}}, @wr_drn={0x68, 0x20, {0x4, 0x6}}, @nested_vmlaunch={0x12f, 0x18, 0x3}, @nested_create_vm={0x12d, 0x18, 0x2}, 
@nested_amd_invlpga={0x17d, 0x20, {0x8080000, 0x943e}}, @nested_amd_vmcb_write_mask={0x17c, 0x38, {0x3, @control_area=0x31, 0xc, 0x6, 0x8}}, @nested_amd_inject_event={0x180, 0x38, {0x2, 0x36, 0x1, 0x2, 0x3}}, @nested_vmresume={0x130, 0x18, 0x1}, @nested_vmresume={0x130, 0x18}, @nested_amd_inject_event={0x180, 0x38, {0x3, 0x72, 0x2, 0x5, 0x2}}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_vmlaunch={0x12f, 0x18, 0x2}], 0x3a2}) r31 = ioctl$KVM_CREATE_VM(r9, 0xae01, 0x5) syz_kvm_setup_cpu$ppc64(r31, r23, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000007680)=[{0x0, &(0x7f0000007440)="cdfaef130000003e000010620400107a00001066c1001062a603007eb9f0003ee90e10620400107aa330106688261062a603007e2400004c0000603c0000636004006378000063640cf66360baaa803c42ab846004008478a5a48464dbea8460c7b2a03c4ed4a5600400a5788ed5a564c9c4a560f627c03c0e37c6600400c6781050c664f33cc66064aee03c0fe0e7600400e778f833e76427e1e760f9fe003d883a086104000879f66c0865cb9b0861e722203da35b296104002979bbbc29655e832961d975403d52944a6104004a79db254a65f35e4a61020000440000603c00006360040063780000636450f36360420000440d0bc03ea1dad6620400d67aeb5ad6666296d6629cb0007cec06007ca400004c3d6aa03e171bb5620400b57a7293b5663454b562a603a07ed48da03e12d2b5620400b57af6f5b56615e0b562a603a07e2400004c0000a03f0000bd630400bd7b4930bd67f278bd630005c03f0000de630000dd930000a03f0000bd630400bd7b4930bd67f278bd630000c03f218cde630000dd930000a03f0000bd630400bd7b4930bd67f678bd630000c03f0a00de630000dd930000a03f0000bd630400bd7b4930bd67fa78bd63974bc03f5c3bde630000dd930000603c00006360040063780000636400f063600000803c000084600400847849308464f2788460220000440000803f00009c6304009c7b00009c671a009c632401c07f", 0x20c}], 0x1, 0x2, &(0x7f00000076c0)=[@featur2={0x1, 0x6}], 0x1) syz_kvm_setup_syzos_vm$x86(r23, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(0x0, 0x114, &(0x7f0000007700), 0x0, 0x4) syz_mount_image$fuse(&(0x7f0000007740), &(0x7f0000007780)='./file0\x00', 0x40000, &(0x7f00000077c0)={{'fd', 0x3d, r23}, 0x2c, {'rootmode', 0x3d, 0x6000}, 
0x2c, {'user_id', 0x3d, r22}, 0x2c, {'group_id', 0x3d, r13}, 0x2c, {[{@max_read={'max_read', 0x3d, 0x3}}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@allow_other}, {@default_permissions}, {@default_permissions}, {@allow_other}], [{@permit_directio}, {@uid_lt={'uid<', r17}}, {@appraise}, {@smackfshat={'smackfshat', 0x3d, '\xc0\''}}, {@appraise}]}}, 0x1, 0x0, &(0x7f0000007940)="a4b222df2ba10df24f5481e0dc5e93b81b1b82e9a214cabce344800ad54de610fa1eda44b9040526f2dc7c731c5473c8c6dc94192a03484e6d62bb49128612543a9d016ed9a3730e51080f5c860d03a77ed50164bcf99c42d3568a974a927a879de41edc2f5552365886121a31095b97aa08ee2977111f7cc56a77c0f2a16b32b19df50a249cd3058e60a6ae8c96349d5e5c0097594ce01c1fbee5ee94606fef673231e65700bc715f1f0119c84ed27b8af38ed153d394d6b22cca54db55a31bc25b45e81deca7bedb696691ae6b92f09eea3e2b5e8af2f996339dec592edec5897e94eb") syz_open_dev$I2C(&(0x7f0000007a40), 0x7, 0x0) syz_open_procfs(r4, &(0x7f0000007a80)='net/psched\x00') syz_open_pts(r9, 0x292c02) syz_pidfd_open(r15, 0x0) r32 = pkey_alloc(0x0, 0x0) syz_pkey_set(r32, 0x3) syz_socket_connect_nvme_tcp() r33 = syz_usb_connect(0x1, 0x295, &(0x7f0000007ac0)={{0x12, 0x1, 0x250, 0x58, 0x6, 0x54, 0x8, 0x13d3, 0x3348, 0x15b2, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x283, 0x2, 0x9, 0x2, 0x10, 0x8, [{{0x9, 0x4, 0x26, 0xb, 0x5, 0x83, 0x18, 0x74, 0xee, [], [{{0x9, 0x5, 0xb, 0x3, 0x8, 0x4, 0xfb, 0x6a, [@generic={0xbd, 0xc, "8b82bd3fc8137d3d259ce7bc140de0823de2222eed4c570edcb84553cd1efd649dd352dd375d81da8da8e6863fb482ecb3a16f122210bff25c59a3afc6542848c06e1b983fbc8dd0de627cfddf9f905f5cb6ed4a25ec5947599b15b538c7bb0b0d65d4a31b319f7383955ce766ef4c66d18bc75d69b2dd7d136c78eaec1e2203eb918dd61609de40f4f693917eeb17fc387bb427341f6416e0b8c46a2445a5c49bd9c86dfe21c598acf17ea98ffece202a21dc93a0b830d29af87c"}, @generic={0xc7, 0x6, 
"f5459e117800d22a25a486d1442f5cbd4d3d776cd061d2c185f9924eae6a4d7b14c58b599863d321e3ea80a25f6d8be51d5ca70c276ce0e6d9038f88776b9614287db7ee2113f0e7e1f01873b613d763da5f87f86cd1860bd623463fc6d93d9f948d0d4d70d72a8ac1dec1adceb8716729906428d5b6e24b01499bfa6a0aa0482eed8c7751a1c7ec944db19254a74b61142e725a7a290c4142875d347b3e483f4e2db8373ef8fead8118ce07d812332b211da9733d444f7d706a6439c29aeaedd03000a2a8"}]}}, {{0x9, 0x5, 0xa, 0xc, 0x400, 0xc, 0x0, 0xb5, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0xb, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x20, 0x7, 0x5, 0x5, [@generic={0x24, 0x7, "ad98314a82d7aebbfce85178752271b158c05dea1bf5a2459c431df180c1f3b2be3b"}]}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x7, 0xf3, 0x4}}, {{0x9, 0x5, 0x5, 0x0, 0x40, 0x2, 0x3, 0x2, [@generic={0x6a, 0xa, "f7dd67505d353d93b6e1f3ac2d8f9f766012d204e558a7076c6a1dd6648b2928acaf801710c8555067e0715e60772d9a84c714f63d527b9f1532a5ac6511627f9e8400e62ad6bd25ec51ec630afc10e1f0f2fe01c9588e2897ef26d5ea8bcf970e51fc28d84a628c"}]}}]}}, {{0x9, 0x4, 0x48, 0xe, 0x3, 0xca, 0x1e, 0x4a, 0xf5, [], [{{0x9, 0x5, 0xb, 0x4, 0x400, 0x5, 0xf7, 0xf6}}, {{0x9, 0x5, 0xe, 0x10, 0x3ff, 0x1, 0xd, 0x80}}, {{0x9, 0x5, 0x5, 0x10, 0x10, 0x95, 0x3, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0xae, 0x12}]}}]}}]}}]}}, &(0x7f0000007ec0)={0xa, &(0x7f0000007d80)={0xa, 0x6, 0x110, 0x4, 0x1, 0x6, 0x8, 0xe}, 0x3b, &(0x7f0000007dc0)={0x5, 0xf, 0x3b, 0x4, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "fdf4043ae7f59e3e81fe303d4de3ea16"}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x8, 0x6, 0x6}, @ext_cap={0x7, 0x10, 0x2, 0x10, 0x7, 0xd, 0x95d7}, @ss_container_id={0x14, 0x10, 0x4, 0x3, "bc6a9266bf506e90620d9c900e180143"}]}, 0x1, [{0x98, &(0x7f0000007e00)=@string={0x98, 0x3, "d95f3fcaaa58f9d36d03e3a2d5566a5191f742f723fa49e364e03b0d288a7fcb4579b58c56d824be57f9ad0f8703d3011cac468433fa22c23bfaf15dad541efb0138c46bb8f8869215155c2685d69b75ffe68c0cbd6e71743abd4355e12d9dcb7dff16bb075da553c178139ede2c285a4a2845e8889c234504d968d870b6084a7b4ab0dcdb83d43bb2f4e7a0156b80a68919cbb7da84"}}]}) r34 = syz_usb_connect_ath9k(0x3, 
0x5a, &(0x7f0000007f00)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) r35 = syz_usb_connect$uac1(0x3, 0xe5, &(0x7f0000007f80)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd3, 0x3, 0x1, 0x1, 0x80, 0x80, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x0, 0x7c}, [@extension_unit={0xd, 0x24, 0x8, 0x2, 0x8, 0x9, "0cffda3f227b"}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x6, 0x9a, 0x20, "2da5ee78a28e1f1a41"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0xf8, 0x3, 0x69, 0x6d, 'e)', "bf0794"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x5, 0x4, 0x5b, 0x3, 'D', "2618"}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x7b4, 0x8, 0x4}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x0, 0x3, 0x8, 0x8, "aa", "e8e5b4"}]}, {{0x9, 0x5, 0x1, 0x9, 0x40, 0x6, 0x5, 0x0, {0x7, 0x25, 0x1, 0x80, 0x1, 0x4}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@as_header={0x7, 0x24, 0x1, 0x3, 0x1e, 0x4}, @as_header={0x7, 0x24, 0x1, 0x6f, 0x7}, @format_type_ii_discrete={0xa, 0x24, 0x2, 0x2, 0x8, 0x2, 0x8, 'f'}, @format_type_ii_discrete={0x10, 0x24, 0x2, 0x2, 0x9, 0x401, 0x5, "53b11dbc8cd310"}]}, {{0x9, 0x5, 0x82, 0x9, 0x8, 0x0, 0x28, 0x6, {0x7, 0x25, 0x1, 0x80, 0x5, 0xd}}}}}}}]}}, &(0x7f00000081c0)={0xa, &(0x7f0000008080)={0xa, 0x6, 0x110, 0x59, 0xa5, 0x5, 0x10, 0x1}, 0x39, &(0x7f00000080c0)={0x5, 0xf, 0x39, 0x5, [@wireless={0xb, 0x10, 0x1, 0x4, 0x8, 0x3, 0xb8, 0x9, 0x4}, @ss_container_id={0x14, 0x10, 0x4, 0x2, "9d9ab0978e2aace26de66306e6e2963d"}, @wireless={0xb, 0x10, 0x1, 0x4, 0x0, 0x6, 0x4, 0x1, 0x5}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x2, 0x5, 0x6, 0xfff2}]}, 0x1, [{0x84, &(0x7f0000008100)=@string={0x84, 0x3, 
"000a6c9f4a15eabc97a92ab665231b2cf9057321eb430c6521f497a8c3ce816268cb337fa48deecfeb28b2305fcf2d2e988cc8b8b980a1332dc406bc34695fa24dc3609f619d7ac284cc3ae7f0afe444d578c951d9aedc4c682e100cfeb6619b98a96b1978d8ede7574e969f8ae8e3dfb835bde5ccd922133e53036ff44eda52a0a9"}}]}) syz_usb_control_io(r35, &(0x7f0000008380)={0x2c, &(0x7f0000008200)={0x40, 0x22, 0x31, {0x31, 0x5, "74e83dcf53dd2d0ecac0aa3467b18dfa71b26cdd403d955c0ffe22817b01fe5795d51cf24a6ae3b8e32f1b7ac5f8ca"}}, &(0x7f0000008240)={0x0, 0x3, 0x1e, @string={0x1e, 0x3, "8957a501d83c69e54f70f62f932a50b65506c388c128239d36229ee2"}}, &(0x7f0000008280)={0x0, 0xf, 0x4f, {0x5, 0xf, 0x4f, 0x6, [@ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x5, 0xf000, 0x409, [0xc000, 0x17f, 0xff3f30, 0xffffaf]}, @ssp_cap={0x10, 0x10, 0xa, 0x9, 0x1, 0x4, 0xff0f, 0xf87, [0xc030]}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x1, 0x4, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x4, 0xd2, 0x3, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x1, 0x7, 0x2}, @ptm_cap={0x3}]}}, &(0x7f0000008300)={0x20, 0x29, 0xf, {0xf, 0x29, 0x8, 0x1, 0x7, 0x4, '\b\r$}', "67016dee"}}, &(0x7f0000008340)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x16, 0x80, 0x9, 0x3, 0x3, 0x2, 0xf000}}}, &(0x7f00000087c0)={0x84, &(0x7f00000083c0)={0x0, 0x11, 0x1f, "16d60d7743501452ffd5730424bc4a970cc6490bb9cc85938699edf27a0c7d"}, &(0x7f0000008400)={0x0, 0xa, 0x1, 0x9}, &(0x7f0000008440)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000008480)={0x20, 0x0, 0x4, {0x2f1050d721a8e554, 0x1}}, &(0x7f00000084c0)={0x20, 0x0, 0x4, {0x200, 0x2b}}, &(0x7f0000008500)={0x40, 0x7, 0x2, 0xfd37}, &(0x7f0000008540)={0x40, 0x9, 0x1}, &(0x7f0000008580)={0x40, 0xb, 0x2, 'E\"'}, &(0x7f00000085c0)={0x40, 0xf, 0x2, 0x2}, &(0x7f0000008600)={0x40, 0x13, 0x6, @random="2fa6dde03a0f"}, &(0x7f0000008640)={0x40, 0x17, 0x6, @random="de1c102b027e"}, &(0x7f0000008680)={0x40, 0x19, 0x2, "0d97"}, &(0x7f00000086c0)={0x40, 0x1a, 0x2, 0x2}, &(0x7f0000008700)={0x40, 0x1c, 0x1, 0xfd}, &(0x7f0000008740)={0x40, 0x1e, 0x1, 0xfd}, &(0x7f0000008780)={0x40, 0x21, 0x1, 0xc9}}) 
syz_usb_disconnect(r33) syz_usb_ep_read(r34, 0x7, 0xfc, &(0x7f0000008880)=""/252) r36 = syz_usb_connect$printer(0x5, 0x36, &(0x7f0000008980)={{0x12, 0x1, 0x200, 0x7, 0x1, 0x1, 0x20, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0xf4, 0x60, 0x4, [{{0x9, 0x4, 0x0, 0x3, 0x2, 0x0, 0x0, 0x0, 0x81, "", {{{0x9, 0x5, 0x1, 0x2, 0x400, 0x0, 0x8, 0x2}}, [{{0x9, 0x5, 0x82, 0x2, 0x3ff, 0x4, 0x48, 0x8}}]}}}]}}]}}, &(0x7f0000008f00)={0xa, &(0x7f00000089c0)={0xa, 0x6, 0x250, 0x7d, 0xdd, 0x3, 0x20, 0xfa}, 0x154, &(0x7f0000008a00)={0x5, 0xf, 0x154, 0x6, [@generic={0xe8, 0x10, 0x1, "d031a9165b9e273ff6ffe555849af6dca66e17a68ee5ac784dca23e4a56d46169ad06ead2b8bcd997eac2ecb8b2a2526aa200db55758d08659469283d6ecfba982c300ae82ccf4a8bf073dbde45376b4f6fc559be519f82e8e5b2cf59c3a3af4f290707e767a4e276851090d90be0ab66f788e7760cd71ab865ea8b6bcc5f35f60538154a099c354a3593417682fc39d2a6a255ef4bb65f8d97af29beb0f8734a68ed84ef08df69e9b35fa2e3fe65e9938ff441dc3e7982a81cccaf9621d5dbc663b80ab448c975cbc19bb6c3901a02c16b32dfaf9f5c220fa21434937b462038105e6d086"}, @generic={0x4b, 0x10, 0x3, "10bed1912f7dc94ac6d87cbc68962c89e777cc51a257d0cad33cdcf336a31ac39b867144c2c96be40fccac19633a547787bc6e4fe91e91fa4759db2a867d859cd5a60c84c1a38e09"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x9, 0x77, 0x9, 0x2cf}, @wireless={0xb, 0x10, 0x1, 0xc, 0x5, 0x8, 0x5, 0x9, 0x16}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0xa, [{0x4, &(0x7f0000008b80)=@lang_id={0x4, 0x3, 0x40e}}, {0x4, &(0x7f0000008bc0)=@lang_id={0x4, 0x3, 0x427}}, {0x4, &(0x7f0000008c00)=@lang_id={0x4, 0x3, 0x415}}, {0x4, &(0x7f0000008c40)=@lang_id={0x4, 0x3, 0x1c0a}}, {0x4, &(0x7f0000008c80)=@lang_id={0x4, 0x3, 0x83e}}, {0x4, &(0x7f0000008cc0)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d00)=@lang_id={0x4, 0x3, 0x300a}}, {0x4, &(0x7f0000008d40)=@lang_id={0x4, 0x3, 0x423}}, {0x9f, &(0x7f0000008d80)=@string={0x9f, 0x3, 
"d48e8724649a2841923d48b8b235fdc4315e0dfbe1b8a8a08353af5b630beb6eca1d6be03d88d5587933d6ade122b2ad4c558040e7f203d8c7af790af85de36e841eb9480afa1aaf9a226f4de28cd4441557411c7737f74d7d60313cd3d051284fceb5b3278373f63c72a84e8de4e23bf64e2a69c0579106c9331803e2ef32fd09889adce7bcd7eb6134c465ed17386d3f97a4e8a4e9c419f9c6eb2d32"}}, {0xa4, &(0x7f0000008e40)=@string={0xa4, 0x3, "81103e0d228843344b9a2885675324f579df278e6d25065998bdbb69b8eed0e1db8df16b19646d92c5d03521f773c16c24deeae556be69b04e1e966febfbf37f3bbc6dd64c83f4c2a87daf95fb91e10a36c0069f4d517bf3962111d8f9c845323c0b91e68dea34b277b410720bdf4a5864fe069bdee84fa9e4465549713fb333aaed855baf295327e1fb651729fe4acf1d9ebf80d64c29fcd368ee1611e550d7b67a"}}]}) syz_usb_ep_write(r36, 0xf9, 0xfb, &(0x7f0000008fc0)="181512f6083897f1b94ad01c9d8cc9eb6d7c149c5edf5ecf21cf4a2b2a9ff02e0d8f8a4f60f7b31ad0b2552e14878f840f51a97c2563b619b101ea77613b9752367f0f6e6a623781a383e499dc26fed60afe6f156d326bc141d6615d18b61a5c06cb49d9e008e05f65376aefb5ec21edc468b8434a0c9e39d120bcd31132f0755c1fcaf91fecb2733f98184256d2f79e80452dc86cf31985082e386017ebe82125c78bee42f949ca6798673433fb0a20d9161b698f0466b0ea53587a3f08cc3435bb7c193f4adcd2e5e104f33e3e1cdd33ba951fc9f76b108a4074c8072b16465962eb28e138c9188c3e54a00afb4fb1710a273a1f1c530ada0d50") syz_usbip_server_init(0x2) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup 
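#define __NR_io_uring_setup 425
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434
#endif
#ifndef __NR_pkey_alloc
#define __NR_pkey_alloc 330
#endif

/* Index of this executor process. Only read here (syz_usbip_server_init) to
 * carve out a per-process port range; it is assigned elsewhere in the file. */
static unsigned long long procid;

/* Sleep for `ms` milliseconds. */
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

/* Monotonic clock in milliseconds. A failing clock_gettime() is fatal. */
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/* Create a world-writable scratch directory below the cwd and chdir into it.
 * Any failure is fatal. */
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

/* Start a thread running fn(arg) on a 128 KiB stack; the thread handle is
 * discarded. EAGAIN is retried up to 100 times, any other failure is fatal.
 * The attribute object is destroyed on every path (the original leaked it on
 * the failure path before exit). */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	pthread_attr_destroy(&attr);
	exit(1);
}

/* Mask of bf_len bits starting at bit bf_off. */
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/* Read-modify-write of a bitfield at `addr`; `htobe` may be empty or a byte-order
 * conversion applied both before and after the update. */
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
	*(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

/* One-shot event built on a futex word: 0 = clear, 1 = set. */
typedef struct {
	int state;
} event_t;

static void event_init(event_t* ev)
{
	ev->state = 0;
}

static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/* Set the event and wake all waiters. Setting an already-set event is fatal. */
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

/* Block until the event is set. */
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

/* Wait at most `timeout` ms for the event. Returns 1 if it was set, 0 on timeout. */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		/* `now - start` never exceeds `timeout` here because of the check below,
		 * so this subtraction cannot wrap. */
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

/* printf-style write of at most 1023 bytes to `file` (longer output is
 * truncated). Returns false, with errno preserved, on open/short-write failure. */
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	size_t len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != (ssize_t)len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

/* Netlink message builder. `buf` holds the message being built and, after
 * netlink_send_ext(), the reply. `nesting`/`nested` track open nested
 * attributes (not manipulated in this part of the file). */
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

/* Reset the builder and write the nlmsghdr plus `size` bytes of fixed payload.
 * A payload that cannot fit the buffer is fatal. */
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
	if (size < 0 || NLMSG_HDRLEN + NLMSG_ALIGN((size_t)size) > sizeof(nlmsg->buf))
		exit(1);
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

/* Append attribute `typ` with `size` bytes of payload. The space check is done
 * before writing; the original only detected an overflow after the fact in
 * netlink_send_ext(), once the fixed-size buffer had already been overrun. */
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	/* nla_len is 16 bits wide, so header + payload must fit in it. */
	if (size < 0 || (size_t)size > 0xffff - sizeof(*attr))
		exit(1);
	size_t need = NLMSG_ALIGN(sizeof(*attr) + (size_t)size);
	size_t avail = (size_t)(nlmsg->buf + sizeof(nlmsg->buf) - nlmsg->pos);
	if (need > avail)
		exit(1);
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += need;
}

/* Send the built message on `sock` and read one reply into nlmsg->buf.
 * Returns 0 for NLMSG_DONE or a reply of `reply_type` (length stored in
 * *reply_len), 0 for a zero-error ACK, and a negative errno for an error
 * reply; other failures return -1 with errno set, or exit when `dofail`. */
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			exit(1);
		return -1;
	}
	/* From here on `hdr` refers to the reply, which overwrites the request. */
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

/* Resolve a generic netlink family name to its id via CTRL_CMD_GETFAMILY.
 * Returns the id, or -1 with errno set. The attribute walk is bounded by the
 * received length and by each nla_len, so a short or malformed reply can no
 * longer be read past or loop forever. */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0)
		return -1;
	uint16_t id = 0;
	char* end = nlmsg->buf + n;
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	while ((char*)attr + sizeof(*attr) <= end) {
		if (attr->nla_len < sizeof(*attr) || (char*)attr + attr->nla_len > end)
			break;
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			if (attr->nla_len >= sizeof(*attr) + sizeof(id))
				memcpy(&id, attr + 1, sizeof(id));
			break;
		}
		attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len));
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	/* Drain the trailing message of the reply; its content is not needed. */
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

const int kInitNetNsFd = 201;
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00}
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50}
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10}
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

/* Parameters for NL80211_CMD_JOIN_IBSS; `mac` and the fixed-frequency flag are optional. */
struct join_ibss_props {
	int wiphy_freq;
	bool wiphy_freq_fixed;
	uint8_t* mac;
	uint8_t* ssid;
	int ssid_len;
};

/* Bring an interface up (`on` != 0) or down via SIOCSIFFLAGS. Returns 0 or -1.
 * The name is length-checked instead of strcpy'd into the IFNAMSIZ field. */
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	if (strnlen(interface_name, IFNAMSIZ) >= IFNAMSIZ) {
		errno = ENAMETOOLONG;
		return -1;
	}
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0)
		return -1;
	memset(&ifr, 0, sizeof(ifr));
	memcpy(ifr.ifr_name, interface_name, strlen(interface_name) + 1);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0)
		return -1;
	return 0;
}

/* NL80211_CMD_SET_INTERFACE: change `ifindex` to interface type `iftype`.
 * Returns netlink_send_ext()'s result. */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	return netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
}

/* NL80211_CMD_JOIN_IBSS for `ifindex` with the given props.
 * Returns netlink_send_ext()'s result. */
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	return netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
}

/* Query IFLA_OPERSTATE of `ifindex` over NETLINK_ROUTE. Returns the operstate
 * byte, or -1. The attribute walk is bounded by the payload actually received
 * (the original passed the whole message length, header included, to RTA_OK). */
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1)
		return -1;
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail);
	close(sock);
	if (err)
		return -1;
	int fixed = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct ifinfomsg));
	if (n < fixed)
		return -1;
	int len = n - fixed;
	struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
	for (; RTA_OK(attr, len); attr = RTA_NEXT(attr, len)) {
		/* IFLA_OPERSTATE carries a single byte; the original read 32 bits and
		 * relied on the zeroed attribute padding for the same result. */
		if (attr->rta_type == IFLA_OPERSTATE && RTA_PAYLOAD(attr) >= sizeof(uint8_t))
			return *((uint8_t*)RTA_DATA(attr));
	}
	return -1;
}

/* Poll every millisecond until `interface` reports `operstate`.
 * Returns 0 once reached, or a negative value if the state cannot be read. */
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0)
		return -1;
	for (;;) {
		usleep(1000);
		int ret = get_ifla_operstate(nlmsg, ifindex, dofail);
		if (ret < 0)
			return ret;
		if (ret == operstate)
			return 0;
	}
}

/* Switch `interface` to ad-hoc mode, bring it up and join the IBSS described by
 * `ibss_props`. Returns 0 on success, -1 on the first failing step. */
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail)
{
	int ifindex = if_nametoindex(interface);
	if (ifindex == 0)
		return -1;
	if (nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail) < 0)
		return -1;
	if (set_interface_state(interface, 1) < 0)
		return -1;
	if (nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail) < 0)
		return -1;
	return 0;
}

/* Byte offsets into the mmap'ed io_uring SQ/CQ ring used by the helpers below.
 * They assume the default 64-byte SQE / 16-byte CQE layout. */
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

/* Consume one CQE from the ring at a0 and advance the CQ head. Returns the
 * CQE's `res` when its user_data is one of the two tags used by submissions
 * (presumably set by the generated program), otherwise -1. */
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	memcpy(&cqe, cqe_src, sizeof(cqe));
	__atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE);
	return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1;
}

struct io_sqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t flags;
	uint32_t dropped;
	uint32_t array;
	uint32_t resv1;
	uint64_t resv2;
};

struct io_cqring_offsets {
	uint32_t head;
	uint32_t tail;
	uint32_t ring_mask;
	uint32_t ring_entries;
	uint32_t overflow;
	uint32_t cqes;
	uint64_t resv[2];
};

struct io_uring_params {
	uint32_t sq_entries;
	uint32_t cq_entries;
	uint32_t flags;
	uint32_t sq_thread_cpu;
	uint32_t sq_thread_idle;
	uint32_t features;
	uint32_t resv[4];
	struct io_sqring_offsets sq_off;
	struct io_cqring_offsets cq_off;
};

#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
#define IORING_SETUP_SQE128 (1U << 10)
#define IORING_SETUP_CQE32 (1U << 11)

/* io_uring_setup(a0 entries, a1 params) followed by mmap of the ring (*a2) and
 * the SQE array (*a3), with the SQ index array filled 0..n-1.
 * Returns the ring fd, or -1 if the syscall or either mmap fails (the original
 * left the results unchecked and wrote through MAP_FAILED). */
static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint32_t entries = (uint32_t)a0;
	struct io_uring_params* setup_params = (struct io_uring_params*)a1;
	void** ring_ptr_out = (void**)a2;
	void** sqes_ptr_out = (void**)a3;
	/* The fixed offsets above only hold for the default SQE/CQE sizes. */
	setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);
	long fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
	if (fd_io_uring < 0)
		return -1;
	uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t);
	uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
	uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
	void* ring = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, (int)fd_io_uring, IORING_OFF_SQ_RING);
	if (ring == MAP_FAILED) {
		close((int)fd_io_uring);
		return -1;
	}
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	void* sqes = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, (int)fd_io_uring, IORING_OFF_SQES);
	if (sqes == MAP_FAILED) {
		munmap(ring, ring_sz);
		close((int)fd_io_uring);
		return -1;
	}
	*ring_ptr_out = ring;
	*sqes_ptr_out = sqes;
	uint32_t* array = (uint32_t*)((uintptr_t)ring + setup_params->sq_off.array);
	/* Never write more slots than the kernel actually allocated. */
	uint32_t count = entries < setup_params->sq_entries ? entries : setup_params->sq_entries;
	for (uint32_t index = 0; index < count; index++)
		array[index] = index;
	return fd_io_uring;
}

/* Copy the 64-byte SQE at a2 into the next SQ slot of the ring at a0 / SQE array
 * at a1 and publish the new tail. Always returns 0. */
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

/* Attach one end of a fresh socketpair to vhci_hcd as a USB/IP device at the
 * given speed (a0) and return the other end. Ports are allocated per process
 * and per USB2/USB3 bucket. Returns -1 when no port is left; both socket ends
 * are closed on that path (the original leaked them). The attach write is
 * best-effort, as before. */
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		return -1;
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	if (available_port_num > VHCI_HC_PORTS) {
		close(client_fd);
		close(server_fd);
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	/* Format directly through write_file() rather than passing a pre-rendered
	 * buffer as the format string. */
	write_file("/sys/devices/platform/vhci_hcd.0/attach", "%d %d %s %d", port_num, client_fd, "0", speed);
	return server_fd;
}

#define BTF_MAGIC 0xeB9F

struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};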
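#define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
#define BTF_INFO_VLEN(info) ((info) & 0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15
// Local mirrors of the BTF type records; only the kinds named above are
// understood by syz_btf_id_by_name.
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};
struct btf_enum {
	__u32 name_off;
	__s32 val;
};
struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};
struct btf_param {
	__u32 name_off;
	__u32 type;
};
struct btf_var {
	__u32 linkage;
};
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)
// Read /sys/kernel/btf/vmlinux once into a static buffer and return it on
// every later call.  Returns NULL if the file cannot be opened, a read fails,
// or the blob does not fit; the descriptor is closed on every path.
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	char* result = NULL;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		// A blob that fills the whole buffer cannot be distinguished from a
		// truncated one, so it is rejected like a read error.
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			break;
		if (ret == 0) {
			is_read = true;
			result = buf;
			break;
		}
		bytes_read += ret;
	}
	close(fd);
	return result;
}
// Walk the vmlinux BTF type section and return the 1-based id of the first
// type whose name equals the string at a0, or -1 if the blob is unavailable,
// malformed, or has no such type.
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	long idx = 1; // BTF type ids start at 1 (0 is void)
	// Stop as soon as a full record no longer fits in the type section.
	while (bytes_parsed + sizeof(struct btf_type) <= btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		// A name offset outside the string section means a corrupt blob;
		// bail out instead of letting strcmp() run past the buffer.
		if (btf_type->name_off >= btf_header->str_len)
			break;
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		// Size of the kind-specific data that follows the fixed record.
		size_t skip;
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}
// memcpy(a0 + a1, a2 + a3, a4).  No bounds checking: offsets and length come
// straight from the program.  Returns the destination pointer.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}
// Identity helper: lets the program treat a plain value as a resource.
static long syz_create_resource(volatile long val)
{
	return val;
}
#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6
// Per-device bookkeeping for emulated USB gadgets, parsed from the raw
// descriptor blob handed to syz_usb_connect*.
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle; // raw-gadget endpoint handle once enabled
};
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur; // index into ifaces of the active interface, -1 if none
};
struct usb_info {
	int fd;
	struct usb_device_index index;
};
static struct usb_info usb_devices[USB_MAX_FDS];
// Find the device record bound to raw-gadget fd `fd`, or NULL.  Slots are
// published by add_usb_index with a release store, hence the acquire load.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}
static int usb_devices_num;
static bool parse_usb_descriptor(const char*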
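buffer, size_t length, struct usb_device_index* index)
{
	// Index the device/config descriptors and every interface/endpoint
	// descriptor found in `buffer`.  Pointers in `index` alias `buffer`, so
	// the caller must keep it alive.  Returns false only if the blob is too
	// short to hold a device plus a config descriptor.
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		// Every descriptor starts with bLength, bDescriptorType.
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		// Endpoints belong to the most recently seen interface.
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}
// Reserve the next usb_devices slot, parse `dev` into it and bind it to `fd`.
// Returns NULL when the table is full or parsing fails; the slot is consumed
// either way.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	// Release store pairs with the acquire load in lookup_usb_index.
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}
// Program-supplied answers for the enumeration-time GET_DESCRIPTOR requests.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));
static const char default_string[] = {
    8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0};
static const char default_lang_id[] = {
    4, USB_DT_STRING, 0x09, 0x04};
// Pick the IN-direction reply to a control request during enumeration.
// `descs` may be NULL, in which case only the built-in device, config and
// string descriptors (and a synthesized qualifier) are served.  `qual` is
// scratch space owned by the caller.  Returns false to stall EP0.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// Nothing to serve without a descriptor table: stall.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					// Synthesize a qualifier from the device descriptor.
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}
// Decides whether an OUT control request is accepted during enumeration and
// sets *done when the device is considered fully connected.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);
// Generic device: enumeration ends at SET_CONFIGURATION.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}
#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31
// ath9k_htc device: additionally accepts the vendor firmware download
// requests and ends enumeration at FIRMWARE_DOWNLOAD_COMP.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}
// Program-supplied replies for post-enumeration control traffic.  `len` in
// the container structs is the byte size of the whole container, from which
// the number of trailing pointers is derived.
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));
struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));
// Match a control request against the program-supplied descriptor/response
// tables (first exact match, then the `generic` fallback).  Returns false if
// nothing matches; a zero-length match yields *response_data == NULL.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	// Guard the subtraction: a `len` smaller than the header would wrap to
	// a huge element count.
	if (descs && descs->len >= offsetof(struct vusb_descriptors, descs))
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps && resps->len >= offsetof(struct vusb_responses, resps))
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}
#define UDC_NAME_LENGTH_MAX 128
// Local mirrors of the raw-gadget uapi.
struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};
enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};
struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};
#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff
struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};
struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};
struct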
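usb_raw_ep_info {
	__u8 name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};
struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)
// Thin wrappers over the raw-gadget ioctls; each returns the ioctl result.
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}
// Bind the gadget to `driver`/`device` at `speed`.  Names longer than the
// uapi buffers are truncated and always NUL-terminated; the struct is zeroed
// first so no stack bytes reach the kernel.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	memset(&arg, 0, sizeof(arg));
	snprintf((char*)&arg.driver_name[0], sizeof(arg.driver_name), "%s", driver);
	snprintf((char*)&arg.device_name[0], sizeof(arg.device_name), "%s", device);
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}
static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}
// Index into index->ifaces of the (number, alt-setting) pair, or -1.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}
// Raw-gadget handle of the endpoint with `bEndpointAddress` on the active
// interface, or -1 if there is no device, no active interface, or no match.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	return -1;
}
#define USB_MAX_PACKET_SIZE 4096
// Fixed-size event and I/O buffers layered over the variable-length uapi
// structs so they can live on the stack.
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};
// Disable the endpoints of the current interface, enable those of interface
// `n` (recording their handles) and make `n` current.  Out-of-range `n`
// leaves the previous interface disabled but still recorded as current.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd,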
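index->ifaces[index->iface_cur].eps[ep].handle);
			(void)rv; // best effort: a failed disable is not treated as fatal
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			// On failure the handle keeps its previous value.
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}
// Apply the configured bMaxPower, finish configuration and activate
// interface 0.  Returns the failing ioctl result, 0 on success, -1 if no
// device is bound to `fd`.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}
// Open raw-gadget, register the descriptor blob `dev` and drive enumeration
// by answering EP0 control requests until `lookup_connect_response_out`
// reports completion.  Returns the raw-gadget fd, a negative ioctl result, or
// -1.  Once add_usb_index has bound the fd to a usb_devices slot the fd is
// intentionally not closed on later failures, because the slot would keep
// matching a reused descriptor number.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		// Nothing references fd yet, so it can be released.
		close(fd);
		return -1;
	}
	char device[32];
	snprintf(&device[0], sizeof(device), "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			// OUT requests: just sink wLength bytes from the host.
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Clamp to the buffer and to what the host asked for.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}
// syz_usb_connect(speed, dev_len, dev, conn_descs) for a generic device.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}
// Same as syz_usb_connect but with the ath9k_htc OUT-request policy.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}
// Handle one post-enumeration control transfer on raw-gadget fd a0, using
// the program-supplied descriptor (a1) and response (a2) tables.  Returns 0,
// a negative ioctl result, or -1 when no control event arrived or no reply
// matched (EP0 is stalled in the latter case).
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type !=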
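USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): with `||` every standard OUT request triggers an
		// interface lookup, not only SET_INTERFACE; `&&` looks intended —
		// confirm against upstream before changing.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			// An unknown interface is ignored (best effort).
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// An IN request with wLength == 0 is read with the full buffer instead.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SI
ZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
// Write up to USB_MAX_PACKET_SIZE bytes of a3 (length a2) to endpoint
// address a1 of raw-gadget fd a0.  Returns 0, a negative ioctl result, or -1
// if the endpoint is not enabled on the current interface.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}
// Read up to min(a2, USB_MAX_PACKET_SIZE) bytes from endpoint address a1
// into a3.  Returns 0, a negative ioctl result, or -1 for an unknown endpoint.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	// Never copy more than the caller's buffer holds, whatever length the
	// kernel leaves in the header.  NOTE(review): the ioctl result `rv` is
	// not used as the byte count — confirm which field carries it.
	uint32_t got = io_data.inner.length;
	if (got > len)
		got = len;
	memcpy(&data[0], &io_data.data[0], got);
	sleep_ms(200);
	return 0;
}
// Close the raw-gadget fd.  NOTE(review): the usb_devices slot bound to this
// fd is not cleared, so a later descriptor with the same number would still
// match it in lookup_usb_index.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}
// Open a device node.  a0 == 0xc/0xb selects /dev/char or /dev/block by
// major:minor (a1:a2); otherwise a0 is a path template whose '#' characters
// are replaced by the decimal digits of a1 (least significant first) and a2
// holds the open flags (O_CREAT is masked off).
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10);
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}
// Open a procfs entry named by a1 under /proc/self (a0 == 0),
// /proc/thread-self (a0 == -1) or /proc/self/task/<a0>; read-write first,
// falling back to read-only.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}
// Open the pts slave belonging to the pty master fd a0 with flags a1.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}
// Create a socket inside the initial network namespace and return to the
// caller's namespace afterwards.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns =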
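open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		close(netns);
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno; // preserve the socket() errno across setns/close
	// Failing to get back into our own namespace leaves the process in an
	// unknown state; bail out hard.
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	return sock;
}
// Create a TCP socket in the initial network namespace and connect it to the
// NVMe-over-TCP port on loopback.  Returns the connected socket or -1.
static long syz_socket_connect_nvme_tcp()
{
	struct sockaddr_in nvme_local_address;
	memset(&nvme_local_address, 0, sizeof(nvme_local_address));
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		close(netns);
		return -1;
	}
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	if (sock < 0)
		return -1;
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		close(sock);
		return -1;
	}
	return sock;
}
// Resolve a generic-netlink family name to its id, on the caller's socket
// (sock_arg >= 0) or on a temporary one.  Returns the id or -1.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
// Inflate state: input/output buffers with cursors, a bit accumulator and
// the longjmp target used when input runs out mid-block.
struct puff_state {
	unsigned char* out;
	unsigned long outlen;
	unsigned long outcnt;
	const unsigned char* in;
	unsigned long inlen;
	unsigned long incnt;
	int bitbuf;
	int bitcnt;
	jmp_buf env;
};
// Return the next `need` bits of input (LSB first), refilling from the
// byte stream; longjmps out when the input is exhausted.
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}
	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;
	return (int)(val & ((1L << need) - 1));
}
// Copy a stored (uncompressed) block.  Returns 0, 2 on short input, 1 on
// full output, -2 on a LEN/NLEN mismatch.  Only non-zero bytes are written
// so the output can stay sparse.
static int puff_stored(struct puff_state* s)
{
	s->bitbuf = 0;
	s->bitcnt = 0;
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	for (; len--; s->outcnt++, s->incnt++) {
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}
	return 0;
}
// Canonical Huffman table: count[len] codes of each length, symbols in
// code order.
struct puff_huffman {
	short* count;
	short* symbol;
};
// Decode one symbol with table `h`, bit by bit.  Returns the symbol, or
// -10 if the bits form no valid code.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0;
	int index = 0;
	int bitbuf = s->bitbuf;
	int left = s->bitcnt;
	int code = first = index = 0;
	int len = 1;
	short* next = h->count + 1;
	while (1) {
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				s->bitbuf = bitbuf;
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code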
- first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		// Out of buffered bits: fetch another input byte (at most 8 bits,
		// never more than MAXBITS in total).
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}
// Build a canonical Huffman table from `n` code lengths.  Returns 0 for a
// complete code, a positive value for an incomplete one (still usable) and a
// negative value for an over-subscribed set of lengths.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;
	// Kraft check: `left` is the number of codes still available per length.
	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];
	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;
	return left;
}
// Decode literal/length and distance codes until end-of-block (256).
// Returns 0, 1 on full output, -10/-11 on invalid codes or distances, or a
// negative puff_decode result.  Zero bytes are skipped on write, matching
// puff_stored, so the output buffer must start zeroed.
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
	// Base lengths / extra bits for length codes 257..285.
	static const short lens[29] = {
	    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
	    35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = {
	    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
	    3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	// Base distances / extra bits for distance codes 0..29.
	static const short dists[30] = {
	    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
	    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
	    8193, 12289, 16385, 24577};
	static const short dext[30] = {
	    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
	    7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);
			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			if (dist > s->outcnt)
				return -11;
			if (s->outcnt + len > s->outlen)
				return 1;
			// Byte-wise copy so overlapping (run-length) matches work.
			while (len--) {
				if (dist <= s->outcnt && s->out[s->outcnt - dist])
					s->out[s->outcnt] = s->out[s->outcnt - dist];
				s->outcnt++;
			}
		}
	} while (symbol != 256);
	return 0;
}
// Decode a fixed-Huffman block.  The tables are built once into statics on
// first use.  NOTE(review): `virgin` is a plain static, so the first-use
// initialisation is not safe if two threads inflate concurrently — confirm
// callers are serialised.
static int puff_fixed(struct puff_state* s)
{
	static int virgin = 1;
	static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
	static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	static struct puff_huffman lencode, distcode;
	if (virgin) {
		lencode.count = lencnt;
		lencode.symbol = lensym;
		distcode.count = distcnt;
		distcode.symbol = distsym;
		// Fixed literal/length code lengths per RFC 1951 section 3.2.6.
		short lengths[FIXLCODES];
		int symbol;
		for (symbol = 0; symbol < 144; symbol++)
			lengths[symbol] = 8;
		for (; symbol < 256; symbol++)
			lengths[symbol] = 9;
		for (; symbol < 280; symbol++)
			lengths[symbol] = 7;
		for (; symbol < FIXLCODES; symbol++)
			lengths[symbol] = 8;
		puff_construct(&lencode, lengths, FIXLCODES);
		for (symbol = 0; symbol < MAXDCODES; symbol++)
			lengths[symbol] = 5;
		puff_construct(&distcode, lengths, MAXDCODES);
		virgin = 0;
	}
	return puff_codes(s, &lencode, &distcode);
}
// Decode a dynamic-Huffman block: read the code-length code, then the
// literal/length and distance code lengths, build both tables and decode.
// Returns 0 or a negative error code (-3..-9 for malformed headers).
static int puff_dynamic(struct puff_state* s)
{
	// Permutation in which code-length code lengths are transmitted.
	static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	int ncode = puff_bits(s, 4) + 4;
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3;
	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;
	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4;
	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;
		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			// 16: repeat previous length, 17/18: runs of zero lengths.
			len = 0;
			if (symbol == 16) {
				if (index == 0)
					return -5;
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			} else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			if (index + symbol > nlen + ndist)
				return -6;
			while (symbol--)
				lengths[index++] = len;
		}
	}
	// End-of-block code must be present.
	if (lengths[256] == 0)
		return -9;
	// An incomplete code is only tolerated when it has a single code.
	err = puff_construct(&lencode, lengths, nlen);
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;
	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;
	return puff_codes(s, &lencode, &distcode);
}
// Inflate raw deflate data from `source` into `dest`.  *destlen is the
// capacity on entry and the bytes produced on return.  Returns 0, 1 (output
// full), 2 (input exhausted) or a negative format error.
static int puff(
    unsigned char* dest,
    unsigned long* destlen,
    const unsigned char* source,
    unsigned long sourcelen)
{
	struct puff_state s = {
	    .out = dest,
	    .outlen = *destlen,
	    .outcnt = 0,
	    .in = source,
	    .inlen = sourcelen,
	    .incnt = 0,
	    .bitbuf = 0,
	    .bitcnt = 0,
	};
	int err;
	// puff_bits/puff_decode longjmp here on premature end of input.
	if (setjmp(s.env) != 0)
		err = 2;
	else {
		int last;
		do {
			last = puff_bits(&s, 1);
			int type = puff_bits(&s, 2);
			err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ?
puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, 
volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, 
*__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_PT_POOL 0x5000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x70000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define 
X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x200000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL 
<< 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 8) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) 
#define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 
<< 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c 
#define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define 
VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 
0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } typedef enum { SYZOS_API_UEXIT = 0, 
SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_NESTED_AMD_INVLPGA = 381, SYZOS_API_NESTED_AMD_STGI = 382, SYZOS_API_NESTED_AMD_CLGI = 383, SYZOS_API_NESTED_AMD_INJECT_EVENT = 384, SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385, SYZOS_API_NESTED_AMD_VMLOAD = 386, SYZOS_API_NESTED_AMD_VMSAVE = 387, SYZOS_API_STOP, } syzos_api_id; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE 
static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi 
call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu) { uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; if (cmd->call >= SYZOS_API_STOP) return; if (cmd->size > size) return; volatile uint64_t call = cmd->call; if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == 
SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit((uint64_t)-1); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; *ptr = exit_code; } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm 
volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE 
/* Write the low byte/word/dword of args[2] to I/O port args[0]; args[1] selects the
 * width (1, 2 or 4, anything else is a no-op). The GUEST_CODE attribute for this
 * definition sits at the end of the preceding line. */
static noinline void guest_handle_out_dx(struct api_call_3* cmd)
{
    uint16_t port = cmd->args[0];
    volatile int size = cmd->args[1];
    uint32_t data = (uint32_t)cmd->args[2];
    if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; }
    if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; }
    if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; }
}

/* 64-bit IDT gate descriptor in hardware layout (16 bytes, packed). */
struct idt_entry_64 {
    uint16_t offset_low;   // handler address bits 15:0
    uint16_t selector;     // code segment selector
    uint8_t ist;           // interrupt stack table index
    uint8_t type_attr;     // present bit, DPL and gate type
    uint16_t offset_mid;   // handler address bits 31:16
    uint32_t offset_high;  // handler address bits 63:32
    uint32_t reserved;
} __attribute__((packed));

/* Install `handler` as the gate for interrupt `vector` in the SyzOS IDT at
 * X86_SYZOS_ADDR_VAR_IDT. type_attr 0x8E = present, DPL 0, 64-bit interrupt gate;
 * IST 0 means no stack switch. `vector` is 8-bit, so the index cannot exceed 255. */
GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler)
{
    volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
    volatile struct idt_entry_64* idt_entry = &idt[vector];
    idt_entry->offset_low = (uint16_t)handler;
    idt_entry->offset_mid = (uint16_t)(handler >> 16);
    idt_entry->offset_high = (uint32_t)(handler >> 32);
    idt_entry->selector = X86_SYZOS_SEL_CODE;
    idt_entry->type_attr = 0x8E;
    idt_entry->ist = 0;
    idt_entry->reserved = 0;
}

/* Point IDT vector args[0] at one of two canned handlers selected by args[1]
 * (1: dummy_null_handler, 2: uexit_irq_handler). Handler addresses are translated to
 * guest addresses with executor_fn_guest_addr(). Any other type installs a *present*
 * gate whose handler address is 0. */
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
{
    uint8_t vector = (uint8_t)cmd->args[0];
    uint64_t type = cmd->args[1];
    volatile uint64_t handler_addr = 0;
    if (type == 1)
        handler_addr = executor_fn_guest_addr(dummy_null_handler);
    else if (type == 2)
        handler_addr = executor_fn_guest_addr(uexit_irq_handler);
    set_idt_gate(vector, handler_addr);
}

/* cpuid leaf 0: ebx carries the first four vendor-string bytes, "Genu" (0x756e6547)
 * for Intel and "Auth" (0x68747541) for AMD. Any other vendor raises UEXIT_ASSERT
 * and then falls back to treating the CPU as Intel. */
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void)
{
    uint32_t ebx, eax = 0;
    asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx");
    if (ebx == 0x756e6547) {
        return CPU_VENDOR_INTEL;
    } else if (ebx == 0x68747541) {
        return CPU_VENDOR_AMD;
    } else {
        guest_uexit(UEXIT_ASSERT);
        return CPU_VENDOR_INTEL;
    }
}

/* Control-register readers (mov from CRn). */
GUEST_CODE static inline uint64_t read_cr0(void)
{
    uint64_t val;
    asm volatile("mov %%cr0, %0" : "=r"(val));
    return val;
}

GUEST_CODE static inline uint64_t read_cr3(void)
{
    uint64_t val;
    asm volatile("mov %%cr3, %0" : "=r"(val));
    return val;
}

GUEST_CODE static inline uint64_t read_cr4(void)
{
    uint64_t val;
    asm volatile("mov %%cr4, %0" : "=r"(val));
    return val;
}

/* mov to CR4. Unlike the CR4 write in guest_handle_wr_crn this one declares no
 * "memory" clobber; likely harmless for its callers, but the two are inconsistent. */
GUEST_CODE static inline void write_cr4(uint64_t val)
{
    asm volatile("mov %0, %%cr4" : : "r"(val));
}

/* Write `value` to VMCS field `field` of the current VMCS. AT&T operand order: the
 * value (rax) goes into the field selected by rbx. setna captures CF|ZF, i.e. either
 * VMX failure flavour; on failure the guest raises UEXIT_ASSERT, so a fuzzer-chosen
 * invalid encoding terminates the program rather than being ignored. */
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value)
{
    uint8_t error = 0;
    asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory");
    if (error)
        guest_uexit(UEXIT_ASSERT);
}

/* Read VMCS field `field`. No failure check, unlike vmwrite: on an invalid encoding
 * the returned value is whatever rax happened to hold. */
GUEST_CODE static noinline uint64_t vmread(uint64_t field)
{
    uint64_t value;
    asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc");
    return value;
}

/* Make the VMCS of (cpu_id, vm_id) current. vmptrld takes a memory operand holding
 * the VMCS address, hence the "m" constraint on the local. The SyzOS address is used
 * directly as the VMCS pointer, so it must be guest-physical (identity-mapped) —
 * confirm against the address macros. Failure exits with 0xE2BAD2. */
GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint8_t error = 0;
    asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc");
    if (error)
        guest_uexit(0xE2BAD2);
}

/* Raw accessors into the AMD VMCB at address `vmcb`. `offset` is a 16-bit byte offset
 * and is not range-checked against the VMCB page; callers passing fuzzer-chosen
 * offsets can therefore reach into the page that follows. vmcb_read64 takes a
 * pointer while its siblings take an integer address, so callers cast. */
GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val)
{
    *((volatile uint16_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val)
{
    *((volatile uint32_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset)
{
    return *((volatile uint32_t*)(vmcb + offset));
}

GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val)
{
    *((volatile uint64_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset)
{
    return *((volatile uint64_t*)(vmcb + offset));
}

/* Byte-wise memset/memcpy through volatile pointers — presumably so the compiler
 * cannot replace the loop with a call to libc memset/memcpy, which the guest image
 * does not contain; confirm. Sizes are plain int; a negative size copies nothing. */
GUEST_CODE static void guest_memset(void* s, uint8_t c, int size)
{
    volatile uint8_t* p = (volatile uint8_t*)s;
    for (int i = 0; i < size; i++)
        p[i] = c;
}

GUEST_CODE static void guest_memcpy(void* dst, void* src, int size)
{
    volatile uint8_t* d = (volatile uint8_t*)dst;
    volatile uint8_t* s = (volatile uint8_t*)src;
    for (int i = 0; i < size; i++)
        d[i] = s[i];
}
/* Put this CPU into VMX root operation so an L2 VM can be created later.
 * Steps: set CR4.VMXE; if IA32_FEATURE_CONTROL bit 0 (the lock bit) is clear, set
 * bits 0 and 2 (lock + VMXON outside SMX, per the SDM); write the low 32 bits of
 * IA32_VMX_BASIC (the VMCS revision identifier) into the first dword of the per-CPU
 * VMXON region; then vmxon, whose "m" operand is the local holding the region's
 * address. CF or ZF after vmxon exits with 0xE2BAD0.
 * NOTE(review): the feature-control write is open-coded with an "A" constraint plus a
 * separate "d"(0x0) instead of the wrmsr() helper used everywhere else; on x86-64 "A"
 * names both rax and rdx, so this relies on the allocator placing the 64-bit value in
 * rax — confirm, or route it through wrmsr(). */
GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id)
{
    uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
    uint64_t cr4 = read_cr4();
    cr4 |= X86_CR4_VMXE;
    write_cr4(cr4);
    uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL);
    if ((feature_control & 1) == 0) {
        feature_control |= 0b101;
        asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control));
    }
    *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
    uint8_t error;
    asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc");
    if (error) {
        guest_uexit(0xE2BAD0);
        return;
    }
}

/* Enable SVM on this CPU: set EFER.SVME and point VM_HSAVE_PA at the per-CPU
 * arch-specific page (the same page the Intel path uses as its VMXON region). */
GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id)
{
    uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
    uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
    efer |= X86_EFER_SVME;
    wrmsr(X86_MSR_IA32_EFER, efer);
    wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr);
}

/* API entry: enable nested virtualization for the vendor detected at run time.
 * `cmd` carries no information that is used here. */
GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_enable_vmx_intel(cpu_id);
    } else {
        nested_enable_svm_amd(cpu_id);
    }
}

/* Build the second-level (EPT on Intel, NPT on AMD) page tables for L2 VM
 * (cpu_id, vm_id) in four consecutive pages at X86_SYZOS_ADDR_VM_PGTABLE:
 * PML4, PDPT, PD, PT. Only entry 0 of the top three levels is populated; the PT maps
 * pages 0..511 one-to-one, so L2 guest-physical addresses below 512*KVM_PAGE_SIZE
 * resolve to the same L1 addresses and nothing above that is reachable. All four
 * pages and the VM's MSR-bitmap page are zeroed first.
 * Leaf flags differ per vendor: Intel adds the EPT memory type and A/D bits, AMD the
 * legacy A/D bits. X86_PDE64_USER is applied unconditionally; in an EPT entry the
 * corresponding bit position is the execute permission, which is presumably why —
 * confirm against the flag definitions. */
GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    uint64_t l2_pdpt_addr = l2_pml4_addr + KVM_PAGE_SIZE;
    uint64_t l2_pd_addr = l2_pml4_addr + 2 * KVM_PAGE_SIZE;
    uint64_t l2_pt_addr = l2_pml4_addr + 3 * KVM_PAGE_SIZE;
    volatile uint64_t* pml4 = (volatile uint64_t*)l2_pml4_addr;
    volatile uint64_t* pdpt = (volatile uint64_t*)l2_pdpt_addr;
    volatile uint64_t* pd = (volatile uint64_t*)l2_pd_addr;
    volatile uint64_t* pt = (volatile uint64_t*)l2_pt_addr;
    guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_pdpt_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_pd_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_pt_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id), 0, KVM_PAGE_SIZE);
    uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    pml4[0] = l2_pdpt_addr | flags;
    pdpt[0] = l2_pd_addr | flags;
    pd[0] = l2_pt_addr | flags;
    uint64_t pt_flags = flags;
    if (vendor == CPU_VENDOR_INTEL) {
        pt_flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY;
    } else {
        pt_flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY;
    }
    for (int i = 0; i < 512; i++)
        pt[i] = (i * KVM_PAGE_SIZE) | pt_flags;
}

/* Fill the VM-execution, VM-exit and VM-entry control fields of the current VMCS.
 * Each control is seeded from the low dword of the matching IA32_VMX_*CTLS capability
 * MSR (per the SDM that dword is the "allowed-0" mask, i.e. bits that must be 1), so
 * writing it verbatim gives a minimal valid setting. On top of that: EPT + RDTSCP in
 * the secondary controls, secondary-control activation plus HLT/RDTSC exiting in the
 * primary controls, 64-bit host on exit and IA-32e guest on entry.
 * EPTP = page-aligned L2 table base | 6 (memory type WB) | 3<<3 (page-walk length 4),
 * following the SDM's EPTP encoding. Exception bitmap bit 6 (#UD) is the only
 * intercepted exception. CR0/CR4 guest/host masks are 0, so L2 owns those registers;
 * the read shadows hold the current L1 values. The remaining fields are cleared
 * (page-fault error-code match is all ones) so stale VMCS content does not leak in.
 * NOTE(review): the MSR-bitmap page zeroed in setup_l2_page_tables is not referenced
 * here (VMCS_MSR_BITMAP is written as 0) and nothing visible enables the
 * use-MSR-bitmaps control, so that page appears unused on the Intel path — confirm.
 * This function continues past the end of this span. */
GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS);
    vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
    vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2);
    vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP;
    vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS);
    vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
    vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING;
    vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS);
    vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS);
    vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE);
    uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3);
    vmwrite(VMCS_EPT_POINTER, eptp);
    vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0);
    vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0);
    vmwrite(VMCS_CR0_READ_SHADOW, read_cr0());
    vmwrite(VMCS_CR4_READ_SHADOW, read_cr4());
    vmwrite(VMCS_MSR_BITMAP, 0);
    vmwrite(VMCS_VMREAD_BITMAP, 0);
    vmwrite(VMCS_VMWRITE_BITMAP, 0);
    vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6));
    vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0);
    vmwrite(VMCS_POSTED_INTR_NV, 0);
    vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0);
    vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1);
    vmwrite(VMCS_CR3_TARGET_COUNT, 0);
    vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0);
    vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0);
/* Tail of init_vmcs_control_fields (started before this span): no entry MSR loads,
 * no pending event injection, TPR threshold 0. */
    vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0);
    vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0);
    vmwrite(VMCS_TPR_THRESHOLD, 0);
}

/* Vendor-neutral codes for the L2 exits SyzOS reports to the host; UNKNOWN means the
 * raw vendor exit reason is forwarded instead (see guest_uexit_l2). */
typedef enum {
    SYZOS_NESTED_EXIT_REASON_HLT = 1,
    SYZOS_NESTED_EXIT_REASON_INVD = 2,
    SYZOS_NESTED_EXIT_REASON_CPUID = 3,
    SYZOS_NESTED_EXIT_REASON_RDTSC = 4,
    SYZOS_NESTED_EXIT_REASON_RDTSCP = 5,
    SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF,
} syz_nested_exit_reason;

/* Report an L2 exit to the host. Known reasons go out as 0xe2e20000 | mapped code;
 * otherwise the raw reason is OR-ed into 0xe2110000 (Intel) or 0xe2aa0000 (AMD).
 * The raw value is the full exit_reason word, not only its low 16 bits, so any high
 * bits the hardware set are forwarded as well. */
GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor)
{
    if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) {
        guest_uexit(0xe2e20000 | mapped_reason);
    } else if (vendor == CPU_VENDOR_INTEL) {
        guest_uexit(0xe2110000 | exit_reason);
    } else {
        guest_uexit(0xe2aa0000 | exit_reason);
    }
}

/* Intel basic VM-exit reason numbers (SDM Appendix C) for the exits SyzOS maps. */
#define EXIT_REASON_CPUID 0xa
#define EXIT_REASON_HLT 0xc
#define EXIT_REASON_INVD 0xd
#define EXIT_REASON_RDTSC 0x10
#define EXIT_REASON_RDTSCP 0x33

/* Translate an Intel basic exit reason into the vendor-neutral enum. The volatile
 * local is the same pattern as in guest_handle_wr_crn (presumably a jump-table
 * guard; confirm). */
GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason)
{
    volatile uint64_t reason = basic_reason;
    if (reason == EXIT_REASON_HLT)
        return SYZOS_NESTED_EXIT_REASON_HLT;
    if (reason == EXIT_REASON_INVD)
        return SYZOS_NESTED_EXIT_REASON_INVD;
    if (reason == EXIT_REASON_CPUID)
        return SYZOS_NESTED_EXIT_REASON_CPUID;
    if (reason == EXIT_REASON_RDTSC)
        return SYZOS_NESTED_EXIT_REASON_RDTSC;
    if (reason == EXIT_REASON_RDTSCP)
        return SYZOS_NESTED_EXIT_REASON_RDTSCP;
    return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

/* Move L2's RIP past the instruction that caused the exit so a resume does not
 * replay it: invd/cpuid/rdtsc are 2-byte opcodes, rdtscp is 3 bytes. HLT and every
 * other reason leave RIP untouched (a resumed hlt re-executes and exits again).
 * The fixed lengths are only right when L2 used no instruction prefixes; the exact
 * value would be the VMCS VM-exit instruction-length field. */
GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason)
{
    volatile uint64_t reason = basic_reason;
    uint64_t rip = vmread(VMCS_GUEST_RIP);
    if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) {
        rip += 2;
    } else if (reason == EXIT_REASON_RDTSCP) {
        rip += 3;
    }
    vmwrite(VMCS_GUEST_RIP, rip);
}

/* C half of the Intel VM-exit path, called from nested_vm_exit_handler_intel_asm
 * with rdi = raw VM-exit reason and rsi = pointer to the registers the stub pushed
 * (`regs`, currently unused). The low 16 bits are the basic reason. Reports the exit
 * to the host, then fixes up L2's RIP for the next resume. */
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs)
{
    uint64_t basic_reason = exit_reason & 0xFFFF;
    syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason);
    guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
    advance_l2_rip_intel(basic_reason);
}

/* Label defined inside guest_handle_nested_vmentry_intel; the exit stub jumps there. */
extern char after_vmentry_label;

/* Host-RIP target for Intel VM exits (installed by init_vmcs_host_state). Saves the
 * 15 general-purpose registers other than rsp, passes rsp (the saved-register block)
 * in rsi and the VMCS exit reason in rdi to nested_vm_exit_handler_intel, discards
 * the saved block with a single add sized by struct l2_guest_regs, and jumps back to
 * after_vmentry_label so the interrupted vmlaunch/vmresume call continues.
 * NOTE(review): nothing on this path restores L1's callee-saved registers to their
 * pre-vmlaunch values — after the jump they hold whatever the C handler left, which
 * per the ABI is what L2 left at exit time; this relies on the L2 code not disturbing
 * rbp/rbx/r12–r15, confirm. NOTE: in this listing the raw-string asm body appears with
 * its line breaks collapsed into spaces; the assembler needs one instruction per line,
 * so this is presumably a rendering artifact, not the compiled source. */
__attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void)
{
    asm volatile(R"( push %%rax push %%rbx push %%rcx push %%rdx push %%rsi push %%rdi push %%rbp push %%r8 push %%r9 push %%r10 push %%r11 push %%r12 push %%r13 push %%r14 push %%r15 mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[stack_cleanup_size], %%rsp jmp after_vmentry_label )"
                 :
                 : [stack_cleanup_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON)
                 : "memory", "cc", "rbx", "rdi", "rsi");
}

/* AMD #VMEXIT codes (APM Appendix C) for the exits SyzOS maps. */
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_RDTSCP 0x87

/* AMD counterpart of map_intel_exit_reason. */
GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
    volatile uint64_t reason = basic_reason;
    if (reason == VMEXIT_HLT)
        return SYZOS_NESTED_EXIT_REASON_HLT;
    if (reason == VMEXIT_INVD)
        return SYZOS_NESTED_EXIT_REASON_INVD;
    if (reason == VMEXIT_CPUID)
        return SYZOS_NESTED_EXIT_REASON_CPUID;
    if (reason == VMEXIT_RDTSC)
        return SYZOS_NESTED_EXIT_REASON_RDTSC;
    if (reason == VMEXIT_RDTSCP)
        return SYZOS_NESTED_EXIT_REASON_RDTSCP;
    return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

/* AMD counterpart of advance_l2_rip_intel, operating on the VMCB's saved RIP. The
 * same fixed-length caveat applies; CPUs with NRIPS record the exact next RIP in
 * the VMCB, which is not used here. */
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
    volatile uint64_t reason = basic_reason;
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
    if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
        rip += 2;
    } else if (reason == VMEXIT_RDTSCP) {
        rip += 3;
    }
    vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

/* AMD exit dispatcher, called synchronously by guest_run_amd_vm after VMRUN returns
 * (no separate asm stub is needed on SVM). Continues on the next line. */
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, uint64_t cpu_id, uint64_t vm_id)
{
    volatile uint64_t
/* Body of nested_vm_exit_handler_amd (declaration started on the previous line):
 * low 16 bits of the VMCB exit code are the basic reason; report, then skip the
 * exiting instruction. */
    basic_reason = exit_reason & 0xFFFF;
    syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
    guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
    advance_l2_rip_amd(basic_reason, cpu_id, vm_id);
}

/* Host (L1) state that the CPU loads on every VM exit: SyzOS selectors and
 * descriptor tables, FS/GS bases from the MSRs, the current CR0/CR3/CR4 and the
 * PAT/EFER/PERF_GLOBAL_CTRL/SYSENTER MSRs, RIP = the naked exit stub, RSP = the stack
 * pointer captured inside this function's own frame.
 * NOTE(review): guest_handle_set_irq_handler translates function addresses with
 * executor_fn_guest_addr() before handing them to hardware, while here the stub
 * address is cast directly; the two agree only if GUEST_CODE runs at its link address
 * or the cast already yields a guest address — confirm.
 * NOTE(review): the captured RSP belongs to a frame that no longer exists when the
 * first exit happens; the stub pushes below that address and then jumps into the
 * vmlaunch/vmresume caller, so this relies on that call chain never being deeper
 * than this one was — confirm. */
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
    vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
    vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
    vmwrite(VMCS_HOST_TR_BASE, 0);
    vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
    vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
    vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
    vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
    uint64_t tmpreg = 0;
    asm volatile("mov %%rsp, %0" : "=r"(tmpreg));
    vmwrite(VMCS_HOST_RSP, tmpreg);
    vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
    vmwrite(VMCS_HOST_CR0, read_cr0());
    vmwrite(VMCS_HOST_CR3, read_cr3());
    vmwrite(VMCS_HOST_CR4, read_cr4());
    vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
    vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
    vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
    vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
    vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
    vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

/* Copy a host-state VMCS field into the corresponding guest-state field. */
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))
/* Four vmwrites per L2 segment: selector, base, limit, access rights. Expands to
 * several statements, so only use it where a full statement is expected. */
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

/* Initial L2 guest state, modelled on L1: the same selectors and FS/GS/TR bases are
 * read back from the host fields (so init_vmcs_host_state must run first —
 * nested_create_vm_intel orders it that way), flat 4 GiB limits, the same
 * CR0/CR3/CR4 (L2 therefore runs on L1's own page tables, of which the EPT built by
 * setup_l2_page_tables exposes only the first 512 pages), EFER/PAT/PERF/SYSENTER
 * copied from the host fields. RIP = the VM's code page, RSP = top of its stack page
 * minus 8, RFLAGS = reserved bit 1 only, DR7 = 0x400 (its reset value), DEBUGCTL 0.
 * GDTR/IDTR are L1's with 0xffff limits; the link pointer is all ones (no shadow
 * VMCS); activity, interruptibility and pending-debug state are cleared.
 * This function continues past the end of this span. */
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
    SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
    SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
    vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
    vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
    vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
    vmwrite(VMCS_GUEST_RIP, l2_code_addr);
    vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT);
    vmwrite(VMCS_GUEST_DR7, 0x400);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
    vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
    vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
    vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
    vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
    vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
    vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff);
    vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0);
    vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
/* Tail of init_vmcs_guest_state (started before this span): no pending debug
 * exceptions, preemption timer 0, interrupt status and PML index cleared. */
    vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0);
    vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
    vmwrite(VMCS_GUEST_INTR_STATUS, 0);
    vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

/* Create L2 VM number cmd->arg on this CPU (Intel): stamp the VMCS region with the
 * low 32 bits of IA32_VMX_BASIC (revision id), vmclear it (CF/ZF → exit 0xE2BAD1),
 * make it current, build the EPT tables, then controls, host state and finally guest
 * state — the guest-state step reads host fields back, so this order matters.
 * The vm_id from the command is used unchecked in the address macros; any bound on
 * it has to live in those macros, which are not visible here. */
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint8_t error = 0;
    *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
    asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc");
    if (error) {
        guest_uexit(0xE2BAD1);
        return;
    }
    nested_vmptrld(cpu_id, vm_id);
    setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id);
    init_vmcs_control_fields(cpu_id, vm_id);
    init_vmcs_host_state();
    init_vmcs_guest_state(cpu_id, vm_id);
}

/* Four VMCB writes per L2 segment: selector, attributes, limit, base. Expands to
 * several statements, so only use it where a full statement is expected. The
 * parameter name VMBC_PTR looks like a typo for VMCB. */
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

/* Initial L2 state and control area of the VMCB for (cpu_id, vm_id), modelled on
 * L1: SyzOS selectors with flat 4 GiB limits, TR at X86_SYZOS_ADDR_VAR_TSS, the
 * current CR3/CR4, CR0 with WP forced on, EFER with SCE cleared, PAT from the MSR,
 * GDTR/IDTR copied from the live L1 tables via sgdt/sidt. RIP = the VM's code page,
 * RSP = top of its stack page minus 8, RFLAGS = reserved bit 1, DR6/DR7/DEBUGCTL 0.
 * Control area: every intercept in vectors 3 and 4 (VMCB_CTRL_INTERCEPT_VEC*_ALL),
 * nested paging enabled with N_CR3 = the page-aligned NPT base, ASID 1.
 * NOTE(review): TR's attributes come from VMX_AR_TSS_AVAILABLE, a VMX-named constant,
 * on the SVM path; the value may well coincide but the name is misleading — confirm.
 * (1 << VMCB_CTRL_NPT_ENABLE_BIT) is an int-typed shift, fine only while that bit
 * index is below 31. */
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, VMX_AR_TSS_AVAILABLE);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
    uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
    vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
    vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
    vmcb_write64(vmcb_addr, VMCB_GUEST_DEBUGCTL, 0);
    vmcb_write64(vmcb_addr, VMCB_GUEST_DR6, 0x0);
    vmcb_write64(vmcb_addr, VMCB_GUEST_DR7, 0x0);
    vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, efer & ~X86_EFER_SCE);
    vmcb_write64(vmcb_addr, VMCB_GUEST_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
    /* sgdt/sidt store a 10-byte pseudo-descriptor: 16-bit limit then 64-bit base. */
    struct {
        uint16_t limit;
        uint64_t base;
    } __attribute__((packed)) gdtr, idtr;
    asm volatile("sgdt %0" : "=m"(gdtr));
    asm volatile("sidt %0" : "=m"(idtr));
    vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
    vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
    vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
    uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
    vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
    vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

/* Create L2 VM number cmd->arg on this CPU (AMD): zero the VMCB page and the
 * per-CPU host-save page, build the NPT tables, then fill the VMCB. The call
 * continues on the next line. */
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
    setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id,
vm_id);
    init_vmcb_guest_state(cpu_id, vm_id);
}

/* API entry: create L2 VM cmd->arg for the vendor detected at run time. */
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_create_vm_intel(cmd, cpu_id);
    } else {
        nested_create_vm_amd(cmd, cpu_id);
    }
}

/* Copy the instruction bytes trailing the command into L2 VM cmd->vm_id's code page
 * (at most one page) and reset the VM's RIP/RSP to the code page and the top of its
 * stack page, so the next vmlaunch/vmresume/vmrun starts executing them.
 * The payload length is derived from the command header: size minus the header minus
 * the 8-byte vm_id field.
 * NOTE(review): that subtraction is unsigned, so a header.size smaller than the fixed
 * part wraps to a huge value, the clamp then turns it into a full KVM_PAGE_SIZE copy
 * from cmd->insns, i.e. from well past the actual command; a lower-bound check on
 * header.size would close this unless the host-side generator already guarantees it. */
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->vm_id;
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t);
    if (l2_code_size > KVM_PAGE_SIZE)
        l2_code_size = KVM_PAGE_SIZE;
    guest_memcpy((void*)l2_code_addr, (void*)cmd->insns, l2_code_size);
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_vmptrld(cpu_id, vm_id);
        vmwrite(VMCS_GUEST_RIP, l2_code_addr);
        vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    } else {
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, l2_code_addr);
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    }
}

/* Enter L2 VM vm_id on Intel: make its VMCS current, then vmlaunch (first entry) or
 * vmresume. The asm folds CF and ZF into fail_flag (VMfailInvalid / VMfailValid).
 * On success control does not return here directly: the CPU runs L2 until an exit,
 * the exit stub handles it and jumps to after_vmentry_label, after which fail_flag
 * is tested and the function returns to the dispatcher. On failure the VM-instruction
 * error is reported as 0xE2E10000 | error.
 * The function is __optnone so its locals stay in a real stack frame across the
 * asm-level jump. NOTE(review): the path back from an exit arrives with registers as
 * L2 left them, and the fail_flag test relies on the asm result having been stored to
 * its stack slot before the label — TODO confirm this holds for the compiler in use.
 * NOTE: the raw-string asm bodies appear here with their line breaks collapsed into
 * spaces (presumably a rendering artifact of this listing). */
GUEST_CODE static noinline __optnone void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch)
{
    uint64_t vmx_error_code = 0;
    uint8_t fail_flag = 0;
    nested_vmptrld(cpu_id, vm_id);
    if (is_launch) {
        asm volatile(R"( vmlaunch setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory");
    } else {
        asm volatile(R"( vmresume setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory");
    }
    asm volatile(".globl after_vmentry_label\nafter_vmentry_label:");
    if (fail_flag) {
        vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
        guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
        return;
    }
}

/* Run L2 VM vm_id on AMD: rax = VMCB address, vmrun. CF set means the instruction
 * itself failed (reported as 0xE2E1FFFF). Otherwise execution resumes at the next
 * instruction after #VMEXIT and the exit code read from the VMCB is dispatched to
 * nested_vm_exit_handler_amd. Both the vmlaunch and the vmresume API calls map to
 * this on AMD. Declaration continues on the next line. */
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    volatile uint8_t* vmcb_ptr = (volatile uint8_t*)vmcb_addr;
    uint8_t fail_flag = 0;
    asm volatile( "mov %1, %%rax\n\t" "vmrun\n\t" "setc %0\n\t" : "=q"(fail_flag) : "m"(vmcb_addr) : "rax", "cc", "memory");
    if (fail_flag) {
        guest_uexit(0xE2E10000 | 0xFFFF);
        return;
    }
    uint64_t exit_reason = vmcb_read64(vmcb_ptr, VMCB_EXIT_CODE);
    nested_vm_exit_handler_amd(exit_reason, cpu_id, vm_id);
}

/* API entry: first entry into L2 VM cmd->arg (vmlaunch on Intel, vmrun on AMD). */
GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, true);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

/* API entry: re-enter L2 VM cmd->arg (vmresume on Intel, vmrun on AMD). */
GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, false);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

/* Read-modify-write of an arbitrary VMCS field of VM args[0] (Intel only):
 * new = ((old & ~args[3]) | args[2]) ^ args[4], field encoding args[1]. The encoding
 * is fuzzer-chosen and unchecked; vmwrite raises UEXIT_ASSERT on a bad one, while
 * vmread silently yields garbage for it. */
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_INTEL)
        return;
    uint64_t vm_id = cmd->args[0];
    nested_vmptrld(cpu_id, vm_id);
    uint64_t field = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmread(field);
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
    vmwrite(field, new_value);
}

/* AMD counterpart of guest_handle_nested_intel_vmwrite_mask, operating on the 64-bit
 * VMCB word at byte offset args[1]. The offset is truncated to 16 bits by the
 * vmcb_read64/vmcb_write64 parameters and is not bounded to the VMCB page, so a
 * large offset reaches the page after the VMCB. Continues on the next line. */
GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t offset = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset);
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
vmcb_write64(vmcb_addr, offset, new_value);
}

/* invlpga with rax = linear address args[0] and ecx = ASID args[1] (AMD only);
 * both operands are fuzzer-chosen. */
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t linear_addr = cmd->args[0];
    uint32_t asid = (uint32_t)cmd->args[1];
    asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

/* stgi / clgi (AMD only). The empty parentheses make these non-prototype
 * declarations; `(void)` would be the prototype form. */
GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    asm volatile("stgi" ::: "memory");
}

GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    asm volatile("clgi" ::: "memory");
}

/* Assemble an event-injection word for VM args[0] (AMD only): vector in bits 7:0
 * (args[1]), type in bits 10:8 (args[2]), EV bit 11 from args[4] & 2, V bit 31 from
 * args[4] & 1, 32-bit error code (args[3]) in bits 63:32 — the EVENTINJ layout.
 * NOTE(review): the word is stored at VMCB control-area offset 0x60. In the APM's
 * VMCB layout 0x60 is the virtual-interrupt control field (V_TPR/V_IRQ/...), whereas
 * EVENTINJ lives at 0xA8; if event injection is the intent, this write lands in the
 * wrong field and no event would be injected — confirm against the VMCB offsets this
 * file defines (none is used here; 0x60 is a bare constant). */
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t vector = cmd->args[1] & 0xFF;
    uint64_t type = cmd->args[2] & 0x7;
    uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
    uint64_t flags = cmd->args[4];
    uint64_t event_inj = vector;
    event_inj |= (type << 8);
    if (flags & 2)
        event_inj |= (1ULL << 11);
    if (flags & 1)
        event_inj |= (1ULL << 31);
    event_inj |= (error_code << 32);
    vmcb_write64(vmcb_addr, 0x60, event_inj);
}

/* Set (args[3] == 1) or clear (any other value) the bits of args[2] in the 32-bit
 * VMCB word at byte offset args[1] of VM args[0] (AMD only). The offset is truncated
 * to 16 bits and not bounded to the VMCB page. */
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t offset = cmd->args[1];
    uint64_t bit_mask = cmd->args[2];
    uint64_t action = cmd->args[3];
    uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset);
    if (action == 1)
        current |= (uint32_t)bit_mask;
    else
        current &= ~((uint32_t)bit_mask);
    vmcb_write32(vmcb_addr, (uint16_t)offset, current);
}

/* vmload for VM cmd->arg (AMD only); the body continues on the next line. */
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id =
cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = 
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed));

// 64-bit TSS image: rsp[0..2] are the CPL0..2 stack pointers (rsp[0] starts at
// byte offset 4, which setup_gdt_ldt_pg() relies on), ist[] the interrupt stacks.
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint16_t reserved3;
	uint16_t io_bitmap;
} __attribute__((packed));

// Encodes `seg` as an 8-byte x86 descriptor and writes it to both the GDT (`dt`)
// and the LDT (`lt`) at slot seg->selector >> 3. With the granularity bit set
// the limit is stored in 4K units. Callers also reuse this for gate descriptors,
// where `limit` carries the offset and `base` the target selector.
// NOTE(review): `(limit & 0xf0000ULL) << 48` and `(seg->base & 0xff000000ULL) << 56`
// shift bits 16..19 / 24..31 past bit 63, so both terms are always 0 and
// descriptor limit[19:16] and base[31:24] are never set (the layout would need
// `<< 32` for each). Left unchanged: fixing it would alter the guest state this
// reproducer builds.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 |
		      (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 |
		      (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 |
		      (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 |
		      (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 |
		      (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
	dt[index] = sd;
	lt[index] = sd;
}

// Same as fill_segment_descriptor() but also zeroes the following 8-byte slot;
// used for the 16-byte descriptors of 64-bit mode (TSS64, 64-bit call gate and
// the 64-bit IDT entries in setup_64bit_idt()).
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

// Programs the SYSENTER and SYSCALL MSRs of `cpufd`: sysenter enters at
// X86_ADDR_VAR_SYSEXIT on X86_ADDR_STACK0, syscall at X86_ADDR_VAR_SYSRET;
// STAR gets the CPL0 selector in bits 47:32 and the CPL3 one in bits 63:48.
// The ioctl result is not checked (best-effort setup).
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	// kvm_msrs ends in a flexible entries[] array, hence the raw byte buffer.
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = X86_MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
	entries[1].data = X86_ADDR_STACK0;
	entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
	entries[2].data = X86_ADDR_VAR_SYSEXIT;
	entries[3].index = X86_MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = X86_MSR_IA32_LSTAR;
	entries[4].data = X86_ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

// Fills a legacy IDT at X86_ADDR_VAR_IDT (limit 0x1ff = 64 8-byte entries, of
// which 32 are written) with gates cycling through six raw x86 descriptor type
// codes; every gate targets X86_ADDR_VAR_USER_CODE2. fill_segment_descriptor()
// is reused, so `limit` is the handler offset and `base` the target selector.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		// Only the fields fill_segment_descriptor() reads are initialized.
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = X86_SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = X86_SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = X86_SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = X86_SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = X86_SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = X86_SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}

// 64-bit counterpart: 32 16-byte entries (selector (i * 2) << 3 picks every
// other 8-byte slot), alternating between type 15 and 14 (trap / interrupt
// gate), all entering X86_ADDR_VAR_USER_CODE2 through X86_SEL_CS64.
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ? 14 : 15;
		gate.base = X86_SEL_CS64;
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

// Flags for the syzos guest memory map; setup_vm() interprets them.
#define MEM_REGION_FLAG_USER_CODE (1 << 0) // per-vCPU user code region (vm->user_text)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) // slot created with KVM_MEM_LOG_DIRTY_PAGES
#define MEM_REGION_FLAG_READONLY (1 << 2) // slot created with KVM_MEM_READONLY
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) // the guest executor image is copied here
#define MEM_REGION_FLAG_GPA0 (1 << 5) // region at guest physical 0 (vm->gpa0_mem)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) // no backing slot; presumably accesses exit to the host

// One guest-physical region: base address, size in pages, MEM_REGION_FLAG_* bits.
struct mem_region {
	uint64_t gpa;
	int pages;
	uint32_t flags;
};

// syzos guest memory layout. Host backing is carved out in table order by
// setup_vm(), so the GPA0 region starts at vm->host_mem; the page tables map
// every entry here identity-style (setup_pg_table()).
static const struct mem_region syzos_mem_regions[] = {
	{X86_SYZOS_ADDR_ZERO, 48, MEM_REGION_FLAG_GPA0},
	{X86_SYZOS_ADDR_SMRAM, 10, 0},
	{X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM},
	{X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG},
	{X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE},
	{SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE},
	{X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0},
	{X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0},
	{X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0},
	{X86_SYZOS_ADDR_IOAPIC, 1, 0},
};

// Per-VM bookkeeping returned by syz_kvm_setup_syzos_vm(); it lives in the page
// just before host_mem, outside the memory handed to the guest.
struct kvm_syz_vm {
	int vmfd;
	int next_cpu_id;
	void* host_mem; // host address of the first guest page
	size_t total_pages;
	void* user_text; // host address of the USER_CODE region, one page per vCPU
	void* gpa0_mem; // host address of the region at guest physical 0
};

#define X86_NUM_IDT_ENTRIES 256

// Points all 256 IDT entries at dummy_null_handler: 64-bit interrupt gates
// (type_attr 0x8E = present, DPL0, interrupt gate) on X86_SYZOS_SEL_CODE, no IST.
static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs)
{
	sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT;
	sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1;
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)((uint64_t)vm->host_mem + sregs->idt.base);
	uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler);
	for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) {
		idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF);
		idt[i].selector = X86_SYZOS_SEL_CODE;
		idt[i].ist = 0;
		idt[i].type_attr = 0x8E;
		idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF);
		idt[i].offset_high =
(uint32_t)((handler_addr >> 32) & 0xFFFFFFFF);
		idt[i].reserved = 0;
	}
}

// One guest code blob as passed to syz_kvm_setup_cpu()/syz_kvm_add_vcpu():
// `typ` selects the CPU mode in syz_kvm_setup_cpu() (8, 16, 32, anything
// else = 64-bit), `text`/`size` the raw machine code.
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

// Optional tweak for syz_kvm_setup_cpu(): `typ % 9` selects the register or
// descriptor field that `val` is xored into or assigned to.
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

// Physical-address bits of a 4-level page-table entry.
#define PAGE_MASK GENMASK_ULL(51, 12)

// Bump allocator over the fixed page-table pool [next_page, last_page).
typedef struct {
	uint64_t next_page;
	uint64_t last_page;
} page_alloc_t;

// Returns the guest-physical address of the next free page-table page, or
// exits the process when the pool is exhausted.
static uint64_t pg_alloc(page_alloc_t* alloc)
{
	if (alloc->next_page >= alloc->last_page)
		exit(1);
	uint64_t page = alloc->next_page;
	alloc->next_page += KVM_PAGE_SIZE;
	return page;
}

// Identity-maps the 4K page at `gpa` in the 4-level table rooted at
// X86_SYZOS_ADDR_PML4, allocating intermediate tables from `alloc` on demand.
// `host_mem` is the host address of guest physical 0, and every table is
// reached as host_mem + gpa, so the PML4 and the whole table pool must lie in
// the GPA0 region. All entries are present + writable, supervisor-only, no NX.
static void map_4k_page(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa)
{
	uint64_t* pml4 = (uint64_t*)(host_mem + X86_SYZOS_ADDR_PML4);
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (pml4[pml4_idx] == 0)
		pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pdpt = (uint64_t*)(host_mem + (pml4[pml4_idx] & PAGE_MASK));
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (pdpt[pdpt_idx] == 0)
		pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pd = (uint64_t*)(host_mem + (pdpt[pdpt_idx] & PAGE_MASK));
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (pd[pd_idx] == 0)
		pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pt = (uint64_t*)(host_mem + (pd[pd_idx] & PAGE_MASK));
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW;
}

// Maps `num_pages` consecutive pages from `gpa_start`; returns the count so the
// caller can keep a running total of mapped pages.
static int map_4k_region(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa_start, int num_pages)
{
	for (int i = 0; i < num_pages; i++)
		map_4k_page(host_mem, alloc, gpa_start + (i * KVM_PAGE_SIZE));
	return num_pages;
}

// Builds the guest page tables: zeroes the 32-page table pool, identity-maps
// every region in syzos_mem_regions (including the NO_HOST_MEM one, which has
// no memory slot behind it), then maps the remaining pages at
// X86_SYZOS_ADDR_UNUSED.
// NOTE(review): `total` is an int holding a size_t page count; if the table
// regions exceed vm->total_pages it goes negative and the last map is a no-op.
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	int total = vm->total_pages;
	uint64_t host_mem = (uint64_t)vm->gpa0_mem;
	page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + 32 * KVM_PAGE_SIZE};
	for (uint64_t i = 0; i < (alloc.last_page - alloc.next_page); i += KVM_PAGE_SIZE)
		memset((void*)(host_mem + alloc.next_page + i), 0, KVM_PAGE_SIZE);
	for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++)
		total -= map_4k_region(host_mem, &alloc, syzos_mem_regions[i].gpa, syzos_mem_regions[i].pages);
	map_4k_region(host_mem, &alloc, X86_SYZOS_ADDR_UNUSED, total);
}

// Raw 8-byte GDT descriptor, field by field.
struct gdt_entry {
	uint16_t limit_low;
	uint16_t base_low;
	uint8_t base_mid;
	uint8_t access;
	uint8_t limit_high_and_flags;
	uint8_t base_high;
} __attribute__((packed));

// Minimal long-mode GDT: null, 64-bit code (access 0x9A = present, DPL0,
// execute/read; flags nibble 0xA = G=1, L=1), data (access 0x92 = present,
// DPL0, read/write; flags 0xC = G=1, D/B=1) and an available 64-bit TSS
// (access 0x89, limit 0x67).
// NOTE(review): the data descriptor's base is X86_SYZOS_ADDR_VAR_TSS while the
// TSS descriptor's base is 0, yet setup_gdt_ldt_pg() loads TR with base
// X86_SYZOS_ADDR_VAR_TSS; a 64-bit TSS descriptor is also 16 bytes and only
// the low 8 are written. Harmless as long as the guest never reloads these
// selectors from the table — confirm.
static void setup_gdt_64(struct gdt_entry* gdt)
{
	gdt[0] = (struct gdt_entry){0};
	gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF,
	    .base_low = 0,
	    .base_mid = 0,
	    .access = 0x9A,
	    .limit_high_and_flags = 0xAF,
	    .base_high = 0};
	gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){
	    .limit_low = 0xFFFF,
	    .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF),
	    .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF),
	    .access = 0x92,
	    .limit_high_and_flags = 0xCF,
	    .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)};
	gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){
	    .limit_low = 0x67,
	    .base_low = 0,
	    .base_mid = 0,
	    .access = 0x89,
	    .limit_high_and_flags = 0x00,
	    .base_high = 0};
}

// Puts `cpufd` straight into 64-bit long mode with paging: GDT at
// X86_SYZOS_ADDR_GDT, flat CS/DS (type 11 code, type 3 data), TR on a TSS whose
// RSP0 is X86_SYZOS_ADDR_STACK0, the IDT from syzos_setup_idt() and the identity
// page tables from setup_pg_table().
// NOTE(review): the KVM_GET_SREGS result is not checked, so on failure `sregs`
// is used uninitialized. The tables are built at X86_SYZOS_ADDR_PML4 but CR3 is
// loaded with X86_ADDR_PML4 — the two must denote the same address; confirm.
static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd)
{
	struct kvm_sregs sregs;
	ioctl(cpufd, KVM_GET_SREGS, &sregs);
	sregs.gdt.base = X86_SYZOS_ADDR_GDT;
	sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1;
	struct gdt_entry* gdt = (struct gdt_entry*)((uint64_t)vm->host_mem + sregs.gdt.base);
	struct kvm_segment seg_cs64;
	memset(&seg_cs64, 0, sizeof(seg_cs64));
	seg_cs64.selector = X86_SYZOS_SEL_CODE;
	seg_cs64.type = 11;
	seg_cs64.base = 0;
	seg_cs64.limit = 0xFFFFFFFFu;
	seg_cs64.present = 1;
	seg_cs64.s = 1;
	seg_cs64.g = 1;
	seg_cs64.l = 1;
	sregs.cs = seg_cs64;
	struct kvm_segment seg_ds64;
	memset(&seg_ds64, 0, sizeof(struct kvm_segment));
	seg_ds64.selector = X86_SYZOS_SEL_DATA;
	seg_ds64.type = 3;
	seg_ds64.limit = 0xFFFFFFFFu;
	seg_ds64.present = 1;
	seg_ds64.s = 1;
	seg_ds64.g = 1;
	seg_ds64.db = 1;
	sregs.ds = seg_ds64;
	sregs.es = seg_ds64;
	sregs.fs = seg_ds64;
	sregs.gs = seg_ds64;
	sregs.ss = seg_ds64;
	struct kvm_segment seg_tr;
	memset(&seg_tr, 0, sizeof(seg_tr));
	seg_tr.selector = X86_SYZOS_SEL_TSS64;
	seg_tr.type = 11;
	seg_tr.base = X86_SYZOS_ADDR_VAR_TSS;
	seg_tr.limit = 0x67;
	seg_tr.present = 1;
	seg_tr.s = 0;
	sregs.tr = seg_tr;
	// 104 bytes = sizeof(struct tss64); offset 4 is rsp[0] (the CPL0 stack).
	volatile uint8_t* l1_tss = (volatile uint8_t*)((uint64_t)vm->host_mem + X86_SYZOS_ADDR_VAR_TSS);
	memset((void*)l1_tss, 0, 104);
	*(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0;
	setup_gdt_64(gdt);
	syzos_setup_idt(vm, &sregs);
	setup_pg_table(vm);
	sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG;
	sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR;
	sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE);
	sregs.cr3 = X86_ADDR_PML4;
	ioctl(cpufd, KVM_SET_SREGS, &sregs);
}

// Copies the host-supported CPUID leaves (up to 128) into the vCPU.
// NOTE(review): neither open() nor the ioctls are checked; if /dev/kvm cannot
// be opened the vCPU is handed 128 all-zero entries.
static void setup_cpuid(int cpufd)
{
	int kvmfd = open("/dev/kvm", O_RDWR);
	char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	memset(buf, 0, sizeof(buf));
	struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
	cpuid->nent = 128;
	ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
	ioctl(cpufd, KVM_SET_CPUID2, cpuid);
	close(kvmfd);
}

// Flag bits of syz_kvm_setup_cpu()'s `flags` argument (KVM_SETUP_PAE is
// declared but not consulted below).
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

// Legacy (non-syzos) vCPU setup behind the syz_kvm_setup_cpu pseudo-syscall.
// a0: vmfd, a1: cpufd, a2: host mapping of guest memory, a3/a4: kvm_text array
// and count (only element 0 is used; the count is ignored), a5: KVM_SETUP_*
// flags, a6/a7: kvm_opt array and count (capped at 2).
// Maps 24 pages of guest memory at GPA 0, builds GDT/LDT/IDT/TSS images and
// page tables for the mode selected by text[0].typ (8, 16, 32, otherwise 64),
// places the code behind a mode-entry prefix blob and loads the registers.
// Returns 0, or -1 if KVM_GET_SREGS, KVM_SET_SREGS or KVM_SET_REGS fails.
// NOTE(review): text_array_ptr[0] is read without checking text_count.
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	const int vmfd = a0;
	const int cpufd = a1;
	char* const host_mem = (char*)a2;
	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
	const uintptr_t text_count = a4;
	const uintptr_t flags = a5;
	const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
	uintptr_t opt_count = a7;
	const uintptr_t page_size = 4 << 10;
	const uintptr_t ioapic_page = 10;
	const uintptr_t guest_mem_size = 24 * page_size;
	const uintptr_t guest_mem = 0;
	(void)text_count;
	int text_type = text_array_ptr[0].typ;
	const void* text =
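text_array_ptr[0].text;
	uintptr_t text_size = text_array_ptr[0].size;
	// One memory slot per guest page; slot `ioapic_page` is placed at the
	// IOAPIC MMIO address instead of its identity position.
	for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
		struct kvm_userspace_memory_region memreg;
		memreg.slot = i;
		memreg.flags = 0;
		memreg.guest_phys_addr = guest_mem + i * page_size;
		if (i == ioapic_page)
			memreg.guest_phys_addr = 0xfec00000;
		memreg.memory_size = page_size;
		memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
		ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	}
	// 64K alias of host_mem at 0x30000 in address space 1 (high 16 bits of
	// the slot id), which x86 KVM uses for SMM; the SMM entry point is
	// SMBASE + 0x8000, i.e. host_mem + 0x8000 in the SMM branches below.
	struct kvm_userspace_memory_region memreg;
	memreg.slot = 1 + (1 << 16);
	memreg.flags = 0;
	memreg.guest_phys_addr = 0x30000;
	memreg.memory_size = 64 << 10;
	memreg.userspace_addr = (uintptr_t)host_mem;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	struct kvm_sregs sregs;
	if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
		return -1;
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	regs.rip = guest_mem + X86_ADDR_TEXT;
	regs.rsp = X86_ADDR_STACK0;
	// 256-entry GDT; the LDT below mirrors it entry for entry.
	sregs.gdt.base = guest_mem + X86_ADDR_GDT;
	sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
	uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);
	struct kvm_segment seg_ldt;
	memset(&seg_ldt, 0, sizeof(seg_ldt));
	seg_ldt.selector = X86_SEL_LDT;
	seg_ldt.type = 2;
	seg_ldt.base = guest_mem + X86_ADDR_LDT;
	seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
	seg_ldt.present = 1;
	seg_ldt.dpl = 0;
	seg_ldt.s = 0;
	seg_ldt.g = 0;
	seg_ldt.db = 1;
	seg_ldt.l = 0;
	sregs.ldt = seg_ldt;
	uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);
	// Code/data segment templates: a flat 16-bit code segment (type 11 =
	// execute/read), then copies that differ only in selector, default
	// size (db), long bit (l), type (3 = data read/write) or privilege
	// level (dpl 3 for the *_cpl3 variants).
	struct kvm_segment seg_cs16;
	memset(&seg_cs16, 0, sizeof(seg_cs16));
	seg_cs16.selector = X86_SEL_CS16;
	seg_cs16.type = 11;
	seg_cs16.base = 0;
	seg_cs16.limit = 0xfffff;
	seg_cs16.present = 1;
	seg_cs16.dpl = 0;
	seg_cs16.s = 1;
	seg_cs16.g = 0;
	seg_cs16.db = 0;
	seg_cs16.l = 0;
	struct kvm_segment seg_ds16 = seg_cs16;
	seg_ds16.selector = X86_SEL_DS16;
	seg_ds16.type = 3;
	struct kvm_segment seg_cs16_cpl3 = seg_cs16;
	seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3;
	seg_cs16_cpl3.dpl = 3;
	struct kvm_segment seg_ds16_cpl3 = seg_ds16;
	seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3;
	seg_ds16_cpl3.dpl = 3;
	struct kvm_segment seg_cs32 = seg_cs16;
	seg_cs32.selector = X86_SEL_CS32;
	seg_cs32.db = 1;
	struct kvm_segment seg_ds32 = seg_ds16;
	seg_ds32.selector = X86_SEL_DS32;
	seg_ds32.db = 1;
	struct kvm_segment seg_cs32_cpl3 = seg_cs32;
	seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3;
	seg_cs32_cpl3.dpl = 3;
	struct kvm_segment seg_ds32_cpl3 = seg_ds32;
	seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3;
	seg_ds32_cpl3.dpl = 3;
	struct kvm_segment seg_cs64 = seg_cs16;
	seg_cs64.selector = X86_SEL_CS64;
	seg_cs64.l = 1;
	struct kvm_segment seg_ds64 = seg_ds32;
	seg_ds64.selector = X86_SEL_DS64;
	struct kvm_segment seg_cs64_cpl3 = seg_cs64;
	seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3;
	seg_cs64_cpl3.dpl = 3;
	struct kvm_segment seg_ds64_cpl3 = seg_ds64;
	seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3;
	seg_ds64_cpl3.dpl = 3;
	// TSS descriptors (type 9 = available 32-bit TSS, 1 = available 16-bit
	// TSS); each variant points at its own TSS image, filled in further down.
	struct kvm_segment seg_tss32;
	memset(&seg_tss32, 0, sizeof(seg_tss32));
	seg_tss32.selector = X86_SEL_TSS32;
	seg_tss32.type = 9;
	seg_tss32.base = X86_ADDR_VAR_TSS32;
	seg_tss32.limit = 0x1ff;
	seg_tss32.present = 1;
	seg_tss32.dpl = 0;
	seg_tss32.s = 0;
	seg_tss32.g = 0;
	seg_tss32.db = 0;
	seg_tss32.l = 0;
	struct kvm_segment seg_tss32_2 = seg_tss32;
	seg_tss32_2.selector = X86_SEL_TSS32_2;
	seg_tss32_2.base = X86_ADDR_VAR_TSS32_2;
	struct kvm_segment seg_tss32_cpl3 = seg_tss32;
	seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3;
	seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3;
	struct kvm_segment seg_tss32_vm86 = seg_tss32;
	seg_tss32_vm86.selector = X86_SEL_TSS32_VM86;
	seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86;
	struct kvm_segment seg_tss16 = seg_tss32;
	seg_tss16.selector = X86_SEL_TSS16;
	seg_tss16.base = X86_ADDR_VAR_TSS16;
	seg_tss16.limit = 0xff;
	seg_tss16.type = 1;
	struct kvm_segment seg_tss16_2 = seg_tss16;
	seg_tss16_2.selector = X86_SEL_TSS16_2;
	seg_tss16_2.base = X86_ADDR_VAR_TSS16_2;
	seg_tss16_2.dpl = 0;
	struct kvm_segment seg_tss16_cpl3 = seg_tss16;
	seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3;
	seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3;
	seg_tss16_cpl3.dpl = 3;
	struct kvm_segment seg_tss64 = seg_tss32;
	seg_tss64.selector = X86_SEL_TSS64;
	seg_tss64.base = X86_ADDR_VAR_TSS64;
	seg_tss64.limit = 0x1ff;
	struct kvm_segment seg_tss64_cpl3 = seg_tss64;
	seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3;
	seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3;
	seg_tss64_cpl3.dpl = 3;
	// Call gates (type 4 / 12) and the `tgate` variants (type codes 3 / 11).
	// Through fill_segment_descriptor() the `limit` field becomes the gate
	// offset and `base` the target selector; the `2 << 16` lands in the
	// call gate's parameter-count field.
	struct kvm_segment seg_cgate16;
	memset(&seg_cgate16, 0, sizeof(seg_cgate16));
	seg_cgate16.selector = X86_SEL_CGATE16;
	seg_cgate16.type = 4;
	seg_cgate16.base = X86_SEL_CS16 | (2 << 16);
	seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2;
	seg_cgate16.present = 1;
	seg_cgate16.dpl = 0;
	seg_cgate16.s = 0;
	seg_cgate16.g = 0;
	seg_cgate16.db = 0;
	seg_cgate16.l = 0;
	seg_cgate16.avl = 0;
	struct kvm_segment seg_tgate16 = seg_cgate16;
	seg_tgate16.selector = X86_SEL_TGATE16;
	seg_tgate16.type = 3;
	// NOTE(review): this assigns seg_cgate16.base after seg_tgate16 was
	// copied from it, so the 16-bit task gate keeps the CS16 target and the
	// 16-bit call gate ends up pointing at the TSS selector; `seg_tgate16`
	// looks intended. Kept as is so the guest state this reproducer builds
	// is unchanged (seg_cgate32/64 overwrite their base and are unaffected).
	seg_cgate16.base = X86_SEL_TSS16_2;
	seg_tgate16.limit = 0;
	struct kvm_segment seg_cgate32 = seg_cgate16;
	seg_cgate32.selector = X86_SEL_CGATE32;
	seg_cgate32.type = 12;
	seg_cgate32.base = X86_SEL_CS32 | (2 << 16);
	struct kvm_segment seg_tgate32 = seg_cgate32;
	seg_tgate32.selector = X86_SEL_TGATE32;
	seg_tgate32.type = 11;
	seg_tgate32.base = X86_SEL_TSS32_2;
	seg_tgate32.limit = 0;
	struct kvm_segment seg_cgate64 = seg_cgate16;
	seg_cgate64.selector = X86_SEL_CGATE64;
	seg_cgate64.type = 12;
	seg_cgate64.base = X86_SEL_CS64;
	// Hand the host-supported CPUID leaves to the vCPU (replaces an inline
	// copy of exactly this routine).
	setup_cpuid(cpufd);
	// Mode-specific entry prefix (one of the kvm_asm* blobs) that runs
	// before the user text; `host_text` is where the code image is placed.
	const char* text_prefix = 0;
	int text_prefix_size = 0;
	char* host_text = host_mem + X86_ADDR_TEXT;
	if (text_type == 8) {
		// Real mode, optionally entered through SMM or vm86.
		if (flags & KVM_SETUP_SMM) {
			if (flags & KVM_SETUP_PROTECTED) {
				sregs.cs = seg_cs16;
				sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
				sregs.cr0 |= X86_CR0_PE;
			} else {
				sregs.cs.selector = 0;
				sregs.cs.base = 0;
			}
			// A lone hlt at the normal entry; the code goes to the SMM
			// entry point (SMBASE + 0x8000) and an SMI is made pending.
			*(host_mem + X86_ADDR_TEXT) = 0xf4;
			host_text = host_mem + 0x8000;
			ioctl(cpufd, KVM_SMI, 0);
		} else if (flags & KVM_SETUP_VIRT86) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			sregs.cr0 |= X86_CR0_PE;
			sregs.efer |= X86_EFER_SCE;
			setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3);
			setup_32bit_idt(&sregs, host_mem, guest_mem);
			if (flags & KVM_SETUP_PAGING) {
				// Single 4M page-directory entry covering GPA 0.
				uint64_t pd_addr = guest_mem + X86_ADDR_PD;
				uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
				pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
				sregs.cr3 = pd_addr;
				sregs.cr4 |= X86_CR4_PSE;
				text_prefix = kvm_asm32_paged_vm86;
				text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1;
			} else {
				text_prefix = kvm_asm32_vm86;
				text_prefix_size = sizeof(kvm_asm32_vm86) - 1;
			}
		} else {
			sregs.cs.selector = 0;
			sregs.cs.base = 0;
		}
	} else if (text_type == 16) {
		if (flags & KVM_SETUP_CPL3) {
			sregs.cs = seg_cs16;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
			text_prefix = kvm_asm16_cpl3;
			text_prefix_size = sizeof(kvm_asm16_cpl3) - 1;
		} else {
			sregs.cr0 |= X86_CR0_PE;
			sregs.cs = seg_cs16;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
		}
	} else if (text_type == 32) {
		sregs.cr0 |= X86_CR0_PE;
		sregs.efer |= X86_EFER_SCE;
		setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3);
		setup_32bit_idt(&sregs, host_mem, guest_mem);
		if (flags & KVM_SETUP_SMM) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			*(host_mem + X86_ADDR_TEXT) = 0xf4;
			host_text = host_mem + 0x8000;
			ioctl(cpufd, KVM_SMI, 0);
		} else if (flags & KVM_SETUP_PAGING) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			uint64_t pd_addr = guest_mem + X86_ADDR_PD;
			uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
			pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
			sregs.cr3 = pd_addr;
			sregs.cr4 |= X86_CR4_PSE;
			text_prefix = kvm_asm32_paged;
			text_prefix_size = sizeof(kvm_asm32_paged) - 1;
		} else if (flags & KVM_SETUP_CPL3) {
			sregs.cs = seg_cs32_cpl3;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3;
		} else {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
		}
	} else {
		// 64-bit: start in 32-bit protected mode with EFER.LME set and
		// 4-level tables (one 2M page at GPA 0); the prefix blob then
		// enables long mode, drops to CPL3 or enters VMX.
		sregs.efer |= X86_EFER_LME | X86_EFER_SCE;
		sregs.cr0 |= X86_CR0_PE;
		setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3);
		setup_64bit_idt(&sregs, host_mem, guest_mem);
		sregs.cs = seg_cs32;
		sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
		uint64_t pml4_addr = guest_mem + X86_ADDR_PML4;
		uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4);
		uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP;
		uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP);
		uint64_t pd_addr = guest_mem + X86_ADDR_PD;
		uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
		pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr;
		pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr;
		pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS;
		sregs.cr3 = pml4_addr;
		sregs.cr4 |= X86_CR4_PAE;
		if (flags & KVM_SETUP_VM) {
			// VMXON/VMCS region pointers and the VM-exit handler stub
			// that the kvm_asm64_init_vm prefix expects in guest memory.
			sregs.cr0 |= X86_CR0_NE;
			*((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON;
			*((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS;
			memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1);
			*((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE;
			text_prefix = kvm_asm64_init_vm;
			text_prefix_size = sizeof(kvm_asm64_init_vm) - 1;
		} else if (flags & KVM_SETUP_CPL3) {
			text_prefix = kvm_asm64_cpl3;
			text_prefix_size = sizeof(kvm_asm64_cpl3) - 1;
		} else {
			text_prefix = kvm_asm64_enable_long;
			text_prefix_size = sizeof(kvm_asm64_enable_long) - 1;
		}
	}
	// TSS images. The 16/32-bit ones carry cs/ds selectors and an entry ip
	// in the user code so that a task switch lands there; flags bit 1 is the
	// always-one bit and bit 17 (set only in the vm86 image) is VM.
	struct tss16 tss16;
	memset(&tss16, 0, sizeof(tss16));
	tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
	tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
	tss16.ip = X86_ADDR_VAR_USER_CODE2;
	tss16.flags = (1 << 1);
	tss16.cs = X86_SEL_CS16;
	tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16;
	tss16.ldt = X86_SEL_LDT;
	struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base);
	memcpy(tss16_addr, &tss16, sizeof(tss16));
	memset(&tss16, 0, sizeof(tss16));
	tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
	tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
	tss16.ip = X86_ADDR_VAR_USER_CODE2;
	tss16.flags = (1 << 1);
	tss16.cs = X86_SEL_CS16_CPL3;
	tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3;
	tss16.ldt = X86_SEL_LDT;
	struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base);
	memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16));
	struct tss32 tss32;
	memset(&tss32, 0, sizeof(tss32));
	tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
	tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
	tss32.ip = X86_ADDR_VAR_USER_CODE;
	tss32.flags = (1 << 1) | (1 << 17);
	tss32.ldt = X86_SEL_LDT;
	tss32.cr3 = sregs.cr3;
	tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
	struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base);
	memcpy(tss32_addr, &tss32, sizeof(tss32));
	memset(&tss32, 0, sizeof(tss32));
	tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
	tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
	tss32.ip = X86_ADDR_VAR_USER_CODE;
	tss32.flags = (1 << 1);
	tss32.cr3 = sregs.cr3;
	tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32;
	tss32.cs = X86_SEL_CS32;
	tss32.ldt = X86_SEL_LDT;
	tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
	struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base);
	memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32));
	struct tss64 tss64;
	memset(&tss64, 0, sizeof(tss64));
	tss64.rsp[0] = X86_ADDR_STACK0;
	tss64.rsp[1] = X86_ADDR_STACK0;
	tss64.rsp[2] = X86_ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base);
	memcpy(tss64_addr, &tss64, sizeof(tss64));
	memset(&tss64, 0, sizeof(tss64));
	tss64.rsp[0] = X86_ADDR_STACK0;
	tss64.rsp[1] = X86_ADDR_STACK0;
	tss64.rsp[2] = X86_ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base);
	memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64));
	// Bound the user text, then patch the prefix blob: the 0x0badc0de
	// marker becomes the absolute address just past the instruction that
	// holds it (+6 from the marker), the X86_PREFIX_SIZE marker the address
	// where the user text starts.
	if (text_size > 1000)
		text_size = 1000;
	if (text_prefix) {
		memcpy(host_text, text_prefix, text_prefix_size);
		void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4);
		if (patch)
			*((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6;
		uint16_t magic = X86_PREFIX_SIZE;
		patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic));
		if (patch)
			*((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size;
	}
	// User text after the prefix, terminated by hlt (0xf4).
	memcpy((void*)(host_text + text_prefix_size), text, text_size);
	*(host_text + text_prefix_size + text_size) = 0xf4;
	// Second copy at X86_ADDR_VAR_USER_CODE (the 32-bit TSS images' entry
	// ip), plus the hlt / sysret / sysexit stubs and zeroed VMWRITE slots.
	memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size);
	*(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4;
	*(host_mem + X86_ADDR_VAR_HLT) = 0xf4;
	memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3);
	memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3);
	*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0;
	*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0;
	// Optional tweaks (at most two): xor masked bits into CR0/CR4/EFER/
	// RFLAGS, override segment types, or set the VMWRITE field/value pair.
	if (opt_count > 2)
		opt_count = 2;
	for (uintptr_t i = 0; i < opt_count; i++) {
		uint64_t typ = opt_array_ptr[i].typ;
		uint64_t val = opt_array_ptr[i].val;
		switch (typ % 9) {
		case 0:
			sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD);
			break;
		case 1:
			sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE);
			break;
		case 2:
			sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE);
			break;
		case 3:
			// Flag bits 8..10, 12..15 and 18..21 only; the 16-bit TSS
			// images keep just the low half of the mask.
			val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21));
			regs.rflags ^= val;
			tss16_addr->flags ^= val;
			tss16_cpl3_addr->flags ^= val;
			tss32_addr->flags ^= val;
			tss32_cpl3_addr->flags ^= val;
			break;
		case 4:
			seg_cs16.type = val & 0xf;
			seg_cs32.type = val & 0xf;
			seg_cs64.type = val & 0xf;
			break;
		case 5:
			seg_cs16_cpl3.type = val & 0xf;
			seg_cs32_cpl3.type = val & 0xf;
			seg_cs64_cpl3.type = val & 0xf;
			break;
		case 6:
			seg_ds16.type = val & 0xf;
			seg_ds32.type = val & 0xf;
			seg_ds64.type = val & 0xf;
			break;
		case 7:
			seg_ds16_cpl3.type = val & 0xf;
			seg_ds32_cpl3.type = val & 0xf;
			seg_ds64_cpl3.type = val & 0xf;
			break;
		case 8:
			*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff);
			*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16);
			break;
		default:
			exit(1); // unreachable: typ % 9 is always 0..8
		}
	}
	regs.rflags |= 2; // reserved always-one bit
	// Commit every descriptor to the GDT and its LDT mirror, after the
	// options above had their chance to change segment types.
	fill_segment_descriptor(gdt, ldt, &seg_ldt);
	fill_segment_descriptor(gdt, ldt, &seg_cs16);
	fill_segment_descriptor(gdt, ldt, &seg_ds16);
	fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cs32);
	fill_segment_descriptor(gdt, ldt, &seg_ds32);
	fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cs64);
	fill_segment_descriptor(gdt, ldt, &seg_ds64);
	fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
	fill_segment_descriptor(gdt, ldt, &seg_tss16);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cgate16);
	fill_segment_descriptor(gdt, ldt,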
&seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = executor_fn_guest_addr(guest_main); regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = text_size; regs.rsi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd); setup_cpuid(cpufd); reset_cpu_regs(cpufd, cpu_id, text_size); } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); 
memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; struct addr_size next = alloc_guest_mem(&allocator, r->pages * KVM_PAGE_SIZE); uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); } struct addr_size next = alloc_guest_mem(&allocator, allocator.size); vm_set_user_memory_region(vmfd, slot++, 0, X86_SYZOS_ADDR_UNUSED, next.size, (uintptr_t)next.addr); } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, 
text_size);
	return cpufd;
}

static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();

/*
 * Build the private filesystem view the test process runs in: a fresh
 * tmpfs at ./syz-tmp holding a newroot/ tree that bind-mounts the host's
 * /dev, /proc (a new proc instance), /sys and a few optional filesystems,
 * then pivot_root (or chroot, if pivot is refused) into it.
 *
 * The required steps (mkdir/mount of dev, proc, sys, pivot/chroot) call
 * exit(1) on failure. The optional mounts (selinux, debugfs, smackfs,
 * binfmt_misc, /syz-inputs) tolerate ENOENT only. Raising mount-max is
 * best-effort. /syz-inputs is exposed read-only.
 */
static void sandbox_common_mount_tmpfs(void)
{
	write_file("/proc/sys/fs/mount-max", "100000");
	if (mkdir("./syz-tmp", 0777))
		exit(1);
	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot", 0777))
		exit(1);
	if (mkdir("./syz-tmp/newroot/dev", 0700))
		exit(1);
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/proc", 0700))
		exit(1);
	if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/selinux", 0700))
		exit(1);
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	/* Both the legacy (/selinux) and the current (/sys/fs/selinux) location are tried; absence is fine. */
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			exit(1);
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			exit(1);
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		exit(1);
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		exit(1);
	if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
		exit(1);
	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/pivot", 0777))
		exit(1);
	/* If pivot_root is refused, fall back to a plain chdir into the tmpfs; chroot below still applies. */
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		if (chdir("./syz-tmp"))
			exit(1);
	} else {
		if (chdir("/"))
			exit(1);
		if (umount2("./pivot", MNT_DETACH))
			exit(1);
	}
	if (chroot("./newroot"))
		exit(1);
	if (chdir("/"))
		exit(1);
	setup_gadgetfs();
setup_binderfs();
	setup_fusectl();
}

/* Best-effort: create and mount gadgetfs; both failures are ignored. */
static void setup_gadgetfs()
{
	if (mkdir("/dev/gadgetfs", 0777)) {
	}
	if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
	}
}

/* Best-effort: mount fusectl so that kill_and_wait can abort stuck FUSE connections. */
static void setup_fusectl()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

/* Best-effort: create and mount binderfs; both failures are ignored. */
static void setup_binderfs()
{
	if (mkdir("/dev/binderfs", 0777)) {
	}
	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
	}
}

static void loop();

/*
 * Per-sandbox process setup: die with the parent, keep a handle to the
 * initial net namespace at kInitNetNsFd, cap resource usage, enter
 * private mount/IPC/cgroup/UTS/sysvsem namespaces, and raise the SysV
 * IPC sysctls the tests rely on.
 *
 * Every setrlimit/unshare/mount here is best-effort; only the netns fd
 * plumbing and the "already reparented to init" check are fatal.
 */
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	if (getppid() == 1)
		exit(1);
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is CLONE_NEWCGROUP, spelled numerically (presumably for older headers). */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Block until child `pid` exits and return its exit status. waitpid(-1)
 * reaps any other child it happens to see along the way. The status is
 * read with WEXITSTATUS without checking WIFEXITED first, so a child
 * killed by a signal yields a meaningless value rather than an error.
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

static
void drop_caps(void)
{
	/*
	 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted
	 * and inheritable sets of this process via raw capget/capset. Both
	 * capabilities live in the first 32-bit word, so only cap_data[0] is
	 * edited. Either syscall failing is fatal.
	 */
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * The "none" sandbox: a new pid namespace (best-effort) and a forked child
 * that runs the common setup, drops ptrace/nice capabilities, enters its
 * own net namespace, widens ping_group_range, builds the tmpfs root and
 * runs the test loop. The parent only waits for the child and returns its
 * exit status; the child never returns from here.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	sandbox_common_mount_tmpfs();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir`, fighting what a fuzzed test may leave behind:
 * mounts stacked on the directory or its entries (unmounted repeatedly),
 * immutable/append-only files (inode flags cleared via FS_IOC_SETFLAGS on
 * EPERM), and EBUSY/ENOTEMPTY races (bounded retries; on ENOTEMPTY the
 * whole scan restarts at `retry`, at most 100 times). EROFS is treated as
 * "cannot remove, move on"; any other failure calls exit(1).
 *
 * Paths are built with snprintf into FILENAME_MAX bytes and truncation is
 * not checked, so an over-long entry name would be operated on truncated.
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, umount_flags) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				/* Likely an immutable/append-only inode: clear its flags and retry the unlink. */
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
				/* NOTE: if open() failed, the errno tested below is open()'s, not unlink()'s. */
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				/* Same immutable-flag handling as for regular files above. */
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, umount_flags))
					exit(1);
				continue;
			}
			if (errno == ENOTEMPTY) {
				/* Something appeared while we were deleting: rescan from the top. */
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/*
 * Arm systematic fault injection for the current thread by writing `nth`
 * to /proc/thread-self/fail-nth (kernel semantics: the nth fault-capable
 * call from now on fails). Returns the open fd, which callers in this file
 * discard; exit(1) if the file cannot be opened or fully written.
 */
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16]; /* holds any int, sign included */
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

/*
 * Kill the test process group led by `pid` and reap the leader.
 *
 * SIGKILL is sent to the group and to the leader, then the child is polled
 * without blocking for up to ~100 ms. If it is still not reaped it is
 * probably stuck in a FUSE request, so every connection under
 * /sys/fs/fuse/connections is aborted (writing any byte to its "abort"
 * file suffices; the first byte of the path string is used) before
 * blocking in waitpid until the child is gone. *status receives the wait
 * status.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* Detach whatever backing file a test left attached to this proc's loop device. */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/*
 * Per-test-process setup: die with the parent, lead a fresh process group
 * (so kill_and_wait's kill(-pid) reaches every thread/child), be the first
 * OOM-kill candidate, and expose binderfs at ./binderfs (best-effort).
 */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

/*
 * Verify that the kernel offers systematic fault injection and tune the
 * fault-injection knobs under debugfs. Returns NULL on success, or a
 * static string saying why injection is unavailable. Only the failslab
 * knob is mandatory (fatal = true); the rest are best-effort.
 */
static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				return "failed to write fault injection file";
		}
	}
	return NULL;
}

/* Smallest buffer a read from /dev/fuse may use; syz_fuse_handle_req enforces it. */
#define FUSE_MIN_READ_BUFFER 8192

/*
 * FUSE request opcodes, mirroring the kernel uapi enum. The *_BSWAP_RESERVED
 * values are the INIT opcodes with their bytes swapped (0x00100000 and
 * 0x1A000000), i.e. what a wrong-endian client would send.
 */
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	FUSE_SYNCFS = 50,
	FUSE_TMPFILE = 51,
	FUSE_STATX = 52,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header that prefixes every request read from /dev/fuse. */
struct fuse_in_header {
	uint32_t len; /* length of the whole request, header included */
	uint32_t opcode;
	uint64_t unique; /* request id; the reply must carry the same value */
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

/* Header that prefixes every reply written to /dev/fuse. */
struct fuse_out_header {
	uint32_t len; /* length of the whole reply, header included */
	uint32_t error;
	uint64_t unique; /* copied from the matching fuse_in_header */
};

/*
 * Pre-built replies supplied by the test program, one per reply shape.
 * Any pointer may be NULL; syz_fuse_handle_req then answers requests of
 * that kind with -1 instead of writing a reply.
 */
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
	struct fuse_out_header* statx;
};

/*
 * Write `out_hdr` (out_hdr->len bytes) to the FUSE fd as the reply to
 * `in_hdr`, after stamping it with the request's unique id.
 *
 * Returns 0 on success, -1 if out_hdr is NULL or write() fails. The byte
 * count comes from the caller-supplied header and is not bounded here,
 * and a short write is not detected.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/*
 * syz_fuse_handle_req(fd, buf, buf_len, req_out): read one request from the
 * FUSE device `fd` into `buf` and answer it with the matching pre-built
 * reply from `req_out`.
 *
 * Returns -1 when req_out is NULL, buf_len is below FUSE_MIN_READ_BUFFER,
 * read() fails or returns less than a header, the header claims more bytes
 * than were read, the opcode is unknown, or the reply pointer for that
 * opcode is NULL. FORGET/BATCH_FORGET take no reply and return 0.
 *
 * For the "empty reply" opcodes (unlink, fsync, access, ...) the init
 * header is reused and its len overwritten with a bare fuse_out_header;
 * that write is persistent, so a later FUSE_INIT reply from the same
 * req_out goes out truncated to the header.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	/* Reject a header whose declared length exceeds what was actually read. */
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/* Header-only reply: borrow the init buffer and shrink its len. */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case
FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		/* These requests carry no reply. */
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	case FUSE_STATX:
		out_hdr = req_out->statx;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

/* mac80211_hwsim generic-netlink attribute ids used below. */
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
/* Upper bound on an injected frame; syz_80211_inject_frame enforces it. */
#define WIFI_MAX_INJECT_LEN 2048

/*
 * Register `sock` with mac80211_hwsim (HWSIM_CMD_REGISTER) so that frames
 * can be injected through it. Returns netlink_send_ext's result, < 0 on
 * failure; the error is not acted on here.
 */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

/*
 * Send one HWSIM_CMD_FRAME carrying `len` bytes of `data` to the simulated
 * radio whose address is `mac_addr` (read as ETH_ALEN bytes, unchecked),
 * using the default rx rate and signal strength. Returns netlink_send_ext's
 * result, < 0 on failure.
 */
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

/*
 * syz_80211_inject_frame(mac_addr, buf, buf_len): deliver one raw 802.11
 * frame to the hwsim radio at `mac_addr`. buf_len must lie in
 * [0, WIFI_MAX_INJECT_LEN]; mac_addr is not validated. A fresh
 * generic-netlink socket is opened, registered and closed per call.
 * Returns 0 on success, -1 on any failure.
 */
static long syz_80211_inject_frame(volatile long a0, volatile long a1,
volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	/* Length is validated before any socket is opened. */
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
	if (hwsim_family_id < 0) {
		close(sock);
		return -1;
	}
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32
/* `mode` values accepted by syz_80211_join_ibss. */
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

/*
 * syz_80211_join_ibss(interface, ssid, ssid_len, mode): join the fixed
 * test IBSS (WIFI_IBSS_BSSID on WIFI_DEFAULT_FREQUENCY) with the given SSID
 * on `interface` via nl80211.
 *
 * ssid_len must be in [0, WIFI_MAX_SSID_LEN] and mode one of the
 * WIFI_JOIN_IBSS_* values. The *_NO_SCAN modes fix the frequency; only
 * WIFI_JOIN_IBSS_NO_SCAN additionally blocks until the interface reports
 * IF_OPER_UP. The netlink socket is closed before that wait. Returns 0 on
 * success, -1 on any failure.
 */
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
	if (nl80211_family_id < 0) {
		close(sock);
		return -1;
	}
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_N0_SCAN_PLACEHOLDER_NEVER_USED) {
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

/* How long a clone()d child lingers before exiting, in microseconds (1.5 s). */
#define USLEEP_FORKED_CHILD (3 * 500 *1000)

static long
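handle_clone_ret(long ret)
{
	/*
	 * Shared tail of syz_clone/syz_clone3. In the parent (ret != 0, which
	 * also covers the -1 error case) the clone() result is passed through
	 * unchanged. In the child we linger for USLEEP_FORKED_CHILD so the
	 * parent can act on the new process, then leave through the raw exit
	 * syscall (presumably to skip libc's atexit/stdio teardown).
	 */
	if (ret != 0) {
		return ret;
	}
	usleep(USLEEP_FORKED_CHILD);
	syscall(__NR_exit, 0);
	while (1) {
	}
}

/*
 * syz_clone(flags, stack, stack_len, ptid, ctid, tls): clone() wrapper.
 * The child's stack pointer is the top of [stack, stack + stack_len)
 * rounded down to 16 bytes. CLONE_VM is always stripped so the child
 * cannot share, and corrupt, the executor's address space.
 */
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls)
{
	long sp = (stack + stack_len) & ~15;
	long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}

#define MAX_CLONE_ARGS_BYTES 256

/*
 * syz_clone3(args, size): clone3() wrapper. `size` must be between
 * sizeof(uint64_t) and MAX_CLONE_ARGS_BYTES or -1 is returned. The struct
 * is copied into a local buffer so CLONE_VM can be cleared from its
 * leading flags word without writing into the test program's memory.
 */
static long syz_clone3(volatile long a0, volatile long a1)
{
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	char clone_args[MAX_CLONE_ARGS_BYTES];
	memcpy(&clone_args, (void*)a0, copy_size);
	uint64_t* flags = (uint64_t*)&clone_args;
	*flags &= ~CLONE_VM;
	return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size));
}

#define RESERVED_PKEY 15

/*
 * syz_pkey_set(pkey, val): store the 2-bit access rights `val` for
 * protection key `pkey` (taken mod 16) directly in PKRU via rdpkru/wrpkru.
 * pkey == RESERVED_PKEY is refused with EINVAL.
 *
 * The shift is computed in unsigned arithmetic. The previous form,
 * `3 << ((pkey % 16) * 2)` on a signed long, was undefined for negative
 * pkey (negative shift count) and overflowed int for any pkey that maps
 * to key 15 other than 15 itself, e.g. 31 (3 << 30).
 */
static long syz_pkey_set(volatile long pkey, volatile long val)
{
	if (pkey == RESERVED_PKEY) {
		errno = EINVAL;
		return -1;
	}
	uint32_t eax = 0;
	uint32_t ecx = 0;
	asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx");
	const unsigned shift = (unsigned)((unsigned long)pkey % 16) * 2;
	eax &= ~(3u << shift);
	eax |= ((uint32_t)val & 3u) << shift;
	uint32_t edx = 0;
	asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
	return 0;
}

/*
 * syz_pidfd_open(pid, flags): pidfd_open() wrapper. pid 1 is remapped to 0
 * before the call, which keeps init out of a test's reach.
 */
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	if (pid == 1) {
		pid = 0;
	}
	return syscall(__NR_pidfd_open, pid, flags);
}

/* One worker slot: whether its thread was started, the call it runs, and the handshake events. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing in worker threads. */
static int running;

/*
 * Worker thread body: wait for a call number, run it, decrement `running`,
 * signal completion, repeat forever. Never returns in practice.
 */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * Run the program's 60 calls, each on the first idle worker thread (threads
 * are started on demand). Every call but call 1 is waited on with a
 * per-call timeout; call 1 is fired and left running. At the end, wait up
 * to ~100 ms for stragglers before returning.
 */
static void execute_one(void)
{
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0; call < 60; call++) {
		for (thread = 0; thread <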
(int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			/* Call 1 is asynchronous: hand it off and move on without waiting. */
			if (call == 1)
				break;
			/* 500 ms base budget, with extra time for the specific calls listed. */
			event_timedwait(&th->done, 500 + (call == 12 ? 1500 : 0) + (call == 51 ? 9000 : 0) + (call == 52 ? 9000 : 0) + (call == 53 ? 9000 : 0) + (call == 54 ? 900 : 0) + (call == 55 ? 900 : 0) + (call == 56 ? 900 : 0) + (call == 57 ? 9000 : 0) + (call == 58 ? 900 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Main test loop. Forever: create a fresh working directory ./N, reset the
 * loop device, fork a child that chdirs there and runs execute_one, give
 * it 15 s (then kill_and_wait, which also aborts hung FUSE connections),
 * and finally remove the directory and everything under it.
 */
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 15000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

/* Results (fds, ids, values read back) produced by earlier calls and consumed by later ones; the entries preset to all-ones act as "not set". */
uint64_t r[37] = {0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/*
 * Execute one call of the generated program. Arguments are staged in the
 * fixed 0x200000000000 data area and handed to the syscall; results that
 * later calls depend on are saved in r[].
 */
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		*(uint32_t*)0x200000000000 = 0x4006;
		*(uint32_t*)0x200000000004 = 0xd;
		*(uint32_t*)0x200000000008 = 2;
		*(uint32_t*)0x20000000000c = 8;
		inject_fault(1);
		syscall(__NR_ioctl, /*fd=*/(intptr_t)-1,
/*cmd=*/0x80044945, /*arg=*/0x200000000000ul); break; case 1: *(uint32_t*)0x200000000040 = 0; *(uint32_t*)0x200000000044 = 1; *(uint32_t*)0x200000000048 = 4; *(uint32_t*)0x20000000004c = 2; *(uint32_t*)0x200000000050 = 5; *(uint32_t*)0x200000000054 = 0x81; *(uint32_t*)0x200000000058 = 0; memcpy((void*)0x20000000005c, "id1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); memcpy((void*)0x20000000009c, "timer0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 80); *(uint64_t*)0x2000000000f0 = 0; *(uint64_t*)0x2000000000f8 = 6; *(uint64_t*)0x200000000100 = 3; *(uint64_t*)0x200000000108 = 0x70a; *(uint32_t*)0x200000000110 = 9; memset((void*)0x200000000114, 0, 32); syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0f85403, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000140, "/dev/ircomm#\000", 13); res = -1; res = syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); for (int i = 0; i < 4; i++) { syz_open_dev(/*dev=*/0x200000000140, /*id=*/0, /*flags=*/0); } if (res != -1) r[0] = res; break; case 3: *(uint32_t*)0x200000000340 = 0x82; *(uint32_t*)0x200000000344 = 8; *(uint64_t*)0x200000000348 = 0x200000000280; *(uint32_t*)0x200000000280 = 1; *(uint64_t*)0x200000000284 = 0; *(uint32_t*)0x20000000028c = 0xc0; *(uint64_t*)0x200000000290 = 0x200000000180; memcpy((void*)0x200000000180, 
"\x5b\x58\xac\x0e\xd1\xd2\x7b\x21\x7d\x3f\xdc\x62\x99\xcd\xde\x4d\x85\x32\x1f\x7b\xba\xa0\x64\xd3\x61\x51\x9c\xdd\xe4\x3b\x22\x5c\xf0\x06\x58\xdd\xbf\xbd\x91\x4c\xf7\x9e\xce\xb3\x48\xf1\x86\x92\x31\x5c\x3c\x69\xec\x14\x8e\x2d\xd9\x28\xac\x7e\xe6\x2f\x51\x11\xb9\xdc\xca\xca\x88\x52\x49\x12\x34\x19\x55\xf7\x9b\x0f\x22\x06\xb8\x0e\x6e\x5a\x7e\x68\x1a\x62\x96\x94\xa3\x4f\x9b\x0e\x39\x87\x7e\xef\xde\x60\xa0\x68\xcd\xc4\x45\x45\xd6\xfe\x45\xd0\x00\x0c\x99\x61\xa1\xff\x16\x87\x47\x44\x7e\x34\x6b\x16\x46\x08\x75\xc6\x91\xde\x11\x83\xb2\xd7\xb0\x32\xcf\xae\x85\x49\x7d\x0d\x88\x48\xd4\xba\xa9\xad\xc6\xca\xac\xcd\x9a\xf6\x01\x9e\xa2\xba\x6f\x3b\x4e\x60\x18\xdf\x94\xca\xca\xbe\xdd\xec\x7b\x60\x02\x30\xea\x77\x90\x01\x93\x99\xd0\xbe\xb6\x1f\x42\x7d\xf8\x35\x9c\xc3\x48\x93", 192); *(uint64_t*)0x200000000298 = 0; *(uint32_t*)0x2000000002a0 = 0; *(uint64_t*)0x2000000002a4 = 0x200000000240; *(uint32_t*)0x2000000002ac = 0x10000; *(uint32_t*)0x2000000002b0 = 0; *(uint64_t*)0x2000000002b4 = 0; *(uint32_t*)0x2000000002bc = 0x81; *(uint32_t*)0x2000000002c0 = 0xe; *(uint64_t*)0x200000000350 = 0x200000000300; *(uint32_t*)0x200000000358 = 0x44; *(uint32_t*)0x20000000035c = 0xc; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0206440, /*arg=*/0x200000000340ul); if (res != -1) r[1] = *(uint64_t*)0x200000000300; break; case 4: *(uint32_t*)0x200000000400 = 0x81; *(uint32_t*)0x200000000404 = 4; *(uint64_t*)0x200000000408 = 0x200000000380; *(uint64_t*)0x200000000380 = r[1]; *(uint64_t*)0x200000000410 = 0x2000000003c0; *(uint32_t*)0x200000000418 = 8; *(uint32_t*)0x20000000041c = 0xc; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc0206440, /*arg=*/0x200000000400ul); break; case 5: *(uint32_t*)0x200000000440 = 3; *(uint32_t*)0x200000000444 = 6; STORE_BY_BITMASK(uint32_t, , 0x200000000448, 1, 0, 1); memcpy((void*)0x200000000449, 
"queue1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); *(uint32_t*)0x20000000048c = 0xdae; memset((void*)0x200000000490, 0, 60); syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc08c5335, /*arg=*/0x200000000440ul); break; case 6: memcpy((void*)0x200000000540, "TIPCv2\000", 7); res = -1; res = syz_genetlink_get_family_id(/*name=*/0x200000000540, /*fd=*/r[0]); if (res != -1) r[2] = res; break; case 7: *(uint64_t*)0x200000000880 = 0x200000000500; *(uint16_t*)0x200000000500 = 0x10; *(uint16_t*)0x200000000502 = 0; *(uint32_t*)0x200000000504 = 0; *(uint32_t*)0x200000000508 = 0x1000000; *(uint32_t*)0x200000000888 = 0xc; *(uint64_t*)0x200000000890 = 0x200000000840; *(uint64_t*)0x200000000840 = 0x200000000580; *(uint32_t*)0x200000000580 = 0x2b4; *(uint16_t*)0x200000000584 = r[2]; *(uint16_t*)0x200000000586 = 0x400; *(uint32_t*)0x200000000588 = 0x70bd2d; *(uint32_t*)0x20000000058c = 0x25dfdbfb; *(uint8_t*)0x200000000590 = 4; *(uint8_t*)0x200000000591 = 0; *(uint16_t*)0x200000000592 = 0; *(uint16_t*)0x200000000594 = 0x44; STORE_BY_BITMASK(uint16_t, , 0x200000000596, 3, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000597, 1, 7, 1); *(uint16_t*)0x200000000598 = 8; *(uint16_t*)0x20000000059a = 1; *(uint32_t*)0x20000000059c = 6; *(uint16_t*)0x2000000005a0 = 8; *(uint16_t*)0x2000000005a2 = 1; *(uint32_t*)0x2000000005a4 = 0x3f; *(uint16_t*)0x2000000005a8 = 8; *(uint16_t*)0x2000000005aa = 1; *(uint32_t*)0x2000000005ac = 2; *(uint16_t*)0x2000000005b0 = 8; *(uint16_t*)0x2000000005b2 = 1; *(uint32_t*)0x2000000005b4 = 0x4c00000; *(uint16_t*)0x2000000005b8 = 8; *(uint16_t*)0x2000000005ba = 1; *(uint32_t*)0x2000000005bc = 3; *(uint16_t*)0x2000000005c0 = 8; *(uint16_t*)0x2000000005c2 = 1; *(uint32_t*)0x2000000005c4 = 6; *(uint16_t*)0x2000000005c8 = 8; 
*(uint16_t*)0x2000000005ca = 3; *(uint32_t*)0x2000000005cc = 0x67c; *(uint16_t*)0x2000000005d0 = 8; *(uint16_t*)0x2000000005d2 = 1; *(uint32_t*)0x2000000005d4 = 7; *(uint16_t*)0x2000000005d8 = 0x3c; STORE_BY_BITMASK(uint16_t, , 0x2000000005da, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005db, 1, 7, 1); *(uint16_t*)0x2000000005dc = 9; *(uint16_t*)0x2000000005de = 1; memcpy((void*)0x2000000005e0, "syz1\000", 5); *(uint16_t*)0x2000000005e8 = 0x2c; STORE_BY_BITMASK(uint16_t, , 0x2000000005ea, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000005eb, 1, 7, 1); *(uint16_t*)0x2000000005ec = 8; *(uint16_t*)0x2000000005ee = 3; *(uint32_t*)0x2000000005f0 = 0x220a; *(uint16_t*)0x2000000005f4 = 8; *(uint16_t*)0x2000000005f6 = 4; *(uint32_t*)0x2000000005f8 = 0x9c0; *(uint16_t*)0x2000000005fc = 8; *(uint16_t*)0x2000000005fe = 2; *(uint32_t*)0x200000000600 = 0x101; *(uint16_t*)0x200000000604 = 8; *(uint16_t*)0x200000000606 = 4; *(uint32_t*)0x200000000608 = 3; *(uint16_t*)0x20000000060c = 8; *(uint16_t*)0x20000000060e = 1; *(uint32_t*)0x200000000610 = 8; *(uint16_t*)0x200000000614 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000616, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000617, 1, 7, 1); *(uint16_t*)0x200000000618 = 8; *(uint16_t*)0x20000000061a = 2; *(uint32_t*)0x20000000061c = 6; *(uint16_t*)0x200000000620 = 8; *(uint16_t*)0x200000000622 = 1; *(uint32_t*)0x200000000624 = 1; *(uint16_t*)0x200000000628 = 0xb8; STORE_BY_BITMASK(uint16_t, , 0x20000000062a, 1, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062b, 1, 7, 1); *(uint16_t*)0x20000000062c = 0x24; STORE_BY_BITMASK(uint16_t, , 0x20000000062e, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000062f, 1, 7, 1); *(uint16_t*)0x200000000630 = 8; 
*(uint16_t*)0x200000000632 = 2; *(uint32_t*)0x200000000634 = 9; *(uint16_t*)0x200000000638 = 8; *(uint16_t*)0x20000000063a = 4; *(uint32_t*)0x20000000063c = 7; *(uint16_t*)0x200000000640 = 8; *(uint16_t*)0x200000000642 = 2; *(uint32_t*)0x200000000644 = 5; *(uint16_t*)0x200000000648 = 8; *(uint16_t*)0x20000000064a = 2; *(uint32_t*)0x20000000064c = 2; *(uint16_t*)0x200000000650 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000652, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000653, 1, 7, 1); *(uint16_t*)0x200000000654 = 8; *(uint16_t*)0x200000000656 = 3; *(uint32_t*)0x200000000658 = 6; *(uint16_t*)0x20000000065c = 8; *(uint16_t*)0x20000000065e = 4; *(uint32_t*)0x200000000660 = 0; *(uint16_t*)0x200000000664 = 0xd; *(uint16_t*)0x200000000666 = 1; memcpy((void*)0x200000000668, "udp:syz2\000", 9); *(uint16_t*)0x200000000674 = 0xc; STORE_BY_BITMASK(uint16_t, , 0x200000000676, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000677, 1, 7, 1); *(uint16_t*)0x200000000678 = 8; *(uint16_t*)0x20000000067a = 4; *(uint32_t*)0x20000000067c = 7; *(uint16_t*)0x200000000680 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000682, 2, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000683, 1, 7, 1); *(uint16_t*)0x200000000684 = 8; *(uint16_t*)0x200000000686 = 1; *(uint32_t*)0x200000000688 = 0x17; *(uint16_t*)0x20000000068c = 8; *(uint16_t*)0x20000000068e = 1; *(uint32_t*)0x200000000690 = 0x17; *(uint16_t*)0x200000000694 = 8; *(uint16_t*)0x200000000696 = 1; *(uint32_t*)0x200000000698 = 0x12; *(uint16_t*)0x20000000069c = 0x2c; *(uint16_t*)0x20000000069e = 4; *(uint16_t*)0x2000000006a0 = 0x14; *(uint16_t*)0x2000000006a2 = 1; *(uint16_t*)0x2000000006a4 = 2; *(uint16_t*)0x2000000006a6 = htobe16(0x4e21); *(uint32_t*)0x2000000006a8 = htobe32(0xe0000002); *(uint16_t*)0x2000000006b4 = 0x14; *(uint16_t*)0x2000000006b6 = 2; 
*(uint16_t*)0x2000000006b8 = 2; *(uint16_t*)0x2000000006ba = htobe16(0x4e20); *(uint32_t*)0x2000000006bc = htobe32(-1); *(uint16_t*)0x2000000006c8 = 8; *(uint16_t*)0x2000000006ca = 3; *(uint32_t*)0x2000000006cc = 0xb; *(uint16_t*)0x2000000006d0 = 0xd; *(uint16_t*)0x2000000006d2 = 1; memcpy((void*)0x2000000006d4, "udp:syz1\000", 9); *(uint16_t*)0x2000000006e0 = 0x20; STORE_BY_BITMASK(uint16_t, , 0x2000000006e2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000006e3, 1, 7, 1); *(uint16_t*)0x2000000006e4 = 8; *(uint16_t*)0x2000000006e6 = 1; *(uint32_t*)0x2000000006e8 = 8; *(uint16_t*)0x2000000006ec = 0xc; *(uint16_t*)0x2000000006ee = 3; *(uint64_t*)0x2000000006f0 = 6; *(uint16_t*)0x2000000006f8 = 8; *(uint16_t*)0x2000000006fa = 1; *(uint32_t*)0x2000000006fc = 0x80; *(uint16_t*)0x200000000700 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000702, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000703, 1, 7, 1); *(uint16_t*)0x200000000704 = 8; *(uint16_t*)0x200000000706 = 1; *(uint32_t*)0x200000000708 = 2; *(uint16_t*)0x20000000070c = 8; *(uint16_t*)0x20000000070e = 1; *(uint32_t*)0x200000000710 = 9; *(uint16_t*)0x200000000714 = 0x10c; STORE_BY_BITMASK(uint16_t, , 0x200000000716, 4, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000717, 1, 7, 1); *(uint16_t*)0x200000000718 = 9; *(uint16_t*)0x20000000071a = 1; memcpy((void*)0x20000000071c, "syz1\000", 5); *(uint16_t*)0x200000000724 = 0x13; *(uint16_t*)0x200000000726 = 1; memcpy((void*)0x200000000728, "broadcast-link\000", 15); *(uint16_t*)0x200000000738 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000073a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000073b, 1, 7, 1); *(uint16_t*)0x20000000073c = 8; *(uint16_t*)0x20000000073e = 2; *(uint32_t*)0x200000000740 = 0x187; *(uint16_t*)0x200000000744 = 8; 
*(uint16_t*)0x200000000746 = 4; *(uint32_t*)0x200000000748 = 0x40; *(uint16_t*)0x20000000074c = 8; *(uint16_t*)0x20000000074e = 1; *(uint32_t*)0x200000000750 = 0x10; *(uint16_t*)0x200000000754 = 0x24; STORE_BY_BITMASK(uint16_t, , 0x200000000756, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000757, 1, 7, 1); *(uint16_t*)0x200000000758 = 8; *(uint16_t*)0x20000000075a = 2; *(uint32_t*)0x20000000075c = 0xc0fb; *(uint16_t*)0x200000000760 = 8; *(uint16_t*)0x200000000762 = 2; *(uint32_t*)0x200000000764 = 0; *(uint16_t*)0x200000000768 = 8; *(uint16_t*)0x20000000076a = 2; *(uint32_t*)0x20000000076c = 3; *(uint16_t*)0x200000000770 = 8; *(uint16_t*)0x200000000772 = 4; *(uint32_t*)0x200000000774 = 6; *(uint16_t*)0x200000000778 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x20000000077a, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000000077b, 1, 7, 1); *(uint16_t*)0x20000000077c = 8; *(uint16_t*)0x20000000077e = 1; *(uint32_t*)0x200000000780 = 0x18; *(uint16_t*)0x200000000784 = 8; *(uint16_t*)0x200000000786 = 2; *(uint32_t*)0x200000000788 = 0x80000000; *(uint16_t*)0x20000000078c = 8; *(uint16_t*)0x20000000078e = 2; *(uint32_t*)0x200000000790 = 2; *(uint16_t*)0x200000000794 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x200000000796, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000797, 1, 7, 1); *(uint16_t*)0x200000000798 = 8; *(uint16_t*)0x20000000079a = 4; *(uint32_t*)0x20000000079c = 0xfffffff2; *(uint16_t*)0x2000000007a0 = 8; *(uint16_t*)0x2000000007a2 = 3; *(uint32_t*)0x2000000007a4 = 7; *(uint16_t*)0x2000000007a8 = 8; *(uint16_t*)0x2000000007aa = 3; *(uint32_t*)0x2000000007ac = 0xd0; *(uint16_t*)0x2000000007b0 = 0x1c; STORE_BY_BITMASK(uint16_t, , 0x2000000007b2, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007b3, 1, 7, 1); *(uint16_t*)0x2000000007b4 = 8; 
*(uint16_t*)0x2000000007b6 = 1; *(uint32_t*)0x2000000007b8 = 0xf; *(uint16_t*)0x2000000007bc = 8; *(uint16_t*)0x2000000007be = 4; *(uint32_t*)0x2000000007c0 = 0x401; *(uint16_t*)0x2000000007c4 = 8; *(uint16_t*)0x2000000007c6 = 1; *(uint32_t*)0x2000000007c8 = 9; *(uint16_t*)0x2000000007cc = 0x54; STORE_BY_BITMASK(uint16_t, , 0x2000000007ce, 7, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000000007cf, 1, 7, 1); *(uint16_t*)0x2000000007d0 = 8; *(uint16_t*)0x2000000007d2 = 3; *(uint32_t*)0x2000000007d4 = 0xe6a9; *(uint16_t*)0x2000000007d8 = 8; *(uint16_t*)0x2000000007da = 4; *(uint32_t*)0x2000000007dc = 7; *(uint16_t*)0x2000000007e0 = 8; *(uint16_t*)0x2000000007e2 = 3; *(uint32_t*)0x2000000007e4 = 0x10000; *(uint16_t*)0x2000000007e8 = 8; *(uint16_t*)0x2000000007ea = 3; *(uint32_t*)0x2000000007ec = 0x2000; *(uint16_t*)0x2000000007f0 = 8; *(uint16_t*)0x2000000007f2 = 2; *(uint32_t*)0x2000000007f4 = 9; *(uint16_t*)0x2000000007f8 = 8; *(uint16_t*)0x2000000007fa = 3; *(uint32_t*)0x2000000007fc = 6; *(uint16_t*)0x200000000800 = 8; *(uint16_t*)0x200000000802 = 4; *(uint32_t*)0x200000000804 = 0x81; *(uint16_t*)0x200000000808 = 8; *(uint16_t*)0x20000000080a = 3; *(uint32_t*)0x20000000080c = 0x3ff; *(uint16_t*)0x200000000810 = 8; *(uint16_t*)0x200000000812 = 1; *(uint32_t*)0x200000000814 = 0x19; *(uint16_t*)0x200000000818 = 8; *(uint16_t*)0x20000000081a = 1; *(uint32_t*)0x20000000081c = 0x1a; *(uint16_t*)0x200000000820 = 0x14; STORE_BY_BITMASK(uint16_t, , 0x200000000822, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000823, 1, 7, 1); *(uint16_t*)0x200000000824 = 8; *(uint16_t*)0x200000000826 = 1; *(uint32_t*)0x200000000828 = 1; *(uint16_t*)0x20000000082c = 8; *(uint16_t*)0x20000000082e = 2; *(uint32_t*)0x200000000830 = 0x79; *(uint64_t*)0x200000000848 = 0x2b4; *(uint64_t*)0x200000000898 = 1; *(uint64_t*)0x2000000008a0 = 0; *(uint64_t*)0x2000000008a8 = 0; 
*(uint32_t*)0x2000000008b0 = 0x4040811; syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000880ul, /*f=*/0ul); break; case 8: syscall(__NR_read, /*fd=*/r[0], /*data=*/0x2000000008c0ul, /*len=*/0x1dul); break; case 9: *(uint64_t*)0x200000000980 = 6; *(uint64_t*)0x200000000988 = 0x200000000940; *(uint64_t*)0x200000000940 = 0x904e; *(uint64_t*)0x200000000948 = 1; *(uint64_t*)0x200000000950 = 9; *(uint64_t*)0x200000000958 = 6; *(uint64_t*)0x200000000960 = 0xe; *(uint64_t*)0x200000000968 = 5; syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0x4010801d, /*arg=*/0x200000000980ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xc, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 1, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 2, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 4, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 1, 5, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 6, 1); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 7, 1); STORE_BY_BITMASK(uint16_t, , 0x200000000042, 4, 0, 15); STORE_BY_BITMASK(uint16_t, , 0x200000000043, 0, 7, 1); *(uint8_t*)0x200000000044 = 8; *(uint8_t*)0x200000000045 = 2; *(uint8_t*)0x200000000046 = 0x11; *(uint8_t*)0x200000000047 = 0; *(uint8_t*)0x200000000048 = 0; *(uint8_t*)0x200000000049 = 0; memset((void*)0x20000000004a, 255, 6); *(uint8_t*)0x200000000050 = 8; *(uint8_t*)0x200000000051 = 2; *(uint8_t*)0x200000000052 = 0x11; *(uint8_t*)0x200000000053 = 0; *(uint8_t*)0x200000000054 = 0; *(uint8_t*)0x200000000055 = 1; STORE_BY_BITMASK(uint16_t, , 0x200000000056, 1, 0, 4); STORE_BY_BITMASK(uint16_t, , 0x200000000056, 0x7f, 4, 12); *(uint16_t*)0x200000000058 = 0x1f; *(uint8_t*)0x20000000005a = 0x8c; *(uint8_t*)0x20000000005b = 0x18; 
*(uint16_t*)0x20000000005c = 0x5d9; memcpy((void*)0x20000000005e, "\x8e\x85\x14\x4c\x64\x33", 6); memcpy((void*)0x200000000064, "\xe0\x23\xfb\xed\x51\x30\x11\xc5\x70\x7e\x45\x24\x72\xe2\x05\x5d", 16); syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x34); break; case 11: memcpy((void*)0x200000000080, "wlan1\000", 6); memcpy((void*)0x2000000000c0, "\x3a\x38\x64\x65\xf3\x89\x38\x0e\x26\xb0\xcb\x13\xf9\x8a\x36\xe2\x21\x4f\x09\x9e\xe0\xd0\xb2\x9b\x75\x4e\x31\xd6\xef\xc8\x2c\x04", 32); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/0x20, /*join_mode=*/0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_path_truncate\000", 22); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\xda\xa4\xed\x40\xf7\xcf\x4d\xa8\x63\x77\xe8\x64\xd8\xe6\xc6\xd4\xfc\x54\x86\xaf\x4a\x6f\x23\xde\xa5\x8b\x32\x43\xa2\x91\xb0\x18\x0d\xba\xf5\xc9\x27\x58\xaf\x73\xf9", 41); memcpy((void*)0x200000000200, "\x40\xf2\x76\x85\x6b\x81\x91\xc4\xf3\x12\x75\x9d\x79\x5a\x22\xc3\xc7\xed\xc9\x16\x78\x79\x4f\x4e\xea\xc4\x57\x46\xfc\xc9\x93\x07\x22\xc8\x18\x9b\xa5\x95\x65\xf7\x32\x7c\xbc\xd4\x50\x61\x64\xeb\x9f\x6f\xf1\x75\xf1\xf0\x8d\x60\x24\x70\x91\x77\x2c\x18\x5a\xc3\x83\x04\xe9\xb5\xb3", 69); res = -1; res = syz_clone(/*flags=CLONE_NEWUTS|CLONE_VFORK*/0x4004000, /*stack=*/0x200000000140, /*stack_len=*/0x29, /*parentid=*/0x200000000180, /*childtid=*/0x2000000001c0, /*tls=*/0x200000000200); if (res != -1) r[3] = res; break; case 14: res = syscall(__NR_getpgrp, /*pid=*/r[3]); if (res != -1) r[4] = res; break; case 15: *(uint64_t*)0x200000000500 = 0x800; *(uint64_t*)0x200000000508 = 0x200000000280; *(uint64_t*)0x200000000510 = 0x2000000002c0; *(uint64_t*)0x200000000518 = 0x200000000300; *(uint32_t*)0x200000000520 = 0x12; *(uint64_t*)0x200000000528 = 0x200000000340; *(uint64_t*)0x200000000530 = 0x66; *(uint64_t*)0x200000000538 = 0x2000000003c0; *(uint64_t*)0x200000000540 = 
0x2000000004c0; *(uint32_t*)0x2000000004c0 = r[3]; *(uint32_t*)0x2000000004c4 = r[3]; *(uint32_t*)0x2000000004c8 = r[3]; *(uint32_t*)0x2000000004cc = r[4]; *(uint64_t*)0x200000000548 = 4; *(uint32_t*)0x200000000550 = -1; res = -1; res = syz_clone3(/*args=*/0x200000000500, /*size=*/0x58); if (res != -1) { r[5] = res; r[6] = *(uint32_t*)0x200000000280; r[7] = *(uint32_t*)0x2000000002c0; r[8] = *(uint32_t*)0x200000000300; } break; case 16: memcpy((void*)0x200000000580, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000580); break; case 17: *(uint64_t*)0x200000001680 = 4; res = syscall(__NR_socketcall, /*call=*/5ul, /*args=*/0x200000001680ul); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000004a80 = 0x80000000; *(uint32_t*)0x200000004a84 = 0xee01; *(uint32_t*)0x200000004a88 = 0xee01; *(uint32_t*)0x200000004a8c = 5; *(uint32_t*)0x200000004a90 = 0xfffffff8; *(uint32_t*)0x200000004a94 = 1; *(uint16_t*)0x200000004a98 = 0x6bc1; *(uint32_t*)0x200000004a9c = 0x40; *(uint64_t*)0x200000004aa0 = 0xffff; *(uint64_t*)0x200000004aa8 = 0x2265; *(uint64_t*)0x200000004ab0 = 0xfffffffffffffff8; *(uint32_t*)0x200000004ab8 = r[3]; *(uint32_t*)0x200000004abc = r[8]; *(uint16_t*)0x200000004ac0 = 0xfffa; *(uint16_t*)0x200000004ac2 = 0; *(uint64_t*)0x200000004ac8 = 0x200000003a40; memcpy((void*)0x200000003a40, 
"\x89\x17\xf9\x6e\xff\x00\x1e\x00\x64\x91\xda\x94\x8f\x25\xc3\xac\x36\x65\x39\x2d\x07\x7a\x28\x78\xa0\xc4\x71\x86\xfb\xb5\x96\x00\xe8\x72\x5c\x57\x48\x93\xc0\xd6\x45\x65\x1c\xd4\x96\xd4\xd6\xc4\x3d\xd8\xd9\xe3\xce\xca\x2e\x2a\x35\xfd\x60\x78\x5c\xd7\x7e\xc5\xc5\xee\xd5\xea\x44\xa8\x53\x76\x9a\x52\xcb\x3e\x89\xd0\x6c\x09\x95\xf7\x7e\x9b\x7e\xcc\x68\xfa\x52\x1a\xc4\xb1\x93\xee\x67\xdc\xce\xc0\xa7\xd1\x3f\x3c\x06\x8e\xe0\x46\xa9\xa1\x42\x01\x1c\xd4\xba\x8e\x67\xf3\x81\xe1\x67\x45\xd8\x1a\x2b\x5b\xf1\x1f\x4e\xf0\x01\x43\x30\xc9\x5f\x0f\x5b\xc8\x9d\x00\xf1\x61\x29\xa9\x63\x77\x82\xe5\xa6\xf4\xd9\x22\xe0\xf0\x74\x57\xee\x51\x5e\x1b\xbf\x56\x54\x90\x6d\x88\x7b\xa0\x2b\xee\x66\x4d\xa7\x2a\x51\xb5\xdc\xdf\x4b\xec\xca\x2d\x80\x67\xe3\x57\x53\xc0\x31\x23\x59\xef\xb6\xda\x86\x14\x9a\xfc\x10\x10\xd0\xc6\xc8\x6c\xc9\xc8\x83\x1c\xa1\x27\x6c\xa9\x68\x81\x1c\x87\xba\xab\x12\x1c\x9d\x81\x72\x73\x19\x6e\x97\xae\x66\xf3\x97\x66\x7e\x02\x3f\xc2\x33\x19\xc2\x4f\xa8\x23\x57\x22\x26\xfb\x74\x8a\xc5\x4f\xf5\x28\x23\x6b\x07\x81\xa2\x0e\xd5\x2e\x11\x69\x27\xa2\x2b\x11\xe0\xb8\xac\xeb\x36\xd2\xcf\x4a\x78\xeb\x34\x65\xfc\xb9\xc9\x49\x3e\xad\xd4\x46\x86\x76\x6f\xb2\x6d\x4d\x0a\x54\xd0\x28\x27\x3a\x5c\x60\x53\x88\x53\x4e\x49\x37\xf1\x8c\xa9\x05\x32\x44\x5f\x94\x66\x51\xf3\x63\x4e\x9b\x36\x5b\xb8\xed\x72\x42\xb9\x12\x31\xba\x06\x34\x7e\xab\x1f\x32\x00\x96\x37\x4f\xbd\x8a\x7a\x94\xc2\xfa\x71\x54\x41\x5c\x92\x3f\xd6\x6c\xd6\x26\x48\x9e\x7c\x79\xca\xd3\x9b\x66\xb0\x67\x4b\x94\x39\xb5\x7b\x79\xec\x79\x03\xd3\x5e\xc3\x14\xdb\x9d\x7e\x41\x5d\xf3\xc4\xf7\x55\x14\xb1\xc8\x3e\x9b\x6b\x27\x1d\xab\xeb\xd3\xb7\x93\xa7\x8a\xd5\xba\xef\x25\x39\x39\x34\xbc\x1b\x49\x69\xeb\x61\x28\xd3\x52\x14\x90\x47\x0f\x25\xe7\xa4\x7b\x13\xee\x0c\x47\x72\xd0\x47\x3d\xa5\x18\x44\x1b\x7b\xd3\x62\xbc\x99\xb0\x9c\xf6\x96\xbe\xb9\xe5\xf9\xd3\xd5\xe8\x8e\x9e\x96\x0e\x25\x9e\x4f\xe6\x7c\xfa\x3b\x2a\xbd\xe1\x00\x10\xf3\xc6\xa6\x0d\x26\x9a\xd1\x3e\x59\x05\x2e\x8a\xb9\x51\x40\x1d\xde\x34\x5c\x4f\xed\x4f\xea\x6d\x91\xb8\x4d\xae\xee\xbf\x4
5\xfa\x79\x98\xee\x41\xda\x06\x87\x5e\x7b\xc4\x8d\x9d\xe5\x4d\xe3\x6d\x9e\x27\x49\x5f\xe7\xe8\x8e\x02\x4e\x7d\xd3\x58\x7d\xcb\xc7\x1c\xd4\x33\xb7\x1a\x4d\x97\x2b\x02\x65\x59\xef\xbf\x17\xc2\xb0\x2b\x23\x57\xb9\xd9\x13\xa7\x64\xc9\x5c\x5a\xa7\xb3\x2f\xd2\xc0\xb6\x2b\x47\xf2\x7e\x47\x85\xe7\x6d\x85\x62\xb4\xe4\x3e\xdc\x6d\x61\x0d\x2b\x97\xdd\x1a\x1e\xe6\x5b\xd1\xef\x89\xe0\x11\x0b\x14\xc2\x02\x5b\x04\xb8\xcf\x16\xf0\xc2\xc1\xab\x89\xad\x30\xbd\xbd\x8b\x98\x94\x27\x8b\x4b\xe8\xd0\x81\x55\xec\x0c\xd2\x0f\x54\x4f\x18\xa4\xf2\x6a\x98\x0d\xec\xac\x1c\xe2\x94\x21\x27\xd8\xd0\x35\x0d\xc4\xa9\xa3\x29\x30\xaf\x33\x53\x18\x22\x31\x9d\xd1\x39\xe2\x7c\xf7\x69\xd0\x68\x87\x96\x08\xc2\x51\x7d\x59\x96\x5f\xbf\xfe\x98\x79\xaf\xd4\x87\x87\x5a\xd2\x39\x58\x6b\xbe\xca\xd1\xb0\x0e\x13\x77\x20\x3a\xbe\x3f\xc5\x82\xfa\xaf\x4f\x9e\x08\xe5\x76\x58\x81\x22\x09\xb3\xa8\x65\x3b\xf3\x9e\x12\x6b\x79\x47\x4c\xed\x54\xb7\x4f\xd4\x77\xb0\x3a\x80\x90\x6e\x34\x6d\xfc\x7f\x5a\x86\x41\x0f\x6b\xbc\x64\xa7\xff\x88\xc3\x7a\xa1\xd1\x87\x13\x31\xad\x2a\x63\xfe\xce\xa9\xb4\x3d\x3f\xad\x06\x2d\xe7\x0d\xdd\x1c\x77\x3a\xe6\x25\x68\xff\x3b\xe8\x04\x58\x3d\x3a\x5a\x10\x79\x68\x13\xcd\x4b\x51\xf6\x7b\x09\x91\x0b\x42\x7e\xb9\x28\x04\xe7\xf2\x7a\xdc\xd8\xec\x9a\xfb\x24\xe3\x15\x1b\x48\xa3\x8c\xc5\x99\x27\x99\xdf\x37\xe5\xcf\x6a\xd5\x77\x94\x1a\xd7\xe2\xca\xf1\x56\x19\x23\x69\x27\x34\x2e\x87\xb5\xb2\x60\x47\x37\x16\xa9\xba\xd7\x0b\x39\x51\xf7\x26\x5c\x20\xc0\x00\x85\x26\x67\xfd\xe0\xc4\xb7\xf2\x7a\x32\xb7\xee\x13\x3c\xbc\x65\xba\x4d\xc3\x91\x0c\x23\x75\xe1\x95\xba\x76\x54\xe2\xd2\xd4\x5f\x91\x6e\x47\xf1\x07\x59\x5a\xdc\x63\x24\x78\x40\xdf\x4e\xca\xeb\x96\x40\xfb\x66\x19\x86\xad\xd0\xdd\x02\x79\x6d\x58\x10\xf5\x1c\x93\xfd\xcf\x89\x74\xda\x1f\x10\x14\xf2\xf4\xad\xb1\x6f\x04\xe7\x33\xb5\x3a\xc2\xe8\xb4\xa8\x53\xe9\x3a\x93\x5a\x73\x20\x28\xc8\xe3\xec\x12\x0f\xc5\x41\xe5\x12\x6f\x2d\x88\xdd\x4b\xbc\xa0\x6f\xa6\x10\x16\x34\x64\xcb\x17\xf4\x5e\x7a\x2b\xe0\xe5\x1d\x8e\x45\xe3\x7c\x50\x91\xd7\x62\xce\x5b\xfd\xb6\x93\x53\xba\xf
b\x95\x5c\x25\x54\x47\x02\xdc\xf7\xd1\x39\x4a\xac\x7a\x49\xa0\x78\x7f\xf1\x68\x74\x25\xa3\x75\x24\x9c\xa3\x78\xbc\x4f\x4a\xa2\x4a\xbc\xa2\x4a\x87\x1f\xd6\x74\x25\xb2\xf6\x60\x93\xb5\xb9\x87\x24\x99\xec\x85\xfa\xef\xfb\xf4\x3f\x0a\x4d\x3e\xfb\x5c\xea\xe7\x05\xa1\xa8\xe1\xf2\xbf\x79\xf5\x53\xc1\xc9\xf3\x8b\xd0\x9f\x93\xa8\x22\xbe\xb4\x54\x74\x4d\xd1\x17\x7e\xea\x67\xb7\xbd\x6c\x42\x1e\x58\x24\x62\x02\xab\x90\x2f\x79\xe0\x15\x5f\x1d\xe2\xbf\x22\x6f\x61\xbb\x39\xbf\xc2\xfb\xa3\x47\x9f\x25\xee\xa7\xf0\x1f\x70\xbc\x08\xa9\x8e\x88\x74\xe5\xd1\x38\x42\x83\xb9\x96\x07\xea\xa5\x2e\x89\x54\x90\xbd\xb2\x1c\x81\xcb\x3b\x37\x91\xc1\xde\xce\x0e\xbc\xe6\x7c\xc4\x5b\xcb\xa2\x99\xbb\x89\x2c\x9d\x19\x50\xbf\x33\x5e\x95\x4f\xd3\x03\xc6\x5e\x1a\xfe\xc4\x8a\x3d\x3e\x10\xa4\x04\x35\x2a\x13\x02\xef\xce\xbe\x12\x54\xeb\x2b\x25\xd6\xf4\x50\xb2\x6a\x3f\x1b\xd7\xf5\x77\xe5\x4c\x95\xe5\x66\x11\x74\xd3\x27\x82\xfe\x6b\x11\x99\x65\x42\xfe\x1b\x97\x51\x39\x62\x88\xd2\x7a\x47\xe3\xc9\x8d\x1c\xc3\xf3\xab\x55\x8b\xa3\xe8\x2a\x6c\x3e\xd4\x84\x0f\x4e\x3d\x79\x36\x95\x73\xc3\x75\x34\x07\x3e\x79\xad\xfd\x23\x23\x83\x2b\x65\xe7\xa6\xc4\x5b\x72\x57\x91\x38\xe2\x26\x29\x1d\x27\x00\xda\xc3\xa1\xcc\x91\x61\x40\xf5\x4c\xb2\x8b\x34\x70\x85\x61\x89\x81\x25\x44\x36\x6f\x75\x7c\x0a\x29\x4e\xe2\xb5\xbf\x6c\x30\x8a\xd4\xdf\x23\x0d\x5a\x74\x3b\x8c\xf7\xa1\xf6\x4a\x30\x61\x98\x3f\x22\x38\x50\x26\x2c\x75\x74\xae\x48\x0a\x02\xf6\x8c\x04\x3b\xa7\xaa\x82\x2f\xf6\x45\xd4\xe4\x48\x2c\x14\xcb\xb5\x8c\x15\xf6\x5c\x98\xd1\x69\x2f\x93\x9d\x0d\x95\x58\x50\x45\x42\x4a\xbe\x5e\x58\x65\x14\x77\xf9\x1d\x0c\x1d\xaf\xb3\xf3\x3a\xf9\xe6\x9b\x79\x4e\x13\xeb\x0c\x42\x9d\xe9\xb9\x2b\xbc\x5f\x92\x82\xa2\xe6\xc9\x11\x9f\x6f\xd8\x60\x3f\xe1\x1a\xf2\xd5\x16\xc9\xa7\xad\x38\xe3\x33\x7b\x96\x9c\x3d\x95\x93\xf0\xd4\xac\x95\xc4\x4e\x7f\x47\xe8\x10\xf6\x97\x0a\x1a\x6f\x18\xf2\x09\xfe\xdc\x35\x65\x6d\xc5\xc5\x36\xb0\x39\x6a\xed\xaf\x83\xca\x46\x65\x5e\xdc\xc4\x08\x8c\x6f\xcf\xfa\x68\x9a\x87\x83\x09\xc1\x76\x7b\x21\x87\xc9\xb5\xfa\x57\x5e\xfd\x80\xe
0\x57\x4a\x57\x76\x73\xb4\x5e\xda\xc8\xb1\xc9\x12\xce\x60\xcd\x18\x29\x0d\x31\x02\x5c\x80\xeb\xa3\xd9\x97\xe4\x79\x2b\xe2\x3a\x49\xc0\x09\x4e\xe2\x85\x48\xfa\x33\x27\x5e\x6c\x28\x0b\xb6\xe0\xa0\xaa\x8e\x79\x04\xc6\x41\xcb\xcb\x3d\x99\x49\x46\xf0\xe4\xc6\xd6\xb1\x91\xd3\x46\x53\x64\x79\x3a\x69\x7f\x2c\x25\xd1\x30\x92\x3c\x79\x9a\x3a\x8d\x71\x69\xa3\x7a\xc2\x9b\xdd\xfb\x76\x6d\x51\x30\xb5\xe4\xbd\x43\x97\x8a\xad\x35\x49\x05\x2c\xf6\xf5\x64\x76\x80\x52\x03\x23\x46\xae\xf8\xf5\x84\x4b\x97\x04\x84\x2c\x0f\x1f\xa7\xd2\x6c\x69\x71\x88\xc0\xe8\x64\x16\x58\xd6\xd2\x99\xa6\x1f\xf1\x40\xa4\xb9\x4f\x04\xf6\xec\x06\xff\xca\x6e\x57\x4b\xdd\x60\x03\x72\xed\x5d\x16\x6a\xee\xae\x4f\x24\xe1\xec\x3c\x21\x2f\x05\xaa\x85\x37\xf0\xab\x83\x1e\x47\x2f\x32\x16\x4a\x08\x87\xc6\xf4\xe4\x25\x32\x56\x5f\x05\x5a\x8c\xd4\x35\xe9\xcc\x91\x08\x96\x7e\x42\x2c\x6d\x0e\x74\x06\x33\xc9\x77\x84\x71\xef\xa8\xa4\x4a\xb5\x5a\x06\xbd\xb6\xb8\x17\xf8\xa6\xcc\x55\xd5\x2a\xce\x6e\xc4\x38\xad\x4f\xbe\xe7\xc6\x4e\x00\xfc\x65\xc7\x6a\x36\x16\xc3\x5f\xb7\x1b\xb6\x08\x4f\x44\xf8\x08\x3d\xff\x56\xd7\x71\xe1\xd3\x23\x58\x4b\x82\xf1\x05\xe0\xa2\x11\xce\xae\x9a\xfc\x0f\x5e\x61\xa2\x64\x94\x76\x44\x0c\xf6\x8d\x9a\xbf\xfb\x48\xde\xcd\x0e\x8d\x2e\xd1\x09\x07\xd3\x5e\x39\x0d\xaa\x1e\xef\x83\xda\xc8\xab\x44\xe2\xac\x58\x86\xf6\x23\x5f\x6b\xd7\xb6\x9f\xf3\xc0\x98\xb5\x58\x89\x49\x08\xd4\xcd\x28\x24\x7f\xb6\xec\x4b\xb5\xb1\x63\xf6\xb2\xee\xf3\x86\xe7\xce\x26\xde\x75\x9b\xd6\xe2\x4e\x46\xaa\x2b\x38\xf0\xa4\xe6\xa4\x78\x5a\xf1\x4b\xd6\x03\x5a\x32\x6c\x29\xaf\x21\x5a\x4c\x1c\x45\xae\x76\x7b\xd7\xe6\xdb\x1b\xae\x69\xbe\x04\x5e\xf0\xb1\xeb\x39\x34\xac\x5e\xbe\x3a\x4c\x1d\xd5\x9b\xb9\x60\x53\xbe\xeb\x55\x61\xb5\x21\xc4\x78\x52\xd9\xa2\xc6\x6c\xfa\xf8\x2c\x2a\x01\x6e\x5d\xe7\x29\xea\x0e\x0c\xe4\xf9\x80\x85\x79\x2b\x5e\x5a\x80\x2c\xd7\xfb\xac\x9e\xf3\x8e\x20\x3e\xbb\x36\x51\xf1\xb3\x0a\xf6\xea\x29\xfa\x17\x9f\x8b\x19\x26\x41\x60\x4b\xe0\x29\x29\xda\xff\xad\xd6\xc9\x7b\xa4\xcd\x56\x79\x0c\xc2\x43\xd0\x47\x0e\xb8\xc1\xae\x78\x12\xda\x6
6\x6b\x0b\x32\x9f\xb3\xf0\x4f\x78\xe2\x5a\xd1\x7b\x4b\x39\x78\x13\x82\xad\x93\x7e\x08\xad\x34\x48\xb6\x32\x38\x18\x5b\x98\x22\x42\x19\x0f\xd1\xe4\xad\x8f\xbb\xa5\x5d\x6a\xbf\x96\xe0\x16\xe1\xd9\x8d\x37\xd5\x1c\x2e\xe1\xe4\x1f\x54\xf8\xac\x7e\x03\x8e\x36\x16\xf5\x69\xd0\x24\x69\x0e\xa3\x03\xbe\xc6\x98\xbe\xb9\x8b\x9e\xa4\x9f\x6b\x87\xe3\xf7\x10\x49\x97\xa6\xad\x7d\x33\xdb\x8f\xb7\x9a\xda\x8c\x5f\x7f\x54\xee\x17\xf7\xb3\xd8\x6a\xa1\x53\x2b\x43\x9c\xd8\xde\x90\xb5\xfd\x7f\xc3\x32\x56\x80\x06\x1d\x93\x19\xd1\x83\x5e\x60\x3f\xaf\x79\x33\xbf\xd6\x0d\x73\x39\x65\xf0\xf2\x5a\xdf\x39\x45\x09\x2b\xb9\x9e\x95\x34\x66\x02\xfa\xf6\xaa\xbe\xb3\x3c\xbc\xa3\xb2\x19\xb4\xf8\xaf\xaf\xe8\x25\xc6\x62\x7c\x0c\x7b\x00\xc3\x38\x75\xb6\x9d\x01\xc0\x8b\x90\xe6\xfa\x64\xf0\x9b\x42\x93\x2e\x1c\xcc\x9b\x3d\xa3\x67\x71\x66\x7d\x5b\xb7\x53\x1a\x2a\xc1\x74\xbc\x41\x2d\xff\xad\x7c\x6f\x8f\xd4\xda\xd3\x30\xfb\x41\x5a\x97\xe8\x13\x6c\xd5\xc0\xbb\x7d\x00\xd2\xb2\xc9\x56\x93\x6c\x9f\x5f\x74\x7e\x3c\x9a\x36\x1d\x79\xd0\x48\xcb\x3f\x52\x8f\x18\x7f\x9b\xba\x5d\x78\xd7\x30\x9b\x1b\x25\x6f\xbb\x34\x9c\xd5\x29\x45\x54\x1a\x5a\x57\x80\x9f\x2d\x71\xa8\xe8\x05\x57\xb2\x3b\xe4\xfb\x31\xca\xdd\xc5\x95\x53\xb6\xbc\x0f\xaa\x16\x5e\x4a\xb1\xf8\x27\x9c\xa6\xe3\x07\xce\x79\x20\xc4\x3b\xdb\xad\xec\x04\xef\x8b\xe7\x0d\x57\xaf\x59\x8d\x1d\x8a\x89\x6a\x09\x52\xb2\x3c\xba\x46\x4e\x0e\x9b\x36\x25\xf9\x93\xdc\x12\xc8\xf7\x74\xe8\x7d\xa0\x51\xec\xa4\x9b\xd1\x4e\x4e\x2e\x27\x0c\xf7\x5d\xc8\x34\x3b\x2a\xd4\xb0\xa2\x17\x8c\xb5\x57\xc6\xd0\xeb\x1a\x0b\x23\xed\x92\x58\x0c\xe5\xad\xa7\x8c\x2b\xb1\x0d\xdd\x25\xd4\xbb\x14\x7d\x61\xa0\x0f\x5e\x1d\x1d\x5c\x88\x8d\x47\x42\x4c\x04\xde\x7d\x41\x38\x4e\x2c\x68\x8a\x57\x35\x8d\x05\x81\x4a\xd9\x17\x13\x5a\x80\xec\xcd\x1d\x1f\x14\x72\x42\xa5\xda\x4d\xad\x08\x38\x32\x2e\x9a\x2f\xa5\x31\xfb\xb6\xb0\x83\x2b\x67\x00\xf8\x72\x79\x84\x6c\xe2\x33\x16\x79\xb8\x2f\x04\xfe\x1b\xe1\xe8\xce\x9f\x61\x0b\x63\xff\x30\xad\x0b\x76\x97\x78\x17\x73\x9a\x29\x5c\x9e\xc9\xdc\xf1\x1f\x81\xa6\x76\x19\x40\x73\x04\xc
1\xd5\x94\xc5\x19\x6d\xb1\xbd\xeb\xfe\x03\xf2\x2a\xda\xac\x92\x53\xd7\x53\x96\x71\x38\xbc\x9d\x2c\xf4\x73\x54\x91\xd2\x74\x5c\x23\xe5\xd2\x29\xc7\x46\x27\xdd\x19\x1b\xc6\xc0\x38\x51\x39\x14\xdb\xdc\xfa\xcb\x8b\xcb\x28\x14\xdc\x52\x5e\xda\xd8\x89\x52\x09\x99\xfc\xe6\x44\x69\xc6\x06\x94\x40\x59\x61\x51\x84\x41\xc3\xe8\x44\x53\xaf\xa3\x49\x9e\x3a\x89\x83\xb5\x7f\x94\x59\x3e\x86\x64\x71\x9d\x5e\x65\x98\x42\x2b\xb8\xcb\xc5\x16\x20\xb2\x59\x41\x3b\xea\x16\x49\x0b\xbe\x6c\x9a\x72\xbf\x21\xf6\xb4\xd4\x99\x37\x1a\xd9\xfc\x82\x77\xdd\x3f\x2f\x75\x23\xcc\x5e\x6c\xee\xbf\x74\xfc\x39\x44\x13\x6b\x2d\x56\xda\xa2\x04\x03\x74\x31\x9a\x1c\x83\xc3\xbb\x0c\x96\x2d\x32\x1d\x80\x39\x17\x0b\x98\xb6\x04\xc8\xed\x42\xc5\x96\x31\x4a\x01\x13\x9c\x9d\x36\xcc\xd6\xf2\xcb\xd3\x11\x3b\x2c\x9d\x4e\x19\xf0\x86\x94\x46\x36\x10\xa3\x68\xf8\xac\x74\xf2\x97\x94\xf1\x45\x60\xe0\xa3\xd4\x81\xc6\x73\x41\x0a\xd9\x46\x65\x81\xaa\x2a\x33\x4f\xf3\x80\xa1\x00\xfb\x04\x9a\xd8\x19\x6e\xb4\x78\x4e\xa1\xbe\xdc\x13\x9a\x70\x54\xf1\x8a\x8d\x44\xbc\xa0\xa3\xd0\x12\x2f\x5d\xc3\xa1\xc4\xd2\x9b\xde\x35\xe3\x32\xbd\xf2\x8c\xb9\xb9\x85\x43\xad\x3e\x33\x14\x3a\xf8\x79\x03\xb5\x62\x4f\x62\x30\x55\x98\xde\x27\x58\x33\x20\x8e\xc8\x37\x06\x82\xad\x9f\x0f\x9a\xc6\x4c\x43\x90\x44\xa2\xde\x30\x33\x46\x87\x34\xf4\x92\x66\x13\x88\x59\x69\x5b\x60\xa6\xfb\x45\xd7\x94\xb8\x71\xc1\x9c\xbe\xdf\x59\xb7\x64\x45\x3b\x78\xcf\xea\xd4\xc5\x01\xb1\xf8\xc0\xff\x82\x7b\x70\x29\x73\x92\x69\x7a\xdb\x13\xce\xff\x2f\x13\x9b\xff\x3b\xa2\x38\x79\x8a\x07\xfe\x5f\x55\xa0\xef\x5b\x75\xcc\xb4\x98\xbb\x89\x43\xba\xb4\xa6\x71\xf1\x25\xfb\x06\xf2\xe5\x9f\x77\xfd\xb0\x2c\xb2\x3e\x86\x87\x56\x8d\xc0\xd5\xc4\x86\x09\x94\xa3\x7c\xca\xb3\x65\xd7\xa7\x08\x03\xc6\xa6\xf4\x8f\x5b\x3f\xf1\xcb\xdd\x51\xd8\x96\x1f\x97\x3c\x70\x33\x75\xd2\x52\xe6\xc5\xa0\xff\x13\x3b\x59\x72\x43\x13\xf9\x88\x84\x1b\xd6\x1e\xc2\x97\x67\xa4\x60\x8a\x5b\xc4\x5b\x10\x4e\x4f\xc9\x82\x61\xe4\x54\x0a\x10\x38\x2a\x49\x5d\x64\xdd\x5f\x6c\x03\x90\x66\xd9\xd3\x58\xef\xb1\x66\x71\x17\x8e\x88\x4f\x0
7\x0a\x07\xfd\x02\xa0\x0b\x63\xb7\xf5\x75\xf6\x42\xbf\x91\xee\xc3\xbb\x90\xdb\xa9\xa2\x1d\xf3\x17\x9c\xf1\x2e\xa9\x52\x5d\x09\x74\xd6\xfc\x44\xbf\x69\xfc\x54\xf8\xa5\xff\x98\x67\x06\x67\x8d\x7c\xe0\x6c\xce\x44\xdf\x29\x74\xb9\x66\xe6\x7a\xca\x31\x4e\x0b\x58\xac\xc4\x15\x54\xa4\x42\xef\x35\x87\xab\xba\xf1\x82\x95\xec\xa5\x9c\xa8\xa1\x0e\xdd\x3f\xbd\x1f\xac\x0b\x06\x01\x3d\xe5\xf7\x33\x37\x51\xc5\x7d\xeb\x4d\xae\xf9\xe4\xc5\x5e\x93\x74\x1e\xd1\xd2\xf7\xf9\x63\xcd\xed\xc6\xef\xdb\x5d\x8b\x14\xd7\xd6\x12\xe2\x61\x2f\x30\x96\x6f\x4e\x67\x60\xd1\xa4\x6f\xbe\xe5\x0d\xcc\xff\xc0\xb2\xe5\x17\x7b\x1c\x60\x27\xad\xae\xe0\x90\x75\xb6\x55\xcf\x85\xdd\xbb\x4e\x44\x83\xd5\xde\x7b\x38\xa9\x10\xf9\x96\x71\x1c\x05\x8c\x1b\x97\xe6\x21\x27\x48\xc8\xcc\x7d\xe8\xcf\x7a\x56\xaf\x75\xe2\x91\x86\x7c\x26\x88\xe9\x99\xc6\x55\x3d\x7a\xaf\x3d\x2f\x62\xc2\xf5\x3b\xf8\x8c\xf2\x04\x40\x07\xdb\xe9\x29\x85\x65\x31\xb0\xad\x6b\x48\xa6\x11\x8b\xf3\x5c\xce\x82\x7e\x5d\x0c\xd2\xa1\x9b\x3f\xc3\x73\x95\xe1\xce\xd2\x13\x7f\x0c\x72\x6f\x5c\xc9\x91\x33\x3a\x0f\x07\x94\xda\x0b\x6d\x75\x73\x74\x21\x7e\xae\xbc\xbb\x6d\x87\x43\x1f\x08\x9a\x57\x10\x2c\xa5\x37\x3b\x8d\x73\x0a\x92\x02\x60\x59\xc6\xa8\x80\x94\xe9\xc6\x29\xd8\x1e\xcc\xf8\x6b\x4e\x8f\x09\x1d\x32\x55\x63\xd1\xf4\x01\x6c\x97\x97\x2c\x58\x4b\xc7\x6d\x1f\xb4\xed\x94\xb7\x21\x34\x4d\x00\xcc\x67\x24\xf5\x64\x9d\xfe\xd8\x4d\xc5\x11\x58\x3e\x1a\x08\xa4\x3c\x24\x09\x93\x41\x72\xff\x3f\x0d\xfc\x93\x99\x6b\x84\x79\xc0\x50\xdc\x19\x30\x9a\xa9\x98\xf7\x09\xed\xa3\xb3\xcf\x80\x6b\xec\x71\x7e\x17\x18\xb8\xcc\x10\x06\x0b\x33\x5c\x46\xf1\x7c\x52\x2a\xc0\xbb\x69\x6f\xb4\x39\x3a\x94\x50\xbe\x5f\xa7\x55\xea\x0d\x71\xb3\x0a\x84\x31\x51\x5c\x44\x63\x90\x15\x4b\xc2\xa4\x95\x1b\x3f\x15\xf4\x19\xce\x20\xb0\x30\x2b\xd9\x00\x25\xd8\x3c\x47\xa0\x18\xf6\x88\x6a\xb1\xfb\xb7\x57\x7d\x5c\x06\x6b\xab\x23\xd8\x41\x89\xcc\xff\x63\x40\xa3\xca\x41\xdf\x5c\x6d\x99\x4b\x26\xb8\xfc\x34\xc6\x90\xdf\xb2\x29\xc8\x37\x60\x22\x4b\xdc\xe8\xe8\x67\xd1\xf5\xa0\x97\x73\x6d\x3f\x19\xd8\x22\x9f\x91\x4
3\xac\x03\x70\x93\xd4\xcc\x32\xab\x10\x4b\x58\x28\xf1\xcc\x84\x49\x5a\x68\xd7\x67\xb7\xfb\xd7\x25\xd4\x34\x71\x9a\x36\x01\xb5\xfb\x23\x36\x4a\x5e\x41\x51\xc6\xf9\x15\xce\x53\xf7\xde\xbb\xb9\xf1\x5b\x81\x1c\xb0\x2b\xb8\x73\x94\xff\xb6\x1e\x8b\x8a\xe5\x74\x9d\xc7\x43\x2b\x51\x6b\x8a\x62\x79\x90\x53\x7b\x9c\xdf\xd2\xa0\x94\x39\xb7\xdc\x04\x39\x97\xe0\xf5\x90\x36\xab\x34\x70\xaf\x1b\xc7\x67\x10\x11\xe5\xb4\x72\xe3\xf6\xad\x45\x6b\xa7\x06\xd5\x50\x66\x1c\xbc\xf6\x10\x7e\x9b\x7e\xe4\x9a\x82\x05\x2d\x90\x1b\xb7\x9f\xb1\x8d\x82\x21\x6a\xee\xfa\x2e\x76\x39\x0f\x80\x94\x3c\xc8\x56\xa0\x08\xc7\x25\x6b\x84\xd8\x85\x7f\xa6\x34\xad\x7d\xd4\x50\x13\x86\xbb\xab\xe2\x38\xa5\x8a\xec\xb7\x7a\x0d\xe5\xff\xaa\xa5\x63\xa1\x96\x8b\x72\xb9\x2b\xa5\x8d\x1a\x1e\xf6\xf9\xed\x04\x9f\xf3\x8b\x7f\xc3\x42\x27\x46\x16\x31\xfe\xc6\x53\xe7\x81\xf1\x57\xec\x73\x86\x36\x2b\x66\x77\x8a\xfc\x89\x82\xcd\xae\x50\xe1\x29\xf4\x32\x9b\xfe\x35\xcd\x9d\xa3\xd5\x75\x22\x04\xfa\x72\x75\xcc\xbc\x01\xab\xf8\x5c\x6c\xf3\xab\x9e\xab\xb2\xea\x7a\x1c\x77\x9e\x67\x3d\x0f\x95\x16\xb1\x85\x15\x4d\xc8\x3c\xc5\xf6\x93\x70\xe3\x14\x19\x8b\x7f\xa8\x3c\xe5\xc5\xc9\x1c\x2c\x50\xe5\x44\x89\xb3\xa6\x70\xa3\x30\xa4\xe4\x9f\xca\x51\x7c\x83\xa9\x53\x2c\xbc\x7e\xdc\x84\x0c\xd0\x10\xb3\x7e\xcc\x75\x37\x45\x30\x16\xed\x1a\xb4\x45\xe4\x5f\xc1\x23\x8b\x14\xe2\xf8\xf9\x31\x66\xcb\xf7\xd3\x8b\x85\x28\xba\xa0\xfa\xd3\xe9\xe7\x6f\x4b\x32\xee\xbb\x60\x52\x68\x81\x62\x0b\xca\x5b\x11\xac\x06\x3d\xbe\x21\x69\xe5\x43\x78\x43\xf6\xd2\xd4\x86\x85\x5a\xd5\xf1\x92\xb2\x68\xb2\xf3\xeb\x25\xde\xea\xbd\x2d\xe8\x9c\x48\xba\x28\xf1\xee\x2c\x84\x65\x86\x56\xc3\x37\x33\x9b\x53\xac\xf9\x88\xba\xf2\x9a\xc5\xc9\x19\x9e\xc7\x91\x2b\x28\x94\x09\x34\xbc\x02\xb1\x31\xd1\x46\x13\x54\x62\x6b\x69\x08\x35\xba\x09\xab\xaf\xa0\xca\x7f\x51\x55\x79\xe5\x33\xc4\xbb\xfd\xa2\xbc\x9f\x2f\xae\xdd\x35\x38\xce\x8c\x1e\x36\x06\xea\x98\x39\x5e\x0f\xf8\x84\x92\x04\x5f\x47\xcc\xa8\x5f\x4a\xf1\x6f\x95\x0a\xbb\xf3\xf2\x22\x9d\xe5\x8e\xa2\xb4\x56\x92\xd4\xba\x84\x3e\x70\xe5\xae\xed\x2
9\xf6\x88\x07\x13\x8a\xaf\x5c\x99\x4b\x30\xd4\x73\x11\xeb\xb9\x69\x10\x76\x77\xdc\xf0\x07\xf6\x4d\x0b\x32\xc3\x60\x0c\xd3\x2b\xd4\x2c\xa6\x9e\xe4\x6d\x78\x6c\xf0\xcf\x94\x96\xbc\x51\x60\x2c\x98\x9f\xc5\x4f\x76\xc4\xd3\x83\xce\x41\x4a\xf4\x5f\xc9\x48\xe5\xb9\x71\xe3\x02\x0a\xf4\x47\xc5\x89\xb0\x99\x56\xc9\x03\x3d\x09\x04\xd6\x44\x5d\x7e\x9f\xff\x7c\x90\x39\x39\xf7\x9c\x2d\x4c\x30\xb6", 4096); *(uint64_t*)0x200000004ad0 = 0x200000004a40; memcpy((void*)0x200000004a40, "\x88\x4f\x38\x13\x09\x89\x6a\x88\x17\x38\x89\x99\x4e\x74\xc6\x06\x94\xf7\xba\xa4\x5b\xe0\x88\xe5\x9b\xc3\xe9\x39\x72\x82\x57\xe8\xd2\xdb\x71", 35); res = syscall(__NR_shmctl, /*shmid=*/6, /*cmd=*/0xcul, /*buf=*/0x200000004a80ul); if (res != -1) r[10] = *(uint32_t*)0x200000004a88; break; case 19: *(uint32_t*)0x200000004d40 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000004c40ul, /*optlen=*/0x200000004d40ul); if (res != -1) r[11] = *(uint32_t*)0x200000004c74; break; case 20: *(uint32_t*)0x200000004e00 = 7; *(uint32_t*)0x200000004e04 = 0xee00; *(uint32_t*)0x200000004e08 = -1; *(uint32_t*)0x200000004e0c = 8; *(uint32_t*)0x200000004e10 = 0x80; *(uint32_t*)0x200000004e14 = 5; *(uint16_t*)0x200000004e18 = 0xfffc; *(uint32_t*)0x200000004e1c = 1; *(uint64_t*)0x200000004e20 = 7; *(uint64_t*)0x200000004e28 = 5; *(uint64_t*)0x200000004e30 = 0xbed1; *(uint32_t*)0x200000004e38 = r[5]; *(uint32_t*)0x200000004e3c = r[7]; *(uint16_t*)0x200000004e40 = 1; *(uint16_t*)0x200000004e42 = 0; *(uint64_t*)0x200000004e48 = 0x200000004d80; *(uint64_t*)0x200000004e50 = 0x200000004dc0; memcpy((void*)0x200000004dc0, "\x05\xc9\x21\x56\x87\xa3\xff\x17\x47\xca\xe5\xc1\x8c\xb1\x86\xed\x5c\x62\x98\x43\x37\xf9\x0f\x0a\xb5\x94\x8e\x21\xc6\x3d\x16\x86\xf1\xda\x14\x59\xa8\x97\x18\xa9\xf8\x49\x30\xb8\x92\xc2\xad\x4d\xe6\x1f\x71\x4a\xb8", 53); res = syscall(__NR_shmctl, /*shmid=*/5, /*cmd=*/2, /*buf=*/0x200000004e00ul); if (res != -1) { r[12] = *(uint32_t*)0x200000004e04; r[13] = 
*(uint32_t*)0x200000004e08; } break; case 21: *(uint32_t*)0x200000004f00 = 7; *(uint32_t*)0x200000004f04 = -1; *(uint32_t*)0x200000004f08 = -1; *(uint32_t*)0x200000004f0c = 1; *(uint32_t*)0x200000004f10 = 0; *(uint32_t*)0x200000004f14 = 0x98; *(uint16_t*)0x200000004f18 = 4; *(uint64_t*)0x200000004f20 = 0x200000004e80; *(uint8_t*)0x200000004e80 = 6; *(uint64_t*)0x200000004f28 = 0x200000004ec0; *(uint8_t*)0x200000004ec0 = 5; *(uint64_t*)0x200000004f30 = 0xc; *(uint64_t*)0x200000004f38 = 0x1ff800000; *(uint64_t*)0x200000004f40 = 8; *(uint64_t*)0x200000004f48 = 0x7f; *(uint64_t*)0x200000004f50 = 3; *(uint16_t*)0x200000004f58 = 0x101; *(uint16_t*)0x200000004f5a = 8; *(uint16_t*)0x200000004f5c = 0x1000; *(uint32_t*)0x200000004f60 = r[5]; *(uint32_t*)0x200000004f64 = r[8]; res = syscall(__NR_msgctl, /*msqid=*/4, /*cmd=*/0ul, /*buf=*/0x200000004f00ul); if (res != -1) { r[14] = *(uint32_t*)0x200000004f04; r[15] = *(uint32_t*)0x200000004f60; } break; case 22: *(uint32_t*)0x200000005080 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/(intptr_t)-1, /*level=*/0x29, /*optname=*/0x22, /*optval=*/0x200000004f80ul, /*optlen=*/0x200000005080ul); if (res != -1) r[16] = *(uint32_t*)0x200000004fb4; break; case 23: *(uint32_t*)0x2000000052c0 = 8; *(uint32_t*)0x2000000052c4 = 0; *(uint32_t*)0x2000000052c8 = 0; *(uint32_t*)0x2000000052cc = 0x7f; *(uint32_t*)0x2000000052d0 = 5; *(uint32_t*)0x2000000052d4 = 0x80000001; *(uint16_t*)0x2000000052d8 = 0x43; *(uint32_t*)0x2000000052dc = 7; *(uint64_t*)0x2000000052e0 = 2; *(uint64_t*)0x2000000052e8 = 0; *(uint64_t*)0x2000000052f0 = -1; *(uint32_t*)0x2000000052f8 = 0xf; *(uint32_t*)0x2000000052fc = r[7]; *(uint16_t*)0x200000005300 = 2; *(uint16_t*)0x200000005302 = 0; *(uint64_t*)0x200000005308 = 0x2000000050c0; memcpy((void*)0x2000000050c0, 
"\xbc\xc4\xb5\xd8\x6e\x91\xb0\x2b\x73\xe1\x6c\x46\x65\xdc\x30\x88\xf7\xcc\x98\x26\xda\x78\x07\xf9\xa8\x30\x0d\x9d\x89\x80\xde\x67\xa1\xa2\xa1\x53\xe9\x54\x66\xe7\x6d\x2c\x38\xc4\x15\x58\xc0\x8e\xfe\x37\xee\x81\xd9\x90\x46\x74\xce\xd8\x6d\xda\x9b\x2b\x6c\xc7\xc9\x7b\x19\x97\x58\xbe\xf8\xd9\x2d\xd2\x0e\x0e\x69\x86\x4d\x6f\xcd\x03\xa8\x0c\xa0\x12\x01\x9c\xf4\x1e\x51\x66\x47\x50\x38\xfc\xd3\x60\x33\x84\x36\xe7\x82\x7e\xf7\x30\x46\x91\x87\xe6\xa4\x95\xf5\xbf\x01\x8e\xe7\xca\xa7\x1c\x80\x4a\x38\x67\x56\xc3\x24\x2b\x30\xec\xa0\xb8\x41\x16\x6d\x78\x39\xe9\x4a\x56\x39\xd0\x8f\xbc\x06\xda\xc1\xf8\x61\x49\x44\x56\xd8\xd1\x53\xde\x7f\xc3\x03\x87\xd4\x52\x30\x4e\x7c\x30\x69\xbb\xfb\x42\x43\x91\xd0\x4f\xab\x12\x03\x7c\x6d\x6a\xe6\x02\x5d\xf8\x69\xfa\x3a\x45\xe0\x31\x48\xc2\xdd\x05\x2c", 195); *(uint64_t*)0x200000005310 = 0x2000000051c0; memcpy((void*)0x2000000051c0, "\x0b\x7d\x67\x85\x2a\x6f\x3d\x89\x68\xf4\x76\xad\xad\x16\x72\xe6\xdc\xfc\xeb\xe8\xe6\x24\x9d\x8c\xc7\x2d\x1a\x05\xc2\x8a\xcd\x3d\xed\xa6\x43\x14\x81\xc8\x8e\xe1\xc2\xc0\x99\x44\xee\x73\x33\xd9\xd1\x6b\x3f\x9b\xd1\x86\xbe\x36\x21\x0e\x7e\x52\xfd\xac\x24\x09\x97\x73\xc0\x7a\xf6\xf1\xa9\x40\xe4\xba\xec\x3a\xda\x47\x66\xe3\x80\x14\xad\x52\x7a\x5d\xf7\x7c\x90\x61\xc5\xa4\xca\xcc\xc4\x8b\xcf\x15\x62\x20\x7f\x8d\xb0\x4d\x60\x8a\x82\x3c\x71\x97\x9b\xda\xf7\x02\xb9\xa6\xec\x8f\x62\xf2\x3d\x31\x6b\x69\xa8\xe4\x0f\x1c\xd7\x92\x58\x5f\x34\xd8\xff\x6c\x70\x56\x41\xdb\xc0\x9a\x02\x45\xef\xad\x32\x6c\xa8\x4d\x8c\xa3\x9d\x29\xcc\x33\xa4\xa3\xfb\xe7\x6c\x24\x0d\x05\x5e\x26\x1e\x16\xd6\xbb\x5d\x9c\x23\x1f\xe3\xc9\xe8\x4f\xe5\x95\x65\xbe\xfc\x53\xfe\x9d\x11\x9e\xb5\x0c\xe0\x4e\x6e\x3c\x1d\xf2\x16\xae\x69\xc3\x13\xd8\x0b\xb6\xa7\x7e\x21\x9b\x94\x51\x65\x72\xee\xaa\x39\x8b\xfe\xa6\x49\x33\x5a\xe8\x11\x4c\xb0\x57\x42\x36\xf4\x61\x31\x67\xd9\x75\x8b\x53\xb6\x6c\xb6\xba\x75\xd7\x5a\xf9\x2f\x3c\x6e\x63\x8b\x82", 250); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/5, /*buf=*/0x2000000052c0ul); if (res != -1) { r[17] = 
*(uint32_t*)0x2000000052c4; r[18] = *(uint32_t*)0x2000000052c8; } break; case 24: memcpy((void*)0x200000005340, "./file0\000", 8); *(uint64_t*)0x200000005380 = 0x355; *(uint64_t*)0x200000005388 = 0x100000001; *(uint64_t*)0x200000005390 = 5; *(uint32_t*)0x200000005398 = 7; *(uint32_t*)0x20000000539c = -1; *(uint32_t*)0x2000000053a0 = 0xee01; *(uint32_t*)0x2000000053a4 = 0; *(uint64_t*)0x2000000053a8 = 7; *(uint64_t*)0x2000000053b0 = 2; *(uint64_t*)0x2000000053b8 = 2; *(uint64_t*)0x2000000053c0 = 6; *(uint64_t*)0x2000000053c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000053d0 = 7; *(uint64_t*)0x2000000053d8 = 4; *(uint64_t*)0x2000000053e0 = 0xfff; *(uint64_t*)0x2000000053e8 = 0x17b; *(uint64_t*)0x2000000053f0 = 0xffffffffffff27a1; memset((void*)0x2000000053f8, 0, 24); res = syscall(__NR_stat, /*filename=*/0x200000005340ul, /*statbuf=*/0x200000005380ul); if (res != -1) r[19] = *(uint32_t*)0x2000000053a0; break; case 25: *(uint32_t*)0x200000006480 = 7; *(uint32_t*)0x200000006484 = 0xee00; *(uint32_t*)0x200000006488 = 0; *(uint32_t*)0x20000000648c = 0; *(uint32_t*)0x200000006490 = 7; *(uint32_t*)0x200000006494 = 8; *(uint16_t*)0x200000006498 = 0x3ff; *(uint32_t*)0x20000000649c = 0x10; *(uint64_t*)0x2000000064a0 = 2; *(uint64_t*)0x2000000064a8 = 8; *(uint64_t*)0x2000000064b0 = 0x7fffffff; *(uint32_t*)0x2000000064b8 = r[8]; *(uint32_t*)0x2000000064bc = 0xffff; *(uint16_t*)0x2000000064c0 = -1; *(uint16_t*)0x2000000064c2 = 0; *(uint64_t*)0x2000000064c8 = 0x200000005440; memcpy((void*)0x200000005440, 
"\x4c\xf7\x7c\x89\xa8\xa3\x6d\x9b\x71\xd1\x6c\x43\xca\x99\xca\xec\x65\x90\x56\x4d\x89\x51\x86\x4c\xcc\xc3\x48\x10\x2a\x77\x79\xcd\x97\xd9\x51\x00\x3a\xe8\x76\xa9\xa0\x30\x1c\x11\x86\x7f\xf6\x43\x2c\x9c\x54\xbd\x04\xee\x43\x3f\xce\x5f\x5d\xb9\xeb\x71\xb7\x62\x21\xd2\x84\xc7\x8d\xc7\xdb\x27\x84\x0c\xa0\xb1\xe9\xa5\xa1\x19\xf0\xd7\x4f\xf6\x48\x5b\x52\xa9\x86\xa6\x71\x7f\x3c\xfd\x72\x6d\x0a\x6a\x03\x8b\xed\x21\x89\x34\x4a\x3d\x14\xc2\xf1\x19\xbf\x2e\x54\x3f\xe4\xe7\x16\xbc\x4c\x5b\xec\x83\x76\x7d\xa2\xf9\x7d\x1c\xce\x4b\x26\x96\xbc\x5f\x99\x89\xfd\x42\xdc\x97\xa0\xc1\x6c\xdc\x2f\xa9\x67\xad\xaa\xa2\xba\xc7\x30\xe2\xcb\xda\x74\x4d\xc3\x12\x1e\x3f\x01\x5b\x66\xea\xe8\x91\x56\xb2\x62\x63\x9f\x95\xbb\x01\x4a\xba\x78\xbf\x2a\x48\x01\x49\x9b\xf3\x82\x68\xd7\x7d\x99\x49\x4a\xef\x48\x6b\x9b\x38\x8a\x1e\xba\xcb\x4b\x77\x1a\x52\xbf\xa2\x99\x90\xe9\x36\x18\xaf\x03\x76\x2f\x95\x3e\x34\x80\xfe\x01\xdd\xe9\x2c\xa7\x83\x5c\xcd\x5e\x88\x64\xdb\xc9\x10\x0d\x25\xc4\xfa\x63\x2c\x9f\xeb\xdd\xfd\xb1\xe7\x7f\x1b\xcd\x76\x79\xea\x46\x89\xd2\xc8\x50\x4e\x50\xaf\x69\x52\xc8\x89\xd3\x28\xc1\x2c\x66\xc9\x0d\x8e\xad\x36\x92\x70\xd9\x4e\x5a\xa3\x42\xfb\x23\x87\xdc\x7c\xfe\x6e\xde\x70\x54\x64\x98\x5f\x30\x1f\xeb\x34\xb0\x02\xcc\xef\xb8\x0f\xde\x10\xd9\xfc\x1c\xb3\x9b\x5f\x87\x75\x24\x98\x6d\xd1\x24\x47\xa7\xc9\x6f\x63\x50\x7c\xb4\xd8\x80\x68\xed\xfd\x77\x48\xfb\x2b\x66\x7a\xe1\xae\xdb\xb4\x16\x37\x75\x74\xd7\x0a\x3f\x6d\xe4\x6e\x4a\x3e\x5c\x14\x9a\x64\xa4\x36\x46\x66\xbd\x99\xfd\xb0\xe4\x13\xa1\x33\x5b\xa9\x32\x57\x5d\x1e\x92\x28\x50\x8d\x61\x4b\x66\x3a\xb1\x7a\xcb\x21\xb2\xac\x4d\x36\x18\xa6\x59\x43\x80\x4d\x5b\xa5\x2c\xbb\x04\x3a\x96\x19\x86\x12\x02\xb5\x05\x14\x0e\x48\x44\xb8\xce\xb6\xfa\xf5\x02\x42\x23\xd9\x63\x6c\xb0\xbe\x38\x4a\x4c\xc1\xdd\x3d\x4f\x35\x76\x29\x52\x1a\x07\x69\x84\x18\xdd\x1a\x97\xc3\x94\x17\x19\x6f\x86\x1a\xfb\x05\xbd\x70\x2f\x4c\xcd\xc3\xd4\x4b\x5a\x41\x93\x37\x8b\x93\x6f\x53\xc5\xc4\xb0\x9c\x98\x58\xbe\x95\xe3\x49\xba\xeb\x7e\xb4\xda\x30\x94\x00\xa4\xdb\xb0\x8a\x24\xd0\xbb\x3
7\x72\xbe\xe7\xa3\x87\x3c\xf8\xd7\x6e\x06\xdf\x6f\x7c\xe5\x91\xf4\x0b\xdc\x84\x9e\xa0\x4c\xad\xe8\x86\xf0\x75\xe1\x45\x8f\x02\x1f\x1b\x73\x0b\x0c\xb5\xc3\x28\xb9\x11\x41\x2a\xee\x96\x16\xab\x5f\xdc\x83\x1e\x34\xce\xa6\x9d\xe1\xa4\x08\x06\xaa\xfd\x4e\x64\xd3\xcd\x70\xc1\xa6\xc6\xf6\x36\xd3\xbb\x94\xc9\x95\x97\x7c\x59\x4f\x0f\x4e\x90\xd7\xae\xc4\x3f\xec\x4c\x8a\xa7\x07\xd0\x0d\xfa\x26\xff\x9d\xb8\xa4\x5e\x6a\xc6\x5b\x5e\x5c\xea\xc4\x3f\x78\xb5\x0f\x1e\x4f\x49\x4c\x85\x82\x7b\x3f\x0e\xa1\xf7\xa4\xfe\x3b\xbb\xd3\x90\xe3\x61\x66\x28\xed\x47\x70\xdd\x36\x66\x94\x89\x35\x13\xdc\x1c\xd2\x52\xd3\x88\x7a\x2f\x19\xa8\x46\xd1\x8e\xe7\xba\xf8\xb5\x68\x0e\x61\x80\x0b\xaa\xf0\x04\x18\x10\xa5\xa2\x1f\xe0\x6c\xba\x83\xe0\x62\x1b\x26\x26\xc3\xec\x5b\xa6\x2d\xfe\x1f\x94\xae\x16\x11\x4c\x9f\x89\xe8\x94\x58\xa0\x69\x22\x2b\x43\xb4\x50\x4d\xca\x5f\xd9\x69\xc0\x66\x66\xdc\xf9\x82\x43\x46\x31\x59\x7b\xab\xaa\xd4\x65\xcb\x73\x9e\x72\x83\x5f\x69\xad\x69\x9b\x0e\xfb\xe2\x16\xa1\x2c\xc1\x88\xd5\x4b\xeb\x66\x86\x1c\x78\xc8\x02\x25\x43\x8d\xeb\x75\xb3\xaf\x96\xa6\x0a\x08\x4e\x68\xed\xce\xca\x25\x2c\x22\x22\x5b\x4f\x3e\x56\xe9\x9f\x97\x6c\x2a\x08\x2a\x29\xf4\xa5\xbc\x3d\x0c\x25\x1f\x91\x22\xb5\x84\x66\x1f\x39\xbf\xd1\x8d\xfb\x9d\x57\xa5\x91\xc6\xd7\x01\x3b\x42\x0b\xd1\xe4\xc4\x7e\x80\x4c\xc4\x0e\xdf\xfa\x4d\xc9\x0c\xda\x1d\xe0\xa6\xe5\xf0\xd7\xa4\xd1\xc0\xa0\x2b\xf9\x25\x82\x90\x06\x43\xf9\x7f\x8f\x2c\xc1\x37\x68\x37\x4c\xc1\x36\x10\xf2\x7c\x3a\xb9\xd6\x93\x14\x79\xd0\x21\x5c\x4a\xd6\x69\xef\x80\x2e\x32\x92\x87\x88\xc5\x25\xf7\x52\xed\xae\x47\x7f\xf8\x9e\xa3\xf0\xc8\x7d\x9e\xc7\xeb\x1e\xf5\x12\xdc\xab\x10\x37\x28\x42\x91\x86\x13\x22\xf8\x72\xaa\x26\x1f\xa4\x67\x46\xed\xd8\x39\x85\xee\x32\x0f\xef\x53\xb1\x15\x18\xf5\xd5\x8f\x84\x68\x19\xb8\x8b\x16\x58\x8c\x13\xdd\x01\x90\x58\xa1\xce\x86\x5b\x4e\x68\x5e\x94\x78\x53\x9b\x9b\x9a\xf6\x9a\x13\x12\x6d\x6a\xd3\x0b\x2b\xac\xb1\x44\xc0\x2f\xfb\x15\x39\x66\xd2\x0f\x56\x56\x84\xa8\x74\x91\x31\xc7\xde\xf8\x8f\x2c\x87\xe4\x8e\xac\x6c\x0a\xf5\x76\xcc\x86\x11\x1
8\xa9\xb7\x18\xdc\xa2\xea\xfb\xc5\x41\x3b\xb6\xe7\x51\x37\x46\x47\x9b\xd8\x01\xf0\x7b\x94\x65\xbd\x80\xd0\xdc\x3d\x83\xee\xb7\xd6\x88\xf9\x13\xbb\xc7\x87\xb2\x3a\x90\xa8\x63\x7c\x57\x98\x84\xa1\x58\x5d\x53\x23\xb0\x4a\x44\x9f\xee\xbd\x0c\xbe\x2b\xc3\x27\x21\x24\x4e\x92\xe5\xd0\x33\xe2\x0d\x0b\x2c\xcf\x8e\xd5\xe2\x39\x00\x19\x9d\xc5\xec\xde\xa4\x29\xa2\x59\x61\xc9\x07\xaf\x8d\x93\xd5\x7d\x5d\x0d\x7f\xf9\x90\x31\x0a\xc0\x92\xdc\x44\x7e\x88\xcf\x81\x61\x7b\x67\x75\x4a\xd8\xee\x0b\x12\x53\x2c\x73\x13\xd1\x5f\xd6\x5c\x9f\x65\xc0\xa9\x4b\x75\x5a\x09\xd2\x40\x78\xbd\xe2\x75\xa4\x44\x57\xec\xa4\xc8\xb2\xb3\xbc\x0d\xfd\x4c\x8a\xcb\x9d\x2c\x6c\x4a\x8d\xaa\x22\xa6\xcd\x96\x1b\x44\x76\xb0\x78\x80\xf8\xcf\x09\x88\xbc\xe7\xdd\x8d\x3c\x3f\xbd\x9c\xfd\xb6\x56\x3b\x68\x10\x34\xb2\x72\xfb\x3c\xde\x59\x1d\xe8\x03\xd0\xb6\x84\x05\xd2\x5d\xea\x80\x1e\xe8\x71\x3a\xeb\x54\x98\x19\x83\x95\x79\x9d\xb2\xab\x19\xfb\xce\xdb\xaa\x3c\xed\x3e\x12\x4d\x29\x3d\x63\xee\x8c\x12\xd9\x31\x07\x9f\xd9\x4c\xa0\xfb\x5c\x45\x69\x32\xa0\x7a\xc6\x65\xb9\x41\x0d\x12\x37\x73\x58\x72\x76\x67\x64\xc0\x5e\x85\x2e\x06\x1d\xc3\x99\xbb\x31\xed\x48\x8d\x1b\xa5\xae\xf5\x3a\xc7\xb4\x53\x6c\x6e\x5f\xc4\x5c\x96\xa9\x93\x85\x51\x2f\xe6\xee\x8a\x22\x78\xa0\x6b\xe1\x9a\x7c\xdd\xf3\xca\x67\x8b\xdd\x73\xc2\x55\xc1\x59\xea\x07\x35\x57\xd6\x66\xf6\x7b\x9d\x1b\x99\x68\xe0\x23\xf6\x36\xc6\x93\xa8\xad\xfc\x92\x3a\xcf\xf1\x08\xed\x43\x70\xbb\x96\x6b\x0f\x4c\x05\x03\x4b\x08\x57\x6c\x2b\xc8\x9c\xee\xb5\x7c\x63\x3d\x2a\x7c\x87\x66\x5b\xe7\xe7\x5f\xfb\x30\xed\xb5\xfe\x9f\xcd\xc7\x25\x6a\x01\x12\xd4\x9f\x52\x03\x18\x00\xb7\x0f\x69\x80\x38\xf0\xf1\xf8\x12\x23\xcb\xe0\xe3\x0b\x47\xe8\x05\x70\x97\x1d\x4f\xa8\x4d\xa5\x80\x99\xf8\x75\xac\x76\x32\x3c\x5a\xc2\x5b\x69\xc5\xea\xf6\x78\x25\xab\x8a\xc9\x8c\xbd\x6d\xc0\x16\x37\x51\xa4\x7a\x1e\x52\x99\x8e\x00\xe0\x5c\x1c\x69\x01\xf5\x04\x34\x03\x18\x72\x79\x02\xb1\xed\x2b\xd2\xcf\xf2\xd2\xed\x09\x60\x1a\x8c\xed\xf4\x52\x8c\x1c\x13\xa6\x70\x37\x5f\xe3\xa6\x85\xc7\xcb\x14\x72\x3b\x55\x9c\xe2\x78\x6c\xa
2\x95\x5a\xe3\x51\xef\xf8\x39\x75\x8c\x31\x1e\x99\xed\x53\xff\x12\x83\x72\xbf\x9f\xc3\x8c\x57\x0b\xd9\x00\xb4\x97\xc9\x31\x61\xc3\x4d\x8b\x4e\x48\x06\xeb\xcc\xda\x16\x11\x44\x5e\xa9\xd6\x76\xbd\xc1\x46\xea\x5b\xa1\x00\xfc\x5d\x99\x5b\x2c\xa6\x07\x09\xfa\xbb\xf6\xaa\xbb\x01\xef\x24\x3a\x12\x9a\x3c\x67\x38\xcf\x66\xf6\xd3\xe3\xb0\x03\x20\xbe\x0f\x85\xe7\x54\x87\x89\x37\xe3\x97\x62\xde\xbb\xf5\xa3\xe7\xa8\x11\x10\x35\x66\x34\x0f\xdf\x7d\xac\x84\x50\xe6\x8e\xff\x10\x2c\xbf\xd4\x95\xa8\x01\xde\x06\xe7\x4d\xf5\x7f\xe0\x6e\x15\xed\xfb\xa4\xda\x71\xa4\x33\x39\xc5\x24\x8f\x42\x2e\xe2\x9a\x22\xef\xa4\x93\x69\x0d\x97\x24\x6e\x20\x83\xbe\x24\xc2\x1e\xe4\xf2\xf1\xd6\x0d\x75\x3b\x2d\xa7\x5a\x15\x40\x8a\xf7\xf4\xff\xc3\xf1\x16\x73\xb8\x93\x45\x79\x57\x50\xc2\xea\x6b\x6c\x78\x9c\x9e\x4e\xd0\x93\x05\x61\x71\xe9\xfd\x9a\x67\x54\x86\xa4\xa5\x1a\xfa\x96\x7e\x00\x9c\x5a\xb5\xda\x74\xfb\x7f\xcd\x00\x04\x4a\xb9\x4b\x28\x7b\x54\x21\x78\x48\xd4\x78\x48\xd6\xa1\x16\xae\xd4\x1d\x45\x4c\xdc\xbf\x4a\xd8\xd8\x6e\x62\x99\x97\xe3\x08\xb8\x6e\x23\xea\x1b\xf1\xa4\xd2\x52\x96\xb1\x9f\xa7\x9f\x2a\x8c\x9b\x13\x70\x2b\x76\x28\xc8\x9f\x71\xba\x6d\x5c\x3a\xa6\x56\xd4\x31\x8c\x4e\xc3\x30\x5b\x9d\x7a\xe2\x93\x74\xe9\x35\x67\x09\xc4\x6d\x40\x1c\x6b\x74\x51\x18\xbc\x70\xd1\xac\x74\xfb\xc5\x7d\x92\x48\xb1\xa9\x15\xde\x03\xdf\x36\x7a\x9a\x10\x44\x75\x27\x75\xe3\xb3\x36\xa9\x35\xbc\x08\x2a\x2c\x88\x29\x9f\xad\x16\x99\x3f\x6e\x3f\x43\x73\xde\x0c\x48\x8a\xf1\xaf\x00\xad\xb9\x40\xcb\x45\xf5\xcf\xd5\x37\x2d\x6c\x0a\x4c\x69\x6f\x96\x63\x6d\x52\xd2\x79\x39\xde\x72\x99\x74\xa9\xa5\xbe\x21\xf9\x9b\x49\xfc\x6d\x4c\x65\xac\xa9\x8c\x28\x74\xf3\x67\x1d\xe2\x92\x64\x94\x1c\xd4\xa4\xa6\xbe\x0b\x20\x21\xac\x02\xad\xcd\x17\x56\xbf\xcf\xf1\x0e\x76\x55\xdb\x95\x8b\xb9\x99\x81\x0d\x8b\x3f\xee\x98\x32\x64\x6d\xed\xbe\xee\x86\x89\x2e\xce\xb4\xfa\x04\xb7\x28\x4f\xdc\xe5\x66\x9d\xc7\xee\xb7\x75\xd0\x09\xca\x17\x6d\x82\xbb\xdd\xd4\x26\x27\x16\xef\xbb\xe1\x8c\x8c\x79\xf6\xc7\x6c\xb5\x9b\xfa\x82\xa1\x9a\x66\x81\xe0\xd5\xa4\x9d\xbd\x64\x2
9\x33\x64\x8a\xf8\x81\xc5\x69\x40\xe8\xc5\xe1\x8f\xb8\x28\x8c\x35\xe1\x30\xe1\xf6\x28\x17\xaf\x3f\x18\x7d\x00\x2d\x1b\x9a\x1d\x58\x4b\x66\x2e\xbc\x5c\x9c\x95\x20\xc4\xd5\x16\x64\x9f\x2d\x99\x36\x3e\xff\xf1\x16\x34\x8c\xae\xd4\x35\x56\xb5\x8e\xa9\xb7\xc4\x25\x5f\xd2\x7e\xfb\x05\xed\xec\xe7\x55\x35\x96\x3d\x32\xef\x59\x7e\xb1\x33\x49\x5d\xc6\xff\x01\x17\xd9\x23\x02\x7f\x10\x8d\xbc\x64\xcb\xaa\x4b\xed\xd5\x65\xe0\x57\xa0\xe2\x86\x49\x90\x8d\x87\xab\x01\x64\xa1\x15\x5a\xbe\x46\x03\xec\x3f\x81\xc3\xb5\x32\x7e\xd0\xd5\xe1\xfc\x89\x01\x62\x51\x0a\xfc\xa7\xb9\x1d\x61\x85\x75\x73\xf6\x18\x43\x86\xa7\xa7\xcb\xfb\xa8\xef\xf7\x9f\xb8\x83\xd0\x4a\xa6\xbb\x7f\x93\xf7\x76\xa3\x75\x56\x5f\x67\xa0\x37\xe4\x75\xe2\x8b\x57\xf4\x2c\xa0\xfc\x54\xa3\x0b\x9d\x91\xee\xd1\x24\xcd\xc1\xbc\x53\xfe\xaa\x47\x58\x28\xf2\x0d\xb8\xba\x50\x81\x5c\x81\x2a\x1e\x9c\x74\x54\xcd\x41\x44\xeb\x9a\x42\x3e\x6d\x17\x2e\xde\xe0\xba\xd9\x4c\xd1\x50\xbb\xeb\x4d\xea\xbc\x6e\x98\xe3\xe5\xf7\xc6\xbb\x47\xf3\x5f\x11\x0e\xec\x4b\xa6\x32\xe9\xc4\x26\xaf\x69\x9a\x5b\xd6\xc2\x33\x1e\xf0\xc1\x1d\x24\xa5\xa3\xf3\x88\x8f\xae\x3a\x36\xa8\x9f\xb8\xa0\xdb\xdb\xa9\xca\xdf\xb9\xe0\x52\xa9\x3f\x00\xed\x75\x75\x5b\x4d\x78\xd9\x9a\xaa\x84\xf6\x9d\xcc\x6a\x6a\xb0\x5e\xad\xd8\x17\xb9\xf7\x04\xe9\xa7\x69\x7a\x31\x5f\x36\xac\x99\xd2\x99\xb5\xcb\x8a\x2f\x0c\x7c\xd5\x3a\xa1\x6f\xda\xd2\x33\x19\x47\xd8\x1a\x52\x73\x4d\xc3\x8e\xfd\x03\x09\xb4\x83\x7f\xcc\x18\xc8\x8a\x0c\xb8\xbf\x5f\x96\xe4\x20\x91\x92\x26\x6a\x2c\x7f\x60\x37\x1d\x41\xfc\x8c\x7d\x05\x0a\xe4\x3b\xf5\xf6\x74\x07\xb5\x4f\x4b\x73\x1e\x0f\x71\x95\x65\x9c\xd7\x1e\xcc\xcf\x87\xe6\x8e\x1b\x4b\xb8\x74\x70\x73\x36\xca\x5b\xce\x6a\xe7\xd5\x88\xd6\xd6\x8e\x2f\x66\xea\xf0\xfa\xa2\x6d\x48\x8e\xf0\xa1\xa0\xb5\x96\x86\xaf\x81\x20\x55\x8f\xd7\x6c\x9d\x19\x59\x0a\x96\x11\xd5\xf3\xec\xa0\x0e\x14\x81\x94\xd9\xb6\x95\x94\x12\x4b\xe0\x05\xcd\xde\x6d\x57\xb2\x6c\x53\xac\x64\x88\x23\x6d\xe7\xdc\x8e\xf1\x7e\xee\x67\xcd\x94\x8e\x32\xd8\xc1\x1f\x14\xbd\x24\x78\xb5\xd7\xe2\xc1\xd3\x9d\x02\xb4\x75\x9
5\xce\xbe\x08\x51\xf9\x94\x48\x96\x0d\xd6\x4c\x14\xa8\x4d\xac\x88\x7c\xe5\xb3\x93\x09\xb1\x53\x0b\x71\x29\x5c\x36\xb1\xb1\x95\x92\x24\x2d\x66\x17\xf9\xba\x31\x5c\x8d\x0a\x9d\x39\x79\x25\x41\xd1\x1c\x0e\xc9\x99\x97\x51\x69\xe8\xaf\x06\xa4\x44\xb7\x16\xc4\x52\x40\xb3\x15\xa0\x89\x61\xfa\xc6\xa6\x96\x81\xd8\x32\x19\x8a\xad\x3d\xe1\x0e\xf3\xa4\x88\xf5\x07\xab\x56\xfd\x19\x4f\x6d\x94\x37\x6d\x24\x96\x8d\x5c\xaa\xdf\x3f\x2c\x3e\xfb\x66\x7d\xd1\xd1\x9b\x18\xdc\x8d\xab\x53\xdf\x92\xc2\xdc\x0f\xb4\xad\x49\xaa\x80\x34\xcf\x6f\x9e\xae\x62\x20\xbe\xae\xc0\x87\x84\xca\xc7\x65\xda\x9e\x98\x21\x9e\xca\xe0\xfb\xa0\x94\x24\x0d\x3d\xf3\x4f\x3c\x89\x53\x9b\x20\x6a\x9a\xf3\x8d\xac\x75\x87\x4b\x0b\xee\xed\xc9\xb3\x79\x5d\x5f\x1d\x1f\x90\x65\xa8\x1a\xc5\xe1\x55\x88\xc1\x79\xc4\xb0\xef\xfc\xba\x46\x6b\x91\x70\xb1\x2e\x72\xfb\x52\x5a\xcc\x0e\x2b\xf5\xb8\xc4\x3e\xfb\xdf\x53\x27\x9e\x5c\x9f\xee\x04\xb0\x29\xdb\x52\x20\xba\x82\xd4\x93\x0e\x96\x37\x4b\xaf\x43\x38\xae\xf5\x55\x0f\xb5\x92\x20\x15\xa1\xf9\xf0\x76\xf3\x61\x5e\xe6\xd8\x14\xda\x80\x8d\x1b\xbc\xad\x1b\x17\x6d\x5b\xb2\x0b\x79\x58\x82\x47\x6c\x0c\x72\x34\x5e\xb1\x61\x34\x80\x7a\x82\xb9\xd8\x6c\x9d\x7a\x4d\x84\xd1\x89\xbe\x30\x9b\xa0\x25\x30\x3e\xea\x18\x89\xb0\x5c\xdc\xea\x4c\x20\x73\xcf\xb3\x0b\xb3\xb9\x0f\x35\xbc\xd6\xee\x79\x0f\x13\x60\xf9\x63\xdc\xd6\xbe\x81\x16\x8d\xe7\x5e\x1d\x04\xe8\x15\x0d\x2c\x00\x00\x5d\xf7\xfa\xde\xac\x9e\x5c\x3d\x20\x26\x79\x9c\xbb\x2a\x2d\xb4\x26\x8e\x4d\x1c\xb6\x14\xf1\x58\xef\x12\xa0\xb2\x28\x2e\x42\xba\x33\xff\x9d\x67\xce\xda\x79\x32\x0f\x1d\x89\x72\x77\xf4\x86\x58\x8a\x0d\xc0\xe4\x6c\x1c\x0f\xa2\x23\xbe\x06\xcd\xac\xa9\x09\x48\x33\x58\xbe\x8b\x18\x2b\x37\xe3\x78\x9f\x7c\x93\x95\x9c\x0b\x45\x33\x5b\x2c\x00\xca\xd1\xa7\x0f\x8d\x04\x08\x13\x83\xa7\x9c\x3f\xd5\x95\xfc\x86\x47\xbb\x65\x52\xc6\x08\x1c\x26\xc7\x20\xed\x1b\x22\x9a\x19\x2b\x9a\x91\xfa\x1e\x12\xcd\x31\x84\x0f\x86\xe0\xda\xd7\xfe\xb7\xda\xde\xad\xd2\x32\x70\x9b\xc9\x9a\xa8\xfb\xc3\xa8\x7a\xf0\xd5\xc8\x2e\x53\xac\xeb\x61\x22\xbf\x9b\x71\xb7\xbc\x9
2\xa0\xa0\x63\x95\x7c\xc6\x66\xfa\xfb\xad\x1f\x68\x8b\xd9\x11\x60\x8b\xfc\x76\x81\xc6\x4d\x81\x91\xc5\xd0\xc8\x0f\x7d\xed\xd5\xa9\xad\x4e\xbc\xcd\x04\xe2\x61\x8d\x9a\xad\x12\x1f\xd9\xaa\x8b\x8d\x68\x48\x72\x0a\x73\x67\x22\xc7\xec\xed\x31\x54\x04\x19\x65\x9c\x09\x11\xa0\x6e\x03\x9e\x95\x9c\x84\xdd\x5c\xc1\x64\x0e\xba\x08\x50\x5e\xa4\x89\xa1\x21\xdd\xca\x4a\x09\xc6\x3b\x2e\x27\x1d\x1e\xdb\x91\xae\xa0\x42\xe9\x2b\xea\x12\x93\x9a\xb6\xd4\x15\x7e\xfa\x94\xa6\x8d\x07\xb5\xf9\xb2\x05\x8b\xcc\xae\xf5\x82\x6e\xbd\x37\x65\x7a\x99\xbe\x45\x13\x4a\xa3\x0a\x84\xa4\xc4\xe0\x8e\x46\x3b\x75\x64\x5c\x2b\x72\x6c\x14\xf3\x57\x50\xef\xa6\x80\x40\x8d\x1e\xa9\xf3\xf5\x6f\xeb\x10\x60\xc7\xb8\xe8\x11\x46\x81\xc2\x49\x92\xaa\x2e\x1e\x65\x21\x9a\x03\x6a\xfc\x03\x4d\xba\x75\xa3\x90\xaf\xce\x29\x63\xd7\x56\xc7\xea\xf6\x7d\x21\x3c\x75\x37\x19\x35\xf9\xea\xb4\xd4\x28\xc5\x43\x22\xe3\x24\x98\xa4\x34\x02\x54\xcc\x41\xfb\xb5\x5c\xf6\x3b\x4f\x3f\x43\xc8\x93\x01\x01\xf3\xae\x35\x42\xfb\x96\xac\x77\x62\x63\x78\x9a\x98\x4a\x3a\x62\xbb\x46\xc5\xa4\xa4\x1b\x85\xf9\xd6\x6b\x47\xfb\x28\xea\x76\x5b\xbc\xdb\x52\xb0\x1f\x4c\x15\xeb\xe1\x88\xb4\x54\xc3\xae\x27\x7d\xc8\xa9\xf8\xa1\xc6\x34\x16\x3c\x63\x1b\xd5\x43\x0a\x8a\x80\xb8\x0b\x37\x33\x41\x3a\x1e\x00\xeb\x3f\xff\x34\xbc\x5a\xa8\xd9\x07\xd7\x9d\xe8\x86\x6c\xbc\x6f\x10\x66\x13\x56\x27\x77\x16\xc8\x84\x74\xbe\x9b\x39\x30\x18\xa7\xd8\xb9\xb3\xe1\xce\x4b\x7a\x32\x6b\x77\xf6\x2f\xcf\xa9\x49\x4e\x1b\x7c\x02\x80\xc3\xa2\x5e\xe3\x46\xc9\x4a\xe4\xcb\x3a\xf3\xfe\x09\x53\x4e\x63\x83\x6d\x5a\x00\xa6\x28\x08\x74\x2f\x5c\xc9\x26\x08\x8a\x6e\xd1\x1e\xa2\x05\x1a\x33\xc6\x0b\x2d\xed\xd2\x06\x9f\xc9\xfc\x2f\x2c\xd4\x53\x66\x61\x8e\x11\x00\x02\x16\xef\x80\x17\x16\x3a\xa8\x28\xea\xe1\xd1\x5f\x02\x06\x7a\xa4\x6a\xf4\x67\x75\x0c\xfd\xd3\x6f\x7e\xcb\xa0\xfd\x1f\x73\x82\xc2\xa7\x8a\xa4\x0c\xcb\x03\x7e\xd7\x24\x90\x75\x9f\x08\xe4\xa2\x57\xb7\x3e\x1b\x45\x19\xec\x47\x20\xd9\x08\x1d\xd4\x64\xa4\x7a\xd4\x68\xf8\x88\x1c\xa3\x02\x3e\x75\x31\x00\xae\x0a\x1b\x29\x89\xac\x57\x4e\xbb\x9a\xc
9\x13\x4b\xf1\x62\x02\xce\x61\xae\xaa\xfd\xf7\x68\x9b\xb9\x21\xc4\xa3\x9a\x46\xf0\x3a\x14\xde\xcf\xfe\xc7\x8c\xf9\xff\xd0\x1b\x4f\xca\x7d\x7b\xd4\x00\x30\xfe\xfa\x02\x59\x1a\x28\x45\x1b\xd3\x5d\xa7\x46\xdb\x7b\x5c\xdf\xd5\xee\x9e\xb6\xc5\x1b\x3b\xe0\x5f\xb0\xcd\x5d\x39\xe8\x10\x3b\x0e\x90\x3e\xec\x11\x0b\x3f\xf1\xf9\xdf\x98\x12\x32\xa5\x58\x23\x42\x81\x03\x9b\x46\x63\x76\x41\x84\x9d\x64\x12\xfe\xb7\x4a\x37\xb1\x39\x3c\x31\x51\x3c\xd9\x94\xad\x23\x9e\x20\xad\xdc\x7b\x6b\xe2\xbe\x44\x88\x57\xba\xcb\x20\xcb\x14\x69\xfe\x94\x46\x94\x6b\x6d\x60\x34\x9f\xf3\x92\x19\xf7\xc0\x02\xec\xb4\xdb\xfd\x31\x7f\x79\xd9\x50\xb3\x95\xdd\x77\xcf\xd4\x9a\x6f\xad\x36\xbe\x0b\xd4\x59\x1e\x4d\x2c\xa8\x37\xfe\x73\x74\xa3\x67\x92\xcc\xb0\xb2\xb0\x27\xc6\x9d\xcb\x08\x52\x74\x93\x09\xb9\x37\x17\x72\x72\xf4\xa8\x0d\x8e\x2a\x24\x99\x7f\xfc\xa2\x08\xb7\xf5\x28\xbe\x82\x11\x65\x56\xd2\x35\xf1\x7d\x57\x4d\x17\xac\xc1\xc4\xb5\x83\x63\xf0\x3f\x6b\x21\x77\xa2\xd9\xbd\x31\xd7\xda\x8b\x2d\x37\xea\x2a\x5e\xac\xe2\xb4\xf3\xea\xb5\x49\xcc\x55\xb3\x8e\x0f\x17\x31\xcc\x82\xef\x54\x8a\x5c\xb6\xa7\x56\x4b\x44\x2a\x86\xda\x73\x12\xa9\x4a\x13\x15\xe2\x70\xf3\x90\xa1\x97\xb9\x1e\x43\x5f\xa7\x04\x43\xf3\x87\xcf\x53\x73\x8f\x77\x5a\x23\x62\xa8\x72\x17\xb5\x74\xf8\xf6\x3c\xa6\x36\x13\x37\x52\x05\xdc\x19\x44\x98\xa0\xc9\x29\xff\x13\x00\x14\xd7\x42\x6a\xf7\xc0\xd0\x98\xd6\x9a\xff\x0d\xa1\x02\x7b\x12\x3c\x02\x3e\x73\x2e\x0c\xa1\xeb\x69\x5b\x42\x10\xad\xca\xef\x92\x85\xfe\xc8\xc8\x3f\xea\x7e\xfb\x3b\x5a\x09\xab\x0e\x26\xa2\xc0\x92\x6e\x15\x8e\xe1\x70\x89\xef\x7f\x8e\xab\x53\x75\x71\x8b\xa2\xe8\xab\x68\x3d\x2a\x1e\xef\xe2\x5c\x2e\x30\x3f\x41\x9e\xd0\x14\x23\x79\x98\x67\xe0\x2e\xb0\x1a\xe2\x00\x02\x20\x71\x36\xa6\x0a\x87\x50\x77\x39\x3a\x01\x9a\xe7\xdf\x3a\xad\xc5\xd4\xae\xd4\xd4\x59\xce\xdd\xe9\x66\xd8\x4f\xa6\x4c\x2e\x56\x48\x60\x17\x2b\xe4\x1b\x9f\xbd\xcc\x9b\xb2\x9c\xc2\xaf\x86\xbc\xb8\xda\x14\xd1\xd7\xef\xd6\xd9\x0f\xef\xd4\x73\xfb\xac\x5b\x05\x59\xac\x2b\xdc\x11\x0c\x7f\xda\xa9\x21\xd9\x20\x73\x1f\x36\x2f\x95\xd4\x2
6\x68\x0b\x73\x31\x2d\xa5\x8f\xac\xc4\xd0\xa1\xd7\xba\x59\x0b\x3e\x91\xc0\x3b\xf3\xb5\xf5\x00\xa5\xca\xe4\x6b\xed\x37\x37\x02\x12\x9e\xe2\xf2\x5b\x05\x00\x21\x9b\xbe\xc0\x50\x28\x59\x49\xf2\xde\x49\x48\x32\x89\x64\x32\x9b\x1a\x46\xa3\x84\x21\xc1\x37\xcb\x95\xb9\x92\x90\xb4\xf6\xcb\x46\xb5\x76\x69\x7c\x95\xb9\x37\x8e\x7c\x15\xca\xa0\x4a\xb0\xe8\xa0\x4b\x8d\xf8\xbc\x46\xd6\x15\xfa\x29", 4096); *(uint64_t*)0x2000000064d0 = 0x200000006440; memcpy((void*)0x200000006440, "\x1c\x3d\x61\xef\xc1\x46\x7b\x6b\x61\xe9\xe5\xf0\x6f\xa3\xd1\xdc\xc0\xe7\x00\x35\xdc\xc9\xc6\xc3\xb0\x0d\xf5\x89\x00", 29); res = syscall(__NR_shmctl, /*shmid=*/0x8001, /*cmd=*/0xfffffee8, /*buf=*/0x200000006480ul); if (res != -1) r[20] = *(uint32_t*)0x200000006484; break; case 26: res = syscall(__NR_getgid); if (res != -1) r[21] = res; break; case 27: res = syscall(__NR_geteuid); if (res != -1) r[22] = res; break; case 28: *(uint64_t*)0x200000006a80 = 0xfff; *(uint64_t*)0x200000006a88 = 0xd; *(uint32_t*)0x200000006a90 = r[6]; *(uint64_t*)0x200000006a98 = 7; *(uint64_t*)0x200000006aa0 = 2; memset((void*)0x200000006aa8, 0, 16); *(uint64_t*)0x200000006ab8 = 0xf; *(uint16_t*)0x200000006ac0 = 0; *(uint16_t*)0x200000006ac2 = 0x46; *(uint32_t*)0x200000006ac4 = -1; *(uint32_t*)0x200000006ac8 = 0; *(uint32_t*)0x200000006acc = 0xfffffffd; *(uint32_t*)0x200000006ad0 = 0xf7; *(uint64_t*)0x200000006ad8 = 0x7f; *(uint64_t*)0x200000006ae0 = 8; *(uint32_t*)0x200000006ae8 = 9; *(uint64_t*)0x200000006af0 = 3; *(uint32_t*)0x200000006af8 = 0x200; *(uint64_t*)0x200000006b00 = 4; *(uint32_t*)0x200000006b08 = 5; *(uint64_t*)0x200000006b10 = 0x62; *(uint32_t*)0x200000006b18 = 5; *(uint32_t*)0x200000006b1c = 0xff; *(uint32_t*)0x200000006b20 = 0x6cbf; *(uint32_t*)0x200000006b24 = 0x48; *(uint16_t*)0x200000006b28 = 0; *(uint16_t*)0x200000006b2a = 0x8001; *(uint16_t*)0x200000006b2c = 0x7f; *(uint16_t*)0x200000006b2e = 6; *(uint16_t*)0x200000006b30 = 8; memset((void*)0x200000006b32, 0, 2); *(uint32_t*)0x200000006b34 = 0x40; 
*(uint32_t*)0x200000006b38 = 0xffff; *(uint16_t*)0x200000006b3c = 0xa; *(uint16_t*)0x200000006b3e = 0xb04b; res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc0c0586d, /*arg=*/0x200000006a80ul); if (res != -1) { r[23] = *(uint32_t*)0x200000006a90; r[24] = *(uint32_t*)0x200000006ac8; } break; case 29: memcpy((void*)0x2000000016c0, "\x27\xfe\x2f\xfe\x47\x40\x4c\x4a\xc0\xa1\xec\xab\x30\xbb\xcb\x86\x4e\xad\x78\xfe\xd0\xc0\xe1\x75\xac\x99\x94\xf2\x2c\x05\xa4\x71\x88\x98\x8b\x3f\xf7\xcd\xde\xc1\xf6\xf3\x9e\x60\x61\x60\xf4\xf1\x99\xd3\x74\x5e\x26\xe2\x74\x8d\x68\xe3\x5a\x99\xf1\xbc\x4a\xc3\x20\x84\x63\x4f\x2c\x0b\xa5\xd1\xe0\x00\x0e\x2d\x5b\xee\x77\x7a\x2a\xb5\x09\xe7\xc9\x4c\x43\xf2\x97\xb8\x25\x93\x43\x78\xff\xa3\xbb\x79\x42\x25\x6f\xc5\x2a\x69\xe2\x38\x20\xcd\x52\x0e\x75\x59\xed\x9a\x31\xa9\x54\xdf\x95\x5d\xe5\xbc\x7c\x18\x55\xd9\x74\xb9\x5f\xf0\x0a\x84\xdc\x2d\x9a\xd6\x79\x64\x33\x44\x34\xd5\x28\xbc\xe5\x93\x48\x08\xb4\x8f\x8e\x25\x1a\x17\x9e\xb4\x7d\xee\x2a\x10\x8b\x50\x09\x2f\x55\x98\x16\x13\x6c\xff\xe9\xbd\x6e\x0a\x34\x00\x4e\x62\xd5\x0f\x73\xc1\x4b\x23\xce\x17\x51\x8f\x95\x4c\x4b\xc6\x1e\x61\x75\x75\x6c\x12\x04\xe2\xf2\x7c\x18\x2b\x9e\x3a\x7e\x3b\x82\x3d\xc2\xd2\x10\xe5\x23\x2c\x7a\xd0\xe8\xd8\xe0\x49\xf0\xe9\x20\x60\xb6\x20\x49\x9b\x0b\x8f\x4b\x4b\x97\x1d\x29\xa9\x7a\xe9\x4c\xe3\xce\xa6\xfb\x4e\x42\x96\xf7\x2e\x3d\xea\xbf\xf5\x62\xe7\x92\x43\x93\x3c\xfc\x53\x00\xe3\xc4\x1c\x6a\xb9\xc0\x55\x9a\xe2\x4b\x21\xce\x45\xbc\x69\xb7\xa1\xeb\x56\xc0\x8b\x82\x2b\xa1\x0f\xbc\xb0\xbd\x23\x8f\x6f\xcd\x60\xed\x24\x09\x2b\x3f\x47\xf1\x90\x0e\x3d\x33\x73\x37\x96\x49\xda\xa3\x95\x9b\xcb\x31\x9d\x7a\x74\xab\x3e\x62\xbb\x5f\xbd\xfa\x42\xf9\xd3\xb3\xe7\x34\x0e\xfd\x12\xd9\xdb\x73\x8b\x9a\x7a\x58\x1d\x91\x4f\x4d\xeb\x34\x00\x5a\xac\xae\xe8\x65\xdd\x59\x5a\xd5\xf0\x07\xc4\x8b\x51\x68\xe6\x99\xe5\x2d\xec\xc6\x66\x50\x9f\x0b\xac\x51\x6d\x5d\x8b\x1e\xcc\x1c\x99\xe6\x01\xb8\xf8\x5a\xf1\xc6\x76\x23\xfd\x2c\xff\x7b\x88\x38\x41\xae\xcd\xdf\x3a\x85\x23\x99\x80\xd3\xea\x2a\xe6\x37\x8d\x59
\xcc\x24\x2b\x2a\xbc\xda\x91\xe9\x18\x48\x7c\xfe\xa0\x37\x83\x90\x17\xee\xfb\xed\x85\xe0\xde\x24\x14\x8b\x3c\x67\xec\xad\xc8\xbb\xe5\x1f\xfd\xd0\x69\x6a\x55\xd8\xff\x21\x52\x31\x78\xa6\x82\x9e\xc4\xd3\xf2\x59\x77\x43\x3b\x85\xe9\x23\x8f\xe5\xd8\xb1\x43\x7c\x54\xa9\x33\x82\xfa\x15\x25\x49\xcf\xca\x4e\x47\x00\x70\x5f\x3c\xe5\xa2\x60\xa4\xb9\x43\xdd\x3e\x53\x2c\xc1\x96\xc8\x12\x95\x18\x22\x55\x66\xe9\x3e\x29\xa8\xc6\xf0\x2f\x05\x4a\x94\xee\x5f\xe2\x1e\x5a\xd5\xbf\x55\xdd\x7f\xde\x9a\xc6\x41\xf3\x47\xa9\x92\xe8\x19\x7f\xe5\xfc\x4b\x9c\x65\xef\x4d\x68\x79\x21\xdf\xf0\xf6\xcb\x82\xa3\xa9\x6f\x6d\xf1\xcf\xae\xdf\xfc\xed\x7c\xb0\x6b\x21\xde\x9b\x83\xcd\xe5\xf9\x6b\xda\xd6\xee\x4c\x61\x7b\x9d\xa7\x66\xcc\x44\x37\x12\xf8\x4e\xf7\xc3\x87\x08\x07\x0b\xd1\x9d\xb9\x0a\xbe\x25\x10\x09\xd9\xbb\xcc\xe7\xc4\x19\xbf\x7e\xfa\x7e\xa7\x00\x86\xa9\x5a\x27\xe7\x35\x9d\x3b\xcf\x81\x89\x9b\xb6\xb7\x56\x0c\x58\x22\x7d\xb9\x2b\xbe\x34\x2e\x60\x01\x9f\xf0\xcd\xbe\xec\x13\xbd\xb5\x6c\x5b\x5f\xdf\xdb\xce\x7e\x2f\x5a\x7d\x97\x1d\xbb\xc6\x4c\x59\xc5\x11\x1d\x0b\x45\x2a\xf5\x79\x80\xe2\x17\x85\xd5\xaf\x08\x84\x82\x2d\x12\xf4\x08\x1e\x83\x81\xd1\x6e\x0f\x41\x19\x36\x27\x4b\x90\x30\x21\x5c\x4b\x0b\x47\x07\x4d\xab\x09\xb9\xfa\x23\x22\xa8\x80\x50\xa6\x24\x48\xff\xb2\xbd\xbb\x9d\x6b\x87\x52\x1b\x3b\xfe\xb5\xde\x77\x36\xa4\xde\x11\xff\x4e\x56\xd4\x1a\xae\xd9\x00\x61\xe8\xf1\x3c\x37\x89\xa4\x4a\x63\xe7\x69\x02\xc4\xee\x9b\x6f\xc7\x35\xab\x8f\xf9\x52\x5a\xf0\xab\x52\x16\x7e\x04\xd3\x47\x96\x67\x85\x2b\x75\x5d\x00\x74\xcc\x95\x07\x80\x94\xdf\xe0\x39\x26\x00\x7f\xcf\x4b\x2b\x68\xe2\x62\xd1\x17\xdf\x6c\x91\x81\x27\xcd\x6a\x56\x42\xb8\x0c\x30\xbf\x91\x6a\x1e\x51\x52\x02\x29\xe1\xe0\xec\xe3\x5a\xc9\xb9\x09\xfd\x5f\xf9\x2b\x93\x0a\xa5\x5a\xe6\x0a\x2a\x7f\x52\x74\xe0\x47\xae\x70\xcd\x1d\x89\x4c\x3a\x93\x09\x4d\x5e\x88\xca\x4f\xf4\xa1\xf7\xa7\x4c\x25\x72\xc5\x91\xf2\x54\xec\x09\x46\xde\x4f\x96\x24\x83\x88\xb0\x6f\x7f\x0a\x7d\xaa\x49\x0f\x43\x59\x18\x4a\x76\xa5\x6a\x9b\xbc\xa5\x93\xc6\xf6\xfe\x47\x9c\x67\x5f\xb0\x2c
\x63\x54\x7d\x08\x04\x96\x3b\xbb\xfe\x5c\x66\x87\x69\xf3\xcf\x16\xbe\x9c\xd5\x11\x78\x03\x0d\x64\xcc\x2b\xb9\xd8\x26\x34\x39\x9d\xb8\x85\x9e\x48\x87\xc8\xce\xce\x4c\x85\x2f\x5c\xb7\x6c\xe7\x0a\x6c\x4e\xdd\x0e\x8a\x46\x5c\xbf\x78\x27\xb2\x1b\x55\x38\x57\x97\x71\xfb\x56\xb7\x99\x74\xaa\x36\x28\x85\x16\xbd\x08\xa9\x39\x49\x00\x16\x0f\x75\xd6\xbb\xe8\x9d\xe7\x0f\x8b\x5c\xea\xcc\x94\x19\xfc\x5a\x3d\x5e\xe5\xea\x78\x3d\x0c\xa8\x08\xa6\x24\x8c\x13\xad\x17\xc8\x73\xbc\x93\xe0\xe5\x0a\x39\x48\x7f\xb2\x5e\xc3\x23\x30\x70\xd7\x77\x6e\x7c\xe8\xba\x02\x2c\xcd\x8e\x2d\xb5\x64\x55\x94\xe0\xb2\xd8\x74\xed\xe7\x39\xf9\x3b\x61\x7f\xfe\xfa\xf3\xd8\x46\x8e\x66\xee\xcc\x85\x61\xfd\xb8\x1d\xd4\xfe\x7c\x77\x9d\xd9\x3c\xce\x31\x7a\x8f\x5c\xb8\x65\x51\xc2\x61\x66\xc7\x82\x4c\x87\x14\x0d\x96\x47\x50\x8c\xbb\xc1\x5c\x1d\x3b\x72\x08\x60\x91\x68\x90\x9e\x89\x0e\x9e\x9f\xd2\x67\x1d\x3a\x9a\x75\x27\xa7\x34\x47\x1f\x2c\x74\x80\x92\x6d\x8d\x18\xba\x6e\x24\xda\x6d\x6c\xee\x42\x2a\xeb\xfb\x14\xd1\xf1\x2a\x91\x5f\xfb\x73\x75\xcc\xb3\xec\xc9\x86\x3c\x45\x53\x4a\x97\xa9\x22\x43\x32\x17\xdd\xe2\x20\x35\x45\xaa\x98\x3e\x2a\x6c\x54\x65\x11\xd8\x62\x64\x28\xaa\xbe\x7c\xec\x1d\x0e\x81\x24\xde\x19\x83\xd5\xab\x1e\xd6\xe9\xde\xe8\x2f\x0d\xf4\x69\x9f\x4a\xb7\x07\x06\xc3\x4c\x75\x4d\x0c\xd8\xb6\xde\x54\x1c\xa8\xa7\x1d\x5f\x98\x25\xfc\x13\x15\x84\x80\xd5\x98\x0e\x64\x15\xcc\xa0\x5c\x57\x57\x89\x41\x69\x22\x3b\x43\xcc\x29\x63\x09\x18\x24\xcf\x95\x3f\xcf\x54\x53\x05\x58\xad\x5c\xe4\x22\xfc\xe9\x9f\x5f\x26\x50\xb7\xde\xc7\x02\xfe\x12\xbb\xb0\x8c\x28\x51\x9f\x08\xb6\x35\x4c\xf5\x8d\x01\xf0\x27\x23\x70\x70\xcb\x43\x8f\xe4\x80\x7b\x7b\x1f\x7e\xbc\x27\xf2\x74\xfd\x50\xef\x37\xad\x06\x0a\x7a\xdc\xdf\x65\x96\x2f\x8a\x52\xc0\x4b\x56\x9d\x7d\xb3\xd8\x6a\x0f\xeb\x6c\x78\xed\x1a\xdb\x36\x18\x66\xf7\xd5\x60\x65\x69\xd9\x10\xc6\x72\x7c\xdd\x76\xc6\xbb\x2a\x40\x5e\xd1\x2d\xfc\x2e\xdc\x81\x66\x67\x87\xf3\xa3\xa2\x39\xc6\x2f\x65\xd2\xd9\x8d\x8b\x07\xc5\x91\x13\x55\xa3\xa6\x20\x66\x46\xfe\x74\xc0\x75\xa6\x77\x80\x72\x87\x0f\xd6\x52
\xaa\x4d\xf9\xaa\x3b\x96\xf1\x45\xc3\xaf\xa7\x4f\x5a\xaa\x8d\x7f\xf0\x42\x7c\x93\x89\xdd\x54\x62\xaf\x0e\xb6\x82\x8f\x3a\xa5\x4c\x75\x2b\xb4\xc8\x9d\x18\x21\x07\x61\x72\xa9\x25\xf1\x46\xae\xf7\x89\xde\xb1\x4c\x6b\x6c\xb2\x87\x33\x88\xcb\xe0\xbe\x06\x28\x71\x04\x8c\x49\x67\x9d\x72\xc3\xf3\x25\xc7\x7e\xa3\x19\xed\x28\xfa\x27\x86\x10\x40\xf6\xbe\x5d\x4f\x32\xcf\x29\xca\xc1\x12\x43\xda\x04\x2b\xec\xf2\x12\x5d\x21\xe7\x35\x49\x3a\xc7\x69\x4a\xa9\x61\xee\x92\x44\x3f\xc5\x88\xc2\xad\xc0\xf9\x7a\xc7\xb5\xfa\xe1\x0d\x43\xdd\xb8\x1f\x31\x12\x85\x82\x18\x5b\x9a\xa1\x24\xfe\x6e\xd7\x80\xac\x95\x4f\x84\x42\x17\x67\xf9\x0f\x5c\x0b\x56\x94\x43\xd6\x3b\xea\xc0\x68\x4e\xd6\x8b\xc5\x03\x9a\x27\x56\x7b\xd2\x33\xb8\xf2\x67\x5e\x1a\xfa\x14\x0d\xf8\xe1\xe6\x4f\x0a\x90\xec\x55\x3b\x52\x17\x27\x39\xd0\xd6\xb3\x88\x49\x47\xf2\x66\x69\x29\xcb\x5d\xd7\x93\x19\x42\xc0\x6e\x9d\xf9\xec\x79\x17\xf1\xd9\x3a\x2f\x0f\xbe\x5c\xd0\xf5\x73\xc0\x10\x2f\xf0\x20\x5e\x4d\x59\xdd\xd6\x03\xdb\x5d\xa5\x66\x94\xbd\x92\x87\x3e\xe2\x1f\xe7\x78\x6a\x87\x42\x8b\xdf\x19\xa1\xa8\x7d\x72\xba\x69\x7f\xbe\x0e\xd9\x75\xdb\x5b\xb3\xa7\x05\x17\x7f\x3a\x13\x69\xe2\x9d\xec\x75\x81\xd4\x3a\xea\x38\x55\x94\x3f\xf4\xef\xa4\xd7\xaf\x36\x22\xc3\x19\xd7\x8b\x31\x08\x37\x88\xd2\x03\x10\x20\x82\x99\xca\x03\x47\xaf\xff\xe5\x4e\xca\xf1\xfb\xec\xe6\xe0\x93\x5a\xbc\x7a\xa8\xf8\x55\x3f\x99\x96\xff\x1d\x46\xb8\x8b\x78\xdf\x2f\xe2\x67\xf1\x69\x9f\x2e\xbf\x19\x25\xb8\xe5\x0c\xb4\x6c\x8a\x10\x3c\xfb\x55\x65\x10\x15\x5d\xdb\x84\x27\x6e\x1e\x0a\xef\x3f\x41\x1c\x7a\xf3\xd2\x05\x93\xb6\xfe\xc7\x00\x6a\xa7\xa4\xee\x33\x80\x2a\xad\x16\x89\x49\xda\xd9\xfa\x91\x18\x88\xd7\xf6\x1b\xf1\x6d\xb2\x26\x50\x03\x41\x6f\xb5\x76\xde\x44\xf8\x0b\x9c\x90\x1a\xce\x45\x4d\x2b\x04\xb3\x74\xf3\xdc\xfc\x38\xfd\xd6\xed\xcf\xab\x24\xd3\x67\xaf\xf3\xf6\xd8\x29\x8a\x41\x33\xd0\x81\x56\x3d\xe1\x36\x5b\xea\xff\x74\xda\x25\x2b\x24\x8f\xa6\x1d\x80\xe7\x2c\xbb\xd5\x85\x33\xe7\x51\x8d\xba\xe1\xa9\x25\xd9\x91\x2b\xfe\x70\xfb\xc6\x4b\x8c\x81\xce\x26\x25\x30\xbd\x11\xae\x83\xf3
\x66\xe3\x8c\x53\xbf\xd5\xa0\xda\xc9\x78\x5b\x92\x2b\xcd\xd1\xa3\xb6\x83\xf4\x3f\x8d\x48\x5d\xfc\xc6\xdd\x00\xb6\xcd\xde\xa0\x64\xf8\x46\xfb\x26\x93\xd4\x8f\xa9\x7b\x52\x63\xf5\x37\xea\xbf\x6c\x0e\x54\x9a\x78\xd2\xbc\xad\xb2\xe8\xfd\xb2\xb1\xb0\xf4\x7f\xd4\x9d\xc6\x1c\xa1\x05\x8b\xb8\x88\x2a\xa1\xca\x2e\xd3\x41\xfe\xb7\x37\xd5\xea\xae\x0e\xa0\x8f\x94\x5a\x04\xa3\x8b\x6e\x31\x37\xf9\x61\xa7\x56\x3a\xd1\x3c\xec\x30\x07\x2b\x91\x43\xe4\xf9\xc7\x82\x4e\x7c\xbd\xa2\xdf\x89\xb7\x4c\x14\x2d\xad\xaf\x5c\xa2\x4b\x6f\xe9\x09\xce\x3a\x1f\xf3\x7e\xe5\xa0\xb6\x61\xd3\x07\x39\xef\x0c\x37\x2c\xf7\xa1\xb4\xc6\xa0\xe5\x19\xb4\x8b\x40\xdc\x79\x4c\xd6\x13\x56\x75\x66\x09\xf6\x8d\xd5\x8f\x72\x4b\xdd\x86\xdb\x7f\x26\x49\xb9\x0e\x16\x35\x30\xca\x69\xf0\x69\x6a\xdd\xfc\xef\x84\xef\xc9\xf9\xe0\x4d\x9d\x6e\x18\xed\x17\xf7\x4f\xf8\x07\xe9\x2b\x0f\x33\x0f\xb6\xe0\x6e\x0e\x2f\x19\x3e\xa0\x3a\x18\x1c\x86\x73\x95\x0a\x19\xeb\xa2\x2f\xd6\xb1\xb5\x6e\xbb\x33\x6e\x02\x48\xc6\x4f\x93\x6c\xaf\xd3\x31\x1f\xd5\x0c\x50\xfc\x91\x61\x56\xbb\x28\x15\x6d\x15\xd7\xf4\xd5\xa7\x98\xd8\x62\x6a\xfc\x6b\xa7\xd2\x17\xd2\xc9\xf1\xa9\x8f\xed\xe6\x2b\x1b\xac\xfc\x31\x4d\xfa\x89\xe8\xcb\xb8\xc3\x7b\xd5\x26\xdd\x53\xed\xe8\x1b\x19\x53\xce\xf5\x17\x70\x3b\xab\xce\x44\x6e\x86\x3b\xf9\xd2\x46\xb0\x3b\x88\x50\x2c\x7f\xdb\xac\x4d\x87\xf1\xea\xad\x86\xed\x17\x0d\x71\x0d\x81\xea\xf3\x95\xae\xf6\x0d\xc1\x64\xd9\x11\x66\x01\xa5\xa5\x8c\x79\xa8\x92\x75\xc9\x5d\x28\x91\x2e\x87\x08\xfe\xe2\x47\x2e\x6b\x87\xd2\xe0\x77\xd3\x62\xc0\xba\x8f\x4b\xc6\xa5\xe3\x87\x45\xea\xe9\x10\x46\xbc\x61\xe6\xa0\x40\xcb\xfe\x38\x20\x4f\x17\xe6\x04\xf0\xe1\x40\x5e\x8e\xe0\x7d\x71\x41\xb6\x98\xbc\x2b\xe7\x69\x0a\x8f\x0b\xf3\x1d\x58\xae\x90\x6c\xb7\x0e\x4f\xe5\xfe\x03\x56\x31\xd7\x65\x33\xb7\xa7\xb0\x32\xe1\xb1\xee\xe2\x14\x28\x08\x4a\xfb\xcc\x93\x0a\x9f\x28\xe9\xf1\x7e\x26\x9a\x69\x97\xaf\x83\x8f\x95\xe2\xfb\x39\x5b\x54\x0a\x1d\x49\xf3\xd4\x29\x02\x74\xd2\xd3\x1f\x76\x08\x35\xff\x73\x51\xd2\x5b\x62\xe1\x35\xad\xf5\x9e\x01\x18\x87\x2d\x17\x84\x3d\x99\x15
\x4f\x46\x60\xfa\x8f\x48\xb6\xc4\x86\x8b\x1f\xbc\x6b\x84\xda\x61\xf9\x81\x23\x16\x7b\x06\x73\x70\xa5\x4f\xc6\xc5\xa6\x88\xe3\x1d\x42\x01\xac\x4c\x4d\x56\x46\xf9\xa4\xa4\xa8\x04\xa1\x75\x16\x7c\xf7\x9d\xda\x22\xf4\xd6\x86\x72\x81\xcb\x0b\x3e\x09\x99\xfa\xd7\xbf\x26\x51\x2d\x13\x14\x40\xa8\xf9\xec\x75\xfe\x9d\xf6\x80\x54\x78\x55\xd8\xc9\xb3\xb3\xf0\xd5\x14\x19\x7c\x2a\xf0\xd6\x72\x99\x13\x73\xb8\xd4\xac\x1d\xd5\x1e\x1f\x90\x74\x50\xd6\x21\x01\xb5\xe2\x61\x3e\xa2\x89\xc1\x94\xd0\x73\x5e\x1c\x5e\x16\x69\x09\xeb\x71\xee\x2a\x4e\xe5\xff\x99\x14\x0c\x0b\xec\xca\x26\x72\xfa\xf6\x94\x49\x38\xc6\x18\x09\xd8\xbf\x2f\xaa\x56\x1f\x9b\x56\xda\xb8\x5d\xed\x7e\xe7\x35\xd3\x00\xc8\xda\x84\xc5\x7f\x06\x7b\x2f\xe5\x09\x29\xca\xe1\x39\x87\x5a\xbb\xab\x08\x47\x42\xc9\x07\x06\xbc\x31\xfc\x4c\x68\x53\x88\x89\x71\x87\x69\xd1\xc6\xda\x0e\xe1\x82\x6e\xcd\xe1\xf6\x0e\xa6\x6c\xed\x44\xc2\x4f\xe2\x87\x5d\xcb\xc8\x7a\x35\x72\xaf\x96\x45\x5e\xdf\x31\xe0\x51\xe5\x42\x2a\x8e\x29\x10\xc7\xd9\x75\xdf\x64\x48\xda\x0c\x0f\x83\x3f\x61\xf7\x15\x05\x98\xfb\x47\xfa\xe9\x38\x35\x7a\x7b\x64\x5e\x40\x6d\xf9\xa4\xa3\x0c\xdd\x1c\xef\x6d\xdb\x26\x3c\x9f\x06\xb2\x68\x76\x7a\x9a\x0f\x92\xc4\xea\x13\x80\xe5\xe3\x6f\x5f\x2a\x3e\x90\xbf\x87\xd6\x81\x8c\x5a\xef\xc3\x43\x9c\x4f\x4d\xe2\xcf\xb4\xdb\x14\x57\x56\x84\x8b\x27\xb6\x18\xc2\x2f\xee\xa3\xf9\xf4\x60\x15\x57\xf5\x3c\x2a\xae\x71\xdb\xc0\xe9\x46\x82\x43\xf1\xbf\x3b\x08\x6b\x4d\xca\xb2\x73\x4d\x61\x28\xc5\x44\x15\x46\x90\x3d\x2f\xea\x40\xc7\xca\x48\x40\xac\x4b\x1b\x3e\xa8\x89\x7c\xf0\x37\x62\x3e\x42\x7f\xb1\xef\x9c\x0e\x7d\xeb\x9e\xba\x0f\x8e\x5a\x5b\x29\xd4\x22\x92\x3f\x2f\xc8\xc5\xdc\x13\x69\xfe\x52\x67\x09\x24\x7c\x27\x76\xf5\xb7\x68\x7c\xcf\x42\x0b\x0d\xc8\x44\x61\x10\x5c\x2a\x31\xcc\xe9\xde\xcc\xa3\x0b\x74\x6b\xfe\x43\x44\x0d\x49\xc4\x77\x5a\x2d\xfc\x88\xf0\x49\xe2\x3a\x30\xe2\xde\x2c\xe6\x34\x54\x9b\xbc\x0c\x26\x30\x97\xeb\xb8\x04\x4b\x4b\x9b\xb6\xf5\xf9\x5a\x4a\x49\x9a\x3d\xce\x9c\x11\xb9\x94\x87\xd9\x96\xeb\x57\xd6\x54\x09\x0b\x43\x6d\xfe\x0b\x94\x79\x6e\x93
\xfe\xae\x2b\x63\xd0\x13\x20\xaf\x73\x23\xa8\x00\x6b\xc7\x5f\x95\xa0\xc6\xce\x53\x69\x18\x02\xa0\x97\x10\x88\x81\xbd\xa6\x4a\x2c\xf8\xed\x8f\x67\x52\xe1\x98\x15\xe7\x1e\x2b\x85\x54\xfa\xc0\x30\x18\x75\x26\x21\x09\x33\x11\x51\x91\x5f\x6b\x19\x36\x2c\x2d\x82\xc3\x04\x74\x78\x52\x5a\x64\x9a\xe4\xc9\xa4\x1f\x75\x60\x83\xf1\x38\x15\x6f\x6e\xc4\xea\x04\xb4\x4f\x65\x2a\xb1\xe6\x6c\x5c\x63\x0e\x61\x30\x06\x2a\x26\x0b\xe5\x53\xf1\x0b\x8b\x70\x0e\x6c\x6b\x08\x9f\x0b\x09\xce\x11\x7c\xa7\x8d\x45\xae\xc4\x33\x97\x64\xdc\x2e\x39\xb5\xbb\x95\x56\x02\xd5\x73\x23\xe4\x0d\x49\xec\xf8\x98\x71\x84\xa1\x2d\x21\x99\x3c\x03\xb4\x58\xfc\xa9\x8c\x77\x30\x71\xc2\x24\x2d\x90\x59\x65\x99\x33\x6e\x1c\x69\xff\x55\x1a\xf3\xef\x27\xaa\xa7\x4c\x54\x7f\x23\x1a\x1e\xf6\x4a\x2f\xbe\x54\x98\xf5\xbf\xfd\x9e\x59\x7b\x8d\x87\x1a\x07\x3e\x82\xf1\x3f\x5b\xdf\x21\x89\xd3\x61\x64\x9d\xbe\x14\x4e\x7c\x2f\xb2\x6a\x51\x88\x84\xc4\xf2\x76\xaf\xa0\x44\x50\xb3\xb1\x26\x15\x11\xa1\x86\x15\x07\xe9\x4b\xe4\xb0\xc3\x01\xe6\x24\x71\xbb\x95\x33\x63\xe5\x4a\x80\xac\x90\xb2\x55\x1b\x01\x2d\x74\xa5\x62\x1e\x26\x5b\xf9\x12\x60\xa4\x67\xfe\x76\x06\xe7\x95\x92\x27\x2a\xa2\x08\xb1\x29\x35\xa8\x99\x1d\xfb\x81\x7a\x5c\xb0\x5a\xcb\xa7\x9d\xcc\xb9\x7d\x0a\x0f\x9e\xb5\x82\x5e\x16\xd1\x24\xa7\x72\x24\xc9\xa0\x9a\x53\x35\xf1\xce\xd7\x85\x63\x6a\xe3\x58\x15\x98\xaf\x5c\x28\xe5\x4e\xa8\xdc\xc4\xc7\x22\xe4\xa6\x58\xa3\x3f\xa7\xc4\x73\xf3\xb5\xe7\x4e\xd5\x62\x56\x80\xf0\x7c\x7d\x47\x29\x66\xab\x64\x6a\xc3\xac\x2d\x67\x46\x9c\x43\xdb\xab\x6b\x88\x67\x79\xde\xf7\x94\x17\x69\x8c\xfe\xd9\x47\x2f\xdc\xab\x0f\x80\x79\xf2\x21\x28\x54\x41\x88\x1e\xaa\xe4\xc2\x11\xa8\x14\xe6\xd4\xe6\xc2\x5d\x49\xa5\x70\x67\x38\xb0\x3b\x35\xc0\xd2\x84\xfc\xd6\x75\x50\x5b\x0a\xdc\x88\xd0\x43\x90\xf3\xa1\xb0\xc8\x27\x85\xba\x7b\xf0\x29\xaa\x46\x18\x71\x31\xdb\xdc\x36\xaa\xed\x98\x0b\x90\x88\x8e\x67\xe8\xa8\xbe\x7c\x1f\x7c\x5e\x3a\xd4\x44\x2e\x97\xaa\x77\xc7\xe1\xd2\x86\xc2\x9d\x8b\x76\x1e\xc9\x12\x50\x52\x9b\xff\xfc\x56\xce\x2d\x1f\x4e\x79\xcf\x74\x23\x7f\x02\x05\x0a
\xfb\x6e\x25\xd5\x43\x65\x45\xda\x66\x62\x29\x70\xe8\x9e\x4c\xb9\xe7\x7e\x0e\x9a\x66\x72\xfe\xb0\x33\x28\x56\x8d\x75\xd5\x14\x65\x77\x2b\x5e\x40\x8e\x40\xeb\xc9\x67\x6e\x7e\x5e\xe7\xab\x0c\xbf\xca\x5f\xf0\xc0\x23\xb3\x93\x52\x94\x64\x66\x8b\x77\x4a\xe1\xb5\xce\xf7\x6d\x67\xf1\xd7\x35\xb8\x72\x81\x55\x5b\x39\x6c\x78\x58\x70\x1c\x6d\x42\xb0\xf3\x65\xb2\x53\xe7\xbc\xcb\x64\xc2\xdc\x39\xbf\xed\x64\x59\x06\xae\x68\xbc\x5e\xbc\x3c\xda\x73\xf3\x86\xb4\xb9\x79\x53\xb3\xca\x6c\x73\x5f\x7c\x47\xe4\x76\x29\x25\xd3\x59\x94\x80\xe7\xc1\x76\x33\xe5\x27\x6a\xf7\x5a\x60\x33\x2b\xab\x2d\x8c\x03\x9e\x4f\x98\x0a\x7d\xe8\x12\x29\xbd\x17\x4f\x6e\x50\xe5\xde\x20\xd2\x0b\x51\x8c\x41\x8b\x6e\xb6\xa0\x6e\xe9\x37\x89\xfb\x6f\x4a\x6e\xcb\x8b\x01\x69\x1a\xd1\xeb\x2a\xe9\x51\xa4\x2f\x97\x6e\x01\x8a\xc4\xb5\x85\xbb\xc3\xf4\x2d\xa7\x9e\x55\xd1\xb7\xf2\x4e\x90\x9f\xce\xe2\x34\x36\xb7\x27\xdd\x9c\xe4\x7b\x41\xb3\xbc\xaa\x88\x37\x15\xd3\x16\xac\xdc\x55\xe0\xfc\xab\x97\xef\x90\xda\x85\x9a\x80\xeb\xeb\xc6\xdf\xd0\xaf\x95\x24\xe8\xa3\x6b\x3f\x71\xeb\xd7\x03\xb0\xaf\xcb\xd7\xac\xc6\xaa\x41\x36\x48\xad\x93\x5e\x70\x94\xa2\x93\xf1\xad\x65\x9b\xf5\x59\x51\x51\x1b\x8f\xea\xa0\x39\x0b\x98\x2c\x91\xb1\xa1\xbc\x04\xcb\x1e\x15\x8b\x13\x2e\x8f\xf2\xfe\x46\x66\x7f\x10\x31\x2a\x25\x46\x8f\x07\x32\x48\x10\xa9\x7d\xdf\xad\x6d\xf0\xd6\x1e\xe5\xdb\x19\x29\x58\x02\x27\xea\x26\x06\x82\xa8\x93\x7d\x03\x79\xbb\xcd\x79\x6a\xa1\x3f\xe9\x2f\x79\x3e\x95\x8d\x28\xd8\xe4\x56\x4b\xfd\xd4\x94\x4d\x7e\xba\xdd\xdd\x67\x33\x92\xc6\x77\x2d\x09\x61\xce\xbe\x60\xa3\xd9\xe9\xf9\x6e\x4a\x4c\xa0\x7e\x55\xd3\x1e\x9d\x94\x25\xe0\x01\x71\xab\xa0\x2f\x0a\xef\x4b\x8f\x5e\x43\xec\x62\x32\x7a\x95\x0f\xe2\x92\x42\x7d\x51\x34\x76\xc3\x18\x39\xa5\xd1\x1e\x03\xf7\x94\x9c\xb2\xd8\x34\x3e\xf4\xb9\x82\x68\x79\x71\x90\x34\x4a\x7a\x68\x91\xcd\xdd\xe2\x9f\xae\xf1\x33\x3f\x7f\xb7\x50\x69\xa7\x4e\x80\x6a\x41\x21\xad\xdf\x98\x68\x35\x28\x1f\x48\x68\xf1\x5c\x73\x43\xe1\x30\x7d\x23\x7b\xb5\x0a\x7e\xc6\x76\x4b\x9f\x43\x25\xb6\xe4\x13\x57\xed\xc3\x3d\x24\x7a\x58
\x3e\x28\x57\x35\xfa\xff\xc5\xbe\xbc\x40\x04\x76\xaf\x6c\x5c\xdd\x34\x91\x37\x47\x08\x60\xd1\x59\xa9\x76\xef\x3c\x47\x61\x28\x5e\xbb\x8c\x53\xa7\xef\x56\x9e\xe2\xe7\x10\xd4\x18\x19\xeb\x85\xcb\x3e\x38\xc6\xd6\xcc\xd0\x35\x87\xfb\x08\x28\xf6\x31\xc1\x99\x00\x15\x3a\x6f\x1e\xdb\x81\x2a\x58\xea\xd0\x41\xc6\x3a\x6a\xc6\x28\x38\x06\xd3\xcf\xb6\x9b\x65\x59\x1a\x82\x9b\xab\xa9\x7a\x36\x7c\x9b\x0f\x24\x97\xb4\x4f\x3c\xa8\x5a\x07\x31\xe5\x94\x2b\x57\xec\xf9\xc2\xde\xe0\x1e\xf7\xea\x53\x3f\x8b\xa3\x17\xf7\x4c\x30\xf4\x9b\xd6\x94\x89\x73\x53\x61\x09\x22\x92\x20\x55\x09\xc5\x74\x20\x06\x63\xf7\x71\xcf\x4d\x1d\x48\x4f\xe5\xa9\xc4\xcd\x3b\x0c\xc4\x32\xe9\x25\xb3\x02\xfa\xb0\x57\x4b\x53\x60\x6f\x27\x77\x56\x3d\x67\x94\xfb\x5f\xe4\x87\xd5\xce\x7b\x5b\xea\xb3\x99\xbf\x77\x27\xb6\x7e\xeb\xf9\xb9\xda\xcf\x5c\x56\x78\xec\x98\x21\xa3\x4d\xc0\x30\xd0\x36\xd0\x4d\x70\x25\xed\x5b\x17\x82\x96\x5c\xf2\x62\xbb\xa0\xb3\xde\x34\x97\x4d\x1e\x77\xa6\x3e\x9b\xb5\x2d\xc6\x59\xde\x69\x0e\x47\xb3\x5f\x4b\xbc\xa6\x6f\x8d\x5e\x0a\x27\x1a\x04\xa2\x89\x43\x5f\x5d\xc9\x01\x3c\x06\x52\x63\x3d\xcc\xe4\x10\x2f\xcb\xe4\x7f\xb4\xc5\xeb\x9a\x6e\xaf\xf5\x46\x3c\x73\xc1\x1e\x37\xe8\xdf\x9d\xab\x09\x32\x33\x49\x22\xfe\xd8\x0d\x5e\x3e\xd1\x25\xdd\xe3\x76\x4f\x48\xd4\x96\xf4\xf3\xb4\x9f\x03\x22\xa9\xb9\xb9\x68\xff\x75\xef\xed\xb3\x69\xb4\xb1\xc9\xaf\xc5\xd2\x7e\x68\xd7\x6d\x17\xc2\x16\xc4\xfe\xd8\x2d\xc2\x48\x7a\xab\xc6\x60\xbb\x55\xb2\xee\x17\xd6\x83\x65\xda\x84\x08\xc4\x5a\xf3\x87\x83\xac\x2b\xe5\x47\x72\xbb\xea\x41\xf5\x86\x84\x56\xee\x66\xa2\x7a\x36\xbe\x49\x9a\x5e\x5d\xd3\x39\x6f\x48\x05\xe2\x2a\x2c\xdc\x22\x90\x79\xc2\xa5\x3c\x92\x99\x55\x92\x69\xed\x1c\x51\x22\x13\x54\x4f\x2b\xf3\x31\x38\x8e\x1c\xb8\x5e\x55\x50\x91\x5f\x8f\x27\xa4\x7b\xa9\xfc\x9a\x50\xce\x01\xcd\x2b\x53\xb3\x7f\x35\x79\x66\xf1\xd0\x0b\xd3\x40\xe0\x50\xc9\xd8\x4f\x29\x14\xb8\xab\xd4\x29\x48\x26\xe7\x50\x0b\x0d\xca\xe9\xcd\x4d\x28\x4d\x17\x34\x56\x53\xcc\xb4\x69\xc5\xee\x3a\x31\x05\x8e\xae\x14\xfe\xd7\x55\x85\xcd\xe2\xfd\x71\xb8\x8e\xbf\x51\x73
\x59\x77\x4e\x90\x23\x46\x6e\xa5\xa4\x79\x56\xb8\x22\x56\x71\x79\x2d\xf4\x5b\x9f\x38\xb1\x0a\xb0\x3f\x9e\xde\x1d\xdb\x2e\x15\x7d\x61\xc0\x95\xd9\xb8\x2b\x97\x7c\xc0\x9d\x92\x97\x45\x56\x0f\xe8\x10\x65\x03\xff\x7d\xd2\x28\xdb\x22\xb2\x51\x77\x68\x97\xee\x15\xb1\x80\xb4\xb4\x63\x1f\x85\xec\xf6\xa6\x07\x4e\xfd\x2c\xdf\x40\xa4\x48\xda\xd6\x23\x31\xc2\x7e\xd8\xb3\x37\x7f\xde\x4b\x15\x33\x12\x6a\x4d\xc7\x08\xb7\x72\x02\xf6\xf8\xc0\x15\x96\x6e\xf7\x11\xc4\xc4\x96\xe9\x03\x4c\xf1\x5a\x33\xbc\x99\x8a\x43\x26\x5e\xdf\xe4\x36\x34\x2d\x7e\xb4\x97\x3b\xe8\xab\x0a\xe6\x71\x9a\x1a\xaa\x41\xe0\xd7\x6d\x95\x2b\x06\x80\x8d\xff\x02\xfd\x81\x60\x34\x29\xa3\x6f\xf7\x44\x0e\x0b\x21\x5d\x9e\xbc\x90\x8e\xfc\x14\x5b\x6e\x1b\x7f\xeb\x53\xbd\x5e\x17\x5c\x7d\x1a\x77\x64\xf9\x04\x07\x44\xb8\x1d\xb8\x6f\xd2\x2c\x0a\x38\xa2\xda\xf7\x44\x0b\xbf\xe8\x83\x50\x09\xd4\xae\xbb\xb1\x1a\x0e\x91\x48\xbc\x04\x95\x1f\xc0\x6e\xc1\xc2\xa2\x68\xa0\x5c\xc2\xcc\x76\x79\x1b\x82\x26\x9f\x96\x3d\x3d\x2f\x56\x4a\xe0\x37\x89\x60\x19\x40\xd5\x6f\x28\xe5\xab\x01\x52\xac\xf6\x63\xe4\x81\x19\x52\x09\xef\xc1\xa3\xa1\xb4\x72\x53\x6e\x0a\xcf\x9a\xe3\x83\xb5\x95\x1d\xfb\xb6\xbd\x4d\x1e\xb5\x55\x01\x02\xc3\xd7\xfa\x23\x65\xa3\x6f\xb7\xc5\x94\x9c\xc7\x27\xce\x57\x31\x1d\xec\x52\xa4\xc3\xb9\x1f\x0d\x5e\xc3\x67\x7c\x26\x5d\x58\x35\x53\x5f\x16\x00\x69\x85\xce\x84\x6e\xf1\x2a\x46\xcb\x86\x62\xcf\xf8\x5a\xf2\xff\xd4\xb3\xb3\x50\x85\x70\x5d\x45\xdf\x3e\x8c\x60\xee\x49\x63\x82\x3c\xea\x99\xdd\x55\xc0\xc3\x3d\xa9\xde\x35\x4f\x70\x9f\x2a\x45\x83\x56\x13\x25\xc4\xa5\x95\x4a\x34\xe2\xab\x32\x73\x8c\x2f\x3f\xbf\xb2\x78\x6a\xa5\x78\x28\xef\x30\x91\x12\x2e\x59\x32\x05\x8c\x12\xd5\x0d\x0e\x89\xee\x5d\xc1\xe3\xee\x41\x35\xd3\x8c\x0c\x98\x4d\xaf\x39\x47\x67\x02\x72\x71\x4d\xe8\x93\x57\x20\xc1\xf3\xd3\xdd\x9f\xc5\x75\x29\xa7\x50\x13\xd8\x59\x46\x48\x42\x33\xce\x69\x25\x77\x18\xd3\xcd\x66\x7c\xd0\x88\x6d\x1f\x3c\x25\x7c\xca\xc6\xb4\x8e\xe5\xcd\xc0\x3e\xb6\xc6\xaa\x2a\x78\xd6\x8e\x2a\x9c\x22\x53\x95\x44\x50\x91\x57\x62\xf3\xf2\xfa\xde\x0a\xc7\x85
\x93\xcc\x38\xe5\x5c\xef\x3b\xc0\xbf\xb9\x38\xeb\xd0\xa6\x1c\x73\x9c\x02\x4a\xdd\xaf\x44\x34\x06\xa7\xb6\x02\x63\x60\xa7\xfc\x87\xc2\x74\xa9\xbd\xcd\xb2\xeb\x5c\xf4\x70\xb5\x3f\x7f\xc1\xbd\x4e\xd0\x5c\xea\xa6\x65\x28\xce\xf7\x9e\x9d\xe7\x8d\xa4\x2b\x16\x7c\x82\xcf\x4d\xad\xca\x57\x07\xd0\xa1\x66\xb0\xf4\x1b\x7f\x7e\x34\x21\xa8\xf8\x8f\x6d\x88\xd2\x4c\xfd\x99\x81\xb5\x0b\x6c\x34\x2b\xb4\x9c\xce\x4b\x82\x3f\x3c\xfd\xb1\x7b\xba\x24\xfd\xb1\x60\x1b\xa0\x60\xa4\x79\x2c\x09\x09\xa7\xc7\xce\xbf\x0c\x33\xe8\xff\x27\xfb\x6e\x32\x7c\x88\x77\xfb\x31\xef\xd8\xbb\x0b\x9f\xca\x28\x29\xca\xc2\xc1\x43\xf4\xa5\xbd\x0a\xfb\xa4\x32\x45\x48\xaf\x32\xf0\x5f\x58\x1a\xe2\x64\xc9\xe2\x0d\x0f\x16\x04\xe1\x12\xc6\xe2\xbc\x51\x8b\x78\x09\x7c\x14\x5d\x87\x1a\x3c\x02\x87\x37\x1b\x0c\xf6\xbd\xcf\x17\x26\x63\x71\xc7\x46\x4d\x87\xa5\x5f\x52\xe0\x1e\x29\x78\x66\xd6\xd4\x98\x86\x8a\xc0\x16\x48\x24\x9c\x1e\xdd\x31\x45\x80\xbf\xc3\x58\x34\xb1\x5d\x10\x8d\xdb\xaf\x6c\xa3\x53\x6a\xa4\x31\x61\x01\x9c\x3a\xf0\xb3\x31\xd9\xd0\x71\xeb\x0a\x50\x44\x23\x55\xa2\xa2\xe1\x95\x47\x4e\x13\xb7\x97\x1d\x95\x6a\xd5\x4e\xd5\x90\xb4\x29\xd6\xa1\xec\x7e\x38\xd4\x1a\x27\x53\x6b\xbb\xfa\xda\xd1\xb3\x5f\xc8\xf8\x27\xa9\x2e\x0b\xaf\xfa\xbb\x81\x18\x16\xcf\xb4\xcd\xac\x4b\x98\xc5\xf6\xf7\x1c\xdc\xf3\x06\x49\x53\x6f\x78\x00\xeb\x6b\x7c\xee\x22\x2d\x64\x16\x5e\x0c\xa9\x50\x46\x93\xb6\xd8\x45\x9b\xc3\x27\xe5\xda\x2e\x6f\x38\xa4\xee\x24\x72\xca\x5e\x6c\xaa\x08\x11\xd0\x42\xf8\xfb\x32\xa9\x9b\xd3\x61\x01\xcf\x19\xac\xce\xee\xd7\x3b\x44\xe3\xde\xb2\x23\xcf\x28\x2e\xcd\x4c\x43\x9f\x55\xf5\xc2\x74\xe2\xc7\x56\xc6\x7c\x23\xc0\x0e\xf7\xbf\xfa\x4b\x60\x12\xa1\x33\x4d\x0c\x97\xf8\x16\xa6\x12\x3c\xbc\xb7\x7a\xce\x8e\x7b\xe0\x51\x52\x69\x24\x86\x22\x02\x8b\x7a\x9c\x0e\x49\xf1\xc8\xdd\xe8\x66\xd3\xbb\x0c\x53\xdb\x9c\x67\xb1\x0b\x20\xd4\xbb\x26\x3f\x2c\x5a\x01\x85\xba\xcc\xfa\x7b\x8f\xe8\x25\x65\x70\x78\xfa\xba\xb0\x03\xb9\x31\x8a\x84\xf7\x65\xda\xaf\xc3\x7f\x49\x6e\xfb\xbc\xe9\xfa\x5d\x2c\x1f\x0a\x4b\x2a\xd0\xcf\x92\x69\x61\x84\x40\x71\x3b
\xc3\xd9\x29\x85\xff\xbd\x6c\xc1\x9a\xfc\x86\x70\x30\x44\x37\x0e\xab\xc4\xde\x11\xf3\xbc\xbf\xb2\x21\xdd\xdc\x51\xbb\xa3\x52\xdc\x28\xfd\x49\xc0\x84\x04\x7f\xb0\xed\x8b\x97\x42\xa9\x6e\x53\xef\x4c\xcb\x94\xce\x4c\xad\x74\x6e\x9c\xae\xee\xc8\x43\xf7\x2b\x77\x9c\xc5\x8d\x25\xfe\x93\x1c\x1a\xf8\xa7\x95\xe1\x95\x68\x5c\x92\x18\x58\x03\xad\xbe\xc6\x06\x6c\xdd\xd8\x7e\x0b\x9a\x53\x80\xaf\xcd\x80\x79\x8f\x58\x08\x59\xea\xb3\x17\xcb\x27\x83\x11\x2a\xf7\xb3\x62\xa5\x9a\xe7\xa8\x24\x74\x94\x40\xe6\x66\x61\xb7\x88\xb8\x56\x05\x49\xa0\xb1\x35\x0d\xfb\x7a\x5e\x88\x92\x8d\x55\x8c\xbc\x8a\x26\xa0\xd7\x4e\x67\x63\x4e\xe9\xec\x1c\x1c\xa0\x8a\xfc\x5b\xeb\x43\xda\x65\xf4\xae\x0a\xc7\xeb\x25\x74\x42\xc9\x99\x0e\xdc\xf9\x3b\x1d\xad\xfe\xa9\x0b\xc2\x92\xbb\xf1\xd8\x23\xc6\x1e\xe9\x69\x24\x9f\x67\xbe\x07\xd7\x0d\xf8\xaf\xc7\xc3\xe5\xbf\x14\x5f\x28\xa2\xd0\x6c\x88\x0e\xff\x9a\x18\x11\x27\xc1\x34\x60\xa0\x6b\x36\x64\xa9\x4c\x88\x8b\x07\xaf\x77\xe8\x4d\x60\xde\xab\x76\x42\x28\xff\xea\x21\x63\x3f\x02\x04\xa5\xd7\xec\x4a\x0b\x30\x3f\xb0\x8f\xb7\x67\x28\xc4\x3d\x90\x73\x80\x01\x83\xc8\xb9\x9e\x22\xd6\x05\xa5\xe6\x39\x9c\x04\x9f\x7f\x88\x7c\xb9\xd7\xfb\xa9\x4d\xb3\x23\x08\x4b\xf9\x4d\xf5\x44\xf6\xce\x2d\xd4\x9a\x21\xd2\xca\xb5\x4d\xf0\x43\x97\x48\x2a\x64\xd2\x90\x0b\xb4\x0f\xa8\x7f\x42\xec\x75\xd6\x8b\xab\x17\x71\x4a\x93\x4b\xcd\xf3\x6f\x87\x07\x4f\x60\x28\xf9\xd6\x1a\x00\xad\xff\xc0\x6d\x62\x4b\xc6\x42\x97\x05\x96\x82\xcc\x8a\xdc\x7e\x2f\xb2\x10\xbd\x22\xfb\xd4\xad\x3d\x35\x15\xf7\x1b\x93\x31\x26\x75\x9e\xc4\xc0\x01\xed\x5c\xdb\xac\xe7\xcc\xe4\x31\x9b\x7a\xb5\x0f\xfc\x8f\x2f\x8f\x1b\xb8\x1a\xc0\x7f\x81\xdf\xff\x33\x54\x50\xac\xf0\x8e\x13\x91\x2d\x3c\x5f\x3a\xa1\x25\x81\x81\x1e\xbd\xb4\x41\x6e\xad\xa2\x59\x65\x1c\x07\x0b\x06\xea\x7e\x18\xa8\xf0\xc4\x00\x57\x5a\x0e\x7f\xdc\x4c\x88\x64\x5d\x35\xc2\xd3\x6a\x8c\xe6\xa2\x97\x2f\x35\x5d\x1a\x5d\x83\x2c\xd7\xef\x2c\x61\x1f\xd1\x10\x59\xda\x39\x0e\xc8\xc8\x74\x91\xd4\x96\x4f\xa4\x0b\x80\x83\x90\x57\x36\x2e\x67\x64\x55\xc7\x17\x2a\x23\x15\x4e\xfe\xba\x6f
\xc9\xab\x4c\x15\xa7\x37\xe2\x99\xc1\xf1\x4d\xaa\x8f\x34\x97\xe3\x37\x0a\x52\x3e\xc1\x5c\x52\xba\xd9\x87\x10\x90\x03\xf8\xdc\xee\x4a\xc6\xc9\x0b\x0f\x8e\x4b\x74\x91\x97\x87\x88\xa9\xc1\xb2\x3a\x14\x39\x6b\x50\x8a\xa9\x51\x75\xfe\x3b\xd6\xa8\xb4\xa9\xc2\x17\xf4\xc9\x84\x2c\x1c\x33\x9d\x4d\x95\xdb\x83\xce\x6e\x7e\x7a\xc8\x8e\xae\x04\x13\x96\x10\x55\x22\x0b\x65\x69\x3d\x49\xa2\xf6\x96\xf6\x41\x42\x19\x25\xb4\x2f\x77\xb0\xf9\x43\x12\x39\x52\x7f\xd6\xd8\x6d\x6f\x9a\xbd\xf3\xd2\x7c\x0a\x79\xa6\xb0\x5a\x61\xdd\x7d\x99\x3d\xe2\xd4\xee\x99\x73\xb7\x78\xff\x19\x5d\x12\x40\xdb\x18\x36\xa5\x25\x8b\x4f\x57\x44\x97\xca\x2f\x9b\x34\x97\x78\x00\xe7\x28\x29\x7d\x98\x3e\x1e\x58\x5f\xaf\x45\x38\x1b\x47\x6d\x25\x31\xe8\x6c\xc6\xe8\x35\xa9\x72\xc3\xa5\xbb\xcc\xba\x7d\x85\x2e\xdc\x83\xbb\xad\x4c\x85\x20\x64\x00\x70\x87\xbb\xd3\x6b\xf8\xa8\x00\xf9\x1e\xea\x0a\x72\xd9\xa7\x5f\x5d\xb3\x5b\x10\x98\x68\x6d\x51\x34\x0a\x17\x2c\x70\x1b\xc4\x7b\x14\x0c\xe5\x2e\xf4\x75\x02\xd0\x07\x1e\x54\x55\x97\x97\x5a\x55\xca\x1e\x91\x21\x76\x45\xe3\xcf\xeb\xf4\xa6\x20\x1a\x84\x81\xf6\x51\x13\x86\x0f\x59\x28\x63\xaf\x1d\xd4\x73\x38\x3b\x1b\x79\xab\x32\xcf\xcd\x46\xe6\xac\xe2\x95\x8d\x42\xcc\xe5\xf9\xb2\x34\x76\x81\xf7\x70\x7a\xb4\xa3\x5f\x9a\xf5\x21\xd4\xc1\xba\xd7\x51\x30\x33\xa5\xf7\xaf\x2b\x7a\x2d\x3a\x49\x14\xd3\x84\x62\xb1\x6b\x85\xd6\x9f\xa6\x0c\x0c\x5e\xf5\x4b\xa2\xfb\x78\xfb\x15\x6a\x94\x7c\xf8\x0b\x1d\xac\xcd\x58\x9f\xdd\x07\x91\xb3\xa9\xeb\x83\x5b\x61\x53\x4a\x16\xf8\xf4\xb1\xca\xbb\xd3\x86\xb4\xc2\x1b\xa9\x7d\xe9\x16\xd2\xcf\x48\xb7\x20\x8c\x1b\xda\x77\xec\xf8\x16\x77\xcb\xce\x25\x58\x2c\xca\xb9\xa6\x5a\x2b\x73\xdd\x34\xb0\x02\xc2\x34\x94\x8a\x42\xb5\x66\x4d\x56\xd8\x24\x42\x9a\x78\xb6\x97\x03\x67\xec\x17\x0d\x1b\x11\x0b\x22\x23\x17\x58\x72\xbd\xc8\x66\x31\x8d\xe0\x66\xfe\xa5\x60\x15\x1d\x88\x25\xde\xe8\x2d\x34\x4b\x81\x6f\xb5\x5a\xaa\x52\x4e\x86\x08\x62\xac\x0c\x36\xcb\x6b\x6e\x81\xf4\x12\x3d\xa5\x9c\xb3\xef\xfe\x29\xce\x76\x98\xe2\xaa\x0c\x60\x36\x82\x0c\x45\x7f\x40\x42\x33\xe3\x22\x61\x31\x9a\x46
\xbc\x8b\xd3\xde\x3c\x94\x8d\xc5\x2e\x27\xca\x52\x7d\xf7\xad\x68\xe6\xc4\xd4\xba\x8f\x6b\x43\x13\xa2\x94\x02\x98\x10\x59\xa1\x48\x79\x7f\xa0\x88\x02\x57\xfe\x04\x27\x01\x19\x28\xaf\x75\x2f\x81\xb8\x18\x68\x02\x10\x8f\x05\x90\x19\x50\x39\xc8\x38\x25\x72\x02\x42\x14\x10\xb8\xa3\x59\xe6\x9d\xdc\xd4\x74\x70\xf4\xd0\x5a\xe2\x89\x83\x4b\xe3\x04\xca\xf4\x9b\xbb\xac\xfd\xbe\x92\x7f\x42\x3b\xe9\xb8\x78\x82\xb0\xfa\xb4\xf5\x0b\xc7\xcd\xbf\xf6\xef\x10\x1f\x33\xf7\x03\x55\x6d\x45\xb6\xac\xe1\x64\x3c\xd7\xe7\x5a\xcf\x74\x06\x3e\x3e\x34\xe9\x63\xdb\x19\xf0\xd1\x9f\x14\x82\x9c\x91\xc4\x50\x66\x1d\x0e\x80\x9d\x5b\x79\x09\x69\x5b\xa1\x54\x46\xc8\x76\xa1\x67\xec\xca\x09\xfc\x00\xe1\x73\x7c\xbd\x4e\xf4\xf7\x0a\x50\xe3\xa0\x0f\xc9\x6f\x0e\x10\x23\xe5\xc8\x1e\x67\xd2\x47\xae\x0e\xc7\xec\x26\x72\x52\x80\x4a\x65\xb3\x01\xb9\x1a\x59\x9b\x8c\xe3\x7d\x95\xa9\x3d\xd9\xa9\x11\xdf\xb3\x95\xf3\x61\x92\x4e\x82\xea\x28\x1e\xfd\x7a\x2e\x01\x5a\xad\xaf\x64\x85\xfc\xea\xee\x0a\xb9\x05\xe1\x39\x6c\x12\x56\x03\xaf\xf4\xca\x16\x5f\x74\x9c\x23\x31\x02\x50\xf8\x00\xb2\xa8\x79\x17\xb9\x42\x1b\x0b\x4c\xde\xc9\xd8\x64\x14\xeb\x82\x23\x74\xb0\xd4\x32\x53\x58\xb2\xbf\x43\xe0\xe3\x12\x58\x88\x79\x76\x5c\x25\xc0\x98\xd1\x71\x86\x53\xbe\xa5\x27\x68\xdd\x7f\x10\x0f\xbd\x2b\x6a\xfc\xcf\x02\x13\x46\x9a\x7f\xa2\x5b\x5f\x77\xc6\xb5\x6c\xa0\x9d\xf8\x86\xa1\x6e\xd2\x4f\x51\xe2\x1d\x07\x8f\x25\xc4\x88\x87\xda\x12\xde\xa5\x7c\x8f\x48\x25\xf2\x7a\xe3\xd9\x16\x01\x96\xeb\x6b\xe0\x9f\x7b\xe8\xb2\x39\xa0\x5d\xbf\x6a\xae\xca\x96\x37\x09\x0d\x1e\x6f\x76\xeb\x93\x69\x27\x4c\x3a\xad\xa3\x36\x24\x3b\x8b\x9c\x59\xc3\xf9\xc9\x1a\xb4\x3f\xc9\x27\x3b\xb5\xbf\x2b\x59\xde\x8f\xbc\x50\x6c\x94\x36\x56\x5e\x4c\x9b\xa2\x96\x50\xb3\x78\x4d\x87\xf3\x37\xa4\xa4\xb5\x28\xca\x2a\x28\x0c\xed\xc3\x69\xb0\x09\x0c\x3f\x69\xc7\x60\x4a\x6d\xf3\x1f\xba\x78\x1c\x07\xd5\x8d\xba\xdd\x7c\x85\xa6\x26\xf8\x85\xf0\x9a\x91\x22\x4e\x79\xbd\x68\x79\x3f\x16\x7e\xbd\x8d\xa1\x0e\x5d\xa7\x8c\xfa\x7e\xbf\x10\xa8\xf2\xc9\x00\x3f\xb1\xcd\xd8\x7e\x46\x98\x61\xf3\xed\x23
\xd2\x5b\xcb\x14\x53\x0a\x8f\xf8\xd9\x1e\x9e\x0c\x7c\x39\x76\xc3\xaf\xc7\xbd\x50\x05\xcc\xef\x59\xfa\xec\x52\xba\x35\x69\x3d\x0f\x0d\xce\xba\x84\x3a\xdd\x5a\x74\x7e\x0a\xa7\x2f\x09\xf2\xf4\x52\x81\xc9\xd4\xc6\xf1\xbb\x78\x37\x9a\xec\x78\x2c\x64\x81\x0d\xe3\x23\xc8\xab\xac\xc9\xfb\x7e\x7d\xbc\x1e\x29\x13\xa8\x5d\xf0\xbd\xb6\xac\x70\x1a\x68\x26\x9e\x79\xab\x28\x45\x8c\x02\x91\xe1\x84\x0b\x34\xac\xe2\xd0\xdc\xa9\x02\x9f\x6d\x95\x0e\x6e\xf1\xe5\xcb\xb9\x52\x4d\xb5\x01\xdc\x30\x22\x73\x3c\xb1\x0b\xb7\x4e\x9e\x69\x82\x45\xa9\x8d\xff\xe2\x37\x8c\x42\x54\x81\x19\xdd\x60\xf2\xb0\x21\x95\x3b\x30\x0f\x38\x97\x26\x61\xc3\xeb\xdf\x64\xa3\xaf\xb3\xc6\x29\xcc\xa5\xec\x93\x8c\x31\xee\x8c\xb6\x82\xdd\x38\xf3\x58\x18\x12\xf7\xba\x64\x31\xc1\x60\x65\x90\x39\xe7\xcf\xe7\x85\x9b\x1a\xa8\x13\x08\x33\xf1\xf6\x37\x24\xf8\x63\xb3\xe2\xa1\x8f\x9e\xbd\x1e\xa6\x14\xd3\x0d\x28\xbd\x4f\x5b\x8c\x26\x17\xbe\xcd\x8a\x4d\x8b\x3a\x9b\x42\xb8\x5d\x8e\x80\xc8\xfa\xf7\xd9\xcf\x56\x37\xdd\x98\x82\x6a\x10\xb6\x92\x40\x29\x33\xd2\xae\x0e\xa9\x08\xff\x5d\x6c\x22\xfc\x33\x5b\xe0\x06\x14\xa0\xf5\xe7\x00\x4e\xbe\xf7\x1f\xd2\x3d\x3f\x90\x11\x59\x84\xf0\xe4\x6e\x82\xac\x8b\x03\xe5\xd2\xbf\xea\xa2\x19\x23\x33\xc1\xa0\xa9\xfb\x19\xa7\x5b\xdc\x8f\x90\x58\x33\x6e\x86\xf3\xf7\xb3\x0f\x0b\xed\x24\xc4\xb2\x30\xcd\xfc\x92\xa9\x88\x5b\xe5\x1c\x0b\x85\x1c\xd7\xa0\x4a\x62\xfb\x3c\xe4\x7e\x76\x5a\x11\x4e\xf7\x68\x6b\xc7\xd8\x2e\xf5\xe1\xca\x02\x14\xb9\x5b\x64\xe5\x7f\x85\x12\x15\xce\x5a\x47\xdd\xfb\x91\x93\x2c\x85\x4c\x65\x25\xeb\xe7\xf6\xe1\x68\x45\xfa\x22\x5a\x74\x09\x3f\x6a\x26\x80\x08\x5a\x8f\xef\x66\x54\x1f\xc3\x64\x3f\xc8\x14\xc5\xa8\x06\x41\x5f\x70\x68\x8a\x4b\xe7\x7b\xea\xf7\x5d\x71\x02\x6e\x4d\xff\x38\x00\x12\x4b\xde\xc0\xe0\x65\x46\x3e\xdc\x69\x64\x1f\x67\xc7\xc4\x2b\x8e\x02\x5f\x81\x40\x6f\xd4\x89\x6d\x5d\xb8\xe1\x9f\xec\x09\x98\x09\xad\x50\xa9\x8a\x83\xb3\xca\xa8\xfd\x87\x31\x05\x14\xf4\xa7\xaf\xd9\xa9\x70\xc4\x56\x23\x1d\x91\x6b\x26\xd5\xc6\x2b\xc4\x83\x4a\xf9\xbc\x27\x77\xa7\xc7\xd3\xbb\xf5\xf2\xc6\xd8\x28\x93
\x5f\x3b\x82\x77\x43\xc0\x92\x22\x32\x8e\x8e\x82\x91\xbb\x28\x3e\xba\x7d\x4b\xc8\x97\x87\x7f\x6e\x50\xa5\xfa\xbc\x77\xab\xf3\x15\x34\xd7\x00\x96\x2e\xde\xcb\x1d\xf4\xee\x12\x28\xa7\x29\xdf\x7d\xa8\x57\x71\xa3\xf1\xe3\x04\x29\xfa\xc9\x93\xd9\x73\x8d\x9d\x67\x28\xbf\x49\x2b\x47\x91\x43\x8c\x3c\xf6\xd5\x9a\xf8\x09\x97\x4a\xec\x44\x80\x98\xc2\x6c\xb3\x79\x1e\x43\x72\x40\x76\xef\x5c\xa9\xc7\x0c\xb3\xf5\x8a\xcc\xb5\x39\x94\x37\x86\xce\x98\xb0\x92\xc9\x65\xa1\x47\xd1\x87\x0a\xd4\x54\x68\x6b\xa5\x79\xc9\xd1\x0a\x61\x31\xd4\xd9\x80\xff\x68\x89\x8f\xb1\x1a\x0a\x9f\x61\xe6\x0a\x86\x42\x7f\x60\x66\x00\x88\x98\x4e\xed\x16\xac\xf6\xd3\x14\x30\x18\x3b\x81\x91\x2a\xdc\xde\x80\x84\x45\x71\x22\xec\xdd\x70\x54\xcf\x3d\xdd\xee\x25\xa9\x75\xfb\x24\x48\xe7\x1a\x27\xae\xdf\x68\x68\x5e\x9e\x8b\xf6\x07\x05\x6d\x68\xd7\x20\x60\x75\x99\xcb\x49\x97\xa1\xd5\x91\xa1\xcc\x17\x4e\xdd\xc6\x6f\x39\x16\x0a\x2e\x55\xee\xe6\xc8\x2b\x21\x8c\x5b\x96\x3a\x02\x68\x11\x7f\xcc\xda\x93\x14\xd7\xde\x3b\x1b\xfd\xf1\xde\x33\x83\x10\x41\x8d\xbb\x11\xf7\x3b\xfc\x1a\x70\x5a\x7f\x12\x56\x0c\x6a\x83\x6e\xbc\x1c\x92\x7d\x14\x27\xeb\x6d\x71\x04\xf9\x42\x70\x5a\x25\xe7\xa7\x94\x88\x76\x8c\x70\x7c\xdd\xb0\x59\xd0\x6f\x4f\x55\xd6\x41\x14\x65\x8b\xb3\x27\x07\x2a\x0f\x24\x8f\x91\x91\xae\xbf\x83\x8c\xcf\x46\x4e\x3d\xb3\x8b\xd0\x15\xc1\xfe\x7e\x0a\x1c\xe8\xc8\x54\xe0\x64\xad\x28\xdf\x20\x85\x4e\xca\xf4\x42\x88\x1d\x5b\x92\x2d\xb3\x32\x7a\x73\xa8\x00\x7f\x84\xaa\xcb\x94\x1b\xc1\x23\x27\x42\xd0\xad\x98\xeb\x8f\x05\xa8\x12\xc7\x95\x7f\xb4\xb6\x88\x52\x2e\xa6\xa1\xd5\xef\x22\xda\xbf\x25\x37\xb5\xf6\x8d\x81\xe0\x6b\x51\x78\x39\xb4\x74\x23\x85\x64\x96\x79\x29\xfa\x82\x31\xeb\x8e\xaa\x9b\xf7\x95\x54\x91\x79\x39\x33\x6f\x71\xed\xad\x5c\x01\x1d\xe4\xa9\x88\x7c\x9d\x8b\xfe\x58\x8c\x17\x47\xb4\x7e\xca\xe6\x41\xae\x07\x6a\x53\xcb\x66\x1d\x34\x46\x59\xed\x82\xa4\xf1\x06\x12\xea\x2e\xe0\x0a\x44\x4d\xe7\xe4\xb1\xa0\xc5\x61\x4d\x4a\x63\x69\xb4\x8c\xfa\xe5\x31\x6e\x83\x89\xcb\x72\x0a\x11\x11\x71\x38\x3a\x78\x79\x80\x31\xaf\x5e\x49\x76\xb8\x91
\x75\xac\x1e\xfa\x79\xca\x7d\xd7\x28\xd2\x1c\xf2\x85\x3f\x69\x87\x03\x79\xdc\xd6\x91\xf4\x12\xb0\xda\xbb\x49\xf7\x4d\x48\xf9\x31\x3b\xe4\x58\x95\xe8\xd4\xe7\x8e\x23\xe3\x57\xa9\xa2\x29\x4b\xef\xb1\x73\xce\xcc\xdd\xb7\xde\xc8\x47\x81\x92\x0e\x95\x1e\xcc\x86\x3b\xdc\x84\x3a\xf7\x53\x5e\x72\x1a\x7a\x7f\x5b\xd6\xe0\xd3\x7f\xe9\xe5\xb5\xaf\x3f\x2a\xaa\x62\x96\x71\x12\xc0\xfe\x84\x8d\x3c\x38\xa6\x46\xde\xd7\xde\xba\x1a\xb9\x8d\x40\x88\x1b\xa2\xfc\x91\x8a\x86\x64\xbb\xab\xea\x14\xbe\x6f\x5b\xb9\x2e\x25\x4c\x47\x1b\x32\x4a\x02\x6c\x66\x1d\xe4\xb9\x7b\xa0\xae\x1f\x67\x06\x3f\x41\xa5\x61\x9d\xa8\xa4\x9a\x7a\xd6\xcf\x81\x53\x97\x7a\x4c\x63\x17\x1b\xba\x20\x88\x4b\x73\x44\xc4\x05\xd6\x1b\x9c\xe3\xce\x90\xdd\x0b\x6d\x86\xbe\x27\xc0\x28\xa2\xa4\x8f\xe0\x40\xd6\xf9\xd2\xf5\xdc\x24\x66\xcb\x9f\x74\x5e\x5a\x98\xe5\x26\x64\x98\xb1\x4d\x16\xe3\xfc\xee\x12\x02\x6c\x0f\x46\xb7\xfd\x1d\x30\x07\x65\x05\xcd\x64\xc1\xd6\x0c\x5c\xac\x8c\xb4\x00\xea\x6b\x75\x22\xc1\x65\xb0\x09\x4f\xf0\xff\x65\x6d\x08\x16\x73\x05\x6b\x73\xee\xe3\xef\xcb\xfb\xa2\x60\xff\x87\xe4\x30\x4c\x8e\xb1\x4a\xea\xdf\xda\xa0\x95\x70\xf6\x30\x64\x6c", 8192); *(uint64_t*)0x200000006c80 = 0x2000000036c0; *(uint32_t*)0x2000000036c0 = 0x50; *(uint32_t*)0x2000000036c4 = 0; *(uint64_t*)0x2000000036c8 = 8; *(uint32_t*)0x2000000036d0 = 7; *(uint32_t*)0x2000000036d4 = 0x2d; *(uint32_t*)0x2000000036d8 = 7; *(uint32_t*)0x2000000036dc = 0x8000008; *(uint16_t*)0x2000000036e0 = 7; *(uint16_t*)0x2000000036e2 = 0xfc00; *(uint32_t*)0x2000000036e4 = 0x3ff; *(uint32_t*)0x2000000036e8 = 0x59; *(uint16_t*)0x2000000036ec = 0; *(uint16_t*)0x2000000036ee = 0; *(uint32_t*)0x2000000036f0 = 0xe0; *(uint32_t*)0x2000000036f4 = 0x10000; memset((void*)0x2000000036f8, 0, 24); *(uint64_t*)0x200000006c88 = 0x200000003740; *(uint32_t*)0x200000003740 = 0x18; *(uint32_t*)0x200000003744 = 0; *(uint64_t*)0x200000003748 = 6; *(uint64_t*)0x200000003750 = 0x80000001; *(uint64_t*)0x200000006c90 = 0x200000003780; *(uint32_t*)0x200000003780 = 0x18; 
*(uint32_t*)0x200000003784 = 0; *(uint64_t*)0x200000003788 = 4; *(uint64_t*)0x200000003790 = 2; *(uint64_t*)0x200000006c98 = 0x2000000037c0; *(uint32_t*)0x2000000037c0 = 0x18; *(uint32_t*)0x2000000037c4 = 0xffffffda; *(uint64_t*)0x2000000037c8 = 0x37; *(uint32_t*)0x2000000037d0 = 0; *(uint32_t*)0x2000000037d4 = 0; *(uint64_t*)0x200000006ca0 = 0x200000003800; *(uint32_t*)0x200000003800 = 0x18; *(uint32_t*)0x200000003804 = 0; *(uint64_t*)0x200000003808 = 1; *(uint32_t*)0x200000003810 = 0xff; *(uint32_t*)0x200000003814 = 0; *(uint64_t*)0x200000006ca8 = 0x200000003840; *(uint32_t*)0x200000003840 = 0x28; *(uint32_t*)0x200000003844 = 0x26; *(uint64_t*)0x200000003848 = 0x7fffffffffffffff; *(uint64_t*)0x200000003850 = 0x7a; *(uint64_t*)0x200000003858 = 8; *(uint32_t*)0x200000003860 = 0; *(uint32_t*)0x200000003864 = 0; *(uint64_t*)0x200000006cb0 = 0x200000003880; *(uint32_t*)0x200000003880 = 0x60; *(uint32_t*)0x200000003884 = 0xfffffff5; *(uint64_t*)0x200000003888 = 1; *(uint64_t*)0x200000003890 = 0x81; *(uint64_t*)0x200000003898 = 6; *(uint64_t*)0x2000000038a0 = 0x3ff; *(uint64_t*)0x2000000038a8 = 2; *(uint64_t*)0x2000000038b0 = 4; *(uint32_t*)0x2000000038b8 = 4; *(uint32_t*)0x2000000038bc = 8; *(uint32_t*)0x2000000038c0 = 2; *(uint32_t*)0x2000000038c4 = 0; memset((void*)0x2000000038c8, 0, 24); *(uint64_t*)0x200000006cb8 = 0x200000003900; *(uint32_t*)0x200000003900 = 0x18; *(uint32_t*)0x200000003904 = 0; *(uint64_t*)0x200000003908 = 0; *(uint32_t*)0x200000003910 = 0xb; *(uint32_t*)0x200000003914 = 0; *(uint64_t*)0x200000006cc0 = 0x200000003940; *(uint32_t*)0x200000003940 = 0x12; *(uint32_t*)0x200000003944 = 0xaeab5fde; *(uint64_t*)0x200000003948 = 9; memcpy((void*)0x200000003950, "^\000", 2); *(uint64_t*)0x200000006cc8 = 0x200000003980; *(uint32_t*)0x200000003980 = 0x20; *(uint32_t*)0x200000003984 = 0; *(uint64_t*)0x200000003988 = 0; *(uint64_t*)0x200000003990 = 0; *(uint32_t*)0x200000003998 = 2; *(uint32_t*)0x20000000399c = 0; *(uint64_t*)0x200000006cd0 = 0x2000000039c0; 
*(uint32_t*)0x2000000039c0 = 0x78; *(uint32_t*)0x2000000039c4 = 0; *(uint64_t*)0x2000000039c8 = 0xfffffffffffffff7; *(uint64_t*)0x2000000039d0 = 3; *(uint32_t*)0x2000000039d8 = 0x67; *(uint32_t*)0x2000000039dc = 0; *(uint64_t*)0x2000000039e0 = 3; *(uint64_t*)0x2000000039e8 = 2; *(uint64_t*)0x2000000039f0 = 5; *(uint64_t*)0x2000000039f8 = 2; *(uint64_t*)0x200000003a00 = 0; *(uint64_t*)0x200000003a08 = 0x5b; *(uint32_t*)0x200000003a10 = 0x200; *(uint32_t*)0x200000003a14 = 6; *(uint32_t*)0x200000003a18 = 0xf0b7; *(uint32_t*)0x200000003a1c = 0x1000; *(uint32_t*)0x200000003a20 = 1; *(uint32_t*)0x200000003a24 = -1; *(uint32_t*)0x200000003a28 = -1; *(uint32_t*)0x200000003a2c = 4; *(uint32_t*)0x200000003a30 = 6; *(uint32_t*)0x200000003a34 = 0; *(uint64_t*)0x200000006cd8 = 0x200000004b00; *(uint32_t*)0x200000004b00 = 0x90; *(uint32_t*)0x200000004b04 = 0; *(uint64_t*)0x200000004b08 = 7; *(uint64_t*)0x200000004b10 = 1; *(uint64_t*)0x200000004b18 = 3; *(uint64_t*)0x200000004b20 = 0x10000; *(uint64_t*)0x200000004b28 = 0x200; *(uint32_t*)0x200000004b30 = 8; *(uint32_t*)0x200000004b34 = 0xa87; *(uint64_t*)0x200000004b38 = 4; *(uint64_t*)0x200000004b40 = 1; *(uint64_t*)0x200000004b48 = 7; *(uint64_t*)0x200000004b50 = 1; *(uint64_t*)0x200000004b58 = 0xfffffffffffffffd; *(uint64_t*)0x200000004b60 = 4; *(uint32_t*)0x200000004b68 = 9; *(uint32_t*)0x200000004b6c = 0xffff; *(uint32_t*)0x200000004b70 = 0x10000000; *(uint32_t*)0x200000004b74 = 0; *(uint32_t*)0x200000004b78 = 0xf40; *(uint32_t*)0x200000004b7c = 0; *(uint32_t*)0x200000004b80 = r[10]; *(uint32_t*)0x200000004b84 = 0x8001; *(uint32_t*)0x200000004b88 = 9; *(uint32_t*)0x200000004b8c = 0; *(uint64_t*)0x200000006ce0 = 0x200000004bc0; *(uint32_t*)0x200000004bc0 = 0x48; *(uint32_t*)0x200000004bc4 = 0; *(uint64_t*)0x200000004bc8 = 0x5c; *(uint64_t*)0x200000004bd0 = 1; *(uint64_t*)0x200000004bd8 = 4; *(uint32_t*)0x200000004be0 = 6; *(uint32_t*)0x200000004be4 = 8; memset((void*)0x200000004be8, 255, 6); *(uint64_t*)0x200000004bf0 = 1; 
*(uint64_t*)0x200000004bf8 = 8; *(uint32_t*)0x200000004c00 = 0; *(uint32_t*)0x200000004c04 = 0xb; *(uint64_t*)0x200000006ce8 = 0x200000006500; *(uint32_t*)0x200000006500 = 0x478; *(uint32_t*)0x200000006504 = 0; *(uint64_t*)0x200000006508 = 2; *(uint64_t*)0x200000006510 = 1; *(uint64_t*)0x200000006518 = 1; *(uint64_t*)0x200000006520 = 0xf; *(uint64_t*)0x200000006528 = 9; *(uint32_t*)0x200000006530 = 0x7fffffff; *(uint32_t*)0x200000006534 = 0x3ff; *(uint64_t*)0x200000006538 = 5; *(uint64_t*)0x200000006540 = 0xb3fc; *(uint64_t*)0x200000006548 = 3; *(uint64_t*)0x200000006550 = 0xa2d9; *(uint64_t*)0x200000006558 = 3; *(uint64_t*)0x200000006560 = 0x80000000; *(uint32_t*)0x200000006568 = 4; *(uint32_t*)0x20000000656c = 5; *(uint32_t*)0x200000006570 = 2; *(uint32_t*)0x200000006574 = 0x6000; *(uint32_t*)0x200000006578 = 0xfff; *(uint32_t*)0x20000000657c = -1; *(uint32_t*)0x200000006580 = 0xee01; *(uint32_t*)0x200000006584 = 5; *(uint32_t*)0x200000006588 = 6; *(uint32_t*)0x20000000658c = 0; *(uint64_t*)0x200000006590 = 5; *(uint64_t*)0x200000006598 = 9; *(uint32_t*)0x2000000065a0 = 6; *(uint32_t*)0x2000000065a4 = 6; memcpy((void*)0x2000000065a8, "wlan1\000", 6); *(uint64_t*)0x2000000065b0 = 3; *(uint64_t*)0x2000000065b8 = 1; *(uint64_t*)0x2000000065c0 = 4; *(uint64_t*)0x2000000065c8 = 0xf; *(uint32_t*)0x2000000065d0 = 1; *(uint32_t*)0x2000000065d4 = 5; *(uint64_t*)0x2000000065d8 = 4; *(uint64_t*)0x2000000065e0 = 0xffc; *(uint64_t*)0x2000000065e8 = 2; *(uint64_t*)0x2000000065f0 = 0xffffffffffffdbca; *(uint64_t*)0x2000000065f8 = 0x35; *(uint64_t*)0x200000006600 = 0x5fa; *(uint32_t*)0x200000006608 = 8; *(uint32_t*)0x20000000660c = 5; *(uint32_t*)0x200000006610 = 0x16d; *(uint32_t*)0x200000006614 = 0x6000; *(uint32_t*)0x200000006618 = 0x8000; *(uint32_t*)0x20000000661c = r[11]; *(uint32_t*)0x200000006620 = 0xee00; *(uint32_t*)0x200000006624 = 8; *(uint32_t*)0x200000006628 = 2; *(uint32_t*)0x20000000662c = 0; *(uint64_t*)0x200000006630 = 2; *(uint64_t*)0x200000006638 = 0x3e8; 
*(uint32_t*)0x200000006640 = 0x16; *(uint32_t*)0x200000006644 = 5; memcpy((void*)0x200000006648, "bpf_lsm_path_truncate\000", 22); *(uint64_t*)0x200000006660 = 6; *(uint64_t*)0x200000006668 = 3; *(uint64_t*)0x200000006670 = 0xcff0; *(uint64_t*)0x200000006678 = 0xfffffffffffffbff; *(uint32_t*)0x200000006680 = 3; *(uint32_t*)0x200000006684 = 3; *(uint64_t*)0x200000006688 = 5; *(uint64_t*)0x200000006690 = 4; *(uint64_t*)0x200000006698 = 8; *(uint64_t*)0x2000000066a0 = 9; *(uint64_t*)0x2000000066a8 = 0x10; *(uint64_t*)0x2000000066b0 = 5; *(uint32_t*)0x2000000066b8 = 0x91; *(uint32_t*)0x2000000066bc = 0xfff; *(uint32_t*)0x2000000066c0 = 0xfffffffd; *(uint32_t*)0x2000000066c4 = 0xc000; *(uint32_t*)0x2000000066c8 = 3; *(uint32_t*)0x2000000066cc = r[12]; *(uint32_t*)0x2000000066d0 = 0xee00; *(uint32_t*)0x2000000066d4 = 0x80; *(uint32_t*)0x2000000066d8 = 0x40; *(uint32_t*)0x2000000066dc = 0; *(uint64_t*)0x2000000066e0 = 0; *(uint64_t*)0x2000000066e8 = 8; *(uint32_t*)0x2000000066f0 = 6; *(uint32_t*)0x2000000066f4 = 0x80000001; memcpy((void*)0x2000000066f8, "wlan1\000", 6); *(uint64_t*)0x200000006700 = 3; *(uint64_t*)0x200000006708 = 2; *(uint64_t*)0x200000006710 = 8; *(uint64_t*)0x200000006718 = 9; *(uint32_t*)0x200000006720 = 0x80000000; *(uint32_t*)0x200000006724 = 0xd149; *(uint64_t*)0x200000006728 = 3; *(uint64_t*)0x200000006730 = 4; *(uint64_t*)0x200000006738 = 5; *(uint64_t*)0x200000006740 = 0xe; *(uint64_t*)0x200000006748 = 0x7a; *(uint64_t*)0x200000006750 = 0xd52; *(uint32_t*)0x200000006758 = 0; *(uint32_t*)0x20000000675c = 5; *(uint32_t*)0x200000006760 = 6; *(uint32_t*)0x200000006764 = 0xa000; *(uint32_t*)0x200000006768 = 2; *(uint32_t*)0x20000000676c = r[14]; *(uint32_t*)0x200000006770 = 0; *(uint32_t*)0x200000006774 = 0x7fffffff; *(uint32_t*)0x200000006778 = 5; *(uint32_t*)0x20000000677c = 0; *(uint64_t*)0x200000006780 = 4; *(uint64_t*)0x200000006788 = 0x7ff; *(uint32_t*)0x200000006790 = 2; *(uint32_t*)0x200000006794 = 0x78d; memcpy((void*)0x200000006798, 
"\300\'", 2); *(uint64_t*)0x2000000067a0 = 2; *(uint64_t*)0x2000000067a8 = 0; *(uint64_t*)0x2000000067b0 = 6; *(uint64_t*)0x2000000067b8 = 0x7fffffff; *(uint32_t*)0x2000000067c0 = 5; *(uint32_t*)0x2000000067c4 = 5; *(uint64_t*)0x2000000067c8 = 2; *(uint64_t*)0x2000000067d0 = 0xc; *(uint64_t*)0x2000000067d8 = 0xbde5; *(uint64_t*)0x2000000067e0 = 5; *(uint64_t*)0x2000000067e8 = 8; *(uint64_t*)0x2000000067f0 = 0x10; *(uint32_t*)0x2000000067f8 = 9; *(uint32_t*)0x2000000067fc = 6; *(uint32_t*)0x200000006800 = 0xe31; *(uint32_t*)0x200000006804 = 0x2000; *(uint32_t*)0x200000006808 = 0x5b8; *(uint32_t*)0x20000000680c = r[16]; *(uint32_t*)0x200000006810 = r[18]; *(uint32_t*)0x200000006814 = 6; *(uint32_t*)0x200000006818 = 8; *(uint32_t*)0x20000000681c = 0; *(uint64_t*)0x200000006820 = 2; *(uint64_t*)0x200000006828 = 0x80; *(uint32_t*)0x200000006830 = 0; *(uint32_t*)0x200000006834 = 0xb6; *(uint64_t*)0x200000006838 = 5; *(uint64_t*)0x200000006840 = 2; *(uint64_t*)0x200000006848 = 0x80000001; *(uint64_t*)0x200000006850 = 2; *(uint32_t*)0x200000006858 = 6; *(uint32_t*)0x20000000685c = 0xff; *(uint64_t*)0x200000006860 = 3; *(uint64_t*)0x200000006868 = 5; *(uint64_t*)0x200000006870 = 8; *(uint64_t*)0x200000006878 = 3; *(uint64_t*)0x200000006880 = 0x8001; *(uint64_t*)0x200000006888 = 5; *(uint32_t*)0x200000006890 = 1; *(uint32_t*)0x200000006894 = 7; *(uint32_t*)0x200000006898 = 2; *(uint32_t*)0x20000000689c = 0x1000; *(uint32_t*)0x2000000068a0 = 1; *(uint32_t*)0x2000000068a4 = 0xee01; *(uint32_t*)0x2000000068a8 = r[19]; *(uint32_t*)0x2000000068ac = 0x10001; *(uint32_t*)0x2000000068b0 = 6; *(uint32_t*)0x2000000068b4 = 0; *(uint64_t*)0x2000000068b8 = 0; *(uint64_t*)0x2000000068c0 = 6; *(uint32_t*)0x2000000068c8 = 5; *(uint32_t*)0x2000000068cc = 6; memset((void*)0x2000000068d0, 170, 5); *(uint64_t*)0x2000000068d8 = 3; *(uint64_t*)0x2000000068e0 = 1; *(uint64_t*)0x2000000068e8 = 0x8000000000000000; *(uint64_t*)0x2000000068f0 = 0x2e; *(uint32_t*)0x2000000068f8 = 5; 
*(uint32_t*)0x2000000068fc = 7; *(uint64_t*)0x200000006900 = 6; *(uint64_t*)0x200000006908 = 5; *(uint64_t*)0x200000006910 = 5; *(uint64_t*)0x200000006918 = 0xb; *(uint64_t*)0x200000006920 = 0; *(uint64_t*)0x200000006928 = 2; *(uint32_t*)0x200000006930 = 0xffff; *(uint32_t*)0x200000006934 = 0; *(uint32_t*)0x200000006938 = 8; *(uint32_t*)0x20000000693c = 0x2000; *(uint32_t*)0x200000006940 = 9; *(uint32_t*)0x200000006944 = r[20]; *(uint32_t*)0x200000006948 = r[21]; *(uint32_t*)0x20000000694c = 2; *(uint32_t*)0x200000006950 = 7; *(uint32_t*)0x200000006954 = 0; *(uint64_t*)0x200000006958 = 6; *(uint64_t*)0x200000006960 = 0xfffffffffffffffb; *(uint32_t*)0x200000006968 = 5; *(uint32_t*)0x20000000696c = 6; memset((void*)0x200000006970, 170, 5); *(uint64_t*)0x200000006cf0 = 0x200000006980; *(uint32_t*)0x200000006980 = 0xa0; *(uint32_t*)0x200000006984 = 0; *(uint64_t*)0x200000006988 = 0xd05; *(uint64_t*)0x200000006990 = 5; *(uint64_t*)0x200000006998 = 3; *(uint64_t*)0x2000000069a0 = 0x8000000000000001; *(uint64_t*)0x2000000069a8 = 7; *(uint32_t*)0x2000000069b0 = 5; *(uint32_t*)0x2000000069b4 = 2; *(uint64_t*)0x2000000069b8 = 3; *(uint64_t*)0x2000000069c0 = 4; *(uint64_t*)0x2000000069c8 = 5; *(uint64_t*)0x2000000069d0 = 3; *(uint64_t*)0x2000000069d8 = 8; *(uint64_t*)0x2000000069e0 = 1; *(uint32_t*)0x2000000069e8 = 0x8001; *(uint32_t*)0x2000000069ec = 0; *(uint32_t*)0x2000000069f0 = 0xfff; *(uint32_t*)0x2000000069f4 = 0x8000; *(uint32_t*)0x2000000069f8 = 0x101; *(uint32_t*)0x2000000069fc = r[22]; *(uint32_t*)0x200000006a00 = 0xee00; *(uint32_t*)0x200000006a04 = 7; *(uint32_t*)0x200000006a08 = 0xac; *(uint32_t*)0x200000006a0c = 0; *(uint64_t*)0x200000006a10 = 0; *(uint32_t*)0x200000006a18 = 0x10; *(uint32_t*)0x200000006a1c = 0; *(uint64_t*)0x200000006cf8 = 0x200000006a40; *(uint32_t*)0x200000006a40 = 0x20; *(uint32_t*)0x200000006a44 = 0; *(uint64_t*)0x200000006a48 = 0xffffffff; *(uint32_t*)0x200000006a50 = 4; *(uint32_t*)0x200000006a54 = 0; *(uint32_t*)0x200000006a58 = 9; 
*(uint32_t*)0x200000006a5c = 0xa; *(uint64_t*)0x200000006d00 = 0x200000006b40; *(uint32_t*)0x200000006b40 = 0x130; *(uint32_t*)0x200000006b44 = 0; *(uint64_t*)0x200000006b48 = 0x1ff; *(uint64_t*)0x200000006b50 = 0x6276287e; *(uint32_t*)0x200000006b58 = 7; *(uint32_t*)0x200000006b5c = 0; memset((void*)0x200000006b60, 0, 16); *(uint32_t*)0x200000006b70 = 0x800; *(uint32_t*)0x200000006b74 = 2; *(uint64_t*)0x200000006b78 = 3; *(uint32_t*)0x200000006b80 = 0x1e; *(uint32_t*)0x200000006b84 = -1; *(uint32_t*)0x200000006b88 = r[24]; *(uint16_t*)0x200000006b8c = 0x4000; memset((void*)0x200000006b8e, 0, 2); *(uint64_t*)0x200000006b90 = 0x800; *(uint64_t*)0x200000006b98 = 9; *(uint64_t*)0x200000006ba0 = 8; *(uint64_t*)0x200000006ba8 = 0x32f3fcde; *(uint64_t*)0x200000006bb0 = 6; *(uint32_t*)0x200000006bb8 = 1; *(uint32_t*)0x200000006bbc = 0; *(uint64_t*)0x200000006bc0 = 4; *(uint32_t*)0x200000006bc8 = 0xe30; *(uint32_t*)0x200000006bcc = 0; *(uint64_t*)0x200000006bd0 = 0x4d; *(uint32_t*)0x200000006bd8 = 3; *(uint32_t*)0x200000006bdc = 0; *(uint64_t*)0x200000006be0 = 6; *(uint32_t*)0x200000006be8 = 8; *(uint32_t*)0x200000006bec = 0; *(uint32_t*)0x200000006bf0 = 6; *(uint32_t*)0x200000006bf4 = 2; *(uint32_t*)0x200000006bf8 = 0xfb; *(uint32_t*)0x200000006bfc = 2; memset((void*)0x200000006c00, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x2000000016c0, /*len=*/0x2000, /*res=*/0x200000006c80); break; case 30: memcpy((void*)0x200000006d40, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x200000006d40, /*fd=*/r[23]); break; case 31: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 32: *(uint32_t*)0x200000006d84 = 0xd0f0; *(uint32_t*)0x200000006d88 = 0x20; *(uint32_t*)0x200000006d8c = 0; *(uint32_t*)0x200000006d90 = 0x1e5; *(uint32_t*)0x200000006d98 = -1; memset((void*)0x200000006d9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x28c2, /*params=*/0x200000006d80, /*ring_ptr=*/0x200000006e00, /*sqes_ptr=*/0x200000006e40); if (res != -1) 
r[25] = *(uint64_t*)0x200000006e00; break; case 33: syz_io_uring_complete(/*ring_ptr=*/r[25]); break; case 34: *(uint32_t*)0x200000006e84 = 0x979d; *(uint32_t*)0x200000006e88 = 4; *(uint32_t*)0x200000006e8c = 1; *(uint32_t*)0x200000006e90 = 0x206; *(uint32_t*)0x200000006e98 = r[9]; memset((void*)0x200000006e9c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x7c1f, /*params=*/0x200000006e80, /*ring_ptr=*/0x200000006f00, /*sqes_ptr=*/0x200000006f40); if (res != -1) { r[26] = res; r[27] = *(uint64_t*)0x200000006f00; r[28] = *(uint64_t*)0x200000006f40; } break; case 35: res = syscall(__NR_io_uring_register, /*fd=*/r[26], /*opcode=*/9ul, /*arg=*/0ul, /*nr_args=*/0ul); if (res != -1) r[29] = res; break; case 36: *(uint8_t*)0x200000007000 = 0x1c; *(uint8_t*)0x200000007001 = 0x14; *(uint16_t*)0x200000007002 = 0; *(uint32_t*)0x200000007004 = r[23]; *(uint64_t*)0x200000007008 = 0x200000006f80; *(uint64_t*)0x200000006f80 = 0x818480; *(uint64_t*)0x200000006f88 = 0; *(uint64_t*)0x200000006f90 = 0x35; *(uint64_t*)0x200000007010 = 0x200000006fc0; memcpy((void*)0x200000006fc0, "./file0\000", 8); *(uint32_t*)0x200000007018 = 0x18; *(uint32_t*)0x20000000701c = 0; *(uint64_t*)0x200000007020 = 0x23456; *(uint16_t*)0x200000007028 = 0; *(uint16_t*)0x20000000702a = r[29]; memset((void*)0x20000000702c, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[27], /*sqes_ptr=*/r[28], /*sqe=*/0x200000007000); break; case 37: res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[9], /*usermem=*/0x200000bfd000); if (res != -1) r[30] = res; break; case 38: *(uint64_t*)0x200000007400 = 0; *(uint64_t*)0x200000007408 = 0x200000007040; *(uint64_t*)0x200000007040 = 0x65; *(uint64_t*)0x200000007048 = 0x20; *(uint64_t*)0x200000007050 = 0x92e; *(uint64_t*)0x200000007058 = 8; *(uint64_t*)0x200000007060 = 0x130; *(uint64_t*)0x200000007068 = 0x18; *(uint64_t*)0x200000007070 = 1; *(uint64_t*)0x200000007078 = 0x68; *(uint64_t*)0x200000007080 = 0x20; *(uint64_t*)0x200000007088 = 1; *(uint64_t*)0x200000007090 = 0; 
*(uint64_t*)0x200000007098 = 0x17d; *(uint64_t*)0x2000000070a0 = 0x20; *(uint64_t*)0x2000000070a8 = 0xffffffff; *(uint64_t*)0x2000000070b0 = 0xbd0d; *(uint64_t*)0x2000000070b8 = 0x183; *(uint64_t*)0x2000000070c0 = 0x18; *(uint64_t*)0x2000000070c8 = 1; *(uint64_t*)0x2000000070d0 = 0xa; *(uint64_t*)0x2000000070d8 = 0x6a; memcpy((void*)0x2000000070e0, "\x36\x49\x0f\xc7\xaa\xd6\x61\x97\xc0\x26\x66\x0f\x38\x80\x94\x5e\x00\x80\x00\x00\x0f\x01\xba\x00\x80\x00\x00\x8f\xc9\xb8\x9b\x29\x47\x0f\xc7\xae\x20\x00\x00\x00\x45\x0f\x09\xc4\xe2\xd1\x39\x67\xc4\x36\x0f\x01\x7f\x05\x66\x64\x2e\x64\x3e\xd8\xf1\xc7\x44\x24\x00\x25\xfd\x00\x00\xc7\x44\x24\x02\x54\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x14\x24", 89); *(uint8_t*)0x200000007139 = 0xc3; *(uint64_t*)0x20000000713a = 0x180; *(uint64_t*)0x200000007142 = 0x38; *(uint64_t*)0x20000000714a = 0; *(uint64_t*)0x200000007152 = 0xb5; *(uint64_t*)0x20000000715a = 7; *(uint64_t*)0x200000007162 = 5; *(uint64_t*)0x20000000716a = 0; *(uint64_t*)0x200000007172 = 0x12f; *(uint64_t*)0x20000000717a = 0x18; *(uint64_t*)0x200000007182 = 3; *(uint64_t*)0x20000000718a = 0x12c; *(uint64_t*)0x200000007192 = 0x18; *(uint64_t*)0x20000000719a = 0; *(uint64_t*)0x2000000071a2 = 0x154; *(uint64_t*)0x2000000071aa = 0x38; *(uint64_t*)0x2000000071b2 = 3; *(uint64_t*)0x2000000071ba = 4; *(uint64_t*)0x2000000071c2 = 5; *(uint64_t*)0x2000000071ca = 0x1ff; *(uint64_t*)0x2000000071d2 = 8; *(uint64_t*)0x2000000071da = 0x130; *(uint64_t*)0x2000000071e2 = 0x18; *(uint64_t*)0x2000000071ea = 0; *(uint64_t*)0x2000000071f2 = 0x6a; *(uint64_t*)0x2000000071fa = 0x28; *(uint64_t*)0x200000007202 = 0xc636; *(uint64_t*)0x20000000720a = 5; *(uint64_t*)0x200000007212 = 4; *(uint64_t*)0x20000000721a = 0x12c; *(uint64_t*)0x200000007222 = 0x18; *(uint64_t*)0x20000000722a = 0; *(uint64_t*)0x200000007232 = 0x12f; *(uint64_t*)0x20000000723a = 0x18; *(uint64_t*)0x200000007242 = 1; *(uint64_t*)0x20000000724a = 0x65; *(uint64_t*)0x200000007252 = 0x20; 
*(uint64_t*)0x20000000725a = 0x8a3; *(uint64_t*)0x200000007262 = 9; *(uint64_t*)0x20000000726a = 0x68; *(uint64_t*)0x200000007272 = 0x20; *(uint64_t*)0x20000000727a = 4; *(uint64_t*)0x200000007282 = 6; *(uint64_t*)0x20000000728a = 0x12f; *(uint64_t*)0x200000007292 = 0x18; *(uint64_t*)0x20000000729a = 3; *(uint64_t*)0x2000000072a2 = 0x12d; *(uint64_t*)0x2000000072aa = 0x18; *(uint64_t*)0x2000000072b2 = 2; *(uint64_t*)0x2000000072ba = 0x17d; *(uint64_t*)0x2000000072c2 = 0x20; *(uint64_t*)0x2000000072ca = 0x8080000; *(uint64_t*)0x2000000072d2 = 0x943e; *(uint64_t*)0x2000000072da = 0x17c; *(uint64_t*)0x2000000072e2 = 0x38; *(uint64_t*)0x2000000072ea = 3; *(uint64_t*)0x2000000072f2 = 0x31; *(uint64_t*)0x2000000072fa = 0xc; *(uint64_t*)0x200000007302 = 6; *(uint64_t*)0x20000000730a = 8; *(uint64_t*)0x200000007312 = 0x180; *(uint64_t*)0x20000000731a = 0x38; *(uint64_t*)0x200000007322 = 2; *(uint64_t*)0x20000000732a = 0x36; *(uint64_t*)0x200000007332 = 1; *(uint64_t*)0x20000000733a = 2; *(uint64_t*)0x200000007342 = 3; *(uint64_t*)0x20000000734a = 0x130; *(uint64_t*)0x200000007352 = 0x18; *(uint64_t*)0x20000000735a = 1; *(uint64_t*)0x200000007362 = 0x130; *(uint64_t*)0x20000000736a = 0x18; *(uint64_t*)0x200000007372 = 0; *(uint64_t*)0x20000000737a = 0x180; *(uint64_t*)0x200000007382 = 0x38; *(uint64_t*)0x20000000738a = 3; *(uint64_t*)0x200000007392 = 0x72; *(uint64_t*)0x20000000739a = 2; *(uint64_t*)0x2000000073a2 = 5; *(uint64_t*)0x2000000073aa = 2; *(uint64_t*)0x2000000073b2 = 0x12f; *(uint64_t*)0x2000000073ba = 0x18; *(uint64_t*)0x2000000073c2 = 2; *(uint64_t*)0x2000000073ca = 0x12f; *(uint64_t*)0x2000000073d2 = 0x18; *(uint64_t*)0x2000000073da = 2; *(uint64_t*)0x200000007410 = 0x3a2; syz_kvm_add_vcpu(/*vm=*/r[30], /*text=*/0x200000007400); break; case 39: res = syscall(__NR_ioctl, /*fd=*/r[9], /*cmd=*/0xae01, /*type=*/5ul); if (res != -1) r[31] = res; break; case 40: *(uint64_t*)0x200000007680 = 0; *(uint64_t*)0x200000007688 = 0x200000007440; 
memcpy((void*)0x200000007440, "\xcd\xfa\xef\x13\x00\x00\x00\x3e\x00\x00\x10\x62\x04\x00\x10\x7a\x00\x00\x10\x66\xc1\x00\x10\x62\xa6\x03\x00\x7e\xb9\xf0\x00\x3e\xe9\x0e\x10\x62\x04\x00\x10\x7a\xa3\x30\x10\x66\x88\x26\x10\x62\xa6\x03\x00\x7e\x24\x00\x00\x4c\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x0c\xf6\x63\x60\xba\xaa\x80\x3c\x42\xab\x84\x60\x04\x00\x84\x78\xa5\xa4\x84\x64\xdb\xea\x84\x60\xc7\xb2\xa0\x3c\x4e\xd4\xa5\x60\x04\x00\xa5\x78\x8e\xd5\xa5\x64\xc9\xc4\xa5\x60\xf6\x27\xc0\x3c\x0e\x37\xc6\x60\x04\x00\xc6\x78\x10\x50\xc6\x64\xf3\x3c\xc6\x60\x64\xae\xe0\x3c\x0f\xe0\xe7\x60\x04\x00\xe7\x78\xf8\x33\xe7\x64\x27\xe1\xe7\x60\xf9\xfe\x00\x3d\x88\x3a\x08\x61\x04\x00\x08\x79\xf6\x6c\x08\x65\xcb\x9b\x08\x61\xe7\x22\x20\x3d\xa3\x5b\x29\x61\x04\x00\x29\x79\xbb\xbc\x29\x65\x5e\x83\x29\x61\xd9\x75\x40\x3d\x52\x94\x4a\x61\x04\x00\x4a\x79\xdb\x25\x4a\x65\xf3\x5e\x4a\x61\x02\x00\x00\x44\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x50\xf3\x63\x60\x42\x00\x00\x44\x0d\x0b\xc0\x3e\xa1\xda\xd6\x62\x04\x00\xd6\x7a\xeb\x5a\xd6\x66\x62\x96\xd6\x62\x9c\xb0\x00\x7c\xec\x06\x00\x7c\xa4\x00\x00\x4c\x3d\x6a\xa0\x3e\x17\x1b\xb5\x62\x04\x00\xb5\x7a\x72\x93\xb5\x66\x34\x54\xb5\x62\xa6\x03\xa0\x7e\xd4\x8d\xa0\x3e\x12\xd2\xb5\x62\x04\x00\xb5\x7a\xf6\xf5\xb5\x66\x15\xe0\xb5\x62\xa6\x03\xa0\x7e\x24\x00\x00\x4c\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x05\xc0\x3f\x00\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf2\x78\xbd\x63\x00\x00\xc0\x3f\x21\x8c\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xf6\x78\xbd\x63\x00\x00\xc0\x3f\x0a\x00\xde\x63\x00\x00\xdd\x93\x00\x00\xa0\x3f\x00\x00\xbd\x63\x04\x00\xbd\x7b\x49\x30\xbd\x67\xfa\x78\xbd\x63\x97\x4b\xc0\x3f\x5c\x3b\xde\x63\x00\x00\xdd\x93\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x00\xf0\x63\x60\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x49\x30\x84\x64\
xf2\x78\x84\x60\x22\x00\x00\x44\x00\x00\x80\x3f\x00\x00\x9c\x63\x04\x00\x9c\x7b\x00\x00\x9c\x67\x1a\x00\x9c\x63\x24\x01\xc0\x7f", 524); *(uint64_t*)0x200000007690 = 0x20c; *(uint64_t*)0x2000000076c0 = 1; *(uint64_t*)0x2000000076c8 = 6; syz_kvm_setup_cpu(/*fd=*/r[31], /*cpufd=*/r[23], /*usermem=*/0x200000fe5000, /*text=*/0x200000007680, /*ntext=*/1, /*flags=KVM_SETUP_PPC64_IR*/2, /*opts=*/0x2000000076c0, /*nopt=*/1); break; case 41: syz_kvm_setup_syzos_vm(/*fd=*/r[23], /*usermem=*/0x200000c00000); break; case 42: *(uint32_t*)0x200000007700 = 0; syz_memcpy_off(/*ring_ptr=*/0, /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x200000007700, /*src_off=*/0, /*nbytes=*/4); break; case 43: memcpy((void*)0x200000007740, "fuse\000", 5); memcpy((void*)0x200000007780, "./file0\000", 8); memcpy((void*)0x2000000077c0, "fd", 2); *(uint8_t*)0x2000000077c2 = 0x3d; sprintf((char*)0x2000000077c3, "0x%016llx", (long long)r[23]); *(uint8_t*)0x2000000077d5 = 0x2c; memcpy((void*)0x2000000077d6, "rootmode", 8); *(uint8_t*)0x2000000077de = 0x3d; sprintf((char*)0x2000000077df, "%023llo", (long long)0x6000); *(uint8_t*)0x2000000077f6 = 0x2c; memcpy((void*)0x2000000077f7, "user_id", 7); *(uint8_t*)0x2000000077fe = 0x3d; sprintf((char*)0x2000000077ff, "%020llu", (long long)r[22]); *(uint8_t*)0x200000007813 = 0x2c; memcpy((void*)0x200000007814, "group_id", 8); *(uint8_t*)0x20000000781c = 0x3d; sprintf((char*)0x20000000781d, "%020llu", (long long)r[13]); *(uint8_t*)0x200000007831 = 0x2c; memcpy((void*)0x200000007832, "max_read", 8); *(uint8_t*)0x20000000783a = 0x3d; sprintf((char*)0x20000000783b, "0x%016llx", (long long)3); *(uint8_t*)0x20000000784d = 0x2c; memcpy((void*)0x20000000784e, "default_permissions", 19); *(uint8_t*)0x200000007861 = 0x2c; memcpy((void*)0x200000007862, "allow_other", 11); *(uint8_t*)0x20000000786d = 0x2c; memcpy((void*)0x20000000786e, "default_permissions", 19); *(uint8_t*)0x200000007881 = 0x2c; memcpy((void*)0x200000007882, "allow_other", 11); *(uint8_t*)0x20000000788d = 
0x2c; memcpy((void*)0x20000000788e, "default_permissions", 19); *(uint8_t*)0x2000000078a1 = 0x2c; memcpy((void*)0x2000000078a2, "default_permissions", 19); *(uint8_t*)0x2000000078b5 = 0x2c; memcpy((void*)0x2000000078b6, "allow_other", 11); *(uint8_t*)0x2000000078c1 = 0x2c; memcpy((void*)0x2000000078c2, "permit_directio", 15); *(uint8_t*)0x2000000078d1 = 0x2c; memcpy((void*)0x2000000078d2, "uid<", 4); sprintf((char*)0x2000000078d6, "%020llu", (long long)r[17]); *(uint8_t*)0x2000000078ea = 0x2c; memcpy((void*)0x2000000078eb, "appraise", 8); *(uint8_t*)0x2000000078f3 = 0x2c; memcpy((void*)0x2000000078f4, "smackfshat", 10); *(uint8_t*)0x2000000078fe = 0x3d; memcpy((void*)0x2000000078ff, "\300\'", 2); *(uint8_t*)0x200000007901 = 0x2c; memcpy((void*)0x200000007902, "appraise", 8); *(uint8_t*)0x20000000790a = 0x2c; *(uint8_t*)0x20000000790b = 0; memcpy((void*)0x200000007940, "\xa4\xb2\x22\xdf\x2b\xa1\x0d\xf2\x4f\x54\x81\xe0\xdc\x5e\x93\xb8\x1b\x1b\x82\xe9\xa2\x14\xca\xbc\xe3\x44\x80\x0a\xd5\x4d\xe6\x10\xfa\x1e\xda\x44\xb9\x04\x05\x26\xf2\xdc\x7c\x73\x1c\x54\x73\xc8\xc6\xdc\x94\x19\x2a\x03\x48\x4e\x6d\x62\xbb\x49\x12\x86\x12\x54\x3a\x9d\x01\x6e\xd9\xa3\x73\x0e\x51\x08\x0f\x5c\x86\x0d\x03\xa7\x7e\xd5\x01\x64\xbc\xf9\x9c\x42\xd3\x56\x8a\x97\x4a\x92\x7a\x87\x9d\xe4\x1e\xdc\x2f\x55\x52\x36\x58\x86\x12\x1a\x31\x09\x5b\x97\xaa\x08\xee\x29\x77\x11\x1f\x7c\xc5\x6a\x77\xc0\xf2\xa1\x6b\x32\xb1\x9d\xf5\x0a\x24\x9c\xd3\x05\x8e\x60\xa6\xae\x8c\x96\x34\x9d\x5e\x5c\x00\x97\x59\x4c\xe0\x1c\x1f\xbe\xe5\xee\x94\x60\x6f\xef\x67\x32\x31\xe6\x57\x00\xbc\x71\x5f\x1f\x01\x19\xc8\x4e\xd2\x7b\x8a\xf3\x8e\xd1\x53\xd3\x94\xd6\xb2\x2c\xca\x54\xdb\x55\xa3\x1b\xc2\x5b\x45\xe8\x1d\xec\xa7\xbe\xdb\x69\x66\x91\xae\x6b\x92\xf0\x9e\xea\x3e\x2b\x5e\x8a\xf2\xf9\x96\x33\x9d\xec\x59\x2e\xde\xc5\x89\x7e\x94\xeb", 228); syz_mount_image(/*fs=*/0x200000007740, /*dir=*/0x200000007780, /*flags=MS_PRIVATE*/0x40000, /*opts=*/0x2000000077c0, /*chdir=*/1, /*size=*/0, /*img=*/0x200000007940); break; case 44: 
memcpy((void*)0x200000007a40, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000007a40, /*id=*/7, /*flags=*/0); break; case 45: memcpy((void*)0x200000007a80, "net/psched\000", 11); syz_open_procfs(/*pid=*/r[4], /*file=*/0x200000007a80); break; case 46: syz_open_pts(/*fd=*/r[9], /*flags=O_PATH|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|FASYNC|0x402*/0x292c02); break; case 47: syz_pidfd_open(/*pid=*/r[15], /*flags=*/0); break; case 48: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=*/0ul); if (res != -1) r[32] = res; break; case 49: syz_pkey_set(/*key=*/r[32], /*val=PKEY_DISABLE_WRITE|PKEY_DISABLE_ACCESS*/3); break; case 50: syz_socket_connect_nvme_tcp(); break; case 51: *(uint8_t*)0x200000007ac0 = 0x12; *(uint8_t*)0x200000007ac1 = 1; *(uint16_t*)0x200000007ac2 = 0x250; *(uint8_t*)0x200000007ac4 = 0x58; *(uint8_t*)0x200000007ac5 = 6; *(uint8_t*)0x200000007ac6 = 0x54; *(uint8_t*)0x200000007ac7 = 8; *(uint16_t*)0x200000007ac8 = 0x13d3; *(uint16_t*)0x200000007aca = 0x3348; *(uint16_t*)0x200000007acc = 0x15b2; *(uint8_t*)0x200000007ace = 1; *(uint8_t*)0x200000007acf = 2; *(uint8_t*)0x200000007ad0 = 3; *(uint8_t*)0x200000007ad1 = 1; *(uint8_t*)0x200000007ad2 = 9; *(uint8_t*)0x200000007ad3 = 2; *(uint16_t*)0x200000007ad4 = 0x283; *(uint8_t*)0x200000007ad6 = 2; *(uint8_t*)0x200000007ad7 = 9; *(uint8_t*)0x200000007ad8 = 2; *(uint8_t*)0x200000007ad9 = 0x10; *(uint8_t*)0x200000007ada = 8; *(uint8_t*)0x200000007adb = 9; *(uint8_t*)0x200000007adc = 4; *(uint8_t*)0x200000007add = 0x26; *(uint8_t*)0x200000007ade = 0xb; *(uint8_t*)0x200000007adf = 5; *(uint8_t*)0x200000007ae0 = 0x83; *(uint8_t*)0x200000007ae1 = 0x18; *(uint8_t*)0x200000007ae2 = 0x74; *(uint8_t*)0x200000007ae3 = 0xee; *(uint8_t*)0x200000007ae4 = 9; *(uint8_t*)0x200000007ae5 = 5; *(uint8_t*)0x200000007ae6 = 0xb; *(uint8_t*)0x200000007ae7 = 3; *(uint16_t*)0x200000007ae8 = 8; *(uint8_t*)0x200000007aea = 4; *(uint8_t*)0x200000007aeb = 0xfb; *(uint8_t*)0x200000007aec = 0x6a; *(uint8_t*)0x200000007aed = 0xbd; 
*(uint8_t*)0x200000007aee = 0xc; memcpy((void*)0x200000007aef, "\x8b\x82\xbd\x3f\xc8\x13\x7d\x3d\x25\x9c\xe7\xbc\x14\x0d\xe0\x82\x3d\xe2\x22\x2e\xed\x4c\x57\x0e\xdc\xb8\x45\x53\xcd\x1e\xfd\x64\x9d\xd3\x52\xdd\x37\x5d\x81\xda\x8d\xa8\xe6\x86\x3f\xb4\x82\xec\xb3\xa1\x6f\x12\x22\x10\xbf\xf2\x5c\x59\xa3\xaf\xc6\x54\x28\x48\xc0\x6e\x1b\x98\x3f\xbc\x8d\xd0\xde\x62\x7c\xfd\xdf\x9f\x90\x5f\x5c\xb6\xed\x4a\x25\xec\x59\x47\x59\x9b\x15\xb5\x38\xc7\xbb\x0b\x0d\x65\xd4\xa3\x1b\x31\x9f\x73\x83\x95\x5c\xe7\x66\xef\x4c\x66\xd1\x8b\xc7\x5d\x69\xb2\xdd\x7d\x13\x6c\x78\xea\xec\x1e\x22\x03\xeb\x91\x8d\xd6\x16\x09\xde\x40\xf4\xf6\x93\x91\x7e\xeb\x17\xfc\x38\x7b\xb4\x27\x34\x1f\x64\x16\xe0\xb8\xc4\x6a\x24\x45\xa5\xc4\x9b\xd9\xc8\x6d\xfe\x21\xc5\x98\xac\xf1\x7e\xa9\x8f\xfe\xce\x20\x2a\x21\xdc\x93\xa0\xb8\x30\xd2\x9a\xf8\x7c", 187); *(uint8_t*)0x200000007baa = 0xc7; *(uint8_t*)0x200000007bab = 6; memcpy((void*)0x200000007bac, "\xf5\x45\x9e\x11\x78\x00\xd2\x2a\x25\xa4\x86\xd1\x44\x2f\x5c\xbd\x4d\x3d\x77\x6c\xd0\x61\xd2\xc1\x85\xf9\x92\x4e\xae\x6a\x4d\x7b\x14\xc5\x8b\x59\x98\x63\xd3\x21\xe3\xea\x80\xa2\x5f\x6d\x8b\xe5\x1d\x5c\xa7\x0c\x27\x6c\xe0\xe6\xd9\x03\x8f\x88\x77\x6b\x96\x14\x28\x7d\xb7\xee\x21\x13\xf0\xe7\xe1\xf0\x18\x73\xb6\x13\xd7\x63\xda\x5f\x87\xf8\x6c\xd1\x86\x0b\xd6\x23\x46\x3f\xc6\xd9\x3d\x9f\x94\x8d\x0d\x4d\x70\xd7\x2a\x8a\xc1\xde\xc1\xad\xce\xb8\x71\x67\x29\x90\x64\x28\xd5\xb6\xe2\x4b\x01\x49\x9b\xfa\x6a\x0a\xa0\x48\x2e\xed\x8c\x77\x51\xa1\xc7\xec\x94\x4d\xb1\x92\x54\xa7\x4b\x61\x14\x2e\x72\x5a\x7a\x29\x0c\x41\x42\x87\x5d\x34\x7b\x3e\x48\x3f\x4e\x2d\xb8\x37\x3e\xf8\xfe\xad\x81\x18\xce\x07\xd8\x12\x33\x2b\x21\x1d\xa9\x73\x3d\x44\x4f\x7d\x70\x6a\x64\x39\xc2\x9a\xea\xed\xd0\x30\x00\xa2\xa8", 197); *(uint8_t*)0x200000007c71 = 9; *(uint8_t*)0x200000007c72 = 5; *(uint8_t*)0x200000007c73 = 0xa; *(uint8_t*)0x200000007c74 = 0xc; *(uint16_t*)0x200000007c75 = 0x400; *(uint8_t*)0x200000007c77 = 0xc; *(uint8_t*)0x200000007c78 = 0; *(uint8_t*)0x200000007c79 = 0xb5; 
*(uint8_t*)0x200000007c7a = 7; *(uint8_t*)0x200000007c7b = 0x25; *(uint8_t*)0x200000007c7c = 1; *(uint8_t*)0x200000007c7d = 1; *(uint8_t*)0x200000007c7e = 0xb; *(uint16_t*)0x200000007c7f = 7; *(uint8_t*)0x200000007c81 = 9; *(uint8_t*)0x200000007c82 = 5; *(uint8_t*)0x200000007c83 = 2; *(uint8_t*)0x200000007c84 = 0x10; *(uint16_t*)0x200000007c85 = 0x20; *(uint8_t*)0x200000007c87 = 7; *(uint8_t*)0x200000007c88 = 5; *(uint8_t*)0x200000007c89 = 5; *(uint8_t*)0x200000007c8a = 0x24; *(uint8_t*)0x200000007c8b = 7; memcpy((void*)0x200000007c8c, "\xad\x98\x31\x4a\x82\xd7\xae\xbb\xfc\xe8\x51\x78\x75\x22\x71\xb1\x58\xc0\x5d\xea\x1b\xf5\xa2\x45\x9c\x43\x1d\xf1\x80\xc1\xf3\xb2\xbe\x3b", 34); *(uint8_t*)0x200000007cae = 9; *(uint8_t*)0x200000007caf = 5; *(uint8_t*)0x200000007cb0 = 3; *(uint8_t*)0x200000007cb1 = 2; *(uint16_t*)0x200000007cb2 = 8; *(uint8_t*)0x200000007cb4 = 7; *(uint8_t*)0x200000007cb5 = 0xf3; *(uint8_t*)0x200000007cb6 = 4; *(uint8_t*)0x200000007cb7 = 9; *(uint8_t*)0x200000007cb8 = 5; *(uint8_t*)0x200000007cb9 = 5; *(uint8_t*)0x200000007cba = 0; *(uint16_t*)0x200000007cbb = 0x40; *(uint8_t*)0x200000007cbd = 2; *(uint8_t*)0x200000007cbe = 3; *(uint8_t*)0x200000007cbf = 2; *(uint8_t*)0x200000007cc0 = 0x6a; *(uint8_t*)0x200000007cc1 = 0xa; memcpy((void*)0x200000007cc2, "\xf7\xdd\x67\x50\x5d\x35\x3d\x93\xb6\xe1\xf3\xac\x2d\x8f\x9f\x76\x60\x12\xd2\x04\xe5\x58\xa7\x07\x6c\x6a\x1d\xd6\x64\x8b\x29\x28\xac\xaf\x80\x17\x10\xc8\x55\x50\x67\xe0\x71\x5e\x60\x77\x2d\x9a\x84\xc7\x14\xf6\x3d\x52\x7b\x9f\x15\x32\xa5\xac\x65\x11\x62\x7f\x9e\x84\x00\xe6\x2a\xd6\xbd\x25\xec\x51\xec\x63\x0a\xfc\x10\xe1\xf0\xf2\xfe\x01\xc9\x58\x8e\x28\x97\xef\x26\xd5\xea\x8b\xcf\x97\x0e\x51\xfc\x28\xd8\x4a\x62\x8c", 104); *(uint8_t*)0x200000007d2a = 9; *(uint8_t*)0x200000007d2b = 4; *(uint8_t*)0x200000007d2c = 0x48; *(uint8_t*)0x200000007d2d = 0xe; *(uint8_t*)0x200000007d2e = 3; *(uint8_t*)0x200000007d2f = 0xca; *(uint8_t*)0x200000007d30 = 0x1e; *(uint8_t*)0x200000007d31 = 0x4a; 
*(uint8_t*)0x200000007d32 = 0xf5; *(uint8_t*)0x200000007d33 = 9; *(uint8_t*)0x200000007d34 = 5; *(uint8_t*)0x200000007d35 = 0xb; *(uint8_t*)0x200000007d36 = 4; *(uint16_t*)0x200000007d37 = 0x400; *(uint8_t*)0x200000007d39 = 5; *(uint8_t*)0x200000007d3a = 0xf7; *(uint8_t*)0x200000007d3b = 0xf6; *(uint8_t*)0x200000007d3c = 9; *(uint8_t*)0x200000007d3d = 5; *(uint8_t*)0x200000007d3e = 0xe; *(uint8_t*)0x200000007d3f = 0x10; *(uint16_t*)0x200000007d40 = 0x3ff; *(uint8_t*)0x200000007d42 = 1; *(uint8_t*)0x200000007d43 = 0xd; *(uint8_t*)0x200000007d44 = 0x80; *(uint8_t*)0x200000007d45 = 9; *(uint8_t*)0x200000007d46 = 5; *(uint8_t*)0x200000007d47 = 5; *(uint8_t*)0x200000007d48 = 0x10; *(uint16_t*)0x200000007d49 = 0x10; *(uint8_t*)0x200000007d4b = 0x95; *(uint8_t*)0x200000007d4c = 3; *(uint8_t*)0x200000007d4d = 0; *(uint8_t*)0x200000007d4e = 7; *(uint8_t*)0x200000007d4f = 0x25; *(uint8_t*)0x200000007d50 = 1; *(uint8_t*)0x200000007d51 = 0x82; *(uint8_t*)0x200000007d52 = 0xae; *(uint16_t*)0x200000007d53 = 0x12; *(uint32_t*)0x200000007ec0 = 0xa; *(uint64_t*)0x200000007ec4 = 0x200000007d80; *(uint8_t*)0x200000007d80 = 0xa; *(uint8_t*)0x200000007d81 = 6; *(uint16_t*)0x200000007d82 = 0x110; *(uint8_t*)0x200000007d84 = 4; *(uint8_t*)0x200000007d85 = 1; *(uint8_t*)0x200000007d86 = 6; *(uint8_t*)0x200000007d87 = 8; *(uint8_t*)0x200000007d88 = 0xe; *(uint8_t*)0x200000007d89 = 0; *(uint32_t*)0x200000007ecc = 0x3b; *(uint64_t*)0x200000007ed0 = 0x200000007dc0; *(uint8_t*)0x200000007dc0 = 5; *(uint8_t*)0x200000007dc1 = 0xf; *(uint16_t*)0x200000007dc2 = 0x3b; *(uint8_t*)0x200000007dc4 = 4; *(uint8_t*)0x200000007dc5 = 0x14; *(uint8_t*)0x200000007dc6 = 0x10; *(uint8_t*)0x200000007dc7 = 4; *(uint8_t*)0x200000007dc8 = 6; memcpy((void*)0x200000007dc9, "\xfd\xf4\x04\x3a\xe7\xf5\x9e\x3e\x81\xfe\x30\x3d\x4d\xe3\xea\x16", 16); *(uint8_t*)0x200000007dd9 = 7; *(uint8_t*)0x200000007dda = 0x10; *(uint8_t*)0x200000007ddb = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007ddc, 0x10, 0, 8); 
STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 8, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007ddd, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007dde, 6, 0, 16); *(uint8_t*)0x200000007de0 = 7; *(uint8_t*)0x200000007de1 = 0x10; *(uint8_t*)0x200000007de2 = 2; STORE_BY_BITMASK(uint32_t, , 0x200000007de3, 0x10, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 7, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de4, 0xd, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200000007de5, 0x95d7, 0, 16); *(uint8_t*)0x200000007de7 = 0x14; *(uint8_t*)0x200000007de8 = 0x10; *(uint8_t*)0x200000007de9 = 4; *(uint8_t*)0x200000007dea = 3; memcpy((void*)0x200000007deb, "\xbc\x6a\x92\x66\xbf\x50\x6e\x90\x62\x0d\x9c\x90\x0e\x18\x01\x43", 16); *(uint32_t*)0x200000007ed8 = 1; *(uint32_t*)0x200000007edc = 0x98; *(uint64_t*)0x200000007ee0 = 0x200000007e00; *(uint8_t*)0x200000007e00 = 0x98; *(uint8_t*)0x200000007e01 = 3; memcpy((void*)0x200000007e02, "\xd9\x5f\x3f\xca\xaa\x58\xf9\xd3\x6d\x03\xe3\xa2\xd5\x56\x6a\x51\x91\xf7\x42\xf7\x23\xfa\x49\xe3\x64\xe0\x3b\x0d\x28\x8a\x7f\xcb\x45\x79\xb5\x8c\x56\xd8\x24\xbe\x57\xf9\xad\x0f\x87\x03\xd3\x01\x1c\xac\x46\x84\x33\xfa\x22\xc2\x3b\xfa\xf1\x5d\xad\x54\x1e\xfb\x01\x38\xc4\x6b\xb8\xf8\x86\x92\x15\x15\x5c\x26\x85\xd6\x9b\x75\xff\xe6\x8c\x0c\xbd\x6e\x71\x74\x3a\xbd\x43\x55\xe1\x2d\x9d\xcb\x7d\xff\x16\xbb\x07\x5d\xa5\x53\xc1\x78\x13\x9e\xde\x2c\x28\x5a\x4a\x28\x45\xe8\x88\x9c\x23\x45\x04\xd9\x68\xd8\x70\xb6\x08\x4a\x7b\x4a\xb0\xdc\xdb\x83\xd4\x3b\xb2\xf4\xe7\xa0\x15\x6b\x80\xa6\x89\x19\xcb\xb7\xda\x84", 150); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0x295, /*dev=*/0x200000007ac0, /*conn_descs=*/0x200000007ec0); if (res != -1) r[33] = res; break; case 52: *(uint8_t*)0x200000007f00 = 0x12; *(uint8_t*)0x200000007f01 = 1; *(uint16_t*)0x200000007f02 = 0x200; *(uint8_t*)0x200000007f04 = -1; *(uint8_t*)0x200000007f05 = -1; *(uint8_t*)0x200000007f06 = -1; *(uint8_t*)0x200000007f07 = 0x40; *(uint16_t*)0x200000007f08 = 0xcf3; 
*(uint16_t*)0x200000007f0a = 0x9271; *(uint16_t*)0x200000007f0c = 0x108; *(uint8_t*)0x200000007f0e = 1; *(uint8_t*)0x200000007f0f = 2; *(uint8_t*)0x200000007f10 = 3; *(uint8_t*)0x200000007f11 = 1; *(uint8_t*)0x200000007f12 = 9; *(uint8_t*)0x200000007f13 = 2; *(uint16_t*)0x200000007f14 = 0x48; *(uint8_t*)0x200000007f16 = 1; *(uint8_t*)0x200000007f17 = 1; *(uint8_t*)0x200000007f18 = 0; *(uint8_t*)0x200000007f19 = 0x80; *(uint8_t*)0x200000007f1a = 0xfa; *(uint8_t*)0x200000007f1b = 9; *(uint8_t*)0x200000007f1c = 4; *(uint8_t*)0x200000007f1d = 0; *(uint8_t*)0x200000007f1e = 0; *(uint8_t*)0x200000007f1f = 6; *(uint8_t*)0x200000007f20 = -1; *(uint8_t*)0x200000007f21 = 0; *(uint8_t*)0x200000007f22 = 0; *(uint8_t*)0x200000007f23 = 0; *(uint8_t*)0x200000007f24 = 9; *(uint8_t*)0x200000007f25 = 5; *(uint8_t*)0x200000007f26 = 1; *(uint8_t*)0x200000007f27 = 2; *(uint16_t*)0x200000007f28 = 0x200; *(uint8_t*)0x200000007f2a = 0; *(uint8_t*)0x200000007f2b = 0; *(uint8_t*)0x200000007f2c = 0; *(uint8_t*)0x200000007f2d = 9; *(uint8_t*)0x200000007f2e = 5; *(uint8_t*)0x200000007f2f = 0x82; *(uint8_t*)0x200000007f30 = 2; *(uint16_t*)0x200000007f31 = 0x200; *(uint8_t*)0x200000007f33 = 0; *(uint8_t*)0x200000007f34 = 0; *(uint8_t*)0x200000007f35 = 0; *(uint8_t*)0x200000007f36 = 9; *(uint8_t*)0x200000007f37 = 5; *(uint8_t*)0x200000007f38 = 0x83; *(uint8_t*)0x200000007f39 = 3; *(uint16_t*)0x200000007f3a = 0x40; *(uint8_t*)0x200000007f3c = 1; *(uint8_t*)0x200000007f3d = 0; *(uint8_t*)0x200000007f3e = 0; *(uint8_t*)0x200000007f3f = 9; *(uint8_t*)0x200000007f40 = 5; *(uint8_t*)0x200000007f41 = 4; *(uint8_t*)0x200000007f42 = 3; *(uint16_t*)0x200000007f43 = 0x40; *(uint8_t*)0x200000007f45 = 1; *(uint8_t*)0x200000007f46 = 0; *(uint8_t*)0x200000007f47 = 0; *(uint8_t*)0x200000007f48 = 9; *(uint8_t*)0x200000007f49 = 5; *(uint8_t*)0x200000007f4a = 5; *(uint8_t*)0x200000007f4b = 2; *(uint16_t*)0x200000007f4c = 0x200; *(uint8_t*)0x200000007f4e = 0; *(uint8_t*)0x200000007f4f = 0; *(uint8_t*)0x200000007f50 
= 0; *(uint8_t*)0x200000007f51 = 9; *(uint8_t*)0x200000007f52 = 5; *(uint8_t*)0x200000007f53 = 6; *(uint8_t*)0x200000007f54 = 2; *(uint16_t*)0x200000007f55 = 0x200; *(uint8_t*)0x200000007f57 = 0; *(uint8_t*)0x200000007f58 = 0; *(uint8_t*)0x200000007f59 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000007f00, /*conn_descs=*/0); if (res != -1) r[34] = res; break; case 53: *(uint8_t*)0x200000007f80 = 0x12; *(uint8_t*)0x200000007f81 = 1; *(uint16_t*)0x200000007f82 = 0x110; *(uint8_t*)0x200000007f84 = 0; *(uint8_t*)0x200000007f85 = 0; *(uint8_t*)0x200000007f86 = 0; *(uint8_t*)0x200000007f87 = 0x40; *(uint16_t*)0x200000007f88 = 0x1d6b; *(uint16_t*)0x200000007f8a = 0x101; *(uint16_t*)0x200000007f8c = 0x40; *(uint8_t*)0x200000007f8e = 1; *(uint8_t*)0x200000007f8f = 2; *(uint8_t*)0x200000007f90 = 3; *(uint8_t*)0x200000007f91 = 1; *(uint8_t*)0x200000007f92 = 9; *(uint8_t*)0x200000007f93 = 2; *(uint16_t*)0x200000007f94 = 0xd3; *(uint8_t*)0x200000007f96 = 3; *(uint8_t*)0x200000007f97 = 1; *(uint8_t*)0x200000007f98 = 1; *(uint8_t*)0x200000007f99 = 0x80; *(uint8_t*)0x200000007f9a = 0x80; *(uint8_t*)0x200000007f9b = 9; *(uint8_t*)0x200000007f9c = 4; *(uint8_t*)0x200000007f9d = 0; *(uint8_t*)0x200000007f9e = 0; *(uint8_t*)0x200000007f9f = 0; *(uint8_t*)0x200000007fa0 = 1; *(uint8_t*)0x200000007fa1 = 1; *(uint8_t*)0x200000007fa2 = 0; *(uint8_t*)0x200000007fa3 = 0; *(uint8_t*)0x200000007fa4 = 0xa; *(uint8_t*)0x200000007fa5 = 0x24; *(uint8_t*)0x200000007fa6 = 1; *(uint16_t*)0x200000007fa7 = 0; *(uint8_t*)0x200000007fa9 = 0x7c; *(uint8_t*)0x200000007faa = 2; *(uint8_t*)0x200000007fab = 1; *(uint8_t*)0x200000007fac = 2; *(uint8_t*)0x200000007fad = 0xd; *(uint8_t*)0x200000007fae = 0x24; *(uint8_t*)0x200000007faf = 8; *(uint8_t*)0x200000007fb0 = 2; *(uint16_t*)0x200000007fb1 = 8; *(uint8_t*)0x200000007fb3 = 9; memcpy((void*)0x200000007fb4, "\x0c\xff\xda\x3f\x22\x7b", 6); *(uint8_t*)0x200000007fba = 9; *(uint8_t*)0x200000007fbb = 4; 
*(uint8_t*)0x200000007fbc = 1; *(uint8_t*)0x200000007fbd = 0; *(uint8_t*)0x200000007fbe = 0; *(uint8_t*)0x200000007fbf = 1; *(uint8_t*)0x200000007fc0 = 2; *(uint8_t*)0x200000007fc1 = 0; *(uint8_t*)0x200000007fc2 = 0; *(uint8_t*)0x200000007fc3 = 9; *(uint8_t*)0x200000007fc4 = 4; *(uint8_t*)0x200000007fc5 = 1; *(uint8_t*)0x200000007fc6 = 1; *(uint8_t*)0x200000007fc7 = 1; *(uint8_t*)0x200000007fc8 = 1; *(uint8_t*)0x200000007fc9 = 2; *(uint8_t*)0x200000007fca = 0; *(uint8_t*)0x200000007fcb = 0; *(uint8_t*)0x200000007fcc = 0x12; *(uint8_t*)0x200000007fcd = 0x24; *(uint8_t*)0x200000007fce = 2; *(uint8_t*)0x200000007fcf = 2; *(uint16_t*)0x200000007fd0 = 6; *(uint16_t*)0x200000007fd2 = 0x9a; *(uint8_t*)0x200000007fd4 = 0x20; memcpy((void*)0x200000007fd5, "\x2d\xa5\xee\x78\xa2\x8e\x1f\x1a\x41", 9); *(uint8_t*)0x200000007fde = 0xd; *(uint8_t*)0x200000007fdf = 0x24; *(uint8_t*)0x200000007fe0 = 2; *(uint8_t*)0x200000007fe1 = 1; *(uint8_t*)0x200000007fe2 = 0xf8; *(uint8_t*)0x200000007fe3 = 3; *(uint8_t*)0x200000007fe4 = 0x69; *(uint8_t*)0x200000007fe5 = 0x6d; memcpy((void*)0x200000007fe6, "e)", 2); memcpy((void*)0x200000007fe8, "\xbf\x07\x94", 3); *(uint8_t*)0x200000007feb = 0xb; *(uint8_t*)0x200000007fec = 0x24; *(uint8_t*)0x200000007fed = 2; *(uint8_t*)0x200000007fee = 1; *(uint8_t*)0x200000007fef = 5; *(uint8_t*)0x200000007ff0 = 4; *(uint8_t*)0x200000007ff1 = 0x5b; *(uint8_t*)0x200000007ff2 = 3; memset((void*)0x200000007ff3, 68, 1); memcpy((void*)0x200000007ff4, "\x26\x18", 2); *(uint8_t*)0x200000007ff6 = 9; *(uint8_t*)0x200000007ff7 = 0x24; *(uint8_t*)0x200000007ff8 = 2; *(uint8_t*)0x200000007ff9 = 2; *(uint16_t*)0x200000007ffa = 0x7b4; *(uint16_t*)0x200000007ffc = 8; *(uint8_t*)0x200000007ffe = 4; *(uint8_t*)0x200000007fff = 0xc; *(uint8_t*)0x200000008000 = 0x24; *(uint8_t*)0x200000008001 = 2; *(uint8_t*)0x200000008002 = 1; *(uint8_t*)0x200000008003 = 0; *(uint8_t*)0x200000008004 = 3; *(uint8_t*)0x200000008005 = 8; *(uint8_t*)0x200000008006 = 8; 
memset((void*)0x200000008007, 170, 1); memcpy((void*)0x200000008008, "\xe8\xe5\xb4", 3); *(uint8_t*)0x20000000800b = 9; *(uint8_t*)0x20000000800c = 5; *(uint8_t*)0x20000000800d = 1; *(uint8_t*)0x20000000800e = 9; *(uint16_t*)0x20000000800f = 0x40; *(uint8_t*)0x200000008011 = 6; *(uint8_t*)0x200000008012 = 5; *(uint8_t*)0x200000008013 = 0; *(uint8_t*)0x200000008014 = 7; *(uint8_t*)0x200000008015 = 0x25; *(uint8_t*)0x200000008016 = 1; *(uint8_t*)0x200000008017 = 0x80; *(uint8_t*)0x200000008018 = 1; *(uint16_t*)0x200000008019 = 4; *(uint8_t*)0x20000000801b = 9; *(uint8_t*)0x20000000801c = 4; *(uint8_t*)0x20000000801d = 2; *(uint8_t*)0x20000000801e = 0; *(uint8_t*)0x20000000801f = 0; *(uint8_t*)0x200000008020 = 1; *(uint8_t*)0x200000008021 = 2; *(uint8_t*)0x200000008022 = 0; *(uint8_t*)0x200000008023 = 0; *(uint8_t*)0x200000008024 = 9; *(uint8_t*)0x200000008025 = 4; *(uint8_t*)0x200000008026 = 2; *(uint8_t*)0x200000008027 = 1; *(uint8_t*)0x200000008028 = 1; *(uint8_t*)0x200000008029 = 1; *(uint8_t*)0x20000000802a = 2; *(uint8_t*)0x20000000802b = 0; *(uint8_t*)0x20000000802c = 0; *(uint8_t*)0x20000000802d = 7; *(uint8_t*)0x20000000802e = 0x24; *(uint8_t*)0x20000000802f = 1; *(uint8_t*)0x200000008030 = 3; *(uint8_t*)0x200000008031 = 0x1e; *(uint16_t*)0x200000008032 = 4; *(uint8_t*)0x200000008034 = 7; *(uint8_t*)0x200000008035 = 0x24; *(uint8_t*)0x200000008036 = 1; *(uint8_t*)0x200000008037 = 0x6f; *(uint8_t*)0x200000008038 = 7; *(uint16_t*)0x200000008039 = 0; *(uint8_t*)0x20000000803b = 0xa; *(uint8_t*)0x20000000803c = 0x24; *(uint8_t*)0x20000000803d = 2; *(uint8_t*)0x20000000803e = 2; *(uint16_t*)0x20000000803f = 8; *(uint16_t*)0x200000008041 = 2; *(uint8_t*)0x200000008043 = 8; memset((void*)0x200000008044, 102, 1); *(uint8_t*)0x200000008045 = 0x10; *(uint8_t*)0x200000008046 = 0x24; *(uint8_t*)0x200000008047 = 2; *(uint8_t*)0x200000008048 = 2; *(uint16_t*)0x200000008049 = 9; *(uint16_t*)0x20000000804b = 0x401; *(uint8_t*)0x20000000804d = 5; memcpy((void*)0x20000000804e, 
"\x53\xb1\x1d\xbc\x8c\xd3\x10", 7); *(uint8_t*)0x200000008055 = 9; *(uint8_t*)0x200000008056 = 5; *(uint8_t*)0x200000008057 = 0x82; *(uint8_t*)0x200000008058 = 9; *(uint16_t*)0x200000008059 = 8; *(uint8_t*)0x20000000805b = 0; *(uint8_t*)0x20000000805c = 0x28; *(uint8_t*)0x20000000805d = 6; *(uint8_t*)0x20000000805e = 7; *(uint8_t*)0x20000000805f = 0x25; *(uint8_t*)0x200000008060 = 1; *(uint8_t*)0x200000008061 = 0x80; *(uint8_t*)0x200000008062 = 5; *(uint16_t*)0x200000008063 = 0xd; *(uint32_t*)0x2000000081c0 = 0xa; *(uint64_t*)0x2000000081c4 = 0x200000008080; *(uint8_t*)0x200000008080 = 0xa; *(uint8_t*)0x200000008081 = 6; *(uint16_t*)0x200000008082 = 0x110; *(uint8_t*)0x200000008084 = 0x59; *(uint8_t*)0x200000008085 = 0xa5; *(uint8_t*)0x200000008086 = 5; *(uint8_t*)0x200000008087 = 0x10; *(uint8_t*)0x200000008088 = 1; *(uint8_t*)0x200000008089 = 0; *(uint32_t*)0x2000000081cc = 0x39; *(uint64_t*)0x2000000081d0 = 0x2000000080c0; *(uint8_t*)0x2000000080c0 = 5; *(uint8_t*)0x2000000080c1 = 0xf; *(uint16_t*)0x2000000080c2 = 0x39; *(uint8_t*)0x2000000080c4 = 5; *(uint8_t*)0x2000000080c5 = 0xb; *(uint8_t*)0x2000000080c6 = 0x10; *(uint8_t*)0x2000000080c7 = 1; *(uint8_t*)0x2000000080c8 = 4; *(uint16_t*)0x2000000080c9 = 8; *(uint8_t*)0x2000000080cb = 3; *(uint8_t*)0x2000000080cc = 0xb8; *(uint16_t*)0x2000000080cd = 9; *(uint8_t*)0x2000000080cf = 4; *(uint8_t*)0x2000000080d0 = 0x14; *(uint8_t*)0x2000000080d1 = 0x10; *(uint8_t*)0x2000000080d2 = 4; *(uint8_t*)0x2000000080d3 = 2; memcpy((void*)0x2000000080d4, "\x9d\x9a\xb0\x97\x8e\x2a\xac\xe2\x6d\xe6\x63\x06\xe6\xe2\x96\x3d", 16); *(uint8_t*)0x2000000080e4 = 0xb; *(uint8_t*)0x2000000080e5 = 0x10; *(uint8_t*)0x2000000080e6 = 1; *(uint8_t*)0x2000000080e7 = 4; *(uint16_t*)0x2000000080e8 = 0; *(uint8_t*)0x2000000080ea = 6; *(uint8_t*)0x2000000080eb = 4; *(uint16_t*)0x2000000080ec = 1; *(uint8_t*)0x2000000080ee = 5; *(uint8_t*)0x2000000080ef = 3; *(uint8_t*)0x2000000080f0 = 0x10; *(uint8_t*)0x2000000080f1 = 0xb; 
*(uint8_t*)0x2000000080f2 = 7; *(uint8_t*)0x2000000080f3 = 0x10; *(uint8_t*)0x2000000080f4 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000080f5, 2, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 5, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f6, 6, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000080f7, 0xfff2, 0, 16); *(uint32_t*)0x2000000081d8 = 1; *(uint32_t*)0x2000000081dc = 0x84; *(uint64_t*)0x2000000081e0 = 0x200000008100; *(uint8_t*)0x200000008100 = 0x84; *(uint8_t*)0x200000008101 = 3; memcpy((void*)0x200000008102, "\x00\x0a\x6c\x9f\x4a\x15\xea\xbc\x97\xa9\x2a\xb6\x65\x23\x1b\x2c\xf9\x05\x73\x21\xeb\x43\x0c\x65\x21\xf4\x97\xa8\xc3\xce\x81\x62\x68\xcb\x33\x7f\xa4\x8d\xee\xcf\xeb\x28\xb2\x30\x5f\xcf\x2d\x2e\x98\x8c\xc8\xb8\xb9\x80\xa1\x33\x2d\xc4\x06\xbc\x34\x69\x5f\xa2\x4d\xc3\x60\x9f\x61\x9d\x7a\xc2\x84\xcc\x3a\xe7\xf0\xaf\xe4\x44\xd5\x78\xc9\x51\xd9\xae\xdc\x4c\x68\x2e\x10\x0c\xfe\xb6\x61\x9b\x98\xa9\x6b\x19\x78\xd8\xed\xe7\x57\x4e\x96\x9f\x8a\xe8\xe3\xdf\xb8\x35\xbd\xe5\xcc\xd9\x22\x13\x3e\x53\x03\x6f\xf4\x4e\xda\x52\xa0\xa9", 130); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_HIGH*/3, /*dev_len=*/0xe5, /*dev=*/0x200000007f80, /*conn_descs=*/0x2000000081c0); if (res != -1) r[35] = res; break; case 54: *(uint32_t*)0x200000008380 = 0x2c; *(uint64_t*)0x200000008384 = 0x200000008200; *(uint8_t*)0x200000008200 = 0x40; *(uint8_t*)0x200000008201 = 0x22; *(uint32_t*)0x200000008202 = 0x31; *(uint8_t*)0x200000008206 = 0x31; *(uint8_t*)0x200000008207 = 5; memcpy((void*)0x200000008208, "\x74\xe8\x3d\xcf\x53\xdd\x2d\x0e\xca\xc0\xaa\x34\x67\xb1\x8d\xfa\x71\xb2\x6c\xdd\x40\x3d\x95\x5c\x0f\xfe\x22\x81\x7b\x01\xfe\x57\x95\xd5\x1c\xf2\x4a\x6a\xe3\xb8\xe3\x2f\x1b\x7a\xc5\xf8\xca", 47); *(uint64_t*)0x20000000838c = 0x200000008240; *(uint8_t*)0x200000008240 = 0; *(uint8_t*)0x200000008241 = 3; *(uint32_t*)0x200000008242 = 0x1e; *(uint8_t*)0x200000008246 = 0x1e; *(uint8_t*)0x200000008247 = 3; memcpy((void*)0x200000008248, 
"\x89\x57\xa5\x01\xd8\x3c\x69\xe5\x4f\x70\xf6\x2f\x93\x2a\x50\xb6\x55\x06\xc3\x88\xc1\x28\x23\x9d\x36\x22\x9e\xe2", 28); *(uint64_t*)0x200000008394 = 0x200000008280; *(uint8_t*)0x200000008280 = 0; *(uint8_t*)0x200000008281 = 0xf; *(uint32_t*)0x200000008282 = 0x4f; *(uint8_t*)0x200000008286 = 5; *(uint8_t*)0x200000008287 = 0xf; *(uint16_t*)0x200000008288 = 0x4f; *(uint8_t*)0x20000000828a = 6; *(uint8_t*)0x20000000828b = 0x1c; *(uint8_t*)0x20000000828c = 0x10; *(uint8_t*)0x20000000828d = 0xa; *(uint8_t*)0x20000000828e = 0; STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000000828f, 5, 5, 27); *(uint16_t*)0x200000008293 = 0xf000; *(uint16_t*)0x200000008295 = 0x409; *(uint32_t*)0x200000008297 = 0xc000; *(uint32_t*)0x20000000829b = 0x17f; *(uint32_t*)0x20000000829f = 0xff3f30; *(uint32_t*)0x2000000082a3 = 0xffffaf; *(uint8_t*)0x2000000082a7 = 0x10; *(uint8_t*)0x2000000082a8 = 0x10; *(uint8_t*)0x2000000082a9 = 0xa; *(uint8_t*)0x2000000082aa = 9; STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000082ab, 4, 5, 27); *(uint16_t*)0x2000000082af = 0xff0f; *(uint16_t*)0x2000000082b1 = 0xf87; *(uint32_t*)0x2000000082b3 = 0xc030; *(uint8_t*)0x2000000082b7 = 7; *(uint8_t*)0x2000000082b8 = 0x10; *(uint8_t*)0x2000000082b9 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000082ba, 4, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 1, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bb, 4, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000082bc, 5, 0, 16); *(uint8_t*)0x2000000082be = 0xa; *(uint8_t*)0x2000000082bf = 0x10; *(uint8_t*)0x2000000082c0 = 3; *(uint8_t*)0x2000000082c1 = 0; *(uint16_t*)0x2000000082c2 = 4; *(uint8_t*)0x2000000082c4 = 0xd2; *(uint8_t*)0x2000000082c5 = 3; *(uint16_t*)0x2000000082c6 = 5; *(uint8_t*)0x2000000082c8 = 0xa; *(uint8_t*)0x2000000082c9 = 0x10; *(uint8_t*)0x2000000082ca = 3; *(uint8_t*)0x2000000082cb = 0; *(uint16_t*)0x2000000082cc = 0; *(uint8_t*)0x2000000082ce = 1; 
*(uint8_t*)0x2000000082cf = 7; *(uint16_t*)0x2000000082d0 = 2; *(uint8_t*)0x2000000082d2 = 3; *(uint8_t*)0x2000000082d3 = 0x10; *(uint8_t*)0x2000000082d4 = 0xb; *(uint64_t*)0x20000000839c = 0x200000008300; *(uint8_t*)0x200000008300 = 0x20; *(uint8_t*)0x200000008301 = 0x29; *(uint32_t*)0x200000008302 = 0xf; *(uint8_t*)0x200000008306 = 0xf; *(uint8_t*)0x200000008307 = 0x29; *(uint8_t*)0x200000008308 = 8; *(uint16_t*)0x200000008309 = 1; *(uint8_t*)0x20000000830b = 7; *(uint8_t*)0x20000000830c = 4; memcpy((void*)0x20000000830d, "\b\r$}", 4); memcpy((void*)0x200000008311, "\x67\x01\x6d\xee", 4); *(uint64_t*)0x2000000083a4 = 0x200000008340; *(uint8_t*)0x200000008340 = 0x20; *(uint8_t*)0x200000008341 = 0x2a; *(uint32_t*)0x200000008342 = 0xc; *(uint8_t*)0x200000008346 = 0xc; *(uint8_t*)0x200000008347 = 0x2a; *(uint8_t*)0x200000008348 = 0x16; *(uint16_t*)0x200000008349 = 0x80; *(uint8_t*)0x20000000834b = 9; *(uint8_t*)0x20000000834c = 3; *(uint8_t*)0x20000000834d = 3; *(uint16_t*)0x20000000834e = 2; *(uint16_t*)0x200000008350 = 0xf000; *(uint32_t*)0x2000000087c0 = 0x84; *(uint64_t*)0x2000000087c4 = 0x2000000083c0; *(uint8_t*)0x2000000083c0 = 0; *(uint8_t*)0x2000000083c1 = 0x11; *(uint32_t*)0x2000000083c2 = 0x1f; memcpy((void*)0x2000000083c6, "\x16\xd6\x0d\x77\x43\x50\x14\x52\xff\xd5\x73\x04\x24\xbc\x4a\x97\x0c\xc6\x49\x0b\xb9\xcc\x85\x93\x86\x99\xed\xf2\x7a\x0c\x7d", 31); *(uint64_t*)0x2000000087cc = 0x200000008400; *(uint8_t*)0x200000008400 = 0; *(uint8_t*)0x200000008401 = 0xa; *(uint32_t*)0x200000008402 = 1; *(uint8_t*)0x200000008406 = 9; *(uint64_t*)0x2000000087d4 = 0x200000008440; *(uint8_t*)0x200000008440 = 0; *(uint8_t*)0x200000008441 = 8; *(uint32_t*)0x200000008442 = 1; *(uint8_t*)0x200000008446 = 4; *(uint64_t*)0x2000000087dc = 0x200000008480; *(uint8_t*)0x200000008480 = 0x20; *(uint8_t*)0x200000008481 = 0; *(uint32_t*)0x200000008482 = 4; *(uint16_t*)0x200000008486 = 0xe554; *(uint16_t*)0x200000008488 = 1; *(uint64_t*)0x2000000087e4 = 0x2000000084c0; 
*(uint8_t*)0x2000000084c0 = 0x20; *(uint8_t*)0x2000000084c1 = 0; *(uint32_t*)0x2000000084c2 = 4; *(uint16_t*)0x2000000084c6 = 0x200; *(uint16_t*)0x2000000084c8 = 0x2b; *(uint64_t*)0x2000000087ec = 0x200000008500; *(uint8_t*)0x200000008500 = 0x40; *(uint8_t*)0x200000008501 = 7; *(uint32_t*)0x200000008502 = 2; *(uint16_t*)0x200000008506 = 0xfd37; *(uint64_t*)0x2000000087f4 = 0x200000008540; *(uint8_t*)0x200000008540 = 0x40; *(uint8_t*)0x200000008541 = 9; *(uint32_t*)0x200000008542 = 1; *(uint8_t*)0x200000008546 = 0; *(uint64_t*)0x2000000087fc = 0x200000008580; *(uint8_t*)0x200000008580 = 0x40; *(uint8_t*)0x200000008581 = 0xb; *(uint32_t*)0x200000008582 = 2; memcpy((void*)0x200000008586, "E\"", 2); *(uint64_t*)0x200000008804 = 0x2000000085c0; *(uint8_t*)0x2000000085c0 = 0x40; *(uint8_t*)0x2000000085c1 = 0xf; *(uint32_t*)0x2000000085c2 = 2; *(uint16_t*)0x2000000085c6 = 2; *(uint64_t*)0x20000000880c = 0x200000008600; *(uint8_t*)0x200000008600 = 0x40; *(uint8_t*)0x200000008601 = 0x13; *(uint32_t*)0x200000008602 = 6; memcpy((void*)0x200000008606, "\x2f\xa6\xdd\xe0\x3a\x0f", 6); *(uint64_t*)0x200000008814 = 0x200000008640; *(uint8_t*)0x200000008640 = 0x40; *(uint8_t*)0x200000008641 = 0x17; *(uint32_t*)0x200000008642 = 6; memcpy((void*)0x200000008646, "\xde\x1c\x10\x2b\x02\x7e", 6); *(uint64_t*)0x20000000881c = 0x200000008680; *(uint8_t*)0x200000008680 = 0x40; *(uint8_t*)0x200000008681 = 0x19; *(uint32_t*)0x200000008682 = 2; memcpy((void*)0x200000008686, "\x0d\x97", 2); *(uint64_t*)0x200000008824 = 0x2000000086c0; *(uint8_t*)0x2000000086c0 = 0x40; *(uint8_t*)0x2000000086c1 = 0x1a; *(uint32_t*)0x2000000086c2 = 2; *(uint16_t*)0x2000000086c6 = 2; *(uint64_t*)0x20000000882c = 0x200000008700; *(uint8_t*)0x200000008700 = 0x40; *(uint8_t*)0x200000008701 = 0x1c; *(uint32_t*)0x200000008702 = 1; *(uint8_t*)0x200000008706 = 0xfd; *(uint64_t*)0x200000008834 = 0x200000008740; *(uint8_t*)0x200000008740 = 0x40; *(uint8_t*)0x200000008741 = 0x1e; *(uint32_t*)0x200000008742 = 1; 
*(uint8_t*)0x200000008746 = 0xfd; *(uint64_t*)0x20000000883c = 0x200000008780; *(uint8_t*)0x200000008780 = 0x40; *(uint8_t*)0x200000008781 = 0x21; *(uint32_t*)0x200000008782 = 1; *(uint8_t*)0x200000008786 = 0xc9; syz_usb_control_io(/*fd=*/r[35], /*descs=*/0x200000008380, /*resps=*/0x2000000087c0); break; case 55: syz_usb_disconnect(/*fd=*/r[33]); break; case 56: syz_usb_ep_read(/*fd=*/r[34], /*ep=*/7, /*len=*/0xfc, /*data=*/0x200000008880); break; case 57: *(uint8_t*)0x200000008980 = 0x12; *(uint8_t*)0x200000008981 = 1; *(uint16_t*)0x200000008982 = 0x200; *(uint8_t*)0x200000008984 = 7; *(uint8_t*)0x200000008985 = 1; *(uint8_t*)0x200000008986 = 1; *(uint8_t*)0x200000008987 = 0x20; *(uint16_t*)0x200000008988 = 0x525; *(uint16_t*)0x20000000898a = 0xa4a8; *(uint16_t*)0x20000000898c = 0x40; *(uint8_t*)0x20000000898e = 1; *(uint8_t*)0x20000000898f = 2; *(uint8_t*)0x200000008990 = 3; *(uint8_t*)0x200000008991 = 1; *(uint8_t*)0x200000008992 = 9; *(uint8_t*)0x200000008993 = 2; *(uint16_t*)0x200000008994 = 0x24; *(uint8_t*)0x200000008996 = 1; *(uint8_t*)0x200000008997 = 1; *(uint8_t*)0x200000008998 = 0xf4; *(uint8_t*)0x200000008999 = 0x60; *(uint8_t*)0x20000000899a = 4; *(uint8_t*)0x20000000899b = 9; *(uint8_t*)0x20000000899c = 4; *(uint8_t*)0x20000000899d = 0; *(uint8_t*)0x20000000899e = 3; *(uint8_t*)0x20000000899f = 2; *(uint8_t*)0x2000000089a0 = 0; *(uint8_t*)0x2000000089a1 = 0; *(uint8_t*)0x2000000089a2 = 0; *(uint8_t*)0x2000000089a3 = 0x81; *(uint8_t*)0x2000000089a4 = 9; *(uint8_t*)0x2000000089a5 = 5; *(uint8_t*)0x2000000089a6 = 1; *(uint8_t*)0x2000000089a7 = 2; *(uint16_t*)0x2000000089a8 = 0x400; *(uint8_t*)0x2000000089aa = 0; *(uint8_t*)0x2000000089ab = 8; *(uint8_t*)0x2000000089ac = 2; *(uint8_t*)0x2000000089ad = 9; *(uint8_t*)0x2000000089ae = 5; *(uint8_t*)0x2000000089af = 0x82; *(uint8_t*)0x2000000089b0 = 2; *(uint16_t*)0x2000000089b1 = 0x3ff; *(uint8_t*)0x2000000089b3 = 4; *(uint8_t*)0x2000000089b4 = 0x48; *(uint8_t*)0x2000000089b5 = 8; *(uint32_t*)0x200000008f00 
= 0xa; *(uint64_t*)0x200000008f04 = 0x2000000089c0; *(uint8_t*)0x2000000089c0 = 0xa; *(uint8_t*)0x2000000089c1 = 6; *(uint16_t*)0x2000000089c2 = 0x250; *(uint8_t*)0x2000000089c4 = 0x7d; *(uint8_t*)0x2000000089c5 = 0xdd; *(uint8_t*)0x2000000089c6 = 3; *(uint8_t*)0x2000000089c7 = 0x20; *(uint8_t*)0x2000000089c8 = 0xfa; *(uint8_t*)0x2000000089c9 = 0; *(uint32_t*)0x200000008f0c = 0x154; *(uint64_t*)0x200000008f10 = 0x200000008a00; *(uint8_t*)0x200000008a00 = 5; *(uint8_t*)0x200000008a01 = 0xf; *(uint16_t*)0x200000008a02 = 0x154; *(uint8_t*)0x200000008a04 = 6; *(uint8_t*)0x200000008a05 = 0xe8; *(uint8_t*)0x200000008a06 = 0x10; *(uint8_t*)0x200000008a07 = 1; memcpy((void*)0x200000008a08, "\xd0\x31\xa9\x16\x5b\x9e\x27\x3f\xf6\xff\xe5\x55\x84\x9a\xf6\xdc\xa6\x6e\x17\xa6\x8e\xe5\xac\x78\x4d\xca\x23\xe4\xa5\x6d\x46\x16\x9a\xd0\x6e\xad\x2b\x8b\xcd\x99\x7e\xac\x2e\xcb\x8b\x2a\x25\x26\xaa\x20\x0d\xb5\x57\x58\xd0\x86\x59\x46\x92\x83\xd6\xec\xfb\xa9\x82\xc3\x00\xae\x82\xcc\xf4\xa8\xbf\x07\x3d\xbd\xe4\x53\x76\xb4\xf6\xfc\x55\x9b\xe5\x19\xf8\x2e\x8e\x5b\x2c\xf5\x9c\x3a\x3a\xf4\xf2\x90\x70\x7e\x76\x7a\x4e\x27\x68\x51\x09\x0d\x90\xbe\x0a\xb6\x6f\x78\x8e\x77\x60\xcd\x71\xab\x86\x5e\xa8\xb6\xbc\xc5\xf3\x5f\x60\x53\x81\x54\xa0\x99\xc3\x54\xa3\x59\x34\x17\x68\x2f\xc3\x9d\x2a\x6a\x25\x5e\xf4\xbb\x65\xf8\xd9\x7a\xf2\x9b\xeb\x0f\x87\x34\xa6\x8e\xd8\x4e\xf0\x8d\xf6\x9e\x9b\x35\xfa\x2e\x3f\xe6\x5e\x99\x38\xff\x44\x1d\xc3\xe7\x98\x2a\x81\xcc\xca\xf9\x62\x1d\x5d\xbc\x66\x3b\x80\xab\x44\x8c\x97\x5c\xbc\x19\xbb\x6c\x39\x01\xa0\x2c\x16\xb3\x2d\xfa\xf9\xf5\xc2\x20\xfa\x21\x43\x49\x37\xb4\x62\x03\x81\x05\xe6\xd0\x86", 229); *(uint8_t*)0x200000008aed = 0x4b; *(uint8_t*)0x200000008aee = 0x10; *(uint8_t*)0x200000008aef = 3; memcpy((void*)0x200000008af0, 
"\x10\xbe\xd1\x91\x2f\x7d\xc9\x4a\xc6\xd8\x7c\xbc\x68\x96\x2c\x89\xe7\x77\xcc\x51\xa2\x57\xd0\xca\xd3\x3c\xdc\xf3\x36\xa3\x1a\xc3\x9b\x86\x71\x44\xc2\xc9\x6b\xe4\x0f\xcc\xac\x19\x63\x3a\x54\x77\x87\xbc\x6e\x4f\xe9\x1e\x91\xfa\x47\x59\xdb\x2a\x86\x7d\x85\x9c\xd5\xa6\x0c\x84\xc1\xa3\x8e\x09", 72); *(uint8_t*)0x200000008b38 = 0xb; *(uint8_t*)0x200000008b39 = 0x10; *(uint8_t*)0x200000008b3a = 1; *(uint8_t*)0x200000008b3b = 2; *(uint16_t*)0x200000008b3c = 9; *(uint8_t*)0x200000008b3e = 0x77; *(uint8_t*)0x200000008b3f = 9; *(uint16_t*)0x200000008b40 = 0x2cf; *(uint8_t*)0x200000008b42 = 0; *(uint8_t*)0x200000008b43 = 0xb; *(uint8_t*)0x200000008b44 = 0x10; *(uint8_t*)0x200000008b45 = 1; *(uint8_t*)0x200000008b46 = 0xc; *(uint16_t*)0x200000008b47 = 5; *(uint8_t*)0x200000008b49 = 8; *(uint8_t*)0x200000008b4a = 5; *(uint16_t*)0x200000008b4b = 9; *(uint8_t*)0x200000008b4d = 0x16; *(uint8_t*)0x200000008b4e = 3; *(uint8_t*)0x200000008b4f = 0x10; *(uint8_t*)0x200000008b50 = 0xb; *(uint8_t*)0x200000008b51 = 3; *(uint8_t*)0x200000008b52 = 0x10; *(uint8_t*)0x200000008b53 = 0xb; *(uint32_t*)0x200000008f18 = 0xa; *(uint32_t*)0x200000008f1c = 4; *(uint64_t*)0x200000008f20 = 0x200000008b80; *(uint8_t*)0x200000008b80 = 4; *(uint8_t*)0x200000008b81 = 3; *(uint16_t*)0x200000008b82 = 0x40e; *(uint32_t*)0x200000008f28 = 4; *(uint64_t*)0x200000008f2c = 0x200000008bc0; *(uint8_t*)0x200000008bc0 = 4; *(uint8_t*)0x200000008bc1 = 3; *(uint16_t*)0x200000008bc2 = 0x427; *(uint32_t*)0x200000008f34 = 4; *(uint64_t*)0x200000008f38 = 0x200000008c00; *(uint8_t*)0x200000008c00 = 4; *(uint8_t*)0x200000008c01 = 3; *(uint16_t*)0x200000008c02 = 0x415; *(uint32_t*)0x200000008f40 = 4; *(uint64_t*)0x200000008f44 = 0x200000008c40; *(uint8_t*)0x200000008c40 = 4; *(uint8_t*)0x200000008c41 = 3; *(uint16_t*)0x200000008c42 = 0x1c0a; *(uint32_t*)0x200000008f4c = 4; *(uint64_t*)0x200000008f50 = 0x200000008c80; *(uint8_t*)0x200000008c80 = 4; *(uint8_t*)0x200000008c81 = 3; *(uint16_t*)0x200000008c82 = 0x83e; 
*(uint32_t*)0x200000008f58 = 4; *(uint64_t*)0x200000008f5c = 0x200000008cc0; *(uint8_t*)0x200000008cc0 = 4; *(uint8_t*)0x200000008cc1 = 3; *(uint16_t*)0x200000008cc2 = 0x300a; *(uint32_t*)0x200000008f64 = 4; *(uint64_t*)0x200000008f68 = 0x200000008d00; *(uint8_t*)0x200000008d00 = 4; *(uint8_t*)0x200000008d01 = 3; *(uint16_t*)0x200000008d02 = 0x300a; *(uint32_t*)0x200000008f70 = 4; *(uint64_t*)0x200000008f74 = 0x200000008d40; *(uint8_t*)0x200000008d40 = 4; *(uint8_t*)0x200000008d41 = 3; *(uint16_t*)0x200000008d42 = 0x423; *(uint32_t*)0x200000008f7c = 0x9f; *(uint64_t*)0x200000008f80 = 0x200000008d80; *(uint8_t*)0x200000008d80 = 0x9f; *(uint8_t*)0x200000008d81 = 3; memcpy((void*)0x200000008d82, "\xd4\x8e\x87\x24\x64\x9a\x28\x41\x92\x3d\x48\xb8\xb2\x35\xfd\xc4\x31\x5e\x0d\xfb\xe1\xb8\xa8\xa0\x83\x53\xaf\x5b\x63\x0b\xeb\x6e\xca\x1d\x6b\xe0\x3d\x88\xd5\x58\x79\x33\xd6\xad\xe1\x22\xb2\xad\x4c\x55\x80\x40\xe7\xf2\x03\xd8\xc7\xaf\x79\x0a\xf8\x5d\xe3\x6e\x84\x1e\xb9\x48\x0a\xfa\x1a\xaf\x9a\x22\x6f\x4d\xe2\x8c\xd4\x44\x15\x57\x41\x1c\x77\x37\xf7\x4d\x7d\x60\x31\x3c\xd3\xd0\x51\x28\x4f\xce\xb5\xb3\x27\x83\x73\xf6\x3c\x72\xa8\x4e\x8d\xe4\xe2\x3b\xf6\x4e\x2a\x69\xc0\x57\x91\x06\xc9\x33\x18\x03\xe2\xef\x32\xfd\x09\x88\x9a\xdc\xe7\xbc\xd7\xeb\x61\x34\xc4\x65\xed\x17\x38\x6d\x3f\x97\xa4\xe8\xa4\xe9\xc4\x19\xf9\xc6\xeb\x2d\x32", 157); *(uint32_t*)0x200000008f88 = 0xa4; *(uint64_t*)0x200000008f8c = 0x200000008e40; *(uint8_t*)0x200000008e40 = 0xa4; *(uint8_t*)0x200000008e41 = 3; memcpy((void*)0x200000008e42, 
"\x81\x10\x3e\x0d\x22\x88\x43\x34\x4b\x9a\x28\x85\x67\x53\x24\xf5\x79\xdf\x27\x8e\x6d\x25\x06\x59\x98\xbd\xbb\x69\xb8\xee\xd0\xe1\xdb\x8d\xf1\x6b\x19\x64\x6d\x92\xc5\xd0\x35\x21\xf7\x73\xc1\x6c\x24\xde\xea\xe5\x56\xbe\x69\xb0\x4e\x1e\x96\x6f\xeb\xfb\xf3\x7f\x3b\xbc\x6d\xd6\x4c\x83\xf4\xc2\xa8\x7d\xaf\x95\xfb\x91\xe1\x0a\x36\xc0\x06\x9f\x4d\x51\x7b\xf3\x96\x21\x11\xd8\xf9\xc8\x45\x32\x3c\x0b\x91\xe6\x8d\xea\x34\xb2\x77\xb4\x10\x72\x0b\xdf\x4a\x58\x64\xfe\x06\x9b\xde\xe8\x4f\xa9\xe4\x46\x55\x49\x71\x3f\xb3\x33\xaa\xed\x85\x5b\xaf\x29\x53\x27\xe1\xfb\x65\x17\x29\xfe\x4a\xcf\x1d\x9e\xbf\x80\xd6\x4c\x29\xfc\xd3\x68\xee\x16\x11\xe5\x50\xd7\xb6\x7a", 162); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_SUPER*/5, /*dev_len=*/0x36, /*dev=*/0x200000008980, /*conn_descs=*/0x200000008f00); if (res != -1) r[36] = res; break; case 58: memcpy((void*)0x200000008fc0, "\x18\x15\x12\xf6\x08\x38\x97\xf1\xb9\x4a\xd0\x1c\x9d\x8c\xc9\xeb\x6d\x7c\x14\x9c\x5e\xdf\x5e\xcf\x21\xcf\x4a\x2b\x2a\x9f\xf0\x2e\x0d\x8f\x8a\x4f\x60\xf7\xb3\x1a\xd0\xb2\x55\x2e\x14\x87\x8f\x84\x0f\x51\xa9\x7c\x25\x63\xb6\x19\xb1\x01\xea\x77\x61\x3b\x97\x52\x36\x7f\x0f\x6e\x6a\x62\x37\x81\xa3\x83\xe4\x99\xdc\x26\xfe\xd6\x0a\xfe\x6f\x15\x6d\x32\x6b\xc1\x41\xd6\x61\x5d\x18\xb6\x1a\x5c\x06\xcb\x49\xd9\xe0\x08\xe0\x5f\x65\x37\x6a\xef\xb5\xec\x21\xed\xc4\x68\xb8\x43\x4a\x0c\x9e\x39\xd1\x20\xbc\xd3\x11\x32\xf0\x75\x5c\x1f\xca\xf9\x1f\xec\xb2\x73\x3f\x98\x18\x42\x56\xd2\xf7\x9e\x80\x45\x2d\xc8\x6c\xf3\x19\x85\x08\x2e\x38\x60\x17\xeb\xe8\x21\x25\xc7\x8b\xee\x42\xf9\x49\xca\x67\x98\x67\x34\x33\xfb\x0a\x20\xd9\x16\x1b\x69\x8f\x04\x66\xb0\xea\x53\x58\x7a\x3f\x08\xcc\x34\x35\xbb\x7c\x19\x3f\x4a\xdc\xd2\xe5\xe1\x04\xf3\x3e\x3e\x1c\xdd\x33\xba\x95\x1f\xc9\xf7\x6b\x10\x8a\x40\x74\xc8\x07\x2b\x16\x46\x59\x62\xeb\x28\xe1\x38\xc9\x18\x8c\x3e\x54\xa0\x0a\xfb\x4f\xb1\x71\x0a\x27\x3a\x1f\x1c\x53\x0a\xda\x0d\x50", 251); syz_usb_ep_write(/*fd=*/r[36], /*ep=*/0xf9, /*len=*/0xfb, /*data=*/0x200000008fc0); break; case 59: 
syz_usbip_server_init(/*speed=USB_SPEED_FULL*/2); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :5997:17: error: '__NR_socketcall' undeclared (first use in this function) :5997:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor955364798 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/17 (1.33s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/16 (1.32s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/2 (1.33s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/32 (1.10s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/8 (1.35s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/21 (0.98s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/7 (0.85s) 
csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/1 (1.41s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/22 (1.10s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/10 (1.44s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/28 (1.44s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/19 (0.99s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/18 (0.99s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/14 (1.47s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/26 (1.16s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/0 (1.50s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/23 (1.15s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/33 (1.23s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/29 (1.08s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/31 (1.24s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/12 (1.22s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/9 (1.56s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/20 (1.24s) csource_test.go:155: FAIL FAIL github.com/google/syzkaller/pkg/csource 55.153s ok github.com/google/syzkaller/pkg/db 4.220s ? github.com/google/syzkaller/pkg/debugtracer [no test files] ? github.com/google/syzkaller/pkg/declextract [no test files] ok github.com/google/syzkaller/pkg/email (cached) ok github.com/google/syzkaller/pkg/email/lore (cached) ok github.com/google/syzkaller/pkg/flatrpc (cached) ok github.com/google/syzkaller/pkg/fuzzer 26.285s ok github.com/google/syzkaller/pkg/fuzzer/queue 0.050s ok github.com/google/syzkaller/pkg/gce (cached) ? github.com/google/syzkaller/pkg/gcpsecret [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/gcs/mocks [no test files] ok github.com/google/syzkaller/pkg/hash 0.028s ? 
github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/html/pages 0.391s ok github.com/google/syzkaller/pkg/html/urlutil (cached) ? github.com/google/syzkaller/pkg/ifaceprobe [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ok github.com/google/syzkaller/pkg/ifuzz/arm64 (cached) ? github.com/google/syzkaller/pkg/ifuzz/arm64/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/arm64/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ok github.com/google/syzkaller/pkg/image 7.699s ok github.com/google/syzkaller/pkg/instance 1.890s ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig (cached) ? github.com/google/syzkaller/pkg/kcov [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/kfuzztest (cached) ? github.com/google/syzkaller/pkg/kfuzztest-executor [no test files] ? github.com/google/syzkaller/pkg/kfuzztest-manager [no test files] ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/manager 2.637s ok github.com/google/syzkaller/pkg/mgrconfig 4.125s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report 11.278s ok github.com/google/syzkaller/pkg/report/crash (cached) ok github.com/google/syzkaller/pkg/repro 6.306s ok github.com/google/syzkaller/pkg/rpcserver 17.515s ? github.com/google/syzkaller/pkg/rpcserver/mocks [no test files] ? 
github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 40.806s ok github.com/google/syzkaller/pkg/serializer (cached) ok github.com/google/syzkaller/pkg/signal (cached) ok github.com/google/syzkaller/pkg/stat (cached) ok github.com/google/syzkaller/pkg/stat/sample (cached) ? github.com/google/syzkaller/pkg/stat/syzbotstats [no test files] ok github.com/google/syzkaller/pkg/subsystem (cached) ok github.com/google/syzkaller/pkg/subsystem/linux (cached) ok github.com/google/syzkaller/pkg/subsystem/lists (cached) ok github.com/google/syzkaller/pkg/symbolizer (cached) ? github.com/google/syzkaller/pkg/testutil [no test files] ok github.com/google/syzkaller/pkg/tool (cached) ? github.com/google/syzkaller/pkg/updater [no test files] ok github.com/google/syzkaller/pkg/validator (cached) ok github.com/google/syzkaller/pkg/vcs 11.320s ok github.com/google/syzkaller/pkg/vminfo 10.635s ok github.com/google/syzkaller/prog 43.295s ok github.com/google/syzkaller/prog/test 1.497s ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ? github.com/google/syzkaller/sys/generated [no test files] ok github.com/google/syzkaller/sys/linux 2.294s ok github.com/google/syzkaller/sys/netbsd 0.437s ok github.com/google/syzkaller/sys/openbsd 0.436s ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? 
github.com/google/syzkaller/syz-agent [no test files] ok github.com/google/syzkaller/syz-ci 5.671s ok github.com/google/syzkaller/syz-cluster/controller (cached) ok github.com/google/syzkaller/syz-cluster/dashboard (cached) ok github.com/google/syzkaller/syz-cluster/email-reporter 0.143s ? github.com/google/syzkaller/syz-cluster/pkg/api [no test files] ? github.com/google/syzkaller/syz-cluster/pkg/app [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/blob (cached) ok github.com/google/syzkaller/syz-cluster/pkg/controller (cached) ok github.com/google/syzkaller/syz-cluster/pkg/db (cached) ok github.com/google/syzkaller/syz-cluster/pkg/emailclient (cached) ok github.com/google/syzkaller/syz-cluster/pkg/fuzzconfig 2.839s ok github.com/google/syzkaller/syz-cluster/pkg/report (cached) ok github.com/google/syzkaller/syz-cluster/pkg/reporter (cached) ? github.com/google/syzkaller/syz-cluster/pkg/service [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/triage (cached) ? github.com/google/syzkaller/syz-cluster/pkg/workflow [no test files] ? github.com/google/syzkaller/syz-cluster/reporter-server [no test files] ok github.com/google/syzkaller/syz-cluster/series-tracker (cached) ? github.com/google/syzkaller/syz-cluster/tools/db-mgmt [no test files] ? github.com/google/syzkaller/syz-cluster/tools/send-test-email [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/boot-step [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/build-step [no test files] ok github.com/google/syzkaller/syz-cluster/workflow/fuzz-step 2.808s ? github.com/google/syzkaller/syz-cluster/workflow/triage-step [no test files] ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state 0.265s ? github.com/google/syzkaller/syz-kfuzztest [no test files] ok github.com/google/syzkaller/syz-manager 2.908s ? github.com/google/syzkaller/tools/arm64 [no test files] ? 
github.com/google/syzkaller/tools/kfuzztest-gen [no test files] ? github.com/google/syzkaller/tools/syz-aflow [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-codesearch [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-covermerger [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ok github.com/google/syzkaller/tools/syz-db 1.933s ? github.com/google/syzkaller/tools/syz-db-export [no test files] ok github.com/google/syzkaller/tools/syz-declextract 3.748s ? github.com/google/syzkaller/tools/syz-diff [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fillreports [no test files] ? github.com/google/syzkaller/tools/syz-fix-analyzer [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-gemini-seed [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ok github.com/google/syzkaller/tools/syz-imagegen 0.019s ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-kconf 1.304s ok github.com/google/syzkaller/tools/syz-linter 2.498s ? github.com/google/syzkaller/tools/syz-lore [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-query-subsystems [no test files] ? 
github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ok github.com/google/syzkaller/tools/syz-testbed 2.219s ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser 0.025s ok github.com/google/syzkaller/tools/syz-trace2syz/proggen 1.223s ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 13.220s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/cuttlefish [no test files] ok github.com/google/syzkaller/vm/dispatcher 0.413s ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated 1.457s ok github.com/google/syzkaller/vm/proxyapp 4.509s ? github.com/google/syzkaller/vm/proxyapp/mocks [no test files] ? github.com/google/syzkaller/vm/proxyapp/proxyrpc [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ? github.com/google/syzkaller/vm/starnix [no test files] ? github.com/google/syzkaller/vm/virtualbox [no test files] ok github.com/google/syzkaller/vm/vmimpl 1.245s ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL