ok github.com/google/syzkaller/dashboard/app 0.262s ? github.com/google/syzkaller/dashboard/dashapi [no test files] ? github.com/google/syzkaller/executor [no test files] ok github.com/google/syzkaller/pkg/ast 1.294s ok github.com/google/syzkaller/pkg/bisect 16.691s ok github.com/google/syzkaller/pkg/build 5.146s ? github.com/google/syzkaller/pkg/cmdprof [no test files] ok github.com/google/syzkaller/pkg/compiler 2.928s ok github.com/google/syzkaller/pkg/config (cached) ok github.com/google/syzkaller/pkg/cover 1.171s --- FAIL: TestGenerate (2.30s) --- FAIL: TestGenerate/linux/amd64 (2.14s) csource_test.go:66: seed=1596209247539059461 --- FAIL: TestGenerate/linux/amd64/0 (0.46s) csource_test.go:122: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; memcpy((void*)0x20000000, "/dev/dsp\000", 9); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); if (res != -1) r[0] = res; *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); if (res != -1) r[1] = res; *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); syscall(__NR_socket, 0xaul, 5ul, 0x84); memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20000240, 8, 0x40040); if (res != -1) r[2] = res; *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); *(uint32_t*)0x20000300 = 0x14; syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); syscall(__NR_socket, 4ul, 2ul, 0); *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); syz_execute_func(0x20000140); memcpy((void*)0x200001c0, "SEG6\000", 5); syz_genetlink_get_family_id(0x200001c0); syz_init_net_socket(3, 2, 0xc4); res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); if (res != -1) r[3] = res; syz_io_uring_complete(r[3]); *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); if (res != -1) r[4] = *(uint32_t*)0x20000218; res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); if (res != -1) r[5] = res; memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); if (res != -1) r[6] = res; res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); if (res != -1) r[7] = res; *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint32_t*)0x20000394 = 1; *(uint32_t*)0x20000398 = 0; *(uint64_t*)0x200003a0 = 1; *(uint16_t*)0x200003a8 = 0; *(uint16_t*)0x200003aa = r[7]; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; *(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; syz_io_uring_submit(r[3], r[5], 0x20000380, 5); *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0x200003c0; memcpy((void*)0x200003c0, "\xc6\x6b\xf5\x1c\x00\x3b\x68\x4c\xd1\xf5\x6d\x7d\xbc\xd2\xde\xa7\x67\x52\x93\xe4\xd0\x16\x95\x5f\xb8\x84\x32\x0c\xce\xfe\xf5\x21\x42\xee\xf0\xb6\x1d\x38\x99\x59\xe4\xe4\x75\x07\x5b\x6b\x11\xcd\xbe\x1c", 50); *(uint64_t*)0x20000410 = 0x32; *(uint64_t*)0x20000440 = 1; *(uint64_t*)0x20000448 = 0; syz_kvm_setup_cpu(r[6], -1, 0x20fe7000, 0x20000400, 1, 0, 0x20000440, 1); res = syscall(__NR_mmap, 0x20ffb000ul, 0x4000ul, 0x2000000ul, 0x1000ul, -1, 0x8000000ul); if (res != -1) r[8] = res; *(uint32_t*)0x20000480 = 1; syz_memcpy_off(r[8], 0x114, 0x20000480, 0, 4); memcpy((void*)0x200004c0, "afs\000", 4); memcpy((void*)0x20000500, "./file0\000", 8); *(uint64_t*)0x200008c0 = 0x20000540; *(uint64_t*)0x200008c8 = 0; *(uint64_t*)0x200008d0 = 0x32; *(uint64_t*)0x200008d8 = 0x20000580; memcpy((void*)0x20000580, "\x3a\x7a\x72\xca\x9b\x2a\x42\x2a\xfb\xeb\xa2\xd7\xa8\x43\x38\xcb\x03\x95\x18\x39\x45\x1a\xf3\xf3\x03\x1d\x00\x30\xdb\x11\xa0\x8c\x0e\xb2\x24\x4d\xab\x7f\x4f\xd9\x44\x2c\xd5\x53\x70\xfb\xac\xdc\x33\x0d\x3e\xe2\x18\x81\x37\xd0\xad\x97\x72\xc7\xae\x54\xfa\xe9\x2d\x19\x41\xe0\x49\xbd\xcb\x3b\x8f\x64\x5e\xa6\xa7\xd7\x46\x40\x42\x86\xd5\x6d\xfd\x7a\x41\xfb\x29\xe2\x98\x7d\x8d\x73\xb3\x67\x9f\xae\x42\x7f\x5a\xf0\x81\x85\xe4\xff\xda\x15\x32\x28\xa3\xac\x82\xbf\x94\xf1\x77\x52\xed\x78\xdf\xe5\xb9\xa4", 124); *(uint64_t*)0x200008e0 = 0x7c; *(uint64_t*)0x200008e8 = 0xee5; *(uint64_t*)0x200008f0 = 0x20000600; memcpy((void*)0x20000600, "\xa9\x63\xe9\x74\x3e\x9c\x3d\x09\x2a\x0a\xb1\xd6\x8a\x13\xfe\x85\xf8\x0e\xd9\x43\x58\xab\x9a\xd4\x02\x9d\xff\x34\x33\xa3\x22\x3c\x65\x0d\x6a\x96\x50\x5e\xc9\xa3\xd6\xcd\x09\xad\x3f\x26\x8f\xcd\xd1\x24\x8a\xa4\x3e\xf1\x38\xa7\x9b\x0c\x4c\x11\x6f\x71\x78\xb5\xfc\x5c\xc4\x9f\xa3\x03\x20\x1e\x8c\x7e\xf4\xe3\x22\x43\x41\x05\xec\xdc\x91\x2a\xe6\x72\x51\x0b\x34\xc0\x1a\xa3\x89\x0c\x90\xf2\x72\x00\xde\x2b\x65\xc4\xbd\x20", 104); *(uint64_t*)0x200008f8 = 0x68; *(uint64_t*)0x20000900 = 0x10000; *(uint64_t*)0x20000908 = 0x20000680; memcpy((void*)0x20000680, "\x6a\xc4\x43\xef\xa9\x85\x5d\xda\x4f\xa3\xa9\x82\xab\xc0\x60\xeb\xf1\xa6\x78\x5f\xeb\xa7\x7c\xd7\x0d\x48\x6a\x29\xf4", 29); *(uint64_t*)0x20000910 = 0x1d; *(uint64_t*)0x20000918 = 2; *(uint64_t*)0x20000920 = 0x200006c0; memcpy((void*)0x200006c0, "\x32\x29\x20\x2f\xd1\x3c\x8a\xb6\xd5\x54\xd8\xdf\xb6\xa8\x66\x18\x05\xf5\x3c\x5e\x81\x67\x1b\xf5\xd7\x02\xaa\x4c\x17\xca\xd1\x07\xcf\xc6\xa8\xfe\x70\x2b\x26\x94\x2c\x63\x2a\x4e\xd0\xe1\x01\x04\x40\xb5\x1b\x99\x78\x5c\x11\x2a\x0b\xda\x8c\x28\x62\x67\xac\x9c\xb4\xe6\x95\x37\x6a\x13\xd9\x93\x7d\xfe\x15\x42\x39\xc4\xea\x04\xf3\x85\x39\xa8\xe5\x57\xdb\xcc\x89\x09\x42\x0c\x76\xb2\x58\x7b\x42\xaa\x2d\x61\xbf\x39\x5f\xe9\x13\xba\xd8\x6d\xdf\x17\xa8\xf1\xb3\x21\x2d\x0f\x0a\x6b\xc2\xe7\x84\x1e\xf2\xe2\xee\x0b\xe0\x59\x01\xf0\x28\xc7\xc6\x5e\x1c\x2c\xb6\x41\xf5\x56\x50\x8f\xbf\x32\x2d\xa0\x30\xde\x78\x46\xad\x39\x00\x40\x82\xc1\x28\xa0\xff\xb6\x0c\x1b\x80\x1b\xfd\x69\xa0\xe5\xf3\x7b\x51\xfe\xb7\x8d\x97\x24\x0f\x45\xf3\xce\x17\xa2\x8a\xbb\xd8\x9b\xd1\x6c\xd2\xd0\x6c\x74\x48\x89\x90\xab\xa3\x6f\xf0\x06\xe8\xae\x36\x22\xec\x18\xfa\x76\xb7\x67\xbe\x88\xf1\x92\xf9\x4a\xf1\x5e\x23\xd7\x42\x17\x73\x8a\x1d\x48\xef\x2c\x3e\x1c\x0a\x55\x72\x03\x04\x5e\x3b\xa2\x5e\x9c\xd3\x8e\xfa\x64", 244); *(uint64_t*)0x20000928 = 0xf4; *(uint64_t*)0x20000930 = 6; *(uint64_t*)0x20000938 = 0x200007c0; memcpy((void*)0x200007c0, "\x41\x4d\x78\x40\x34\x90\x27\x5a\x20\x64\x95\xf9\x3c\xf6\x22\x29\x59\x6a\x76\xf6\x22\xd4\x2e\x73\x7b\xfa\x14\x8f\xc2\x38\x5d\x9c\x82\x94\x6c\xe9\x5d\x9b\x76\x65\xc1\x48\xbf\xd7\x23\xf5\x24\x8f\xfc\xb6\xa4\xfc\x82\x65\xde\x9d\xa9\xe3\x4f\xf0\x57\x7d\xd7\x19\x23\x3d\x7e\xf9\x61\x0b\x9b\x9d\x98\xd4\xf2\xce\xdc\xc5\x35\x1c\xb7\x23\x4e\x0a\x83\x45\xf8\x1e\x60\x3a\x00\x2c\x13\xd8\x98\xf1\x08\x46\x56\xc5\x1b\xe0\x05\x26\xc6\xb7\x97\x7b\x28\x78\x09\x59\x1c\x51\xa2\x88\xac\xec\x3e\x57\x0a\x94\xcc\x77\x42\x01\x95\xf2\xa8\x1a\x77\x89\x6f\x9f\x08\x1b\x17\x3c\x24\xad\xa2\x30\x41\xea\x2e\x72\x53\x69\x86\x01\xd8\x37\x69\x09\x4d\x34\x89", 157); *(uint64_t*)0x20000940 = 0x9d; *(uint64_t*)0x20000948 = 1; *(uint64_t*)0x20000950 = 0x20000880; memcpy((void*)0x20000880, "\x3c\xc0\xa1\x54\x97\x7d\x26\x88\x2d\x94\xf1\xc1\x08\xa6\x28\x7b\x15\xe8\x35\xbf\x2d\x9e\xbc\xfd\x92\x5c\x45\x69\xc9\xde\x9d\x46\x3b\x92\x91\x58\x99\x0d\x2f\x48", 40); *(uint64_t*)0x20000958 = 0x28; *(uint64_t*)0x20000960 = 0xfffffffffffffbff; memcpy((void*)0x20000980, "flock=strict", 12); *(uint8_t*)0x2000098c = 0x2c; memcpy((void*)0x2000098d, "flock=write", 11); *(uint8_t*)0x20000998 = 0x2c; memcpy((void*)0x20000999, "source", 6); *(uint8_t*)0x2000099f = 0x3d; memcpy((void*)0x200009a0, "\353", 1); *(uint8_t*)0x200009a1 = 0x2c; memcpy((void*)0x200009a2, "autocell", 8); *(uint8_t*)0x200009aa = 0x2c; *(uint8_t*)0x200009ab = 0; syz_mount_image(0x200004c0, 0x20000500, 0x1f, 7, 0x200008c0, 0x1015005, 0x20000980); memcpy((void*)0x200009c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200009c0, 0x10000, 0x6840); *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0; *(uint32_t*)0x20000a4c = 3; *(uint64_t*)0x20000a50 = 0x20000a00; memcpy((void*)0x20000a00, ".\\\000", 3); *(uint32_t*)0x20000a58 = 0; *(uint32_t*)0x20000a5c = 0; *(uint64_t*)0x20000a60 = 0; *(uint64_t*)0x20000a68 = 0; res = syscall(__NR_bpf, 0x14ul, 0x20000a40ul, 0x30ul); if (res != -1) r[9] = *(uint32_t*)0x20000a40; memcpy((void*)0x20000a80, "status\000", 7); syz_open_procfs(r[9], 0x20000a80); syz_open_pts(-1, 0x8000); syz_read_part_table(6, 0, 0x20000ac0); *(uint8_t*)0x20000b00 = 0x12; *(uint8_t*)0x20000b01 = 1; *(uint16_t*)0x20000b02 = 0x250; *(uint8_t*)0x20000b04 = 0xa8; *(uint8_t*)0x20000b05 = 0x9c; *(uint8_t*)0x20000b06 = 0xcc; *(uint8_t*)0x20000b07 = -1; *(uint16_t*)0x20000b08 = 0x499; *(uint16_t*)0x20000b0a = 0x150c; *(uint16_t*)0x20000b0c = 0xbaf4; *(uint8_t*)0x20000b0e = 1; *(uint8_t*)0x20000b0f = 2; *(uint8_t*)0x20000b10 = 3; *(uint8_t*)0x20000b11 = 1; *(uint8_t*)0x20000b12 = 9; *(uint8_t*)0x20000b13 = 2; *(uint16_t*)0x20000b14 = 0x702; *(uint8_t*)0x20000b16 = 3; *(uint8_t*)0x20000b17 = 2; *(uint8_t*)0x20000b18 = 5; *(uint8_t*)0x20000b19 = 0x80; *(uint8_t*)0x20000b1a = 0x1f; *(uint8_t*)0x20000b1b = 9; *(uint8_t*)0x20000b1c = 4; *(uint8_t*)0x20000b1d = 0x7d; *(uint8_t*)0x20000b1e = 0; *(uint8_t*)0x20000b1f = 0xb; *(uint8_t*)0x20000b20 = 0x5c; *(uint8_t*)0x20000b21 = 0x68; *(uint8_t*)0x20000b22 = 0x45; *(uint8_t*)0x20000b23 = 0xb8; *(uint8_t*)0x20000b24 = 0x64; *(uint8_t*)0x20000b25 = 0xe6; memcpy((void*)0x20000b26, "\x25\xbb\xa1\x93\x73\x4e\x4e\xb8\x7c\xbd\x6a\x4c\x96\x1e\xf0\x1e\x6c\x96\x0f\xa2\x7d\xe2\xe0\xb2\x88\x3e\x73\xbc\xb5\x6b\x37\x1c\xc2\xf9\x4a\x39\xee\x59\xf2\x12\x37\xd7\xfd\x38\xba\xfe\xa3\xbe\xbf\x15\x96\x7e\x66\xfd\xa6\x11\x4d\x34\xb3\x49\xe1\x86\x8e\xf9\x5c\xc0\xa0\x63\x05\xd0\x16\xcd\x2c\xc7\x23\x33\x40\x35\xa1\x10\xf9\xda\x19\x7a\xfa\x79\xa6\xb0\x45\xfa\xc5\xf7\xd5\xbb\x63\x9e\x45\x41", 98); *(uint8_t*)0x20000b88 = 0xa; *(uint8_t*)0x20000b89 = 0x24; *(uint8_t*)0x20000b8a = 1; *(uint16_t*)0x20000b8b = 7; *(uint8_t*)0x20000b8d = 0x80; *(uint8_t*)0x20000b8e = 2; *(uint8_t*)0x20000b8f = 1; *(uint8_t*)0x20000b90 = 2; *(uint8_t*)0x20000b91 = 9; *(uint8_t*)0x20000b92 = 5; *(uint8_t*)0x20000b93 = 1; *(uint8_t*)0x20000b94 = 3; *(uint16_t*)0x20000b95 = 0x200; *(uint8_t*)0x20000b97 = 0x81; *(uint8_t*)0x20000b98 = 1; *(uint8_t*)0x20000b99 = 9; *(uint8_t*)0x20000b9a = 7; *(uint8_t*)0x20000b9b = 0x25; *(uint8_t*)0x20000b9c = 1; *(uint8_t*)0x20000b9d = 1; *(uint8_t*)0x20000b9e = 9; *(uint16_t*)0x20000b9f = 0x1000; *(uint8_t*)0x20000ba1 = 9; *(uint8_t*)0x20000ba2 = 5; *(uint8_t*)0x20000ba3 = 6; *(uint8_t*)0x20000ba4 = 8; *(uint16_t*)0x20000ba5 = 0x400; *(uint8_t*)0x20000ba7 = 0xe8; *(uint8_t*)0x20000ba8 = 0xc6; *(uint8_t*)0x20000ba9 = -1; *(uint8_t*)0x20000baa = 7; *(uint8_t*)0x20000bab = 0x25; *(uint8_t*)0x20000bac = 1; *(uint8_t*)0x20000bad = 1; *(uint8_t*)0x20000bae = 0x81; *(uint16_t*)0x20000baf = 6; *(uint8_t*)0x20000bb1 = 9; *(uint8_t*)0x20000bb2 = 5; *(uint8_t*)0x20000bb3 = 0xd; *(uint8_t*)0x20000bb4 = 0; *(uint16_t*)0x20000bb5 = 0x20; *(uint8_t*)0x20000bb7 = 8; *(uint8_t*)0x20000bb8 = 0xb4; *(uint8_t*)0x20000bb9 = 3; *(uint8_t*)0x20000bba = 9; *(uint8_t*)0x20000bbb = 5; *(uint8_t*)0x20000bbc = 2; *(uint8_t*)0x20000bbd = 1; *(uint16_t*)0x20000bbe = 0x200; *(uint8_t*)0x20000bc0 = 2; *(uint8_t*)0x20000bc1 = 6; *(uint8_t*)0x20000bc2 = 0x20; *(uint8_t*)0x20000bc3 = 9; *(uint8_t*)0x20000bc4 = 5; *(uint8_t*)0x20000bc5 = 7; *(uint8_t*)0x20000bc6 = 2; *(uint16_t*)0x20000bc7 = 0x3ff; *(uint8_t*)0x20000bc9 = 0x29; *(uint8_t*)0x20000bca = 4; *(uint8_t*)0x20000bcb = 0x4c; *(uint8_t*)0x20000bcc = 9; *(uint8_t*)0x20000bcd = 5; *(uint8_t*)0x20000bce = 5; *(uint8_t*)0x20000bcf = 0; *(uint16_t*)0x20000bd0 = 0x200; *(uint8_t*)0x20000bd2 = 2; *(uint8_t*)0x20000bd3 = 0x22; *(uint8_t*)0x20000bd4 = 5; *(uint8_t*)0x20000bd5 = 7; *(uint8_t*)0x20000bd6 = 0x25; *(uint8_t*)0x20000bd7 = 1; *(uint8_t*)0x20000bd8 = 0; *(uint8_t*)0x20000bd9 = 7; *(uint16_t*)0x20000bda = 0x27; *(uint8_t*)0x20000bdc = 9; *(uint8_t*)0x20000bdd = 5; *(uint8_t*)0x20000bde = 0xe; *(uint8_t*)0x20000bdf = 0xc; *(uint16_t*)0x20000be0 = 0x20; *(uint8_t*)0x20000be2 = 0x40; *(uint8_t*)0x20000be3 = 9; *(uint8_t*)0x20000be4 = 0x1f; *(uint8_t*)0x20000be5 = 0x4f; *(uint8_t*)0x20000be6 = 1; memcpy((void*)0x20000be7, "\xf1\x48\xd8\x44\x07\xf5\xb8\xdf\xda\x7c\x13\xb6\x82\x81\xb7\xd1\x42\x09\x55\x10\x93\xf9\x1b\x2d\x8f\x89\x1d\x9f\x3b\x8f\xf0\x7a\x8c\x2b\x56\xbc\xbf\xa7\x44\xea\x1d\xa6\x9f\xb1\x16\xc7\x1d\x11\xfa\x13\xb6\xa2\xc4\x64\xe6\x5d\x7c\x70\x6a\xe2\x5e\x0a\xd8\x36\xd3\x28\xf3\x09\x28\xaf\x26\xfe\x9d\x4f\x3f\x1d\xc1", 77); *(uint8_t*)0x20000c34 = 7; *(uint8_t*)0x20000c35 = 0x25; *(uint8_t*)0x20000c36 = 1; *(uint8_t*)0x20000c37 = 0x82; *(uint8_t*)0x20000c38 = 0x18; *(uint16_t*)0x20000c39 = 0xfc0; *(uint8_t*)0x20000c3b = 9; *(uint8_t*)0x20000c3c = 5; *(uint8_t*)0x20000c3d = 4; *(uint8_t*)0x20000c3e = 0; *(uint16_t*)0x20000c3f = 0x400; *(uint8_t*)0x20000c41 = 0; *(uint8_t*)0x20000c42 = 0x80; *(uint8_t*)0x20000c43 = 7; *(uint8_t*)0x20000c44 = 7; *(uint8_t*)0x20000c45 = 0x25; *(uint8_t*)0x20000c46 = 1; *(uint8_t*)0x20000c47 = 2; *(uint8_t*)0x20000c48 = 4; *(uint16_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4b = 0xf7; *(uint8_t*)0x20000c4c = 0x30; memcpy((void*)0x20000c4d, "\xab\xdd\xdd\x4f\x9b\x3f\x7c\x94\x0f\x59\xac\x5d\x6a\xc2\x20\xf7\x66\x83\x45\x97\x34\x86\x90\xed\xd4\x5d\xbc\xad\x8d\x72\x00\xdb\x71\x84\x99\x1d\x25\x39\xdf\x54\xe5\xad\x82\xe5\xd5\x8b\x03\x66\xea\x3b\x34\x1b\xe9\xa3\x0b\x4b\x2b\xd6\x6b\xf0\x04\x79\x62\x8c\xb4\x77\xc8\x29\x38\xf8\xd3\xc1\x06\xa7\xe1\x8b\x0e\x54\x85\xa0\xb1\x61\x1a\xba\x1d\x8a\xd3\xc7\x40\xfc\x3d\x9a\xcc\xb5\xd7\xb2\x93\xb9\x0b\x16\x8c\x3f\x2c\x69\x79\x81\x35\xb5\x62\x47\x5f\xe2\xa3\xb8\xf6\x19\x57\x22\x51\x66\x27\x87\xbf\x74\x9f\x67\x3a\x35\xee\x80\xea\x76\xed\xd0\xfc\x7b\x31\x77\xf2\x4f\x50\xd6\x8a\xce\xd6\x90\x2e\xcf\x5e\x0a\x1d\x31\x26\xd9\x53\x09\x46\xab\xac\x7a\x85\x79\x91\x94\x74\x8f\x34\xee\xf3\xe2\x49\xc0\xed\xe1\x51\x1b\x67\x62\x6c\x06\x32\x2b\xa0\xb3\x13\x3a\xd7\xea\xb4\x6c\xc0\x7a\x99\x5f\x01\x1d\x24\x78\x19\x83\xc1\x70\x9a\x03\xac\x2e\xf1\x65\xa9\xb9\x1e\xd9\xe7\x5e\x22\x19\x05\xa9\x32\xc3\x50\x1d\x40\x56\x69\x16\xd6\x3f\x2f\xae\x4e\x97\x98\xfa\xb8\xe1\x6a\x1d\x36\x4f\x01\x9c\x0e\xbd\xb0", 245); *(uint8_t*)0x20000d42 = 9; *(uint8_t*)0x20000d43 = 5; *(uint8_t*)0x20000d44 = 2; *(uint8_t*)0x20000d45 = 0; *(uint16_t*)0x20000d46 = 0x40; *(uint8_t*)0x20000d48 = 0xfe; *(uint8_t*)0x20000d49 = 0x20; *(uint8_t*)0x20000d4a = 9; *(uint8_t*)0x20000d4b = 0xed; *(uint8_t*)0x20000d4c = 1; memcpy((void*)0x20000d4d, "\x97\x48\x0b\x61\x9e\xce\x34\x91\x71\x8d\x87\x0d\x13\x33\xf7\xf3\xcb\xe0\x33\x67\xac\x7f\x15\xbe\x17\x93\xcf\x2d\x63\x5a\xf6\x7a\xf8\x8c\xfe\xa5\x26\xad\x45\xea\x67\xc3\x9a\xde\x3d\x19\x91\x8d\x55\xea\x59\x8a\x78\x07\xfd\x2c\x56\xad\xdf\xb5\x2f\x42\x75\x6b\xfc\x60\x2c\x04\x56\x0e\x98\x1a\x38\x78\x3c\xa3\xdd\x8b\xa4\x31\xc2\x67\x59\x2b\xc0\x04\xb2\xf5\x3e\x49\x08\x2d\xac\x6a\x78\x48\xb9\x29\xdc\xf5\x3f\x15\x1f\x4c\x9a\xe6\xf8\x91\x2f\xff\xd9\x19\x9b\xcd\xcd\x8b\x95\xfd\xc2\xdf\xaa\x22\xd3\xa7\x31\xf3\xc4\xaa\x34\x47\xd4\x18\x3b\x1c\xb4\xcc\xce\xb3\x6e\x69\x37\xf2\x27\x5c\x89\xce\x0b\xa8\x3f\x40\xc2\xc7\xdb\xf1\x3b\x41\x77\x0a\x0f\x12\x5b\x10\xde\xd7\xee\xfe\x7a\x18\x24\xf9\xee\xf4\x93\x83\x10\xa5\x5c\x12\x1b\xf1\xa9\x25\x9f\x55\x16\x72\xb8\xa0\xa5\x2f\xea\xc5\xcb\xc5\xab\x96\xa5\x49\x1e\xf5\x33\xd7\xbe\x14\x76\x4e\x9d\xa5\x31\xff\xef\x82\xf8\x61\x2a\x74\x0f\xb5\x87\x56\xf7\xcb\x60\x92\xab\xb1\x5a\xa6\xcf\x04\x94\xcb\x71\x06\xf1", 235); *(uint8_t*)0x20000e38 = 0xd3; *(uint8_t*)0x20000e39 = 8; memcpy((void*)0x20000e3a, "\x4e\x8e\x03\x4e\xe9\x75\x01\xac\x38\x25\x74\xd2\xa7\x25\x27\xc5\xe0\xc8\x32\x61\x8b\xc6\xa1\xea\x16\xc3\xf3\x23\x25\x89\x71\x63\x3a\x03\x33\x99\x1a\xd9\x97\x54\xb0\x06\xc9\x5c\x4d\xe5\xf9\x01\xec\x1b\x8d\x86\xbd\x47\xc5\x64\xbd\x2a\xef\x08\xdf\x3c\x22\x4a\x3e\x6e\x40\x84\x65\x54\xee\xd2\x73\x4d\x71\xce\x33\x92\x96\x7e\xf5\x5c\x96\xb3\xda\x0a\xa5\x48\x1f\x31\xc3\x51\xcf\x18\x59\xcb\xee\x24\x4e\x75\x1c\x60\xcf\xad\xc2\x33\xcb\x60\x02\xee\x6f\xf4\xcc\x2c\x9b\x76\x37\x8f\x5b\x6e\x41\x0c\x01\x4f\x25\xcb\x9f\xff\x68\xf8\xa6\xff\x5b\x81\xb6\xd0\x9b\x9c\x7a\x2a\xaf\x84\x8b\xd2\x47\xed\x21\xb1\x3a\xa8\xd3\x5b\xcb\x7b\xf2\xfa\x6b\x8c\xbf\x55\x29\x9e\xdb\xce\x15\xe7\x88\xd1\xf9\x3c\xff\x32\x23\x99\x24\x9a\xc0\x80\xf2\xd4\x7b\xd3\xf2\x7e\x7a\x6d\xe1\x84\x90\x48\x11\x72\x25\x36\xd0\xa2\x33\x0e\x3e\x51\x11\x46\xfa\xab\x98\x64\xd1\xb1\x83", 209); *(uint8_t*)0x20000f0b = 9; *(uint8_t*)0x20000f0c = 5; *(uint8_t*)0x20000f0d = 0xb; *(uint8_t*)0x20000f0e = 0; *(uint16_t*)0x20000f0f = 0x10; *(uint8_t*)0x20000f11 = 0x2c; *(uint8_t*)0x20000f12 = 9; *(uint8_t*)0x20000f13 = 6; *(uint8_t*)0x20000f14 = 7; *(uint8_t*)0x20000f15 = 0x25; *(uint8_t*)0x20000f16 = 1; *(uint8_t*)0x20000f17 = 0x80; *(uint8_t*)0x20000f18 = 0xc9; *(uint16_t*)0x20000f19 = 0xbb; *(uint8_t*)0x20000f1b = 0x1f; *(uint8_t*)0x20000f1c = 0x31; memcpy((void*)0x20000f1d, "\xe4\x4d\x51\xa1\x5a\x72\x0f\x09\x9d\xad\xeb\x93\x26\x25\x52\xa9\x35\x42\x42\x29\xd3\xf4\xd1\x2e\xdc\x1b\xaa\x9f\x88", 29); *(uint8_t*)0x20000f3a = 9; *(uint8_t*)0x20000f3b = 5; *(uint8_t*)0x20000f3c = 0xc; *(uint8_t*)0x20000f3d = 0; *(uint16_t*)0x20000f3e = 8; *(uint8_t*)0x20000f40 = 0x49; *(uint8_t*)0x20000f41 = 0x40; *(uint8_t*)0x20000f42 = 0x55; *(uint8_t*)0x20000f43 = 9; *(uint8_t*)0x20000f44 = 4; *(uint8_t*)0x20000f45 = 0xfe; *(uint8_t*)0x20000f46 = 0x33; *(uint8_t*)0x20000f47 = 2; *(uint8_t*)0x20000f48 = 0xa2; *(uint8_t*)0x20000f49 = 0x17; *(uint8_t*)0x20000f4a = 0x9a; *(uint8_t*)0x20000f4b = 2; *(uint8_t*)0x20000f4c = 9; *(uint8_t*)0x20000f4d = 0x24; *(uint8_t*)0x20000f4e = 6; *(uint8_t*)0x20000f4f = 0; *(uint8_t*)0x20000f50 = 1; memcpy((void*)0x20000f51, "\xfb\x7f\xfd\xe8", 4); *(uint8_t*)0x20000f55 = 5; *(uint8_t*)0x20000f56 = 0x24; *(uint8_t*)0x20000f57 = 0; *(uint16_t*)0x20000f58 = 1; *(uint8_t*)0x20000f5a = 0xd; *(uint8_t*)0x20000f5b = 0x24; *(uint8_t*)0x20000f5c = 0xf; *(uint8_t*)0x20000f5d = 1; *(uint32_t*)0x20000f5e = 4; *(uint16_t*)0x20000f62 = 0x9f54; *(uint16_t*)0x20000f64 = 0x267; *(uint8_t*)0x20000f66 = 1; *(uint8_t*)0x20000f67 = 6; *(uint8_t*)0x20000f68 = 0x24; *(uint8_t*)0x20000f69 = 0x1a; *(uint16_t*)0x20000f6a = 9; *(uint8_t*)0x20000f6c = 9; *(uint8_t*)0x20000f6d = 0xc; *(uint8_t*)0x20000f6e = 0x24; *(uint8_t*)0x20000f6f = 0x1b; *(uint16_t*)0x20000f70 = -1; *(uint16_t*)0x20000f72 = 1; *(uint8_t*)0x20000f74 = 0x20; *(uint8_t*)0x20000f75 = 6; *(uint16_t*)0x20000f76 = 6; *(uint8_t*)0x20000f78 = 6; *(uint8_t*)0x20000f79 = 0x15; *(uint8_t*)0x20000f7a = 0x24; *(uint8_t*)0x20000f7b = 0x12; *(uint16_t*)0x20000f7c = 3; *(uint64_t*)0x20000f7e = 0x14f5e048ba817a3; *(uint64_t*)0x20000f86 = 0x2a397ecbffc007a6; *(uint8_t*)0x20000f8e = 0xc; *(uint8_t*)0x20000f8f = 0x24; *(uint8_t*)0x20000f90 = 0x1b; *(uint16_t*)0x20000f91 = 0x91; *(uint16_t*)0x20000f93 = 5; *(uint8_t*)0x20000f95 = 1; *(uint8_t*)0x20000f96 = -1; *(uint16_t*)0x20000f97 = 5; *(uint8_t*)0x20000f99 = 0x35; *(uint8_t*)0x20000f9a = 4; *(uint8_t*)0x20000f9b = 0x24; *(uint8_t*)0x20000f9c = 2; *(uint8_t*)0x20000f9d = 1; *(uint8_t*)0x20000f9e = 9; *(uint8_t*)0x20000f9f = 5; *(uint8_t*)0x20000fa0 = 0xa; *(uint8_t*)0x20000fa1 = 0x10; *(uint16_t*)0x20000fa2 = 8; *(uint8_t*)0x20000fa4 = 0x80; *(uint8_t*)0x20000fa5 = 0xc1; *(uint8_t*)0x20000fa6 = 4; *(uint8_t*)0x20000fa7 = 0xb8; *(uint8_t*)0x20000fa8 = 0x30; memcpy((void*)0x20000fa9, "\xe3\x84\xdc\xf0\x3a\xc3\x95\x40\xe5\xa2\x21\x99\xf7\x1a\x53\xba\x42\x8c\x3b\x72\x02\x90\xf0\x27\x6b\xcc\xa0\xcd\x15\x40\x5f\x6c\x93\x04\x97\xaf\x5e\xb3\x20\xa4\x33\xcc\x55\x3d\x6e\x01\x08\xed\xbf\x79\x3e\xf0\x24\x0f\xf2\x69\xb4\xff\x96\xd6\x82\x2b\xcb\x48\xce\xba\xe2\xa5\xce\xad\x65\x78\x6e\xbe\xcd\x5f\x30\x0c\x08\x60\x6d\x33\x22\xb8\x36\x00\x29\xbd\x21\x31\x2d\xac\x49\x33\x61\xe1\xb0\x8f\x2a\xdc\xa4\xdc\x49\xa0\x04\xfe\xfd\xf7\xa3\xa5\x25\xae\x5d\xe1\x1f\x0a\x69\x1a\x41\xb8\x69\xd9\xb9\xa5\xd9\x0d\x5a\x7b\x5e\xbe\x9e\x57\x73\xb9\x7e\xfe\x98\xe3\x89\x53\x77\xa4\x24\xe3\x0e\xf2\x2f\xd2\xff\xa2\x53\x2f\x1b\xb3\xc1\xa4\xe3\xb8\x6a\xfc\x08\xb2\x65\x9a\xa2\xe5\x56\xf1\x90\xe2\x7f\x83\x61\x9a\x16\x18\xd3\x71\xe1\x02\xc5\x58", 182); *(uint8_t*)0x2000105f = 9; *(uint8_t*)0x20001060 = 5; *(uint8_t*)0x20001061 = 0x80; *(uint8_t*)0x20001062 = 1; *(uint16_t*)0x20001063 = 0x40; *(uint8_t*)0x20001065 = 4; *(uint8_t*)0x20001066 = 0; *(uint8_t*)0x20001067 = 0x1f; *(uint8_t*)0x20001068 = 9; *(uint8_t*)0x20001069 = 4; *(uint8_t*)0x2000106a = 0x74; *(uint8_t*)0x2000106b = 0x90; *(uint8_t*)0x2000106c = 0xa; *(uint8_t*)0x2000106d = -1; *(uint8_t*)0x2000106e = 0x5d; *(uint8_t*)0x2000106f = 1; *(uint8_t*)0x20001070 = 0x81; *(uint8_t*)0x20001071 = 0x6c; *(uint8_t*)0x20001072 = 4; memcpy((void*)0x20001073, "\xde\xaf\x84\x76\xcc\x58\x55\xff\xb6\xd2\x2d\x6c\xeb\x29\x77\x34\x8b\xa8\x6d\xee\x7d\x9e\x22\xe0\xc4\x64\x77\xb0\x6c\x0d\xb5\x14\xbb\x53\x83\xa6\x2a\x40\x2c\xc6\xe0\x79\x5d\xdd\xa5\x10\xcf\x42\x38\xb2\xc6\x4b\x65\x7a\x11\x11\xef\xc0\xe4\xaa\xcf\x9e\x40\x80\x2d\xd0\xee\xb6\x9f\x27\x1c\x1e\x6f\xe0\xee\x5e\x9f\x48\x12\x28\x32\xe6\xa8\x0a\x4d\x7a\x66\x11\xe3\xfd\x2d\xca\x49\xd3\x51\x90\x8f\xf9\xa4\x8c\xa2\x0c\x78\xa6\x9c\x65", 106); *(uint8_t*)0x200010dd = 9; *(uint8_t*)0x200010de = 0x21; *(uint16_t*)0x200010df = 7; *(uint8_t*)0x200010e1 = 7; *(uint8_t*)0x200010e2 = 1; *(uint8_t*)0x200010e3 = 0x22; *(uint16_t*)0x200010e4 = 0xab5; *(uint8_t*)0x200010e6 = 9; *(uint8_t*)0x200010e7 = 5; *(uint8_t*)0x200010e8 = 0; *(uint8_t*)0x200010e9 = 0; *(uint16_t*)0x200010ea = 0x200; *(uint8_t*)0x200010ec = 4; *(uint8_t*)0x200010ed = 7; *(uint8_t*)0x200010ee = 0; *(uint8_t*)0x200010ef = 9; *(uint8_t*)0x200010f0 = 5; *(uint8_t*)0x200010f1 = 0x80; *(uint8_t*)0x200010f2 = 0xc; *(uint16_t*)0x200010f3 = 0x40; *(uint8_t*)0x200010f5 = 0; *(uint8_t*)0x200010f6 = 0x7f; *(uint8_t*)0x200010f7 = -1; *(uint8_t*)0x200010f8 = 7; *(uint8_t*)0x200010f9 = 0x25; *(uint8_t*)0x200010fa = 1; *(uint8_t*)0x200010fb = 0; *(uint8_t*)0x200010fc = 0; *(uint16_t*)0x200010fd = 0xff; *(uint8_t*)0x200010ff = 7; *(uint8_t*)0x20001100 = 0x25; *(uint8_t*)0x20001101 = 1; *(uint8_t*)0x20001102 = 2; *(uint8_t*)0x20001103 = 0xfa; *(uint16_t*)0x20001104 = 5; *(uint8_t*)0x20001106 = 9; *(uint8_t*)0x20001107 = 5; *(uint8_t*)0x20001108 = 3; *(uint8_t*)0x20001109 = 3; *(uint16_t*)0x2000110a = 0x3ff; *(uint8_t*)0x2000110c = 0x80; *(uint8_t*)0x2000110d = 0x7f; *(uint8_t*)0x2000110e = 8; *(uint8_t*)0x2000110f = 9; *(uint8_t*)0x20001110 = 5; *(uint8_t*)0x20001111 = 5; *(uint8_t*)0x20001112 = 1; *(uint16_t*)0x20001113 = 0x20; *(uint8_t*)0x20001115 = 4; *(uint8_t*)0x20001116 = 0x3c; *(uint8_t*)0x20001117 = 4; *(uint8_t*)0x20001118 = 7; *(uint8_t*)0x20001119 = 0x25; *(uint8_t*)0x2000111a = 1; *(uint8_t*)0x2000111b = 0x80; *(uint8_t*)0x2000111c = 0x40; *(uint16_t*)0x2000111d = 0x800; *(uint8_t*)0x2000111f = 9; *(uint8_t*)0x20001120 = 5; *(uint8_t*)0x20001121 = 0xd; *(uint8_t*)0x20001122 = 0; *(uint16_t*)0x20001123 = 0x20; *(uint8_t*)0x20001125 = -1; *(uint8_t*)0x20001126 = 0x14; *(uint8_t*)0x20001127 = 0x3f; *(uint8_t*)0x20001128 = 9; *(uint8_t*)0x20001129 = 5; *(uint8_t*)0x2000112a = 4; *(uint8_t*)0x2000112b = 0; *(uint16_t*)0x2000112c = 0x20; *(uint8_t*)0x2000112e = 1; *(uint8_t*)0x2000112f = 1; *(uint8_t*)0x20001130 = 0x56; *(uint8_t*)0x20001131 = 9; *(uint8_t*)0x20001132 = 5; *(uint8_t*)0x20001133 = 0xc; *(uint8_t*)0x20001134 = 0x10; *(uint16_t*)0x20001135 = 8; *(uint8_t*)0x20001137 = 1; *(uint8_t*)0x20001138 = 5; *(uint8_t*)0x20001139 = 2; *(uint8_t*)0x2000113a = 0x20; *(uint8_t*)0x2000113b = 4; memcpy((void*)0x2000113c, "\x6d\xdd\x41\x04\xce\xf7\xb1\xf7\xb2\xdd\xda\xbb\x24\xea\x94\xbe\x1e\x8a\xc9\xfb\xba\x62\xcd\x71\xc1\xa1\xcb\xfa\x4e\x73", 30); *(uint8_t*)0x2000115a = 9; *(uint8_t*)0x2000115b = 5; *(uint8_t*)0x2000115c = 7; *(uint8_t*)0x2000115d = 4; *(uint16_t*)0x2000115e = 0x10; *(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 6; *(uint8_t*)0x20001162 = 0xf8; *(uint8_t*)0x20001163 = 7; *(uint8_t*)0x20001164 = 0x25; *(uint8_t*)0x20001165 = 1; *(uint8_t*)0x20001166 = 0x80; *(uint8_t*)0x20001167 = 3; *(uint16_t*)0x20001168 = 0x8000; *(uint8_t*)0x2000116a = 0x98; *(uint8_t*)0x2000116b = 0x21; memcpy((void*)0x2000116c, "\xe7\xba\xc6\xd3\x44\x3c\xdf\xcd\xf9\xc2\x4b\x69\x78\xdb\xfb\x9d\xd1\x82\x4a\x59\x64\xcb\xfa\x0f\xe6\x42\x96\xd5\x79\x4c\x61\x59\xbc\x30\xb8\x02\xa5\x9b\x5c\x7a\x49\xb5\x34\x03\x5d\xf5\x6b\xbc\x48\x86\x52\xee\x31\xc6\x01\xd5\x32\x65\x07\x01\x6b\xd4\x45\xa1\xc0\x9d\xf2\x31\xcf\x57\x81\x19\x0d\xaa\xba\x0c\xbd\x84\xa1\x72\x64\x03\x27\xb8\xc1\xa1\xd9\x0b\xfa\xb1\x8f\x24\x96\x1f\xfe\x12\xa0\x48\x6a\x23\x9c\x79\xa2\x59\xc5\x37\x65\x26\x03\xdc\xbd\x4b\x2b\x73\x42\xae\x0d\x71\x5a\x75\x43\xf4\xd0\x8b\xb5\x57\xbd\xdc\xd3\xbc\xa8\x35\x90\xb5\x7c\x30\xee\xe2\xce\x95\xf6\xc7\x10\x2f\x64\x6a\xf8\x28\xa4\x96", 150); *(uint8_t*)0x20001202 = 9; *(uint8_t*)0x20001203 = 5; *(uint8_t*)0x20001204 = 2; *(uint8_t*)0x20001205 = 3; *(uint16_t*)0x20001206 = 0x400; *(uint8_t*)0x20001208 = 3; *(uint8_t*)0x20001209 = 2; *(uint8_t*)0x2000120a = 8; *(uint8_t*)0x2000120b = 9; *(uint8_t*)0x2000120c = 5; *(uint8_t*)0x2000120d = 6; *(uint8_t*)0x2000120e = 0x10; *(uint16_t*)0x2000120f = 0x20; *(uint8_t*)0x20001211 = -1; *(uint8_t*)0x20001212 = 4; *(uint8_t*)0x20001213 = 6; *(uint32_t*)0x20001540 = 0xa; *(uint64_t*)0x20001544 = 0x20001240; *(uint8_t*)0x20001240 = 0xa; *(uint8_t*)0x20001241 = 6; *(uint16_t*)0x20001242 = 0x300; *(uint8_t*)0x20001244 = -1; *(uint8_t*)0x20001245 = 0x81; *(uint8_t*)0x20001246 = 6; *(uint8_t*)0x20001247 = 0xf7; *(uint8_t*)0x20001248 = 0xc4; *(uint8_t*)0x20001249 = 0; *(uint32_t*)0x2000154c = 0xf; *(uint64_t*)0x20001550 = 0x20001280; *(uint8_t*)0x20001280 = 5; *(uint8_t*)0x20001281 = 0xf; *(uint16_t*)0x20001282 = 0xf; *(uint8_t*)0x20001284 = 1; *(uint8_t*)0x20001285 = 0xa; *(uint8_t*)0x20001286 = 0x10; *(uint8_t*)0x20001287 = 3; *(uint8_t*)0x20001288 = 0; *(uint16_t*)0x20001289 = 0; *(uint8_t*)0x2000128b = 8; *(uint8_t*)0x2000128c = 0x1f; *(uint16_t*)0x2000128d = 0xfff; *(uint32_t*)0x20001558 = 5; *(uint32_t*)0x2000155c = 4; *(uint64_t*)0x20001560 = 0x200012c0; *(uint8_t*)0x200012c0 = 4; *(uint8_t*)0x200012c1 = 3; *(uint16_t*)0x200012c2 = 0xc07; *(uint32_t*)0x20001568 = 0x54; *(uint64_t*)0x2000156c = 0x20001300; *(uint8_t*)0x20001300 = 0x54; *(uint8_t*)0x20001301 = 3; memcpy((void*)0x20001302, "\x32\x1d\x45\x7f\x2f\x5a\xb9\xfc\xb1\x11\x8c\x96\x06\x31\xfd\x85\xa7\x5e\xad\x82\x91\x36\xaa\x2a\x6c\xc0\x31\x14\x51\x03\x5f\xe1\x7b\x95\x6e\xb8\xfa\x52\xd4\x95\xa3\x11\xa6\xc0\x3f\x0a\xe8\x4c\x86\xf0\xed\x78\xda\xeb\xfa\x15\xdb\x7b\xc5\x78\x8c\x97\x24\xba\xf4\x58\x2d\xc0\xec\x1b\xa6\x68\x1a\x76\xb0\xa1\xbf\xc5\xde\x9d\xae\xcc", 82); *(uint32_t*)0x20001574 = 0xd3; *(uint64_t*)0x20001578 = 0x20001380; *(uint8_t*)0x20001380 = 0xd3; *(uint8_t*)0x20001381 = 3; memcpy((void*)0x20001382, "\x18\x33\x6f\xc5\x62\x3b\xa1\x41\x06\x34\xc4\x05\x0b\xcf\x3b\x48\x8e\xa4\x18\x67\xd0\x59\xdc\xdc\xd2\xc3\x68\xd8\x48\xfe\x51\x47\x32\x3c\x0b\xa4\xe5\x1d\x7c\xf2\xa3\xd1\x50\x25\x8f\x8c\xc2\x56\x9b\xd7\x9e\x95\x1e\xa9\x5a\x31\x8d\xe3\x1d\x14\x6c\x37\xa7\xcf\x71\x2f\x1f\xcd\x44\x03\x90\x85\x2c\x8d\x52\x16\xf8\xd2\x3a\x99\x18\xb0\xe0\x53\x52\x1e\xb6\x70\xad\x3e\xe0\xfb\x8a\x93\xa8\xd7\xba\xd7\x19\x9e\xeb\xe1\x2a\x3b\x02\x10\x7a\xc4\x54\x2b\xc6\x49\x79\x77\xe3\x30\x8b\x40\x7b\xf3\x64\x98\x2f\x4f\xc9\xc3\x30\xf9\xa7\x5c\xcb\x65\xc8\x68\x8d\x5c\x24\x7a\xd0\x6c\x20\xcc\xf0\x14\x65\xe3\xab\x09\xfc\x77\x7f\x73\x47\x4c\x2c\xd0\x53\xb8\x48\xad\x32\x55\xb5\xad\xc8\x1e\x03\x3d\x2a\x0f\xac\x50\x61\xea\x52\xda\xcf\x46\xe8\x8e\x8c\x2e\x38\x8d\xeb\x91\xd2\xd9\xfc\x12\x42\x55\x90\x93\x36\x41\x8e\x74\x3b\xda\x4c\xb4\xf7\x3c\x6b\x75\xaf\x9a\x9b", 209); *(uint32_t*)0x20001580 = 4; *(uint64_t*)0x20001584 = 0x20001480; *(uint8_t*)0x20001480 = 4; *(uint8_t*)0x20001481 = 3; *(uint16_t*)0x20001482 = 0x42b; *(uint32_t*)0x2000158c = 0x5a; *(uint64_t*)0x20001590 = 0x200014c0; *(uint8_t*)0x200014c0 = 0x5a; *(uint8_t*)0x200014c1 = 3; memcpy((void*)0x200014c2, "\x4d\x85\xf3\x14\x20\xff\x1c\xed\xa2\x5d\x11\x8d\x33\xa6\xeb\xbc\xe8\x88\xc1\x2d\x90\xeb\x54\xc8\x27\xd1\x49\xc8\xdc\xbd\x99\xf3\x89\x3b\x35\xd1\xda\x6c\x77\x6b\x1b\x5d\x08\x4b\x30\x8c\xdf\x93\x47\x41\x67\xf2\x66\x19\x9f\x44\x0a\x03\xfc\x3e\x34\x38\x03\x1b\x87\x25\xdd\xe6\x02\x9a\x62\x9c\x08\x43\xbe\xdf\x04\x8b\x84\x09\xb1\x53\xf9\x03\xd6\x57\xd2\x2b", 88); res = -1; res = syz_usb_connect(6, 0x714, 0x20000b00, 0x20001540); if (res != -1) r[10] = res; *(uint8_t*)0x200015c0 = 0x12; *(uint8_t*)0x200015c1 = 1; *(uint16_t*)0x200015c2 = 0x200; *(uint8_t*)0x200015c4 = -1; *(uint8_t*)0x200015c5 = -1; *(uint8_t*)0x200015c6 = -1; *(uint8_t*)0x200015c7 = 0x40; *(uint16_t*)0x200015c8 = 0xcf3; *(uint16_t*)0x200015ca = 0x9271; *(uint16_t*)0x200015cc = 0x108; *(uint8_t*)0x200015ce = 1; *(uint8_t*)0x200015cf = 2; *(uint8_t*)0x200015d0 = 3; *(uint8_t*)0x200015d1 = 1; *(uint8_t*)0x200015d2 = 9; *(uint8_t*)0x200015d3 = 2; *(uint16_t*)0x200015d4 = 0x48; *(uint8_t*)0x200015d6 = 1; *(uint8_t*)0x200015d7 = 1; *(uint8_t*)0x200015d8 = 0; *(uint8_t*)0x200015d9 = 0x80; *(uint8_t*)0x200015da = 0xfa; *(uint8_t*)0x200015db = 9; *(uint8_t*)0x200015dc = 4; *(uint8_t*)0x200015dd = 0; *(uint8_t*)0x200015de = 0; *(uint8_t*)0x200015df = 6; *(uint8_t*)0x200015e0 = -1; *(uint8_t*)0x200015e1 = 0; *(uint8_t*)0x200015e2 = 0; *(uint8_t*)0x200015e3 = 0; *(uint8_t*)0x200015e4 = 9; *(uint8_t*)0x200015e5 = 5; *(uint8_t*)0x200015e6 = 1; *(uint8_t*)0x200015e7 = 2; *(uint16_t*)0x200015e8 = 0x200; *(uint8_t*)0x200015ea = 0; *(uint8_t*)0x200015eb = 0; *(uint8_t*)0x200015ec = 0; *(uint8_t*)0x200015ed = 9; *(uint8_t*)0x200015ee = 5; *(uint8_t*)0x200015ef = 0x82; *(uint8_t*)0x200015f0 = 2; *(uint16_t*)0x200015f1 = 0x200; *(uint8_t*)0x200015f3 = 0; *(uint8_t*)0x200015f4 = 0; *(uint8_t*)0x200015f5 = 0; *(uint8_t*)0x200015f6 = 9; *(uint8_t*)0x200015f7 = 5; *(uint8_t*)0x200015f8 = 0x83; *(uint8_t*)0x200015f9 = 3; *(uint16_t*)0x200015fa = 0x40; *(uint8_t*)0x200015fc = 1; *(uint8_t*)0x200015fd = 0; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 9; *(uint8_t*)0x20001600 = 5; *(uint8_t*)0x20001601 = 4; *(uint8_t*)0x20001602 = 3; *(uint16_t*)0x20001603 = 0x40; *(uint8_t*)0x20001605 = 1; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 9; *(uint8_t*)0x20001609 = 5; *(uint8_t*)0x2000160a = 5; *(uint8_t*)0x2000160b = 2; *(uint16_t*)0x2000160c = 0x200; *(uint8_t*)0x2000160e = 0; *(uint8_t*)0x2000160f = 0; *(uint8_t*)0x20001610 = 0; *(uint8_t*)0x20001611 = 9; *(uint8_t*)0x20001612 = 5; *(uint8_t*)0x20001613 = 6; *(uint8_t*)0x20001614 = 2; *(uint16_t*)0x20001615 = 0x200; *(uint8_t*)0x20001617 = 0; *(uint8_t*)0x20001618 = 0; *(uint8_t*)0x20001619 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200015c0, 0); if (res != -1) r[11] = res; *(uint32_t*)0x200017c0 = 0x2c; *(uint64_t*)0x200017c4 = 0x20001640; *(uint8_t*)0x20001640 = 0; *(uint8_t*)0x20001641 = 0x24; *(uint32_t*)0x20001642 = 0x5e; *(uint8_t*)0x20001646 = 0x5e; *(uint8_t*)0x20001647 = 9; memcpy((void*)0x20001648, "\x50\xd3\x39\x2d\x02\xeb\xd2\x29\x33\x8b\x7e\x71\x70\xb9\x84\xd0\x49\x07\xf9\xce\xe9\x84\xf8\x3f\x84\xc9\x51\x8b\x9d\xd9\x17\x85\xfe\x2d\x66\xe1\x04\x26\xff\x86\xd8\xe7\xd6\x63\x53\x83\x06\x24\x01\x71\x79\x0d\x7f\x77\x66\x64\xbd\xfd\x68\xd3\xdf\x43\xcd\xf6\xd0\xe3\xab\x3d\x2a\x62\x95\x30\x92\xa2\xd7\xce\x2f\xcd\xfe\x2c\xf5\x00\x26\x86\x9a\x4b\xcd\x06\x6a\xf9\xdd\xbd", 92); *(uint64_t*)0x200017cc = 0x200016c0; *(uint8_t*)0x200016c0 = 0; *(uint8_t*)0x200016c1 = 3; *(uint32_t*)0x200016c2 = 4; *(uint8_t*)0x200016c6 = 4; *(uint8_t*)0x200016c7 = 3; *(uint16_t*)0x200016c8 = 0x449; *(uint64_t*)0x200017d4 = 0x20001700; *(uint8_t*)0x20001700 = 0; *(uint8_t*)0x20001701 = 0xf; *(uint32_t*)0x20001702 = 0x19; *(uint8_t*)0x20001706 = 5; *(uint8_t*)0x20001707 = 0xf; *(uint16_t*)0x20001708 = 0x19; *(uint8_t*)0x2000170a = 1; *(uint8_t*)0x2000170b = 0x14; *(uint8_t*)0x2000170c = 0x10; *(uint8_t*)0x2000170d = 4; *(uint8_t*)0x2000170e = 0x3f; memcpy((void*)0x2000170f, "\x0f\xf6\x11\x98\x8b\x42\x04\x3b\xdd\x16\xf1\x8b\x9b\x82\xf6\xcf", 16); *(uint64_t*)0x200017dc = 0x20001740; *(uint8_t*)0x20001740 = 0x20; *(uint8_t*)0x20001741 = 0x29; *(uint32_t*)0x20001742 = 0xf; *(uint8_t*)0x20001746 = 0xf; *(uint8_t*)0x20001747 = 0x29; *(uint8_t*)0x20001748 = 0; *(uint16_t*)0x20001749 = 0; *(uint8_t*)0x2000174b = 9; *(uint8_t*)0x2000174c = 0x68; memcpy((void*)0x2000174d, "\x60\xc5\x11\xfa", 4); memcpy((void*)0x20001751, "\x23\xe3\xf5\x32", 4); *(uint64_t*)0x200017e4 = 0x20001780; *(uint8_t*)0x20001780 = 0x20; *(uint8_t*)0x20001781 = 0x2a; *(uint32_t*)0x20001782 = 0xc; *(uint8_t*)0x20001786 = 0xc; *(uint8_t*)0x20001787 = 0x2a; *(uint8_t*)0x20001788 = 5; *(uint16_t*)0x20001789 = 0; *(uint8_t*)0x2000178b = 2; *(uint8_t*)0x2000178c = 7; *(uint8_t*)0x2000178d = 8; *(uint16_t*)0x2000178e = 5; *(uint16_t*)0x20001790 = 0x200; *(uint32_t*)0x20001c80 = 0x84; *(uint64_t*)0x20001c84 = 0x20001800; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0x16; *(uint32_t*)0x20001802 = 0x92; memcpy((void*)0x20001806, "\xe4\x9c\x4e\x0f\xdf\x52\x1d\x4b\xb8\x3a\x1c\x78\xb9\xb6\xf3\x2e\xb6\xe3\x8f\xba\x14\x32\x72\x7c\x39\x17\x49\x72\x7c\x41\x81\x5d\xc3\xfc\x41\x93\xcf\x0f\xc2\x47\xb3\x2c\x61\xdd\x80\xf2\x66\x29\xd7\xcf\x71\x4f\xc0\x80\x15\x77\x01\x40\x5e\x55\xe4\xd1\xae\x2b\x75\x8c\x66\x82\x10\x44\xd2\xe8\x09\x4f\x1b\xd7\x5c\xcf\x96\x00\x45\x47\x26\xe5\xdf\x97\x64\x08\x2d\x53\x70\x12\xad\x6f\xa0\x0a\x11\xbf\x54\x6f\x5d\x86\xaf\x48\x2a\x8f\x0b\x05\x74\x28\x7a\x4c\x56\x40\xbd\x1a\x22\x5a\x60\xd1\x96\x1c\xd5\x6b\x3b\x48\xcf\x69\xd7\x76\xcd\x8b\xba\xc5\xdc\x15\x44\xbf\x6b\x94\xb3\x51\x93\x83\xf9\xc5", 146); *(uint64_t*)0x20001c8c = 0x200018c0; *(uint8_t*)0x200018c0 = 0; *(uint8_t*)0x200018c1 = 0xa; *(uint32_t*)0x200018c2 = 1; *(uint8_t*)0x200018c6 = 0xea; *(uint64_t*)0x20001c94 = 0x20001900; *(uint8_t*)0x20001900 = 0; *(uint8_t*)0x20001901 = 8; *(uint32_t*)0x20001902 = 1; *(uint8_t*)0x20001906 = 0xc0; *(uint64_t*)0x20001c9c = 0x20001940; *(uint8_t*)0x20001940 = 0x20; *(uint8_t*)0x20001941 = 0; *(uint32_t*)0x20001942 = 4; *(uint16_t*)0x20001946 = 3; *(uint16_t*)0x20001948 = 0xc065; *(uint64_t*)0x20001ca4 = 0x20001980; *(uint8_t*)0x20001980 = 0x20; *(uint8_t*)0x20001981 = 0; *(uint32_t*)0x20001982 = 8; *(uint16_t*)0x20001986 = 0x200; *(uint16_t*)0x20001988 = 2; *(uint32_t*)0x2000198a = 0; *(uint64_t*)0x20001cac = 0x200019c0; *(uint8_t*)0x200019c0 = 0x40; *(uint8_t*)0x200019c1 = 7; *(uint32_t*)0x200019c2 = 2; *(uint16_t*)0x200019c6 = 0; *(uint64_t*)0x20001cb4 = 0x20001a00; *(uint8_t*)0x20001a00 = 0x40; *(uint8_t*)0x20001a01 = 9; *(uint32_t*)0x20001a02 = 1; *(uint8_t*)0x20001a06 = 7; *(uint64_t*)0x20001cbc = 0x20001a40; *(uint8_t*)0x20001a40 = 0x40; *(uint8_t*)0x20001a41 = 0xb; *(uint32_t*)0x20001a42 = 2; memcpy((void*)0x20001a46, ",e", 2); *(uint64_t*)0x20001cc4 = 0x20001a80; *(uint8_t*)0x20001a80 = 0x40; *(uint8_t*)0x20001a81 = 0xf; *(uint32_t*)0x20001a82 = 2; *(uint16_t*)0x20001a86 = 0xa; *(uint64_t*)0x20001ccc = 0x20001ac0; *(uint8_t*)0x20001ac0 = 0x40; *(uint8_t*)0x20001ac1 = 0x13; *(uint32_t*)0x20001ac2 = 6; memcpy((void*)0x20001ac6, "\xcb\xa5\xd8\xd5\x17\x87", 6); *(uint64_t*)0x20001cd4 = 0x20001b00; *(uint8_t*)0x20001b00 = 0x40; *(uint8_t*)0x20001b01 = 0x17; *(uint32_t*)0x20001b02 = 6; *(uint8_t*)0x20001b06 = 0xaa; *(uint8_t*)0x20001b07 = 0xaa; *(uint8_t*)0x20001b08 = 0xaa; *(uint8_t*)0x20001b09 = 0xaa; *(uint8_t*)0x20001b0a = 0xaa; *(uint8_t*)0x20001b0b = 0x1b; *(uint64_t*)0x20001cdc = 0x20001b40; *(uint8_t*)0x20001b40 = 0x40; *(uint8_t*)0x20001b41 = 0x19; *(uint32_t*)0x20001b42 = 2; memcpy((void*)0x20001b46, "\x09\xef", 2); *(uint64_t*)0x20001ce4 = 0x20001b80; *(uint8_t*)0x20001b80 = 0x40; *(uint8_t*)0x20001b81 = 0x1a; *(uint32_t*)0x20001b82 = 2; *(uint16_t*)0x20001b86 = 0x200; *(uint64_t*)0x20001cec = 0x20001bc0; *(uint8_t*)0x20001bc0 = 0x40; *(uint8_t*)0x20001bc1 = 0x1c; *(uint32_t*)0x20001bc2 = 1; *(uint8_t*)0x20001bc6 = 0x20; *(uint64_t*)0x20001cf4 = 0x20001c00; *(uint8_t*)0x20001c00 = 0x40; *(uint8_t*)0x20001c01 = 0x1e; *(uint32_t*)0x20001c02 = 1; *(uint8_t*)0x20001c06 = 0x81; *(uint64_t*)0x20001cfc = 0x20001c40; *(uint8_t*)0x20001c40 = 0x40; *(uint8_t*)0x20001c41 = 0x21; *(uint32_t*)0x20001c42 = 1; *(uint8_t*)0x20001c46 = 0x40; syz_usb_control_io(r[11], 0x200017c0, 0x20001c80); *(uint8_t*)0x20001d40 = 0x12; *(uint8_t*)0x20001d41 = 1; *(uint16_t*)0x20001d42 = 0x300; *(uint8_t*)0x20001d44 = 0; *(uint8_t*)0x20001d45 = 0; *(uint8_t*)0x20001d46 = 0; *(uint8_t*)0x20001d47 = 0x40; *(uint16_t*)0x20001d48 = 0x1d6b; *(uint16_t*)0x20001d4a = 0x101; *(uint16_t*)0x20001d4c = 0x40; *(uint8_t*)0x20001d4e = 1; *(uint8_t*)0x20001d4f = 2; *(uint8_t*)0x20001d50 = 3; *(uint8_t*)0x20001d51 = 1; *(uint8_t*)0x20001d52 = 9; *(uint8_t*)0x20001d53 = 2; *(uint16_t*)0x20001d54 = 0xa4; *(uint8_t*)0x20001d56 = 3; *(uint8_t*)0x20001d57 = 1; *(uint8_t*)0x20001d58 = 8; *(uint8_t*)0x20001d59 = 0x80; *(uint8_t*)0x20001d5a = 0x1f; *(uint8_t*)0x20001d5b = 9; *(uint8_t*)0x20001d5c = 4; *(uint8_t*)0x20001d5d = 0; *(uint8_t*)0x20001d5e = 0; *(uint8_t*)0x20001d5f = 0; *(uint8_t*)0x20001d60 = 1; *(uint8_t*)0x20001d61 = 1; *(uint8_t*)0x20001d62 = 0; *(uint8_t*)0x20001d63 = 0; *(uint8_t*)0x20001d64 = 0xa; *(uint8_t*)0x20001d65 = 0x24; *(uint8_t*)0x20001d66 = 1; *(uint16_t*)0x20001d67 = 0x7f; *(uint8_t*)0x20001d69 = 0x24; *(uint8_t*)0x20001d6a = 2; *(uint8_t*)0x20001d6b = 1; *(uint8_t*)0x20001d6c = 2; *(uint8_t*)0x20001d6d = 0xb; *(uint8_t*)0x20001d6e = 0x24; *(uint8_t*)0x20001d6f = 4; *(uint8_t*)0x20001d70 = 3; *(uint8_t*)0x20001d71 = 0x3f; memcpy((void*)0x20001d72, "\xe3\xa7\xba\x11\xb7\x73", 6); *(uint8_t*)0x20001d78 = 0xc; *(uint8_t*)0x20001d79 = 0x24; *(uint8_t*)0x20001d7a = 2; *(uint8_t*)0x20001d7b = 4; *(uint16_t*)0x20001d7c = 0x203; *(uint8_t*)0x20001d7e = 1; *(uint8_t*)0x20001d7f = 2; *(uint16_t*)0x20001d80 = 7; *(uint8_t*)0x20001d82 = 0xfd; *(uint8_t*)0x20001d83 = 0; *(uint8_t*)0x20001d84 = 7; *(uint8_t*)0x20001d85 = 0x24; *(uint8_t*)0x20001d86 = 8; *(uint8_t*)0x20001d87 = 2; *(uint16_t*)0x20001d88 = 4; *(uint8_t*)0x20001d8a = 0x40; *(uint8_t*)0x20001d8b = 9; *(uint8_t*)0x20001d8c = 0x24; *(uint8_t*)0x20001d8d = 3; *(uint8_t*)0x20001d8e = 2; *(uint16_t*)0x20001d8f = 0x101; *(uint8_t*)0x20001d91 = 4; *(uint8_t*)0x20001d92 = 4; *(uint8_t*)0x20001d93 = 5; *(uint8_t*)0x20001d94 = 9; *(uint8_t*)0x20001d95 = 4; *(uint8_t*)0x20001d96 = 1; *(uint8_t*)0x20001d97 = 0; *(uint8_t*)0x20001d98 = 0; *(uint8_t*)0x20001d99 = 1; *(uint8_t*)0x20001d9a = 2; *(uint8_t*)0x20001d9b = 0; *(uint8_t*)0x20001d9c = 0; *(uint8_t*)0x20001d9d = 9; *(uint8_t*)0x20001d9e = 4; *(uint8_t*)0x20001d9f = 1; *(uint8_t*)0x20001da0 = 1; *(uint8_t*)0x20001da1 = 1; *(uint8_t*)0x20001da2 = 1; *(uint8_t*)0x20001da3 = 2; *(uint8_t*)0x20001da4 = 0; *(uint8_t*)0x20001da5 = 0; *(uint8_t*)0x20001da6 = 9; *(uint8_t*)0x20001da7 = 5; *(uint8_t*)0x20001da8 = 1; *(uint8_t*)0x20001da9 = 9; *(uint16_t*)0x20001daa = 0x200; *(uint8_t*)0x20001dac = 0xfc; *(uint8_t*)0x20001dad = 9; *(uint8_t*)0x20001dae = 7; *(uint8_t*)0x20001daf = 7; *(uint8_t*)0x20001db0 = 0x25; *(uint8_t*)0x20001db1 = 1; *(uint8_t*)0x20001db2 = 0; *(uint8_t*)0x20001db3 = 2; *(uint16_t*)0x20001db4 = 8; *(uint8_t*)0x20001db6 = 9; *(uint8_t*)0x20001db7 = 4; *(uint8_t*)0x20001db8 = 2; *(uint8_t*)0x20001db9 = 0; *(uint8_t*)0x20001dba = 0; *(uint8_t*)0x20001dbb = 1; *(uint8_t*)0x20001dbc = 2; *(uint8_t*)0x20001dbd = 0; *(uint8_t*)0x20001dbe = 0; *(uint8_t*)0x20001dbf = 9; *(uint8_t*)0x20001dc0 = 4; *(uint8_t*)0x20001dc1 = 2; *(uint8_t*)0x20001dc2 = 1; *(uint8_t*)0x20001dc3 = 1; *(uint8_t*)0x20001dc4 = 1; *(uint8_t*)0x20001dc5 = 2; *(uint8_t*)0x20001dc6 = 0; *(uint8_t*)0x20001dc7 = 0; *(uint8_t*)0x20001dc8 = 0x12; *(uint8_t*)0x20001dc9 = 0x24; *(uint8_t*)0x20001dca = 2; *(uint8_t*)0x20001dcb = 2; *(uint16_t*)0x20001dcc = 8; *(uint16_t*)0x20001dce = 7; *(uint8_t*)0x20001dd0 = -1; memcpy((void*)0x20001dd1, "\x6c\xce\x23\xa5\x1a\x59\x66\x0a\x8a", 9); *(uint8_t*)0x20001dda = 0xc; *(uint8_t*)0x20001ddb = 0x24; *(uint8_t*)0x20001ddc = 2; *(uint8_t*)0x20001ddd = 1; *(uint8_t*)0x20001dde = 7; *(uint8_t*)0x20001ddf = 2; *(uint8_t*)0x20001de0 = 0xd6; *(uint8_t*)0x20001de1 = 0x40; memcpy((void*)0x20001de2, "\xa5\xe2\x12", 3); memcpy((void*)0x20001de5, "l", 1); *(uint8_t*)0x20001de6 = 9; *(uint8_t*)0x20001de7 = 5; *(uint8_t*)0x20001de8 = 0x82; *(uint8_t*)0x20001de9 = 9; *(uint16_t*)0x20001dea = 0x3ff; *(uint8_t*)0x20001dec = 3; *(uint8_t*)0x20001ded = 0; *(uint8_t*)0x20001dee = 0xac; *(uint8_t*)0x20001def = 7; *(uint8_t*)0x20001df0 = 0x25; *(uint8_t*)0x20001df1 = 1; *(uint8_t*)0x20001df2 = 3; *(uint8_t*)0x20001df3 = 4; *(uint16_t*)0x20001df4 = 5; *(uint32_t*)0x20001f40 = 0xa; *(uint64_t*)0x20001f44 = 0x20001e00; *(uint8_t*)0x20001e00 = 0xa; *(uint8_t*)0x20001e01 = 6; *(uint16_t*)0x20001e02 = 0x200; *(uint8_t*)0x20001e04 = -1; *(uint8_t*)0x20001e05 = 2; *(uint8_t*)0x20001e06 = 7; *(uint8_t*)0x20001e07 = 0x10; *(uint8_t*)0x20001e08 = 6; *(uint8_t*)0x20001e09 = 0; *(uint32_t*)0x20001f4c = 5; *(uint64_t*)0x20001f50 = 0x20001e40; *(uint8_t*)0x20001e40 = 5; *(uint8_t*)0x20001e41 = 0xf; *(uint16_t*)0x20001e42 = 5; *(uint8_t*)0x20001e44 = 0; *(uint32_t*)0x20001f58 = 2; *(uint32_t*)0x20001f5c = 0x52; *(uint64_t*)0x20001f60 = 0x20001e80; *(uint8_t*)0x20001e80 = 0x52; *(uint8_t*)0x20001e81 = 3; memcpy((void*)0x20001e82, "\x4b\xcf\xbc\x74\x9d\x26\xd0\xfb\xc2\x0c\x2e\x20\x2a\x04\x2e\x8b\xb1\x67\xca\xdf\x5c\x2b\xcd\xbd\x07\xdd\xe6\x67\x1d\xa7\xdd\x40\x03\x06\xb2\x6f\x22\x0f\xef\x4a\x33\x97\xf0\xa9\x5a\x4b\x8c\xa5\xba\xfd\x5a\x4f\xa8\xb9\x9d\x24\x50\x5f\x7a\x27\xac\x07\xa1\x6b\xbb\x02\xd5\x24\xc0\xbb\xfa\x3a\xf8\xe3\x18\xdf\x58\xfe\xb1\x43", 80); *(uint32_t*)0x20001f68 = 4; *(uint64_t*)0x20001f6c = 0x20001f00; *(uint8_t*)0x20001f00 = 4; *(uint8_t*)0x20001f01 = 3; *(uint16_t*)0x20001f02 = 0x807; res = -1; res = syz_usb_connect(6, 0xb6, 0x20001d40, 0x20001f40); if (res != -1) r[12] = res; syz_usb_disconnect(r[12]); syz_usb_ep_read(r[10], 6, 0xd6, 0x20001f80); *(uint8_t*)0x20002080 = 0x12; *(uint8_t*)0x20002081 = 1; *(uint16_t*)0x20002082 = 0x110; *(uint8_t*)0x20002084 = 2; *(uint8_t*)0x20002085 = 0; *(uint8_t*)0x20002086 = 0; *(uint8_t*)0x20002087 = -1; *(uint16_t*)0x20002088 = 0x525; *(uint16_t*)0x2000208a = 0xa4a1; *(uint16_t*)0x2000208c = 0x40; *(uint8_t*)0x2000208e = 1; *(uint8_t*)0x2000208f = 2; *(uint8_t*)0x20002090 = 3; *(uint8_t*)0x20002091 = 1; *(uint8_t*)0x20002092 = 9; *(uint8_t*)0x20002093 = 2; *(uint16_t*)0x20002094 = 0x3d; *(uint8_t*)0x20002096 = 1; *(uint8_t*)0x20002097 = 1; *(uint8_t*)0x20002098 = 9; *(uint8_t*)0x20002099 = 0xc0; *(uint8_t*)0x2000209a = 0xb3; *(uint8_t*)0x2000209b = 9; *(uint8_t*)0x2000209c = 4; *(uint8_t*)0x2000209d = 0; *(uint8_t*)0x2000209e = 8; *(uint8_t*)0x2000209f = 3; *(uint8_t*)0x200020a0 = 2; *(uint8_t*)0x200020a1 = 6; *(uint8_t*)0x200020a2 = 0; *(uint8_t*)0x200020a3 = 1; *(uint8_t*)0x200020a4 = 7; *(uint8_t*)0x200020a5 = 0x24; *(uint8_t*)0x200020a6 = 6; *(uint8_t*)0x200020a7 = 0; *(uint8_t*)0x200020a8 = 0; memcpy((void*)0x200020a9, "\x93\xb5", 2); *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 0x24; *(uint8_t*)0x200020ad = 0; *(uint16_t*)0x200020ae = 1; *(uint8_t*)0x200020b0 = 0xd; *(uint8_t*)0x200020b1 = 0x24; *(uint8_t*)0x200020b2 = 0xf; *(uint8_t*)0x200020b3 = 1; *(uint32_t*)0x200020b4 = 5; *(uint16_t*)0x200020b8 = 0xdf0; *(uint16_t*)0x200020ba = 0xa5e2; *(uint8_t*)0x200020bc = -1; *(uint8_t*)0x200020bd = 9; *(uint8_t*)0x200020be = 5; *(uint8_t*)0x200020bf = 0x82; *(uint8_t*)0x200020c0 = 2; *(uint16_t*)0x200020c1 = 0x40; *(uint8_t*)0x200020c3 = 0; *(uint8_t*)0x200020c4 = 0x40; *(uint8_t*)0x200020c5 = 0x20; *(uint8_t*)0x200020c6 = 9; *(uint8_t*)0x200020c7 = 5; *(uint8_t*)0x200020c8 = 3; *(uint8_t*)0x200020c9 = 2; *(uint16_t*)0x200020ca = 8; *(uint8_t*)0x200020cc = 0x20; *(uint8_t*)0x200020cd = -1; *(uint8_t*)0x200020ce = 4; *(uint32_t*)0x20002640 = 0xa; *(uint64_t*)0x20002644 = 0x20002100; *(uint8_t*)0x20002100 = 0xa; *(uint8_t*)0x20002101 = 6; *(uint16_t*)0x20002102 = 0x250; *(uint8_t*)0x20002104 = 0; *(uint8_t*)0x20002105 = 0x81; *(uint8_t*)0x20002106 = 0x20; *(uint8_t*)0x20002107 = 0x20; *(uint8_t*)0x20002108 = 3; *(uint8_t*)0x20002109 = 0; *(uint32_t*)0x2000264c = 5; *(uint64_t*)0x20002650 = 0x20002140; *(uint8_t*)0x20002140 = 5; *(uint8_t*)0x20002141 = 0xf; *(uint16_t*)0x20002142 = 5; *(uint8_t*)0x20002144 = 0; *(uint32_t*)0x20002658 = 8; *(uint32_t*)0x2000265c = 0xcd; *(uint64_t*)0x20002660 = 0x20002180; *(uint8_t*)0x20002180 = 0xcd; *(uint8_t*)0x20002181 = 3; memcpy((void*)0x20002182, "\x2e\x83\x3d\xbc\x02\x86\x82\x12\xd3\xec\x73\x52\xfb\x0d\xe8\xa0\x5e\xcf\x66\x18\x59\xde\xbe\x23\xba\x73\x5f\xb9\x0a\x26\x85\x3e\x0d\x4c\x9b\xfc\xeb\xac\x70\xce\x40\x53\x9a\x98\xcf\x89\x47\xe0\x6b\xb7\x5d\xe0\xa9\x20\x5e\x0b\x79\x1c\xb4\xf9\xe7\xaa\x0a\xe1\x14\x9e\x93\x94\xff\xef\x26\x6f\x96\xe0\xc7\x5a\xb7\x28\xca\xdb\xc3\x12\x57\x0e\xfe\xd7\x37\x09\x0a\x62\x51\xc0\x9e\x1a\x5d\x38\xa0\xc6\xf1\xec\x4a\xe0\x55\x86\x3d\x69\xe4\xdc\xf3\x6d\x97\x4d\x2b\xe3\xe4\x87\xc7\xd2\xf1\xdb\x21\x61\xe9\x3b\x7d\x15\x2c\xe0\x46\xf0\x30\xb3\x6d\x08\x32\x89\xed\xdd\x71\x05\xed\x8e\xae\xd4\x9f\x71\x10\x17\xba\xab\xde\x9d\x5f\x01\xcd\x47\x38\x50\x3d\x32\x26\x69\x55\x4f\xcf\x3b\x5a\x65\xb0\x51\x97\x33\xb0\x7a\x7f\x3c\xff\xdc\x92\xb0\x38\x2c\x66\x12\x0c\x41\xaa\xe8\x85\x68\xc7\x52\xf7\x9d\x50\x1f\xd4\xda\x58\xe6\x87\x9e\x7e", 203); *(uint32_t*)0x20002668 = 4; *(uint64_t*)0x2000266c = 0x20002280; *(uint8_t*)0x20002280 = 4; *(uint8_t*)0x20002281 = 3; *(uint16_t*)0x20002282 = 0x3c0a; *(uint32_t*)0x20002674 = 4; *(uint64_t*)0x20002678 = 0x200022c0; *(uint8_t*)0x200022c0 = 4; *(uint8_t*)0x200022c1 = 3; *(uint16_t*)0x200022c2 = 0x3801; *(uint32_t*)0x20002680 = 0x1f; *(uint64_t*)0x20002684 = 0x20002300; *(uint8_t*)0x20002300 = 0x1f; *(uint8_t*)0x20002301 = 3; memcpy((void*)0x20002302, "\xa6\x70\xc3\x58\x2d\x38\x96\x7a\xc4\x85\x45\x5e\x8a\x40\xac\xb6\xf5\xdf\x24\xab\x49\xa4\xc6\xbb\x43\xd5\x84\xed\xf7", 29); *(uint32_t*)0x2000268c = 4; *(uint64_t*)0x20002690 = 0x20002340; *(uint8_t*)0x20002340 = 4; *(uint8_t*)0x20002341 = 3; *(uint16_t*)0x20002342 = 0x44f; *(uint32_t*)0x20002698 = 0xe1; *(uint64_t*)0x2000269c = 0x20002380; *(uint8_t*)0x20002380 = 0xe1; *(uint8_t*)0x20002381 = 3; memcpy((void*)0x20002382, "\xbe\x2c\xe1\x8f\xae\x6d\xa9\xf1\xaa\x4b\x97\x21\x97\xbe\x7a\x6c\xe4\xb2\x83\xc3\xe0\x02\x7e\x6d\xa1\x3d\x86\x39\xf6\x74\xea\x9c\x64\x28\x9b\x33\xc0\xe1\x43\x5b\x7c\x16\x54\xa5\x69\x12\x7b\x26\xad\x53\x77\x4f\x2b\x6b\x20\x57\x9f\xac\x6f\xaf\xfe\x12\x94\x9e\xe4\xb0\xd3\xcd\x2d\x89\x0c\xff\x2d\x7e\x9b\xb4\x3b\x60\x2a\x39\x4e\xfd\x49\x75\x18\x4f\x7e\xec\xab\x16\xa3\xf1\x87\xca\xb4\xc2\xca\x01\xac\x5b\xc9\xc5\x5c\x8b\xb9\x81\x32\x3d\x91\x9f\x77\x35\x5b\x3c\xe7\x42\x8d\xa6\x2a\xf8\x0c\x76\xb1\x85\xe1\x0a\xc7\xb1\xcc\x95\x0e\xcc\x71\x5c\x3e\x0a\x1e\x14\x23\x11\xb6\x29\x41\xe0\x62\x91\xb3\x0d\x2d\x3c\x7d\x46\x8d\xfb\xe2\x83\xc9\x1f\xc0\x83\x3d\xb0\x68\xe7\xbf\x39\x7c\x23\x35\x75\x79\x02\x29\xce\x51\x3b\xbd\xc4\x38\x7d\x81\xb3\x02\x7e\xf6\x8b\x20\xde\x25\xd9\xf1\xff\x32\xb9\x5c\xba\x44\x3b\x9e\x7f\xba\x49\x91\x43\xe8\x41\xa6\x19\x0c\x6e\xcb\x29\x06\xfe\x42\x30\xf8\x39\xba\x8c\x3c\x73\xea", 223); *(uint32_t*)0x200026a4 = 0xc1; *(uint64_t*)0x200026a8 = 0x20002480; *(uint8_t*)0x20002480 = 0xc1; *(uint8_t*)0x20002481 = 3; memcpy((void*)0x20002482, "\xf1\x7d\xb2\xea\x26\xd9\x0b\xa9\x3d\x1d\xbd\x3d\x94\x82\x88\x21\x72\xcc\x15\x8b\x4c\xc4\x3c\x36\xd1\x2b\xb9\x4e\x06\xfc\x7a\xba\x0d\x96\xba\x62\xa3\x8b\x39\xb7\x7b\xb6\x6a\x8b\x4b\xa6\xfe\x26\x0c\x87\x74\x64\xdc\x10\x12\x44\x9a\x3a\x6a\xb5\xb8\x0e\x66\x7a\x3a\x01\xdb\x8d\xd1\xdc\x34\x68\xb0\xd7\x28\x93\xad\xf2\x5b\xd1\xa7\xb9\xdc\xdd\xf5\x69\x12\x2a\x73\x02\x6b\x76\xfd\x0e\x25\xd7\x44\x0c\xa5\xdb\x63\x5b\x3f\xc9\x01\x3f\xd7\x90\x99\xa7\xd7\xe8\x1d\xb8\x74\x5b\xc9\xd0\xa6\xc9\x38\x79\x1d\x2c\xbf\xd1\x0f\x1c\x62\x8c\xa1\x7a\xf9\x93\xb7\x02\xc1\xed\xe3\x0d\xa1\x88\x25\x67\xce\x28\x7f\x66\xb2\x3e\xbf\x40\x8a\x2d\x9c\x63\xe1\xcb\x0b\x27\x95\x27\x3e\xfa\x81\x53\x56\x1c\x3c\x3e\xeb\x71\xd1\x2a\xa0\x87\xe9\x25\x55\x26\xb5\x28\xf5\x38\xaf\x4a\xbd\x41\xcf\x89\x01", 191); *(uint32_t*)0x200026b0 = 0xc0; *(uint64_t*)0x200026b4 = 0x20002580; *(uint8_t*)0x20002580 = 0xc0; *(uint8_t*)0x20002581 = 3; memcpy((void*)0x20002582, "\x6f\x57\xd6\xa5\x96\x20\x2e\xbf\x5a\x75\xb9\x72\x49\x11\xf9\x1a\x3d\x92\xae\x1a\xc8\x1a\xbb\x9c\x1b\x13\x4a\x76\xe6\x65\x90\xf6\xeb\x8d\xd8\x4c\xc1\x09\x60\xb8\xd2\x23\x94\x7d\x1c\x2e\x77\x1b\x94\xe7\x29\xd8\x34\x18\xf4\x14\x21\x3f\xf8\xb9\x06\x77\x03\x30\xbe\xa7\x0e\x59\xfe\x4d\x8b\xa5\x37\xfb\xcf\xd3\xc4\xbf\xc4\xea\x3b\x64\x0c\x31\x12\x92\x6d\x8c\x78\xee\xe8\x39\x72\x09\x00\xc5\x05\xcc\x01\x3c\x12\x63\xdc\xf2\x7b\x6c\x0f\x87\xfc\xb8\x7f\x40\xcb\x6b\xde\x31\x54\xcc\xd6\x3e\x65\xa4\x8c\x86\xc5\x8a\x38\x57\xf6\x8f\x88\x08\x20\x3f\xb2\x8d\x95\xe7\x4a\x18\x65\xeb\x8f\x82\xfe\x95\x35\x62\xa1\x47\x51\xed\x18\xf2\x51\xe5\x11\x53\x70\xd2\xbc\x19\x14\x5c\xcf\x3a\xbe\xae\x4c\x81\xfb\x1d\x97\xf6\x2e\x03\x5d\xb7\x3d\x11\xab\x7e\xc5\x96\xbc\x7a\x36\x86\x55\xc6", 190); res = -1; res = syz_usb_connect(4, 0x4f, 0x20002080, 0x20002640); if (res != -1) r[13] = res; memcpy((void*)0x200026c0, "\x01\xdf\x42\x94\xf0\x1f\xe1\xf9\x43\xb7\x80\xcc\xad\x76\xab\x8a\x48\x35\x3c\xbc\xe5\x48\x12\x83\xfb\x7d\x07\xe3\x29\x52\x05\x54\x49\xb6\x58\x1b\x36\x93\xb6\x7e\xde\xa7\xf1\x03\x54\x2f\xd1\xdc\xcf\x21\xa4\xf8\xce\x11\xf5\x24\x82\xa5\x50\xdd\x31\x99\xda\x83\x0c\x3e\x19\xff\x1a\x99\x6c\xe1\x42\x4b\x13\x49\x5e\x70\x4b\xe3\xf8\xc1\x06\xd0\x83\x38\xa6\x9d\xb2\x9c\x70\xd0\x40\xba\x40\x50\x16\xd9\x02\x55\xd8\x1d\x11\x5d\x9c\x6c\x9c\x13\xb9\x57\x89\xba\x2d\x4e\xe0\xf0\x05\xd9\x5b", 119); syz_usb_ep_write(r[13], 8, 0x77, 0x200026c0); } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :207:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :207:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor049394904 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/8 (0.46s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:setuid Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static int do_sandbox_setuid(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); if (unshare(CLONE_NEWNET)) { } const int nobody = 65534; if (setgroups(0, NULL)) exit(1); if (syscall(SYS_setresgid, nobody, nobody, nobody)) exit(1); if (syscall(SYS_setresuid, nobody, nobody, nobody)) exit(1); prctl(PR_SET_DUMPABLE, 1, 0, 0, 0); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 40; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 26 ? 50 : 0) + (call == 32 ? 3000 : 0) + (call == 33 ? 3000 : 0) + (call == 34 ? 300 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 3000 : 0) + (call == 39 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/dsp\000", 9); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); break; case 2: syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); break; case 3: memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); if (res != -1) r[1] = res; break; case 4: *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); break; case 5: syscall(__NR_socket, 0xaul, 5ul, 0x84); break; case 6: memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20000240, 8, 0x40040); if (res != -1) r[2] = res; break; case 7: *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); break; case 8: *(uint32_t*)0x20000300 = 0x14; syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); break; case 9: syscall(__NR_socket, 4ul, 2ul, 0); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); break; case 11: *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; break; case 12: memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); syz_execute_func(0x20000140); break; case 13: break; case 14: memcpy((void*)0x200001c0, "SEG6\000", 5); syz_genetlink_get_family_id(0x200001c0); break; case 15: syz_init_net_socket(3, 2, 0xc4); break; case 16: res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); if (res != -1) r[3] = res; break; case 17: syz_io_uring_complete(r[3]); break; case 18: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); if (res != -1) r[4] = *(uint32_t*)0x20000218; break; case 19: res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); if (res != -1) r[5] = res; break; case 20: memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); if (res != -1) r[6] = res; break; case 21: res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); if (res != -1) r[7] = res; break; case 22: *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint32_t*)0x20000394 = 1; *(uint32_t*)0x20000398 = 0; *(uint64_t*)0x200003a0 = 1; *(uint16_t*)0x200003a8 = 0; *(uint16_t*)0x200003aa = r[7]; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; *(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; syz_io_uring_submit(r[3], r[5], 0x20000380, 5); break; case 23: *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0x200003c0; memcpy((void*)0x200003c0, "\xc6\x6b\xf5\x1c\x00\x3b\x68\x4c\xd1\xf5\x6d\x7d\xbc\xd2\xde\xa7\x67\x52\x93\xe4\xd0\x16\x95\x5f\xb8\x84\x32\x0c\xce\xfe\xf5\x21\x42\xee\xf0\xb6\x1d\x38\x99\x59\xe4\xe4\x75\x07\x5b\x6b\x11\xcd\xbe\x1c", 50); *(uint64_t*)0x20000410 = 0x32; *(uint64_t*)0x20000440 = 1; *(uint64_t*)0x20000448 = 0; syz_kvm_setup_cpu(r[6], -1, 0x20fe7000, 0x20000400, 1, 0, 0x20000440, 1); break; case 24: res = syscall(__NR_mmap, 0x20ffb000ul, 0x4000ul, 0x2000000ul, 0x1000ul, -1, 0x8000000ul); if (res != -1) r[8] = res; break; case 25: *(uint32_t*)0x20000480 = 1; syz_memcpy_off(r[8], 0x114, 0x20000480, 0, 4); break; case 26: memcpy((void*)0x200004c0, "afs\000", 4); memcpy((void*)0x20000500, "./file0\000", 8); *(uint64_t*)0x200008c0 = 0x20000540; *(uint64_t*)0x200008c8 = 0; *(uint64_t*)0x200008d0 = 0x32; *(uint64_t*)0x200008d8 = 0x20000580; memcpy((void*)0x20000580, "\x3a\x7a\x72\xca\x9b\x2a\x42\x2a\xfb\xeb\xa2\xd7\xa8\x43\x38\xcb\x03\x95\x18\x39\x45\x1a\xf3\xf3\x03\x1d\x00\x30\xdb\x11\xa0\x8c\x0e\xb2\x24\x4d\xab\x7f\x4f\xd9\x44\x2c\xd5\x53\x70\xfb\xac\xdc\x33\x0d\x3e\xe2\x18\x81\x37\xd0\xad\x97\x72\xc7\xae\x54\xfa\xe9\x2d\x19\x41\xe0\x49\xbd\xcb\x3b\x8f\x64\x5e\xa6\xa7\xd7\x46\x40\x42\x86\xd5\x6d\xfd\x7a\x41\xfb\x29\xe2\x98\x7d\x8d\x73\xb3\x67\x9f\xae\x42\x7f\x5a\xf0\x81\x85\xe4\xff\xda\x15\x32\x28\xa3\xac\x82\xbf\x94\xf1\x77\x52\xed\x78\xdf\xe5\xb9\xa4", 124); *(uint64_t*)0x200008e0 = 0x7c; *(uint64_t*)0x200008e8 = 0xee5; *(uint64_t*)0x200008f0 = 0x20000600; memcpy((void*)0x20000600, "\xa9\x63\xe9\x74\x3e\x9c\x3d\x09\x2a\x0a\xb1\xd6\x8a\x13\xfe\x85\xf8\x0e\xd9\x43\x58\xab\x9a\xd4\x02\x9d\xff\x34\x33\xa3\x22\x3c\x65\x0d\x6a\x96\x50\x5e\xc9\xa3\xd6\xcd\x09\xad\x3f\x26\x8f\xcd\xd1\x24\x8a\xa4\x3e\xf1\x38\xa7\x9b\x0c\x4c\x11\x6f\x71\x78\xb5\xfc\x5c\xc4\x9f\xa3\x03\x20\x1e\x8c\x7e\xf4\xe3\x22\x43\x41\x05\xec\xdc\x91\x2a\xe6\x72\x51\x0b\x34\xc0\x1a\xa3\x89\x0c\x90\xf2\x72\x00\xde\x2b\x65\xc4\xbd\x20", 104); *(uint64_t*)0x200008f8 = 0x68; *(uint64_t*)0x20000900 = 0x10000; *(uint64_t*)0x20000908 = 0x20000680; memcpy((void*)0x20000680, "\x6a\xc4\x43\xef\xa9\x85\x5d\xda\x4f\xa3\xa9\x82\xab\xc0\x60\xeb\xf1\xa6\x78\x5f\xeb\xa7\x7c\xd7\x0d\x48\x6a\x29\xf4", 29); *(uint64_t*)0x20000910 = 0x1d; *(uint64_t*)0x20000918 = 2; *(uint64_t*)0x20000920 = 0x200006c0; memcpy((void*)0x200006c0, "\x32\x29\x20\x2f\xd1\x3c\x8a\xb6\xd5\x54\xd8\xdf\xb6\xa8\x66\x18\x05\xf5\x3c\x5e\x81\x67\x1b\xf5\xd7\x02\xaa\x4c\x17\xca\xd1\x07\xcf\xc6\xa8\xfe\x70\x2b\x26\x94\x2c\x63\x2a\x4e\xd0\xe1\x01\x04\x40\xb5\x1b\x99\x78\x5c\x11\x2a\x0b\xda\x8c\x28\x62\x67\xac\x9c\xb4\xe6\x95\x37\x6a\x13\xd9\x93\x7d\xfe\x15\x42\x39\xc4\xea\x04\xf3\x85\x39\xa8\xe5\x57\xdb\xcc\x89\x09\x42\x0c\x76\xb2\x58\x7b\x42\xaa\x2d\x61\xbf\x39\x5f\xe9\x13\xba\xd8\x6d\xdf\x17\xa8\xf1\xb3\x21\x2d\x0f\x0a\x6b\xc2\xe7\x84\x1e\xf2\xe2\xee\x0b\xe0\x59\x01\xf0\x28\xc7\xc6\x5e\x1c\x2c\xb6\x41\xf5\x56\x50\x8f\xbf\x32\x2d\xa0\x30\xde\x78\x46\xad\x39\x00\x40\x82\xc1\x28\xa0\xff\xb6\x0c\x1b\x80\x1b\xfd\x69\xa0\xe5\xf3\x7b\x51\xfe\xb7\x8d\x97\x24\x0f\x45\xf3\xce\x17\xa2\x8a\xbb\xd8\x9b\xd1\x6c\xd2\xd0\x6c\x74\x48\x89\x90\xab\xa3\x6f\xf0\x06\xe8\xae\x36\x22\xec\x18\xfa\x76\xb7\x67\xbe\x88\xf1\x92\xf9\x4a\xf1\x5e\x23\xd7\x42\x17\x73\x8a\x1d\x48\xef\x2c\x3e\x1c\x0a\x55\x72\x03\x04\x5e\x3b\xa2\x5e\x9c\xd3\x8e\xfa\x64", 244); *(uint64_t*)0x20000928 = 0xf4; *(uint64_t*)0x20000930 = 6; *(uint64_t*)0x20000938 = 0x200007c0; memcpy((void*)0x200007c0, "\x41\x4d\x78\x40\x34\x90\x27\x5a\x20\x64\x95\xf9\x3c\xf6\x22\x29\x59\x6a\x76\xf6\x22\xd4\x2e\x73\x7b\xfa\x14\x8f\xc2\x38\x5d\x9c\x82\x94\x6c\xe9\x5d\x9b\x76\x65\xc1\x48\xbf\xd7\x23\xf5\x24\x8f\xfc\xb6\xa4\xfc\x82\x65\xde\x9d\xa9\xe3\x4f\xf0\x57\x7d\xd7\x19\x23\x3d\x7e\xf9\x61\x0b\x9b\x9d\x98\xd4\xf2\xce\xdc\xc5\x35\x1c\xb7\x23\x4e\x0a\x83\x45\xf8\x1e\x60\x3a\x00\x2c\x13\xd8\x98\xf1\x08\x46\x56\xc5\x1b\xe0\x05\x26\xc6\xb7\x97\x7b\x28\x78\x09\x59\x1c\x51\xa2\x88\xac\xec\x3e\x57\x0a\x94\xcc\x77\x42\x01\x95\xf2\xa8\x1a\x77\x89\x6f\x9f\x08\x1b\x17\x3c\x24\xad\xa2\x30\x41\xea\x2e\x72\x53\x69\x86\x01\xd8\x37\x69\x09\x4d\x34\x89", 157); *(uint64_t*)0x20000940 = 0x9d; *(uint64_t*)0x20000948 = 1; *(uint64_t*)0x20000950 = 0x20000880; memcpy((void*)0x20000880, "\x3c\xc0\xa1\x54\x97\x7d\x26\x88\x2d\x94\xf1\xc1\x08\xa6\x28\x7b\x15\xe8\x35\xbf\x2d\x9e\xbc\xfd\x92\x5c\x45\x69\xc9\xde\x9d\x46\x3b\x92\x91\x58\x99\x0d\x2f\x48", 40); *(uint64_t*)0x20000958 = 0x28; *(uint64_t*)0x20000960 = 0xfffffffffffffbff; memcpy((void*)0x20000980, "flock=strict", 12); *(uint8_t*)0x2000098c = 0x2c; memcpy((void*)0x2000098d, "flock=write", 11); *(uint8_t*)0x20000998 = 0x2c; memcpy((void*)0x20000999, "source", 6); *(uint8_t*)0x2000099f = 0x3d; memcpy((void*)0x200009a0, "\353", 1); *(uint8_t*)0x200009a1 = 0x2c; memcpy((void*)0x200009a2, "autocell", 8); *(uint8_t*)0x200009aa = 0x2c; *(uint8_t*)0x200009ab = 0; syz_mount_image(0x200004c0, 0x20000500, 0x1f, 7, 0x200008c0, 0x1015005, 0x20000980); break; case 27: memcpy((void*)0x200009c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200009c0, 0x10000, 0x6840); break; case 28: *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0; *(uint32_t*)0x20000a4c = 3; *(uint64_t*)0x20000a50 = 0x20000a00; memcpy((void*)0x20000a00, ".\\\000", 3); *(uint32_t*)0x20000a58 = 0; *(uint32_t*)0x20000a5c = 0; *(uint64_t*)0x20000a60 = 0; *(uint64_t*)0x20000a68 = 0; res = syscall(__NR_bpf, 0x14ul, 0x20000a40ul, 0x30ul); if (res != -1) r[9] = *(uint32_t*)0x20000a40; break; case 29: memcpy((void*)0x20000a80, "status\000", 7); syz_open_procfs(r[9], 0x20000a80); break; case 30: syz_open_pts(-1, 0x8000); break; case 31: syz_read_part_table(6, 0, 0x20000ac0); break; case 32: *(uint8_t*)0x20000b00 = 0x12; *(uint8_t*)0x20000b01 = 1; *(uint16_t*)0x20000b02 = 0x250; *(uint8_t*)0x20000b04 = 0xa8; *(uint8_t*)0x20000b05 = 0x9c; *(uint8_t*)0x20000b06 = 0xcc; *(uint8_t*)0x20000b07 = -1; *(uint16_t*)0x20000b08 = 0x499; *(uint16_t*)0x20000b0a = 0x150c; *(uint16_t*)0x20000b0c = 0xbaf4; *(uint8_t*)0x20000b0e = 1; *(uint8_t*)0x20000b0f = 2; *(uint8_t*)0x20000b10 = 3; *(uint8_t*)0x20000b11 = 1; *(uint8_t*)0x20000b12 = 9; *(uint8_t*)0x20000b13 = 2; *(uint16_t*)0x20000b14 = 0x702; *(uint8_t*)0x20000b16 = 3; *(uint8_t*)0x20000b17 = 2; *(uint8_t*)0x20000b18 = 5; *(uint8_t*)0x20000b19 = 0x80; *(uint8_t*)0x20000b1a = 0x1f; *(uint8_t*)0x20000b1b = 9; *(uint8_t*)0x20000b1c = 4; *(uint8_t*)0x20000b1d = 0x7d; *(uint8_t*)0x20000b1e = 0; *(uint8_t*)0x20000b1f = 0xb; *(uint8_t*)0x20000b20 = 0x5c; *(uint8_t*)0x20000b21 = 0x68; *(uint8_t*)0x20000b22 = 0x45; *(uint8_t*)0x20000b23 = 0xb8; *(uint8_t*)0x20000b24 = 0x64; *(uint8_t*)0x20000b25 = 0xe6; memcpy((void*)0x20000b26, "\x25\xbb\xa1\x93\x73\x4e\x4e\xb8\x7c\xbd\x6a\x4c\x96\x1e\xf0\x1e\x6c\x96\x0f\xa2\x7d\xe2\xe0\xb2\x88\x3e\x73\xbc\xb5\x6b\x37\x1c\xc2\xf9\x4a\x39\xee\x59\xf2\x12\x37\xd7\xfd\x38\xba\xfe\xa3\xbe\xbf\x15\x96\x7e\x66\xfd\xa6\x11\x4d\x34\xb3\x49\xe1\x86\x8e\xf9\x5c\xc0\xa0\x63\x05\xd0\x16\xcd\x2c\xc7\x23\x33\x40\x35\xa1\x10\xf9\xda\x19\x7a\xfa\x79\xa6\xb0\x45\xfa\xc5\xf7\xd5\xbb\x63\x9e\x45\x41", 98); *(uint8_t*)0x20000b88 = 0xa; *(uint8_t*)0x20000b89 = 0x24; *(uint8_t*)0x20000b8a = 1; *(uint16_t*)0x20000b8b = 7; *(uint8_t*)0x20000b8d = 0x80; *(uint8_t*)0x20000b8e = 2; *(uint8_t*)0x20000b8f = 1; *(uint8_t*)0x20000b90 = 2; *(uint8_t*)0x20000b91 = 9; *(uint8_t*)0x20000b92 = 5; *(uint8_t*)0x20000b93 = 1; *(uint8_t*)0x20000b94 = 3; *(uint16_t*)0x20000b95 = 0x200; *(uint8_t*)0x20000b97 = 0x81; *(uint8_t*)0x20000b98 = 1; *(uint8_t*)0x20000b99 = 9; *(uint8_t*)0x20000b9a = 7; *(uint8_t*)0x20000b9b = 0x25; *(uint8_t*)0x20000b9c = 1; *(uint8_t*)0x20000b9d = 1; *(uint8_t*)0x20000b9e = 9; *(uint16_t*)0x20000b9f = 0x1000; *(uint8_t*)0x20000ba1 = 9; *(uint8_t*)0x20000ba2 = 5; *(uint8_t*)0x20000ba3 = 6; *(uint8_t*)0x20000ba4 = 8; *(uint16_t*)0x20000ba5 = 0x400; *(uint8_t*)0x20000ba7 = 0xe8; *(uint8_t*)0x20000ba8 = 0xc6; *(uint8_t*)0x20000ba9 = -1; *(uint8_t*)0x20000baa = 7; *(uint8_t*)0x20000bab = 0x25; *(uint8_t*)0x20000bac = 1; *(uint8_t*)0x20000bad = 1; *(uint8_t*)0x20000bae = 0x81; *(uint16_t*)0x20000baf = 6; *(uint8_t*)0x20000bb1 = 9; *(uint8_t*)0x20000bb2 = 5; *(uint8_t*)0x20000bb3 = 0xd; *(uint8_t*)0x20000bb4 = 0; *(uint16_t*)0x20000bb5 = 0x20; *(uint8_t*)0x20000bb7 = 8; *(uint8_t*)0x20000bb8 = 0xb4; *(uint8_t*)0x20000bb9 = 3; *(uint8_t*)0x20000bba = 9; *(uint8_t*)0x20000bbb = 5; *(uint8_t*)0x20000bbc = 2; *(uint8_t*)0x20000bbd = 1; *(uint16_t*)0x20000bbe = 0x200; *(uint8_t*)0x20000bc0 = 2; *(uint8_t*)0x20000bc1 = 6; *(uint8_t*)0x20000bc2 = 0x20; *(uint8_t*)0x20000bc3 = 9; *(uint8_t*)0x20000bc4 = 5; *(uint8_t*)0x20000bc5 = 7; *(uint8_t*)0x20000bc6 = 2; *(uint16_t*)0x20000bc7 = 0x3ff; *(uint8_t*)0x20000bc9 = 0x29; *(uint8_t*)0x20000bca = 4; *(uint8_t*)0x20000bcb = 0x4c; *(uint8_t*)0x20000bcc = 9; *(uint8_t*)0x20000bcd = 5; *(uint8_t*)0x20000bce = 5; *(uint8_t*)0x20000bcf = 0; *(uint16_t*)0x20000bd0 = 0x200; *(uint8_t*)0x20000bd2 = 2; *(uint8_t*)0x20000bd3 = 0x22; *(uint8_t*)0x20000bd4 = 5; *(uint8_t*)0x20000bd5 = 7; *(uint8_t*)0x20000bd6 = 0x25; *(uint8_t*)0x20000bd7 = 1; *(uint8_t*)0x20000bd8 = 0; *(uint8_t*)0x20000bd9 = 7; *(uint16_t*)0x20000bda = 0x27; *(uint8_t*)0x20000bdc = 9; *(uint8_t*)0x20000bdd = 5; *(uint8_t*)0x20000bde = 0xe; *(uint8_t*)0x20000bdf = 0xc; *(uint16_t*)0x20000be0 = 0x20; *(uint8_t*)0x20000be2 = 0x40; *(uint8_t*)0x20000be3 = 9; *(uint8_t*)0x20000be4 = 0x1f; *(uint8_t*)0x20000be5 = 0x4f; *(uint8_t*)0x20000be6 = 1; memcpy((void*)0x20000be7, "\xf1\x48\xd8\x44\x07\xf5\xb8\xdf\xda\x7c\x13\xb6\x82\x81\xb7\xd1\x42\x09\x55\x10\x93\xf9\x1b\x2d\x8f\x89\x1d\x9f\x3b\x8f\xf0\x7a\x8c\x2b\x56\xbc\xbf\xa7\x44\xea\x1d\xa6\x9f\xb1\x16\xc7\x1d\x11\xfa\x13\xb6\xa2\xc4\x64\xe6\x5d\x7c\x70\x6a\xe2\x5e\x0a\xd8\x36\xd3\x28\xf3\x09\x28\xaf\x26\xfe\x9d\x4f\x3f\x1d\xc1", 77); *(uint8_t*)0x20000c34 = 7; *(uint8_t*)0x20000c35 = 0x25; *(uint8_t*)0x20000c36 = 1; *(uint8_t*)0x20000c37 = 0x82; *(uint8_t*)0x20000c38 = 0x18; *(uint16_t*)0x20000c39 = 0xfc0; *(uint8_t*)0x20000c3b = 9; *(uint8_t*)0x20000c3c = 5; *(uint8_t*)0x20000c3d = 4; *(uint8_t*)0x20000c3e = 0; *(uint16_t*)0x20000c3f = 0x400; *(uint8_t*)0x20000c41 = 0; *(uint8_t*)0x20000c42 = 0x80; *(uint8_t*)0x20000c43 = 7; *(uint8_t*)0x20000c44 = 7; *(uint8_t*)0x20000c45 = 0x25; *(uint8_t*)0x20000c46 = 1; *(uint8_t*)0x20000c47 = 2; *(uint8_t*)0x20000c48 = 4; *(uint16_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4b = 0xf7; *(uint8_t*)0x20000c4c = 0x30; memcpy((void*)0x20000c4d, "\xab\xdd\xdd\x4f\x9b\x3f\x7c\x94\x0f\x59\xac\x5d\x6a\xc2\x20\xf7\x66\x83\x45\x97\x34\x86\x90\xed\xd4\x5d\xbc\xad\x8d\x72\x00\xdb\x71\x84\x99\x1d\x25\x39\xdf\x54\xe5\xad\x82\xe5\xd5\x8b\x03\x66\xea\x3b\x34\x1b\xe9\xa3\x0b\x4b\x2b\xd6\x6b\xf0\x04\x79\x62\x8c\xb4\x77\xc8\x29\x38\xf8\xd3\xc1\x06\xa7\xe1\x8b\x0e\x54\x85\xa0\xb1\x61\x1a\xba\x1d\x8a\xd3\xc7\x40\xfc\x3d\x9a\xcc\xb5\xd7\xb2\x93\xb9\x0b\x16\x8c\x3f\x2c\x69\x79\x81\x35\xb5\x62\x47\x5f\xe2\xa3\xb8\xf6\x19\x57\x22\x51\x66\x27\x87\xbf\x74\x9f\x67\x3a\x35\xee\x80\xea\x76\xed\xd0\xfc\x7b\x31\x77\xf2\x4f\x50\xd6\x8a\xce\xd6\x90\x2e\xcf\x5e\x0a\x1d\x31\x26\xd9\x53\x09\x46\xab\xac\x7a\x85\x79\x91\x94\x74\x8f\x34\xee\xf3\xe2\x49\xc0\xed\xe1\x51\x1b\x67\x62\x6c\x06\x32\x2b\xa0\xb3\x13\x3a\xd7\xea\xb4\x6c\xc0\x7a\x99\x5f\x01\x1d\x24\x78\x19\x83\xc1\x70\x9a\x03\xac\x2e\xf1\x65\xa9\xb9\x1e\xd9\xe7\x5e\x22\x19\x05\xa9\x32\xc3\x50\x1d\x40\x56\x69\x16\xd6\x3f\x2f\xae\x4e\x97\x98\xfa\xb8\xe1\x6a\x1d\x36\x4f\x01\x9c\x0e\xbd\xb0", 245); *(uint8_t*)0x20000d42 = 9; *(uint8_t*)0x20000d43 = 5; *(uint8_t*)0x20000d44 = 2; *(uint8_t*)0x20000d45 = 0; *(uint16_t*)0x20000d46 = 0x40; *(uint8_t*)0x20000d48 = 0xfe; *(uint8_t*)0x20000d49 = 0x20; *(uint8_t*)0x20000d4a = 9; *(uint8_t*)0x20000d4b = 0xed; *(uint8_t*)0x20000d4c = 1; memcpy((void*)0x20000d4d, "\x97\x48\x0b\x61\x9e\xce\x34\x91\x71\x8d\x87\x0d\x13\x33\xf7\xf3\xcb\xe0\x33\x67\xac\x7f\x15\xbe\x17\x93\xcf\x2d\x63\x5a\xf6\x7a\xf8\x8c\xfe\xa5\x26\xad\x45\xea\x67\xc3\x9a\xde\x3d\x19\x91\x8d\x55\xea\x59\x8a\x78\x07\xfd\x2c\x56\xad\xdf\xb5\x2f\x42\x75\x6b\xfc\x60\x2c\x04\x56\x0e\x98\x1a\x38\x78\x3c\xa3\xdd\x8b\xa4\x31\xc2\x67\x59\x2b\xc0\x04\xb2\xf5\x3e\x49\x08\x2d\xac\x6a\x78\x48\xb9\x29\xdc\xf5\x3f\x15\x1f\x4c\x9a\xe6\xf8\x91\x2f\xff\xd9\x19\x9b\xcd\xcd\x8b\x95\xfd\xc2\xdf\xaa\x22\xd3\xa7\x31\xf3\xc4\xaa\x34\x47\xd4\x18\x3b\x1c\xb4\xcc\xce\xb3\x6e\x69\x37\xf2\x27\x5c\x89\xce\x0b\xa8\x3f\x40\xc2\xc7\xdb\xf1\x3b\x41\x77\x0a\x0f\x12\x5b\x10\xde\xd7\xee\xfe\x7a\x18\x24\xf9\xee\xf4\x93\x83\x10\xa5\x5c\x12\x1b\xf1\xa9\x25\x9f\x55\x16\x72\xb8\xa0\xa5\x2f\xea\xc5\xcb\xc5\xab\x96\xa5\x49\x1e\xf5\x33\xd7\xbe\x14\x76\x4e\x9d\xa5\x31\xff\xef\x82\xf8\x61\x2a\x74\x0f\xb5\x87\x56\xf7\xcb\x60\x92\xab\xb1\x5a\xa6\xcf\x04\x94\xcb\x71\x06\xf1", 235); *(uint8_t*)0x20000e38 = 0xd3; *(uint8_t*)0x20000e39 = 8; memcpy((void*)0x20000e3a, "\x4e\x8e\x03\x4e\xe9\x75\x01\xac\x38\x25\x74\xd2\xa7\x25\x27\xc5\xe0\xc8\x32\x61\x8b\xc6\xa1\xea\x16\xc3\xf3\x23\x25\x89\x71\x63\x3a\x03\x33\x99\x1a\xd9\x97\x54\xb0\x06\xc9\x5c\x4d\xe5\xf9\x01\xec\x1b\x8d\x86\xbd\x47\xc5\x64\xbd\x2a\xef\x08\xdf\x3c\x22\x4a\x3e\x6e\x40\x84\x65\x54\xee\xd2\x73\x4d\x71\xce\x33\x92\x96\x7e\xf5\x5c\x96\xb3\xda\x0a\xa5\x48\x1f\x31\xc3\x51\xcf\x18\x59\xcb\xee\x24\x4e\x75\x1c\x60\xcf\xad\xc2\x33\xcb\x60\x02\xee\x6f\xf4\xcc\x2c\x9b\x76\x37\x8f\x5b\x6e\x41\x0c\x01\x4f\x25\xcb\x9f\xff\x68\xf8\xa6\xff\x5b\x81\xb6\xd0\x9b\x9c\x7a\x2a\xaf\x84\x8b\xd2\x47\xed\x21\xb1\x3a\xa8\xd3\x5b\xcb\x7b\xf2\xfa\x6b\x8c\xbf\x55\x29\x9e\xdb\xce\x15\xe7\x88\xd1\xf9\x3c\xff\x32\x23\x99\x24\x9a\xc0\x80\xf2\xd4\x7b\xd3\xf2\x7e\x7a\x6d\xe1\x84\x90\x48\x11\x72\x25\x36\xd0\xa2\x33\x0e\x3e\x51\x11\x46\xfa\xab\x98\x64\xd1\xb1\x83", 209); *(uint8_t*)0x20000f0b = 9; *(uint8_t*)0x20000f0c = 5; *(uint8_t*)0x20000f0d = 0xb; *(uint8_t*)0x20000f0e = 0; *(uint16_t*)0x20000f0f = 0x10; *(uint8_t*)0x20000f11 = 0x2c; *(uint8_t*)0x20000f12 = 9; *(uint8_t*)0x20000f13 = 6; *(uint8_t*)0x20000f14 = 7; *(uint8_t*)0x20000f15 = 0x25; *(uint8_t*)0x20000f16 = 1; *(uint8_t*)0x20000f17 = 0x80; *(uint8_t*)0x20000f18 = 0xc9; *(uint16_t*)0x20000f19 = 0xbb; *(uint8_t*)0x20000f1b = 0x1f; *(uint8_t*)0x20000f1c = 0x31; memcpy((void*)0x20000f1d, "\xe4\x4d\x51\xa1\x5a\x72\x0f\x09\x9d\xad\xeb\x93\x26\x25\x52\xa9\x35\x42\x42\x29\xd3\xf4\xd1\x2e\xdc\x1b\xaa\x9f\x88", 29); *(uint8_t*)0x20000f3a = 9; *(uint8_t*)0x20000f3b = 5; *(uint8_t*)0x20000f3c = 0xc; *(uint8_t*)0x20000f3d = 0; *(uint16_t*)0x20000f3e = 8; *(uint8_t*)0x20000f40 = 0x49; *(uint8_t*)0x20000f41 = 0x40; *(uint8_t*)0x20000f42 = 0x55; *(uint8_t*)0x20000f43 = 9; *(uint8_t*)0x20000f44 = 4; *(uint8_t*)0x20000f45 = 0xfe; *(uint8_t*)0x20000f46 = 0x33; *(uint8_t*)0x20000f47 = 2; *(uint8_t*)0x20000f48 = 0xa2; *(uint8_t*)0x20000f49 = 0x17; *(uint8_t*)0x20000f4a = 0x9a; *(uint8_t*)0x20000f4b = 2; *(uint8_t*)0x20000f4c = 9; *(uint8_t*)0x20000f4d = 0x24; *(uint8_t*)0x20000f4e = 6; *(uint8_t*)0x20000f4f = 0; *(uint8_t*)0x20000f50 = 1; memcpy((void*)0x20000f51, "\xfb\x7f\xfd\xe8", 4); *(uint8_t*)0x20000f55 = 5; *(uint8_t*)0x20000f56 = 0x24; *(uint8_t*)0x20000f57 = 0; *(uint16_t*)0x20000f58 = 1; *(uint8_t*)0x20000f5a = 0xd; *(uint8_t*)0x20000f5b = 0x24; *(uint8_t*)0x20000f5c = 0xf; *(uint8_t*)0x20000f5d = 1; *(uint32_t*)0x20000f5e = 4; *(uint16_t*)0x20000f62 = 0x9f54; *(uint16_t*)0x20000f64 = 0x267; *(uint8_t*)0x20000f66 = 1; *(uint8_t*)0x20000f67 = 6; *(uint8_t*)0x20000f68 = 0x24; *(uint8_t*)0x20000f69 = 0x1a; *(uint16_t*)0x20000f6a = 9; *(uint8_t*)0x20000f6c = 9; *(uint8_t*)0x20000f6d = 0xc; *(uint8_t*)0x20000f6e = 0x24; *(uint8_t*)0x20000f6f = 0x1b; *(uint16_t*)0x20000f70 = -1; *(uint16_t*)0x20000f72 = 1; *(uint8_t*)0x20000f74 = 0x20; *(uint8_t*)0x20000f75 = 6; *(uint16_t*)0x20000f76 = 6; *(uint8_t*)0x20000f78 = 6; *(uint8_t*)0x20000f79 = 0x15; *(uint8_t*)0x20000f7a = 0x24; *(uint8_t*)0x20000f7b = 0x12; *(uint16_t*)0x20000f7c = 3; *(uint64_t*)0x20000f7e = 0x14f5e048ba817a3; *(uint64_t*)0x20000f86 = 0x2a397ecbffc007a6; *(uint8_t*)0x20000f8e = 0xc; *(uint8_t*)0x20000f8f = 0x24; *(uint8_t*)0x20000f90 = 0x1b; *(uint16_t*)0x20000f91 = 0x91; *(uint16_t*)0x20000f93 = 5; *(uint8_t*)0x20000f95 = 1; *(uint8_t*)0x20000f96 = -1; *(uint16_t*)0x20000f97 = 5; *(uint8_t*)0x20000f99 = 0x35; *(uint8_t*)0x20000f9a = 4; *(uint8_t*)0x20000f9b = 0x24; *(uint8_t*)0x20000f9c = 2; *(uint8_t*)0x20000f9d = 1; *(uint8_t*)0x20000f9e = 9; *(uint8_t*)0x20000f9f = 5; *(uint8_t*)0x20000fa0 = 0xa; *(uint8_t*)0x20000fa1 = 0x10; *(uint16_t*)0x20000fa2 = 8; *(uint8_t*)0x20000fa4 = 0x80; *(uint8_t*)0x20000fa5 = 0xc1; *(uint8_t*)0x20000fa6 = 4; *(uint8_t*)0x20000fa7 = 0xb8; *(uint8_t*)0x20000fa8 = 0x30; memcpy((void*)0x20000fa9, "\xe3\x84\xdc\xf0\x3a\xc3\x95\x40\xe5\xa2\x21\x99\xf7\x1a\x53\xba\x42\x8c\x3b\x72\x02\x90\xf0\x27\x6b\xcc\xa0\xcd\x15\x40\x5f\x6c\x93\x04\x97\xaf\x5e\xb3\x20\xa4\x33\xcc\x55\x3d\x6e\x01\x08\xed\xbf\x79\x3e\xf0\x24\x0f\xf2\x69\xb4\xff\x96\xd6\x82\x2b\xcb\x48\xce\xba\xe2\xa5\xce\xad\x65\x78\x6e\xbe\xcd\x5f\x30\x0c\x08\x60\x6d\x33\x22\xb8\x36\x00\x29\xbd\x21\x31\x2d\xac\x49\x33\x61\xe1\xb0\x8f\x2a\xdc\xa4\xdc\x49\xa0\x04\xfe\xfd\xf7\xa3\xa5\x25\xae\x5d\xe1\x1f\x0a\x69\x1a\x41\xb8\x69\xd9\xb9\xa5\xd9\x0d\x5a\x7b\x5e\xbe\x9e\x57\x73\xb9\x7e\xfe\x98\xe3\x89\x53\x77\xa4\x24\xe3\x0e\xf2\x2f\xd2\xff\xa2\x53\x2f\x1b\xb3\xc1\xa4\xe3\xb8\x6a\xfc\x08\xb2\x65\x9a\xa2\xe5\x56\xf1\x90\xe2\x7f\x83\x61\x9a\x16\x18\xd3\x71\xe1\x02\xc5\x58", 182); *(uint8_t*)0x2000105f = 9; *(uint8_t*)0x20001060 = 5; *(uint8_t*)0x20001061 = 0x80; *(uint8_t*)0x20001062 = 1; *(uint16_t*)0x20001063 = 0x40; *(uint8_t*)0x20001065 = 4; *(uint8_t*)0x20001066 = 0; *(uint8_t*)0x20001067 = 0x1f; *(uint8_t*)0x20001068 = 9; *(uint8_t*)0x20001069 = 4; *(uint8_t*)0x2000106a = 0x74; *(uint8_t*)0x2000106b = 0x90; *(uint8_t*)0x2000106c = 0xa; *(uint8_t*)0x2000106d = -1; *(uint8_t*)0x2000106e = 0x5d; *(uint8_t*)0x2000106f = 1; *(uint8_t*)0x20001070 = 0x81; *(uint8_t*)0x20001071 = 0x6c; *(uint8_t*)0x20001072 = 4; memcpy((void*)0x20001073, "\xde\xaf\x84\x76\xcc\x58\x55\xff\xb6\xd2\x2d\x6c\xeb\x29\x77\x34\x8b\xa8\x6d\xee\x7d\x9e\x22\xe0\xc4\x64\x77\xb0\x6c\x0d\xb5\x14\xbb\x53\x83\xa6\x2a\x40\x2c\xc6\xe0\x79\x5d\xdd\xa5\x10\xcf\x42\x38\xb2\xc6\x4b\x65\x7a\x11\x11\xef\xc0\xe4\xaa\xcf\x9e\x40\x80\x2d\xd0\xee\xb6\x9f\x27\x1c\x1e\x6f\xe0\xee\x5e\x9f\x48\x12\x28\x32\xe6\xa8\x0a\x4d\x7a\x66\x11\xe3\xfd\x2d\xca\x49\xd3\x51\x90\x8f\xf9\xa4\x8c\xa2\x0c\x78\xa6\x9c\x65", 106); *(uint8_t*)0x200010dd = 9; *(uint8_t*)0x200010de = 0x21; *(uint16_t*)0x200010df = 7; *(uint8_t*)0x200010e1 = 7; *(uint8_t*)0x200010e2 = 1; *(uint8_t*)0x200010e3 = 0x22; *(uint16_t*)0x200010e4 = 0xab5; *(uint8_t*)0x200010e6 = 9; *(uint8_t*)0x200010e7 = 5; *(uint8_t*)0x200010e8 = 0; *(uint8_t*)0x200010e9 = 0; *(uint16_t*)0x200010ea = 0x200; *(uint8_t*)0x200010ec = 4; *(uint8_t*)0x200010ed = 7; *(uint8_t*)0x200010ee = 0; *(uint8_t*)0x200010ef = 9; *(uint8_t*)0x200010f0 = 5; *(uint8_t*)0x200010f1 = 0x80; *(uint8_t*)0x200010f2 = 0xc; *(uint16_t*)0x200010f3 = 0x40; *(uint8_t*)0x200010f5 = 0; *(uint8_t*)0x200010f6 = 0x7f; *(uint8_t*)0x200010f7 = -1; *(uint8_t*)0x200010f8 = 7; *(uint8_t*)0x200010f9 = 0x25; *(uint8_t*)0x200010fa = 1; *(uint8_t*)0x200010fb = 0; *(uint8_t*)0x200010fc = 0; *(uint16_t*)0x200010fd = 0xff; *(uint8_t*)0x200010ff = 7; *(uint8_t*)0x20001100 = 0x25; *(uint8_t*)0x20001101 = 1; *(uint8_t*)0x20001102 = 2; *(uint8_t*)0x20001103 = 0xfa; *(uint16_t*)0x20001104 = 5; *(uint8_t*)0x20001106 = 9; *(uint8_t*)0x20001107 = 5; *(uint8_t*)0x20001108 = 3; *(uint8_t*)0x20001109 = 3; *(uint16_t*)0x2000110a = 0x3ff; *(uint8_t*)0x2000110c = 0x80; *(uint8_t*)0x2000110d = 0x7f; *(uint8_t*)0x2000110e = 8; *(uint8_t*)0x2000110f = 9; *(uint8_t*)0x20001110 = 5; *(uint8_t*)0x20001111 = 5; *(uint8_t*)0x20001112 = 1; *(uint16_t*)0x20001113 = 0x20; *(uint8_t*)0x20001115 = 4; *(uint8_t*)0x20001116 = 0x3c; *(uint8_t*)0x20001117 = 4; *(uint8_t*)0x20001118 = 7; *(uint8_t*)0x20001119 = 0x25; *(uint8_t*)0x2000111a = 1; *(uint8_t*)0x2000111b = 0x80; *(uint8_t*)0x2000111c = 0x40; *(uint16_t*)0x2000111d = 0x800; *(uint8_t*)0x2000111f = 9; *(uint8_t*)0x20001120 = 5; *(uint8_t*)0x20001121 = 0xd; *(uint8_t*)0x20001122 = 0; *(uint16_t*)0x20001123 = 0x20; *(uint8_t*)0x20001125 = -1; *(uint8_t*)0x20001126 = 0x14; *(uint8_t*)0x20001127 = 0x3f; *(uint8_t*)0x20001128 = 9; *(uint8_t*)0x20001129 = 5; *(uint8_t*)0x2000112a = 4; *(uint8_t*)0x2000112b = 0; *(uint16_t*)0x2000112c = 0x20; *(uint8_t*)0x2000112e = 1; *(uint8_t*)0x2000112f = 1; *(uint8_t*)0x20001130 = 0x56; *(uint8_t*)0x20001131 = 9; *(uint8_t*)0x20001132 = 5; *(uint8_t*)0x20001133 = 0xc; *(uint8_t*)0x20001134 = 0x10; *(uint16_t*)0x20001135 = 8; *(uint8_t*)0x20001137 = 1; *(uint8_t*)0x20001138 = 5; *(uint8_t*)0x20001139 = 2; *(uint8_t*)0x2000113a = 0x20; *(uint8_t*)0x2000113b = 4; memcpy((void*)0x2000113c, "\x6d\xdd\x41\x04\xce\xf7\xb1\xf7\xb2\xdd\xda\xbb\x24\xea\x94\xbe\x1e\x8a\xc9\xfb\xba\x62\xcd\x71\xc1\xa1\xcb\xfa\x4e\x73", 30); *(uint8_t*)0x2000115a = 9; *(uint8_t*)0x2000115b = 5; *(uint8_t*)0x2000115c = 7; *(uint8_t*)0x2000115d = 4; *(uint16_t*)0x2000115e = 0x10; *(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 6; *(uint8_t*)0x20001162 = 0xf8; *(uint8_t*)0x20001163 = 7; *(uint8_t*)0x20001164 = 0x25; *(uint8_t*)0x20001165 = 1; *(uint8_t*)0x20001166 = 0x80; *(uint8_t*)0x20001167 = 3; *(uint16_t*)0x20001168 = 0x8000; *(uint8_t*)0x2000116a = 0x98; *(uint8_t*)0x2000116b = 0x21; memcpy((void*)0x2000116c, "\xe7\xba\xc6\xd3\x44\x3c\xdf\xcd\xf9\xc2\x4b\x69\x78\xdb\xfb\x9d\xd1\x82\x4a\x59\x64\xcb\xfa\x0f\xe6\x42\x96\xd5\x79\x4c\x61\x59\xbc\x30\xb8\x02\xa5\x9b\x5c\x7a\x49\xb5\x34\x03\x5d\xf5\x6b\xbc\x48\x86\x52\xee\x31\xc6\x01\xd5\x32\x65\x07\x01\x6b\xd4\x45\xa1\xc0\x9d\xf2\x31\xcf\x57\x81\x19\x0d\xaa\xba\x0c\xbd\x84\xa1\x72\x64\x03\x27\xb8\xc1\xa1\xd9\x0b\xfa\xb1\x8f\x24\x96\x1f\xfe\x12\xa0\x48\x6a\x23\x9c\x79\xa2\x59\xc5\x37\x65\x26\x03\xdc\xbd\x4b\x2b\x73\x42\xae\x0d\x71\x5a\x75\x43\xf4\xd0\x8b\xb5\x57\xbd\xdc\xd3\xbc\xa8\x35\x90\xb5\x7c\x30\xee\xe2\xce\x95\xf6\xc7\x10\x2f\x64\x6a\xf8\x28\xa4\x96", 150); *(uint8_t*)0x20001202 = 9; *(uint8_t*)0x20001203 = 5; *(uint8_t*)0x20001204 = 2; *(uint8_t*)0x20001205 = 3; *(uint16_t*)0x20001206 = 0x400; *(uint8_t*)0x20001208 = 3; *(uint8_t*)0x20001209 = 2; *(uint8_t*)0x2000120a = 8; *(uint8_t*)0x2000120b = 9; *(uint8_t*)0x2000120c = 5; *(uint8_t*)0x2000120d = 6; *(uint8_t*)0x2000120e = 0x10; *(uint16_t*)0x2000120f = 0x20; *(uint8_t*)0x20001211 = -1; *(uint8_t*)0x20001212 = 4; *(uint8_t*)0x20001213 = 6; *(uint32_t*)0x20001540 = 0xa; *(uint64_t*)0x20001544 = 0x20001240; *(uint8_t*)0x20001240 = 0xa; *(uint8_t*)0x20001241 = 6; *(uint16_t*)0x20001242 = 0x300; *(uint8_t*)0x20001244 = -1; *(uint8_t*)0x20001245 = 0x81; *(uint8_t*)0x20001246 = 6; *(uint8_t*)0x20001247 = 0xf7; *(uint8_t*)0x20001248 = 0xc4; *(uint8_t*)0x20001249 = 0; *(uint32_t*)0x2000154c = 0xf; *(uint64_t*)0x20001550 = 0x20001280; *(uint8_t*)0x20001280 = 5; *(uint8_t*)0x20001281 = 0xf; *(uint16_t*)0x20001282 = 0xf; *(uint8_t*)0x20001284 = 1; *(uint8_t*)0x20001285 = 0xa; *(uint8_t*)0x20001286 = 0x10; *(uint8_t*)0x20001287 = 3; *(uint8_t*)0x20001288 = 0; *(uint16_t*)0x20001289 = 0; *(uint8_t*)0x2000128b = 8; *(uint8_t*)0x2000128c = 0x1f; *(uint16_t*)0x2000128d = 0xfff; *(uint32_t*)0x20001558 = 5; *(uint32_t*)0x2000155c = 4; *(uint64_t*)0x20001560 = 0x200012c0; *(uint8_t*)0x200012c0 = 4; *(uint8_t*)0x200012c1 = 3; *(uint16_t*)0x200012c2 = 0xc07; *(uint32_t*)0x20001568 = 0x54; *(uint64_t*)0x2000156c = 0x20001300; *(uint8_t*)0x20001300 = 0x54; *(uint8_t*)0x20001301 = 3; memcpy((void*)0x20001302, "\x32\x1d\x45\x7f\x2f\x5a\xb9\xfc\xb1\x11\x8c\x96\x06\x31\xfd\x85\xa7\x5e\xad\x82\x91\x36\xaa\x2a\x6c\xc0\x31\x14\x51\x03\x5f\xe1\x7b\x95\x6e\xb8\xfa\x52\xd4\x95\xa3\x11\xa6\xc0\x3f\x0a\xe8\x4c\x86\xf0\xed\x78\xda\xeb\xfa\x15\xdb\x7b\xc5\x78\x8c\x97\x24\xba\xf4\x58\x2d\xc0\xec\x1b\xa6\x68\x1a\x76\xb0\xa1\xbf\xc5\xde\x9d\xae\xcc", 82); *(uint32_t*)0x20001574 = 0xd3; *(uint64_t*)0x20001578 = 0x20001380; *(uint8_t*)0x20001380 = 0xd3; *(uint8_t*)0x20001381 = 3; memcpy((void*)0x20001382, "\x18\x33\x6f\xc5\x62\x3b\xa1\x41\x06\x34\xc4\x05\x0b\xcf\x3b\x48\x8e\xa4\x18\x67\xd0\x59\xdc\xdc\xd2\xc3\x68\xd8\x48\xfe\x51\x47\x32\x3c\x0b\xa4\xe5\x1d\x7c\xf2\xa3\xd1\x50\x25\x8f\x8c\xc2\x56\x9b\xd7\x9e\x95\x1e\xa9\x5a\x31\x8d\xe3\x1d\x14\x6c\x37\xa7\xcf\x71\x2f\x1f\xcd\x44\x03\x90\x85\x2c\x8d\x52\x16\xf8\xd2\x3a\x99\x18\xb0\xe0\x53\x52\x1e\xb6\x70\xad\x3e\xe0\xfb\x8a\x93\xa8\xd7\xba\xd7\x19\x9e\xeb\xe1\x2a\x3b\x02\x10\x7a\xc4\x54\x2b\xc6\x49\x79\x77\xe3\x30\x8b\x40\x7b\xf3\x64\x98\x2f\x4f\xc9\xc3\x30\xf9\xa7\x5c\xcb\x65\xc8\x68\x8d\x5c\x24\x7a\xd0\x6c\x20\xcc\xf0\x14\x65\xe3\xab\x09\xfc\x77\x7f\x73\x47\x4c\x2c\xd0\x53\xb8\x48\xad\x32\x55\xb5\xad\xc8\x1e\x03\x3d\x2a\x0f\xac\x50\x61\xea\x52\xda\xcf\x46\xe8\x8e\x8c\x2e\x38\x8d\xeb\x91\xd2\xd9\xfc\x12\x42\x55\x90\x93\x36\x41\x8e\x74\x3b\xda\x4c\xb4\xf7\x3c\x6b\x75\xaf\x9a\x9b", 209); *(uint32_t*)0x20001580 = 4; *(uint64_t*)0x20001584 = 0x20001480; *(uint8_t*)0x20001480 = 4; *(uint8_t*)0x20001481 = 3; *(uint16_t*)0x20001482 = 0x42b; *(uint32_t*)0x2000158c = 0x5a; *(uint64_t*)0x20001590 = 0x200014c0; *(uint8_t*)0x200014c0 = 0x5a; *(uint8_t*)0x200014c1 = 3; memcpy((void*)0x200014c2, "\x4d\x85\xf3\x14\x20\xff\x1c\xed\xa2\x5d\x11\x8d\x33\xa6\xeb\xbc\xe8\x88\xc1\x2d\x90\xeb\x54\xc8\x27\xd1\x49\xc8\xdc\xbd\x99\xf3\x89\x3b\x35\xd1\xda\x6c\x77\x6b\x1b\x5d\x08\x4b\x30\x8c\xdf\x93\x47\x41\x67\xf2\x66\x19\x9f\x44\x0a\x03\xfc\x3e\x34\x38\x03\x1b\x87\x25\xdd\xe6\x02\x9a\x62\x9c\x08\x43\xbe\xdf\x04\x8b\x84\x09\xb1\x53\xf9\x03\xd6\x57\xd2\x2b", 88); res = -1; res = syz_usb_connect(6, 0x714, 0x20000b00, 0x20001540); if (res != -1) r[10] = res; break; case 33: *(uint8_t*)0x200015c0 = 0x12; *(uint8_t*)0x200015c1 = 1; *(uint16_t*)0x200015c2 = 0x200; *(uint8_t*)0x200015c4 = -1; *(uint8_t*)0x200015c5 = -1; *(uint8_t*)0x200015c6 = -1; *(uint8_t*)0x200015c7 = 0x40; *(uint16_t*)0x200015c8 = 0xcf3; *(uint16_t*)0x200015ca = 0x9271; *(uint16_t*)0x200015cc = 0x108; *(uint8_t*)0x200015ce = 1; *(uint8_t*)0x200015cf = 2; *(uint8_t*)0x200015d0 = 3; *(uint8_t*)0x200015d1 = 1; *(uint8_t*)0x200015d2 = 9; *(uint8_t*)0x200015d3 = 2; *(uint16_t*)0x200015d4 = 0x48; *(uint8_t*)0x200015d6 = 1; *(uint8_t*)0x200015d7 = 1; *(uint8_t*)0x200015d8 = 0; *(uint8_t*)0x200015d9 = 0x80; *(uint8_t*)0x200015da = 0xfa; *(uint8_t*)0x200015db = 9; *(uint8_t*)0x200015dc = 4; *(uint8_t*)0x200015dd = 0; *(uint8_t*)0x200015de = 0; *(uint8_t*)0x200015df = 6; *(uint8_t*)0x200015e0 = -1; *(uint8_t*)0x200015e1 = 0; *(uint8_t*)0x200015e2 = 0; *(uint8_t*)0x200015e3 = 0; *(uint8_t*)0x200015e4 = 9; *(uint8_t*)0x200015e5 = 5; *(uint8_t*)0x200015e6 = 1; *(uint8_t*)0x200015e7 = 2; *(uint16_t*)0x200015e8 = 0x200; *(uint8_t*)0x200015ea = 0; *(uint8_t*)0x200015eb = 0; *(uint8_t*)0x200015ec = 0; *(uint8_t*)0x200015ed = 9; *(uint8_t*)0x200015ee = 5; *(uint8_t*)0x200015ef = 0x82; *(uint8_t*)0x200015f0 = 2; *(uint16_t*)0x200015f1 = 0x200; *(uint8_t*)0x200015f3 = 0; *(uint8_t*)0x200015f4 = 0; *(uint8_t*)0x200015f5 = 0; *(uint8_t*)0x200015f6 = 9; *(uint8_t*)0x200015f7 = 5; *(uint8_t*)0x200015f8 = 0x83; *(uint8_t*)0x200015f9 = 3; *(uint16_t*)0x200015fa = 0x40; *(uint8_t*)0x200015fc = 1; *(uint8_t*)0x200015fd = 0; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 9; *(uint8_t*)0x20001600 = 5; *(uint8_t*)0x20001601 = 4; *(uint8_t*)0x20001602 = 3; *(uint16_t*)0x20001603 = 0x40; *(uint8_t*)0x20001605 = 1; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 9; *(uint8_t*)0x20001609 = 5; *(uint8_t*)0x2000160a = 5; *(uint8_t*)0x2000160b = 2; *(uint16_t*)0x2000160c = 0x200; *(uint8_t*)0x2000160e = 0; *(uint8_t*)0x2000160f = 0; *(uint8_t*)0x20001610 = 0; *(uint8_t*)0x20001611 = 9; *(uint8_t*)0x20001612 = 5; *(uint8_t*)0x20001613 = 6; *(uint8_t*)0x20001614 = 2; *(uint16_t*)0x20001615 = 0x200; *(uint8_t*)0x20001617 = 0; *(uint8_t*)0x20001618 = 0; *(uint8_t*)0x20001619 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200015c0, 0); if (res != -1) r[11] = res; break; case 34: *(uint32_t*)0x200017c0 = 0x2c; *(uint64_t*)0x200017c4 = 0x20001640; *(uint8_t*)0x20001640 = 0; *(uint8_t*)0x20001641 = 0x24; *(uint32_t*)0x20001642 = 0x5e; *(uint8_t*)0x20001646 = 0x5e; *(uint8_t*)0x20001647 = 9; memcpy((void*)0x20001648, "\x50\xd3\x39\x2d\x02\xeb\xd2\x29\x33\x8b\x7e\x71\x70\xb9\x84\xd0\x49\x07\xf9\xce\xe9\x84\xf8\x3f\x84\xc9\x51\x8b\x9d\xd9\x17\x85\xfe\x2d\x66\xe1\x04\x26\xff\x86\xd8\xe7\xd6\x63\x53\x83\x06\x24\x01\x71\x79\x0d\x7f\x77\x66\x64\xbd\xfd\x68\xd3\xdf\x43\xcd\xf6\xd0\xe3\xab\x3d\x2a\x62\x95\x30\x92\xa2\xd7\xce\x2f\xcd\xfe\x2c\xf5\x00\x26\x86\x9a\x4b\xcd\x06\x6a\xf9\xdd\xbd", 92); *(uint64_t*)0x200017cc = 0x200016c0; *(uint8_t*)0x200016c0 = 0; *(uint8_t*)0x200016c1 = 3; *(uint32_t*)0x200016c2 = 4; *(uint8_t*)0x200016c6 = 4; *(uint8_t*)0x200016c7 = 3; *(uint16_t*)0x200016c8 = 0x449; *(uint64_t*)0x200017d4 = 0x20001700; *(uint8_t*)0x20001700 = 0; *(uint8_t*)0x20001701 = 0xf; *(uint32_t*)0x20001702 = 0x19; *(uint8_t*)0x20001706 = 5; *(uint8_t*)0x20001707 = 0xf; *(uint16_t*)0x20001708 = 0x19; *(uint8_t*)0x2000170a = 1; *(uint8_t*)0x2000170b = 0x14; *(uint8_t*)0x2000170c = 0x10; *(uint8_t*)0x2000170d = 4; *(uint8_t*)0x2000170e = 0x3f; memcpy((void*)0x2000170f, "\x0f\xf6\x11\x98\x8b\x42\x04\x3b\xdd\x16\xf1\x8b\x9b\x82\xf6\xcf", 16); *(uint64_t*)0x200017dc = 0x20001740; *(uint8_t*)0x20001740 = 0x20; *(uint8_t*)0x20001741 = 0x29; *(uint32_t*)0x20001742 = 0xf; *(uint8_t*)0x20001746 = 0xf; *(uint8_t*)0x20001747 = 0x29; *(uint8_t*)0x20001748 = 0; *(uint16_t*)0x20001749 = 0; *(uint8_t*)0x2000174b = 9; *(uint8_t*)0x2000174c = 0x68; memcpy((void*)0x2000174d, "\x60\xc5\x11\xfa", 4); memcpy((void*)0x20001751, "\x23\xe3\xf5\x32", 4); *(uint64_t*)0x200017e4 = 0x20001780; *(uint8_t*)0x20001780 = 0x20; *(uint8_t*)0x20001781 = 0x2a; *(uint32_t*)0x20001782 = 0xc; *(uint8_t*)0x20001786 = 0xc; *(uint8_t*)0x20001787 = 0x2a; *(uint8_t*)0x20001788 = 5; *(uint16_t*)0x20001789 = 0; *(uint8_t*)0x2000178b = 2; *(uint8_t*)0x2000178c = 7; *(uint8_t*)0x2000178d = 8; *(uint16_t*)0x2000178e = 5; *(uint16_t*)0x20001790 = 0x200; *(uint32_t*)0x20001c80 = 0x84; *(uint64_t*)0x20001c84 = 0x20001800; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0x16; *(uint32_t*)0x20001802 = 0x92; memcpy((void*)0x20001806, "\xe4\x9c\x4e\x0f\xdf\x52\x1d\x4b\xb8\x3a\x1c\x78\xb9\xb6\xf3\x2e\xb6\xe3\x8f\xba\x14\x32\x72\x7c\x39\x17\x49\x72\x7c\x41\x81\x5d\xc3\xfc\x41\x93\xcf\x0f\xc2\x47\xb3\x2c\x61\xdd\x80\xf2\x66\x29\xd7\xcf\x71\x4f\xc0\x80\x15\x77\x01\x40\x5e\x55\xe4\xd1\xae\x2b\x75\x8c\x66\x82\x10\x44\xd2\xe8\x09\x4f\x1b\xd7\x5c\xcf\x96\x00\x45\x47\x26\xe5\xdf\x97\x64\x08\x2d\x53\x70\x12\xad\x6f\xa0\x0a\x11\xbf\x54\x6f\x5d\x86\xaf\x48\x2a\x8f\x0b\x05\x74\x28\x7a\x4c\x56\x40\xbd\x1a\x22\x5a\x60\xd1\x96\x1c\xd5\x6b\x3b\x48\xcf\x69\xd7\x76\xcd\x8b\xba\xc5\xdc\x15\x44\xbf\x6b\x94\xb3\x51\x93\x83\xf9\xc5", 146); *(uint64_t*)0x20001c8c = 0x200018c0; *(uint8_t*)0x200018c0 = 0; *(uint8_t*)0x200018c1 = 0xa; *(uint32_t*)0x200018c2 = 1; *(uint8_t*)0x200018c6 = 0xea; *(uint64_t*)0x20001c94 = 0x20001900; *(uint8_t*)0x20001900 = 0; *(uint8_t*)0x20001901 = 8; *(uint32_t*)0x20001902 = 1; *(uint8_t*)0x20001906 = 0xc0; *(uint64_t*)0x20001c9c = 0x20001940; *(uint8_t*)0x20001940 = 0x20; *(uint8_t*)0x20001941 = 0; *(uint32_t*)0x20001942 = 4; *(uint16_t*)0x20001946 = 3; *(uint16_t*)0x20001948 = 0xc065; *(uint64_t*)0x20001ca4 = 0x20001980; *(uint8_t*)0x20001980 = 0x20; *(uint8_t*)0x20001981 = 0; *(uint32_t*)0x20001982 = 8; *(uint16_t*)0x20001986 = 0x200; *(uint16_t*)0x20001988 = 2; *(uint32_t*)0x2000198a = 0; *(uint64_t*)0x20001cac = 0x200019c0; *(uint8_t*)0x200019c0 = 0x40; *(uint8_t*)0x200019c1 = 7; *(uint32_t*)0x200019c2 = 2; *(uint16_t*)0x200019c6 = 0; *(uint64_t*)0x20001cb4 = 0x20001a00; *(uint8_t*)0x20001a00 = 0x40; *(uint8_t*)0x20001a01 = 9; *(uint32_t*)0x20001a02 = 1; *(uint8_t*)0x20001a06 = 7; *(uint64_t*)0x20001cbc = 0x20001a40; *(uint8_t*)0x20001a40 = 0x40; *(uint8_t*)0x20001a41 = 0xb; *(uint32_t*)0x20001a42 = 2; memcpy((void*)0x20001a46, ",e", 2); *(uint64_t*)0x20001cc4 = 0x20001a80; *(uint8_t*)0x20001a80 = 0x40; *(uint8_t*)0x20001a81 = 0xf; *(uint32_t*)0x20001a82 = 2; *(uint16_t*)0x20001a86 = 0xa; *(uint64_t*)0x20001ccc = 0x20001ac0; *(uint8_t*)0x20001ac0 = 0x40; *(uint8_t*)0x20001ac1 = 0x13; *(uint32_t*)0x20001ac2 = 6; memcpy((void*)0x20001ac6, "\xcb\xa5\xd8\xd5\x17\x87", 6); *(uint64_t*)0x20001cd4 = 0x20001b00; *(uint8_t*)0x20001b00 = 0x40; *(uint8_t*)0x20001b01 = 0x17; *(uint32_t*)0x20001b02 = 6; *(uint8_t*)0x20001b06 = 0xaa; *(uint8_t*)0x20001b07 = 0xaa; *(uint8_t*)0x20001b08 = 0xaa; *(uint8_t*)0x20001b09 = 0xaa; *(uint8_t*)0x20001b0a = 0xaa; *(uint8_t*)0x20001b0b = 0x1b; *(uint64_t*)0x20001cdc = 0x20001b40; *(uint8_t*)0x20001b40 = 0x40; *(uint8_t*)0x20001b41 = 0x19; *(uint32_t*)0x20001b42 = 2; memcpy((void*)0x20001b46, "\x09\xef", 2); *(uint64_t*)0x20001ce4 = 0x20001b80; *(uint8_t*)0x20001b80 = 0x40; *(uint8_t*)0x20001b81 = 0x1a; *(uint32_t*)0x20001b82 = 2; *(uint16_t*)0x20001b86 = 0x200; *(uint64_t*)0x20001cec = 0x20001bc0; *(uint8_t*)0x20001bc0 = 0x40; *(uint8_t*)0x20001bc1 = 0x1c; *(uint32_t*)0x20001bc2 = 1; *(uint8_t*)0x20001bc6 = 0x20; *(uint64_t*)0x20001cf4 = 0x20001c00; *(uint8_t*)0x20001c00 = 0x40; *(uint8_t*)0x20001c01 = 0x1e; *(uint32_t*)0x20001c02 = 1; *(uint8_t*)0x20001c06 = 0x81; *(uint64_t*)0x20001cfc = 0x20001c40; *(uint8_t*)0x20001c40 = 0x40; *(uint8_t*)0x20001c41 = 0x21; *(uint32_t*)0x20001c42 = 1; *(uint8_t*)0x20001c46 = 0x40; syz_usb_control_io(r[11], 0x200017c0, 0x20001c80); break; case 35: *(uint8_t*)0x20001d40 = 0x12; *(uint8_t*)0x20001d41 = 1; *(uint16_t*)0x20001d42 = 0x300; *(uint8_t*)0x20001d44 = 0; *(uint8_t*)0x20001d45 = 0; *(uint8_t*)0x20001d46 = 0; *(uint8_t*)0x20001d47 = 0x40; *(uint16_t*)0x20001d48 = 0x1d6b; *(uint16_t*)0x20001d4a = 0x101; *(uint16_t*)0x20001d4c = 0x40; *(uint8_t*)0x20001d4e = 1; *(uint8_t*)0x20001d4f = 2; *(uint8_t*)0x20001d50 = 3; *(uint8_t*)0x20001d51 = 1; *(uint8_t*)0x20001d52 = 9; *(uint8_t*)0x20001d53 = 2; *(uint16_t*)0x20001d54 = 0xa4; *(uint8_t*)0x20001d56 = 3; *(uint8_t*)0x20001d57 = 1; *(uint8_t*)0x20001d58 = 8; *(uint8_t*)0x20001d59 = 0x80; *(uint8_t*)0x20001d5a = 0x1f; *(uint8_t*)0x20001d5b = 9; *(uint8_t*)0x20001d5c = 4; *(uint8_t*)0x20001d5d = 0; *(uint8_t*)0x20001d5e = 0; *(uint8_t*)0x20001d5f = 0; *(uint8_t*)0x20001d60 = 1; *(uint8_t*)0x20001d61 = 1; *(uint8_t*)0x20001d62 = 0; *(uint8_t*)0x20001d63 = 0; *(uint8_t*)0x20001d64 = 0xa; *(uint8_t*)0x20001d65 = 0x24; *(uint8_t*)0x20001d66 = 1; *(uint16_t*)0x20001d67 = 0x7f; *(uint8_t*)0x20001d69 = 0x24; *(uint8_t*)0x20001d6a = 2; *(uint8_t*)0x20001d6b = 1; *(uint8_t*)0x20001d6c = 2; *(uint8_t*)0x20001d6d = 0xb; *(uint8_t*)0x20001d6e = 0x24; *(uint8_t*)0x20001d6f = 4; *(uint8_t*)0x20001d70 = 3; *(uint8_t*)0x20001d71 = 0x3f; memcpy((void*)0x20001d72, "\xe3\xa7\xba\x11\xb7\x73", 6); *(uint8_t*)0x20001d78 = 0xc; *(uint8_t*)0x20001d79 = 0x24; *(uint8_t*)0x20001d7a = 2; *(uint8_t*)0x20001d7b = 4; *(uint16_t*)0x20001d7c = 0x203; *(uint8_t*)0x20001d7e = 1; *(uint8_t*)0x20001d7f = 2; *(uint16_t*)0x20001d80 = 7; *(uint8_t*)0x20001d82 = 0xfd; *(uint8_t*)0x20001d83 = 0; *(uint8_t*)0x20001d84 = 7; *(uint8_t*)0x20001d85 = 0x24; *(uint8_t*)0x20001d86 = 8; *(uint8_t*)0x20001d87 = 2; *(uint16_t*)0x20001d88 = 4; *(uint8_t*)0x20001d8a = 0x40; *(uint8_t*)0x20001d8b = 9; *(uint8_t*)0x20001d8c = 0x24; *(uint8_t*)0x20001d8d = 3; *(uint8_t*)0x20001d8e = 2; *(uint16_t*)0x20001d8f = 0x101; *(uint8_t*)0x20001d91 = 4; *(uint8_t*)0x20001d92 = 4; *(uint8_t*)0x20001d93 = 5; *(uint8_t*)0x20001d94 = 9; *(uint8_t*)0x20001d95 = 4; *(uint8_t*)0x20001d96 = 1; *(uint8_t*)0x20001d97 = 0; *(uint8_t*)0x20001d98 = 0; *(uint8_t*)0x20001d99 = 1; *(uint8_t*)0x20001d9a = 2; *(uint8_t*)0x20001d9b = 0; *(uint8_t*)0x20001d9c = 0; *(uint8_t*)0x20001d9d = 9; *(uint8_t*)0x20001d9e = 4; *(uint8_t*)0x20001d9f = 1; *(uint8_t*)0x20001da0 = 1; *(uint8_t*)0x20001da1 = 1; *(uint8_t*)0x20001da2 = 1; *(uint8_t*)0x20001da3 = 2; *(uint8_t*)0x20001da4 = 0; *(uint8_t*)0x20001da5 = 0; *(uint8_t*)0x20001da6 = 9; *(uint8_t*)0x20001da7 = 5; *(uint8_t*)0x20001da8 = 1; *(uint8_t*)0x20001da9 = 9; *(uint16_t*)0x20001daa = 0x200; *(uint8_t*)0x20001dac = 0xfc; *(uint8_t*)0x20001dad = 9; *(uint8_t*)0x20001dae = 7; *(uint8_t*)0x20001daf = 7; *(uint8_t*)0x20001db0 = 0x25; *(uint8_t*)0x20001db1 = 1; *(uint8_t*)0x20001db2 = 0; *(uint8_t*)0x20001db3 = 2; *(uint16_t*)0x20001db4 = 8; *(uint8_t*)0x20001db6 = 9; *(uint8_t*)0x20001db7 = 4; *(uint8_t*)0x20001db8 = 2; *(uint8_t*)0x20001db9 = 0; *(uint8_t*)0x20001dba = 0; *(uint8_t*)0x20001dbb = 1; *(uint8_t*)0x20001dbc = 2; *(uint8_t*)0x20001dbd = 0; *(uint8_t*)0x20001dbe = 0; *(uint8_t*)0x20001dbf = 9; *(uint8_t*)0x20001dc0 = 4; *(uint8_t*)0x20001dc1 = 2; *(uint8_t*)0x20001dc2 = 1; *(uint8_t*)0x20001dc3 = 1; *(uint8_t*)0x20001dc4 = 1; *(uint8_t*)0x20001dc5 = 2; *(uint8_t*)0x20001dc6 = 0; *(uint8_t*)0x20001dc7 = 0; *(uint8_t*)0x20001dc8 = 0x12; *(uint8_t*)0x20001dc9 = 0x24; *(uint8_t*)0x20001dca = 2; *(uint8_t*)0x20001dcb = 2; *(uint16_t*)0x20001dcc = 8; *(uint16_t*)0x20001dce = 7; *(uint8_t*)0x20001dd0 = -1; memcpy((void*)0x20001dd1, "\x6c\xce\x23\xa5\x1a\x59\x66\x0a\x8a", 9); *(uint8_t*)0x20001dda = 0xc; *(uint8_t*)0x20001ddb = 0x24; *(uint8_t*)0x20001ddc = 2; *(uint8_t*)0x20001ddd = 1; *(uint8_t*)0x20001dde = 7; *(uint8_t*)0x20001ddf = 2; *(uint8_t*)0x20001de0 = 0xd6; *(uint8_t*)0x20001de1 = 0x40; memcpy((void*)0x20001de2, "\xa5\xe2\x12", 3); memcpy((void*)0x20001de5, "l", 1); *(uint8_t*)0x20001de6 = 9; *(uint8_t*)0x20001de7 = 5; *(uint8_t*)0x20001de8 = 0x82; *(uint8_t*)0x20001de9 = 9; *(uint16_t*)0x20001dea = 0x3ff; *(uint8_t*)0x20001dec = 3; *(uint8_t*)0x20001ded = 0; *(uint8_t*)0x20001dee = 0xac; *(uint8_t*)0x20001def = 7; *(uint8_t*)0x20001df0 = 0x25; *(uint8_t*)0x20001df1 = 1; *(uint8_t*)0x20001df2 = 3; *(uint8_t*)0x20001df3 = 4; *(uint16_t*)0x20001df4 = 5; *(uint32_t*)0x20001f40 = 0xa; *(uint64_t*)0x20001f44 = 0x20001e00; *(uint8_t*)0x20001e00 = 0xa; *(uint8_t*)0x20001e01 = 6; *(uint16_t*)0x20001e02 = 0x200; *(uint8_t*)0x20001e04 = -1; *(uint8_t*)0x20001e05 = 2; *(uint8_t*)0x20001e06 = 7; *(uint8_t*)0x20001e07 = 0x10; *(uint8_t*)0x20001e08 = 6; *(uint8_t*)0x20001e09 = 0; *(uint32_t*)0x20001f4c = 5; *(uint64_t*)0x20001f50 = 0x20001e40; *(uint8_t*)0x20001e40 = 5; *(uint8_t*)0x20001e41 = 0xf; *(uint16_t*)0x20001e42 = 5; *(uint8_t*)0x20001e44 = 0; *(uint32_t*)0x20001f58 = 2; *(uint32_t*)0x20001f5c = 0x52; *(uint64_t*)0x20001f60 = 0x20001e80; *(uint8_t*)0x20001e80 = 0x52; *(uint8_t*)0x20001e81 = 3; memcpy((void*)0x20001e82, "\x4b\xcf\xbc\x74\x9d\x26\xd0\xfb\xc2\x0c\x2e\x20\x2a\x04\x2e\x8b\xb1\x67\xca\xdf\x5c\x2b\xcd\xbd\x07\xdd\xe6\x67\x1d\xa7\xdd\x40\x03\x06\xb2\x6f\x22\x0f\xef\x4a\x33\x97\xf0\xa9\x5a\x4b\x8c\xa5\xba\xfd\x5a\x4f\xa8\xb9\x9d\x24\x50\x5f\x7a\x27\xac\x07\xa1\x6b\xbb\x02\xd5\x24\xc0\xbb\xfa\x3a\xf8\xe3\x18\xdf\x58\xfe\xb1\x43", 80); *(uint32_t*)0x20001f68 = 4; *(uint64_t*)0x20001f6c = 0x20001f00; *(uint8_t*)0x20001f00 = 4; *(uint8_t*)0x20001f01 = 3; *(uint16_t*)0x20001f02 = 0x807; res = -1; res = syz_usb_connect(6, 0xb6, 0x20001d40, 0x20001f40); if (res != -1) r[12] = res; break; case 36: syz_usb_disconnect(r[12]); break; case 37: syz_usb_ep_read(r[10], 6, 0xd6, 0x20001f80); break; case 38: *(uint8_t*)0x20002080 = 0x12; *(uint8_t*)0x20002081 = 1; *(uint16_t*)0x20002082 = 0x110; *(uint8_t*)0x20002084 = 2; *(uint8_t*)0x20002085 = 0; *(uint8_t*)0x20002086 = 0; *(uint8_t*)0x20002087 = -1; *(uint16_t*)0x20002088 = 0x525; *(uint16_t*)0x2000208a = 0xa4a1; *(uint16_t*)0x2000208c = 0x40; *(uint8_t*)0x2000208e = 1; *(uint8_t*)0x2000208f = 2; *(uint8_t*)0x20002090 = 3; *(uint8_t*)0x20002091 = 1; *(uint8_t*)0x20002092 = 9; *(uint8_t*)0x20002093 = 2; *(uint16_t*)0x20002094 = 0x3d; *(uint8_t*)0x20002096 = 1; *(uint8_t*)0x20002097 = 1; *(uint8_t*)0x20002098 = 9; *(uint8_t*)0x20002099 = 0xc0; *(uint8_t*)0x2000209a = 0xb3; *(uint8_t*)0x2000209b = 9; *(uint8_t*)0x2000209c = 4; *(uint8_t*)0x2000209d = 0; *(uint8_t*)0x2000209e = 8; *(uint8_t*)0x2000209f = 3; *(uint8_t*)0x200020a0 = 2; *(uint8_t*)0x200020a1 = 6; *(uint8_t*)0x200020a2 = 0; *(uint8_t*)0x200020a3 = 1; *(uint8_t*)0x200020a4 = 7; *(uint8_t*)0x200020a5 = 0x24; *(uint8_t*)0x200020a6 = 6; *(uint8_t*)0x200020a7 = 0; *(uint8_t*)0x200020a8 = 0; memcpy((void*)0x200020a9, "\x93\xb5", 2); *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 0x24; *(uint8_t*)0x200020ad = 0; *(uint16_t*)0x200020ae = 1; *(uint8_t*)0x200020b0 = 0xd; *(uint8_t*)0x200020b1 = 0x24; *(uint8_t*)0x200020b2 = 0xf; *(uint8_t*)0x200020b3 = 1; *(uint32_t*)0x200020b4 = 5; *(uint16_t*)0x200020b8 = 0xdf0; *(uint16_t*)0x200020ba = 0xa5e2; *(uint8_t*)0x200020bc = -1; *(uint8_t*)0x200020bd = 9; *(uint8_t*)0x200020be = 5; *(uint8_t*)0x200020bf = 0x82; *(uint8_t*)0x200020c0 = 2; *(uint16_t*)0x200020c1 = 0x40; *(uint8_t*)0x200020c3 = 0; *(uint8_t*)0x200020c4 = 0x40; *(uint8_t*)0x200020c5 = 0x20; *(uint8_t*)0x200020c6 = 9; *(uint8_t*)0x200020c7 = 5; *(uint8_t*)0x200020c8 = 3; *(uint8_t*)0x200020c9 = 2; *(uint16_t*)0x200020ca = 8; *(uint8_t*)0x200020cc = 0x20; *(uint8_t*)0x200020cd = -1; *(uint8_t*)0x200020ce = 4; *(uint32_t*)0x20002640 = 0xa; *(uint64_t*)0x20002644 = 0x20002100; *(uint8_t*)0x20002100 = 0xa; *(uint8_t*)0x20002101 = 6; *(uint16_t*)0x20002102 = 0x250; *(uint8_t*)0x20002104 = 0; *(uint8_t*)0x20002105 = 0x81; *(uint8_t*)0x20002106 = 0x20; *(uint8_t*)0x20002107 = 0x20; *(uint8_t*)0x20002108 = 3; *(uint8_t*)0x20002109 = 0; *(uint32_t*)0x2000264c = 5; *(uint64_t*)0x20002650 = 0x20002140; *(uint8_t*)0x20002140 = 5; *(uint8_t*)0x20002141 = 0xf; *(uint16_t*)0x20002142 = 5; *(uint8_t*)0x20002144 = 0; *(uint32_t*)0x20002658 = 8; *(uint32_t*)0x2000265c = 0xcd; *(uint64_t*)0x20002660 = 0x20002180; *(uint8_t*)0x20002180 = 0xcd; *(uint8_t*)0x20002181 = 3; memcpy((void*)0x20002182, "\x2e\x83\x3d\xbc\x02\x86\x82\x12\xd3\xec\x73\x52\xfb\x0d\xe8\xa0\x5e\xcf\x66\x18\x59\xde\xbe\x23\xba\x73\x5f\xb9\x0a\x26\x85\x3e\x0d\x4c\x9b\xfc\xeb\xac\x70\xce\x40\x53\x9a\x98\xcf\x89\x47\xe0\x6b\xb7\x5d\xe0\xa9\x20\x5e\x0b\x79\x1c\xb4\xf9\xe7\xaa\x0a\xe1\x14\x9e\x93\x94\xff\xef\x26\x6f\x96\xe0\xc7\x5a\xb7\x28\xca\xdb\xc3\x12\x57\x0e\xfe\xd7\x37\x09\x0a\x62\x51\xc0\x9e\x1a\x5d\x38\xa0\xc6\xf1\xec\x4a\xe0\x55\x86\x3d\x69\xe4\xdc\xf3\x6d\x97\x4d\x2b\xe3\xe4\x87\xc7\xd2\xf1\xdb\x21\x61\xe9\x3b\x7d\x15\x2c\xe0\x46\xf0\x30\xb3\x6d\x08\x32\x89\xed\xdd\x71\x05\xed\x8e\xae\xd4\x9f\x71\x10\x17\xba\xab\xde\x9d\x5f\x01\xcd\x47\x38\x50\x3d\x32\x26\x69\x55\x4f\xcf\x3b\x5a\x65\xb0\x51\x97\x33\xb0\x7a\x7f\x3c\xff\xdc\x92\xb0\x38\x2c\x66\x12\x0c\x41\xaa\xe8\x85\x68\xc7\x52\xf7\x9d\x50\x1f\xd4\xda\x58\xe6\x87\x9e\x7e", 203); *(uint32_t*)0x20002668 = 4; *(uint64_t*)0x2000266c = 0x20002280; *(uint8_t*)0x20002280 = 4; *(uint8_t*)0x20002281 = 3; *(uint16_t*)0x20002282 = 0x3c0a; *(uint32_t*)0x20002674 = 4; *(uint64_t*)0x20002678 = 0x200022c0; *(uint8_t*)0x200022c0 = 4; *(uint8_t*)0x200022c1 = 3; *(uint16_t*)0x200022c2 = 0x3801; *(uint32_t*)0x20002680 = 0x1f; *(uint64_t*)0x20002684 = 0x20002300; *(uint8_t*)0x20002300 = 0x1f; *(uint8_t*)0x20002301 = 3; memcpy((void*)0x20002302, "\xa6\x70\xc3\x58\x2d\x38\x96\x7a\xc4\x85\x45\x5e\x8a\x40\xac\xb6\xf5\xdf\x24\xab\x49\xa4\xc6\xbb\x43\xd5\x84\xed\xf7", 29); *(uint32_t*)0x2000268c = 4; *(uint64_t*)0x20002690 = 0x20002340; *(uint8_t*)0x20002340 = 4; *(uint8_t*)0x20002341 = 3; *(uint16_t*)0x20002342 = 0x44f; *(uint32_t*)0x20002698 = 0xe1; *(uint64_t*)0x2000269c = 0x20002380; *(uint8_t*)0x20002380 = 0xe1; *(uint8_t*)0x20002381 = 3; memcpy((void*)0x20002382, "\xbe\x2c\xe1\x8f\xae\x6d\xa9\xf1\xaa\x4b\x97\x21\x97\xbe\x7a\x6c\xe4\xb2\x83\xc3\xe0\x02\x7e\x6d\xa1\x3d\x86\x39\xf6\x74\xea\x9c\x64\x28\x9b\x33\xc0\xe1\x43\x5b\x7c\x16\x54\xa5\x69\x12\x7b\x26\xad\x53\x77\x4f\x2b\x6b\x20\x57\x9f\xac\x6f\xaf\xfe\x12\x94\x9e\xe4\xb0\xd3\xcd\x2d\x89\x0c\xff\x2d\x7e\x9b\xb4\x3b\x60\x2a\x39\x4e\xfd\x49\x75\x18\x4f\x7e\xec\xab\x16\xa3\xf1\x87\xca\xb4\xc2\xca\x01\xac\x5b\xc9\xc5\x5c\x8b\xb9\x81\x32\x3d\x91\x9f\x77\x35\x5b\x3c\xe7\x42\x8d\xa6\x2a\xf8\x0c\x76\xb1\x85\xe1\x0a\xc7\xb1\xcc\x95\x0e\xcc\x71\x5c\x3e\x0a\x1e\x14\x23\x11\xb6\x29\x41\xe0\x62\x91\xb3\x0d\x2d\x3c\x7d\x46\x8d\xfb\xe2\x83\xc9\x1f\xc0\x83\x3d\xb0\x68\xe7\xbf\x39\x7c\x23\x35\x75\x79\x02\x29\xce\x51\x3b\xbd\xc4\x38\x7d\x81\xb3\x02\x7e\xf6\x8b\x20\xde\x25\xd9\xf1\xff\x32\xb9\x5c\xba\x44\x3b\x9e\x7f\xba\x49\x91\x43\xe8\x41\xa6\x19\x0c\x6e\xcb\x29\x06\xfe\x42\x30\xf8\x39\xba\x8c\x3c\x73\xea", 223); *(uint32_t*)0x200026a4 = 0xc1; *(uint64_t*)0x200026a8 = 0x20002480; *(uint8_t*)0x20002480 = 0xc1; *(uint8_t*)0x20002481 = 3; memcpy((void*)0x20002482, "\xf1\x7d\xb2\xea\x26\xd9\x0b\xa9\x3d\x1d\xbd\x3d\x94\x82\x88\x21\x72\xcc\x15\x8b\x4c\xc4\x3c\x36\xd1\x2b\xb9\x4e\x06\xfc\x7a\xba\x0d\x96\xba\x62\xa3\x8b\x39\xb7\x7b\xb6\x6a\x8b\x4b\xa6\xfe\x26\x0c\x87\x74\x64\xdc\x10\x12\x44\x9a\x3a\x6a\xb5\xb8\x0e\x66\x7a\x3a\x01\xdb\x8d\xd1\xdc\x34\x68\xb0\xd7\x28\x93\xad\xf2\x5b\xd1\xa7\xb9\xdc\xdd\xf5\x69\x12\x2a\x73\x02\x6b\x76\xfd\x0e\x25\xd7\x44\x0c\xa5\xdb\x63\x5b\x3f\xc9\x01\x3f\xd7\x90\x99\xa7\xd7\xe8\x1d\xb8\x74\x5b\xc9\xd0\xa6\xc9\x38\x79\x1d\x2c\xbf\xd1\x0f\x1c\x62\x8c\xa1\x7a\xf9\x93\xb7\x02\xc1\xed\xe3\x0d\xa1\x88\x25\x67\xce\x28\x7f\x66\xb2\x3e\xbf\x40\x8a\x2d\x9c\x63\xe1\xcb\x0b\x27\x95\x27\x3e\xfa\x81\x53\x56\x1c\x3c\x3e\xeb\x71\xd1\x2a\xa0\x87\xe9\x25\x55\x26\xb5\x28\xf5\x38\xaf\x4a\xbd\x41\xcf\x89\x01", 191); *(uint32_t*)0x200026b0 = 0xc0; *(uint64_t*)0x200026b4 = 0x20002580; *(uint8_t*)0x20002580 = 0xc0; *(uint8_t*)0x20002581 = 3; memcpy((void*)0x20002582, "\x6f\x57\xd6\xa5\x96\x20\x2e\xbf\x5a\x75\xb9\x72\x49\x11\xf9\x1a\x3d\x92\xae\x1a\xc8\x1a\xbb\x9c\x1b\x13\x4a\x76\xe6\x65\x90\xf6\xeb\x8d\xd8\x4c\xc1\x09\x60\xb8\xd2\x23\x94\x7d\x1c\x2e\x77\x1b\x94\xe7\x29\xd8\x34\x18\xf4\x14\x21\x3f\xf8\xb9\x06\x77\x03\x30\xbe\xa7\x0e\x59\xfe\x4d\x8b\xa5\x37\xfb\xcf\xd3\xc4\xbf\xc4\xea\x3b\x64\x0c\x31\x12\x92\x6d\x8c\x78\xee\xe8\x39\x72\x09\x00\xc5\x05\xcc\x01\x3c\x12\x63\xdc\xf2\x7b\x6c\x0f\x87\xfc\xb8\x7f\x40\xcb\x6b\xde\x31\x54\xcc\xd6\x3e\x65\xa4\x8c\x86\xc5\x8a\x38\x57\xf6\x8f\x88\x08\x20\x3f\xb2\x8d\x95\xe7\x4a\x18\x65\xeb\x8f\x82\xfe\x95\x35\x62\xa1\x47\x51\xed\x18\xf2\x51\xe5\x11\x53\x70\xd2\xbc\x19\x14\x5c\xcf\x3a\xbe\xae\x4c\x81\xfb\x1d\x97\xf6\x2e\x03\x5d\xb7\x3d\x11\xab\x7e\xc5\x96\xbc\x7a\x36\x86\x55\xc6", 190); res = -1; res = syz_usb_connect(4, 0x4f, 0x20002080, 0x20002640); if (res != -1) r[13] = res; break; case 39: memcpy((void*)0x200026c0, "\x01\xdf\x42\x94\xf0\x1f\xe1\xf9\x43\xb7\x80\xcc\xad\x76\xab\x8a\x48\x35\x3c\xbc\xe5\x48\x12\x83\xfb\x7d\x07\xe3\x29\x52\x05\x54\x49\xb6\x58\x1b\x36\x93\xb6\x7e\xde\xa7\xf1\x03\x54\x2f\xd1\xdc\xcf\x21\xa4\xf8\xce\x11\xf5\x24\x82\xa5\x50\xdd\x31\x99\xda\x83\x0c\x3e\x19\xff\x1a\x99\x6c\xe1\x42\x4b\x13\x49\x5e\x70\x4b\xe3\xf8\xc1\x06\xd0\x83\x38\xa6\x9d\xb2\x9c\x70\xd0\x40\xba\x40\x50\x16\xd9\x02\x55\xd8\x1d\x11\x5d\x9c\x6c\x9c\x13\xb9\x57\x89\xba\x2d\x4e\xe0\xf0\x05\xd9\x5b", 119); syz_usb_ep_write(r[13], 8, 0x77, 0x200026c0); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); use_temporary_dir(); do_sandbox_setuid(); return 0; } : In function ‘syz_io_uring_setup’: :281:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :281:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor767397405 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/21 (0.63s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:true VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_usb() { if (chmod("/dev/raw-gadget", 0666)) exit(1); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 40; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 26 ? 50 : 0) + (call == 32 ? 3000 : 0) + (call == 33 ? 3000 : 0) + (call == 34 ? 300 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 3000 : 0) + (call == 39 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/dsp\000", 9); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); break; case 2: syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); break; case 3: memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); if (res != -1) r[1] = res; break; case 4: *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); break; case 5: syscall(__NR_socket, 0xaul, 5ul, 0x84); break; case 6: memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20000240, 8, 0x40040); if (res != -1) r[2] = res; break; case 7: *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); break; case 8: *(uint32_t*)0x20000300 = 0x14; syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); break; case 9: syscall(__NR_socket, 4ul, 2ul, 0); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); break; case 11: *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; break; case 12: memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); syz_execute_func(0x20000140); break; case 13: break; case 14: memcpy((void*)0x200001c0, "SEG6\000", 5); syz_genetlink_get_family_id(0x200001c0); break; case 15: syz_init_net_socket(3, 2, 0xc4); break; case 16: res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); if (res != -1) r[3] = res; break; case 17: syz_io_uring_complete(r[3]); break; case 18: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); if (res != -1) r[4] = *(uint32_t*)0x20000218; break; case 19: res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); if (res != -1) r[5] = res; break; case 20: memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); if (res != -1) r[6] = res; break; case 21: res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); if (res != -1) r[7] = res; break; case 22: *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint32_t*)0x20000394 = 1; *(uint32_t*)0x20000398 = 0; *(uint64_t*)0x200003a0 = 1; *(uint16_t*)0x200003a8 = 0; *(uint16_t*)0x200003aa = r[7]; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; *(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; syz_io_uring_submit(r[3], r[5], 0x20000380, 5); break; case 23: *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0x200003c0; memcpy((void*)0x200003c0, "\xc6\x6b\xf5\x1c\x00\x3b\x68\x4c\xd1\xf5\x6d\x7d\xbc\xd2\xde\xa7\x67\x52\x93\xe4\xd0\x16\x95\x5f\xb8\x84\x32\x0c\xce\xfe\xf5\x21\x42\xee\xf0\xb6\x1d\x38\x99\x59\xe4\xe4\x75\x07\x5b\x6b\x11\xcd\xbe\x1c", 50); *(uint64_t*)0x20000410 = 0x32; *(uint64_t*)0x20000440 = 1; *(uint64_t*)0x20000448 = 0; syz_kvm_setup_cpu(r[6], -1, 0x20fe7000, 0x20000400, 1, 0, 0x20000440, 1); break; case 24: res = syscall(__NR_mmap, 0x20ffb000ul, 0x4000ul, 0x2000000ul, 0x1000ul, -1, 0x8000000ul); if (res != -1) r[8] = res; break; case 25: *(uint32_t*)0x20000480 = 1; syz_memcpy_off(r[8], 0x114, 0x20000480, 0, 4); break; case 26: memcpy((void*)0x200004c0, "afs\000", 4); memcpy((void*)0x20000500, "./file0\000", 8); *(uint64_t*)0x200008c0 = 0x20000540; *(uint64_t*)0x200008c8 = 0; *(uint64_t*)0x200008d0 = 0x32; *(uint64_t*)0x200008d8 = 0x20000580; memcpy((void*)0x20000580, "\x3a\x7a\x72\xca\x9b\x2a\x42\x2a\xfb\xeb\xa2\xd7\xa8\x43\x38\xcb\x03\x95\x18\x39\x45\x1a\xf3\xf3\x03\x1d\x00\x30\xdb\x11\xa0\x8c\x0e\xb2\x24\x4d\xab\x7f\x4f\xd9\x44\x2c\xd5\x53\x70\xfb\xac\xdc\x33\x0d\x3e\xe2\x18\x81\x37\xd0\xad\x97\x72\xc7\xae\x54\xfa\xe9\x2d\x19\x41\xe0\x49\xbd\xcb\x3b\x8f\x64\x5e\xa6\xa7\xd7\x46\x40\x42\x86\xd5\x6d\xfd\x7a\x41\xfb\x29\xe2\x98\x7d\x8d\x73\xb3\x67\x9f\xae\x42\x7f\x5a\xf0\x81\x85\xe4\xff\xda\x15\x32\x28\xa3\xac\x82\xbf\x94\xf1\x77\x52\xed\x78\xdf\xe5\xb9\xa4", 124); *(uint64_t*)0x200008e0 = 0x7c; *(uint64_t*)0x200008e8 = 0xee5; *(uint64_t*)0x200008f0 = 0x20000600; memcpy((void*)0x20000600, "\xa9\x63\xe9\x74\x3e\x9c\x3d\x09\x2a\x0a\xb1\xd6\x8a\x13\xfe\x85\xf8\x0e\xd9\x43\x58\xab\x9a\xd4\x02\x9d\xff\x34\x33\xa3\x22\x3c\x65\x0d\x6a\x96\x50\x5e\xc9\xa3\xd6\xcd\x09\xad\x3f\x26\x8f\xcd\xd1\x24\x8a\xa4\x3e\xf1\x38\xa7\x9b\x0c\x4c\x11\x6f\x71\x78\xb5\xfc\x5c\xc4\x9f\xa3\x03\x20\x1e\x8c\x7e\xf4\xe3\x22\x43\x41\x05\xec\xdc\x91\x2a\xe6\x72\x51\x0b\x34\xc0\x1a\xa3\x89\x0c\x90\xf2\x72\x00\xde\x2b\x65\xc4\xbd\x20", 104); *(uint64_t*)0x200008f8 = 0x68; *(uint64_t*)0x20000900 = 0x10000; *(uint64_t*)0x20000908 = 0x20000680; memcpy((void*)0x20000680, "\x6a\xc4\x43\xef\xa9\x85\x5d\xda\x4f\xa3\xa9\x82\xab\xc0\x60\xeb\xf1\xa6\x78\x5f\xeb\xa7\x7c\xd7\x0d\x48\x6a\x29\xf4", 29); *(uint64_t*)0x20000910 = 0x1d; *(uint64_t*)0x20000918 = 2; *(uint64_t*)0x20000920 = 0x200006c0; memcpy((void*)0x200006c0, "\x32\x29\x20\x2f\xd1\x3c\x8a\xb6\xd5\x54\xd8\xdf\xb6\xa8\x66\x18\x05\xf5\x3c\x5e\x81\x67\x1b\xf5\xd7\x02\xaa\x4c\x17\xca\xd1\x07\xcf\xc6\xa8\xfe\x70\x2b\x26\x94\x2c\x63\x2a\x4e\xd0\xe1\x01\x04\x40\xb5\x1b\x99\x78\x5c\x11\x2a\x0b\xda\x8c\x28\x62\x67\xac\x9c\xb4\xe6\x95\x37\x6a\x13\xd9\x93\x7d\xfe\x15\x42\x39\xc4\xea\x04\xf3\x85\x39\xa8\xe5\x57\xdb\xcc\x89\x09\x42\x0c\x76\xb2\x58\x7b\x42\xaa\x2d\x61\xbf\x39\x5f\xe9\x13\xba\xd8\x6d\xdf\x17\xa8\xf1\xb3\x21\x2d\x0f\x0a\x6b\xc2\xe7\x84\x1e\xf2\xe2\xee\x0b\xe0\x59\x01\xf0\x28\xc7\xc6\x5e\x1c\x2c\xb6\x41\xf5\x56\x50\x8f\xbf\x32\x2d\xa0\x30\xde\x78\x46\xad\x39\x00\x40\x82\xc1\x28\xa0\xff\xb6\x0c\x1b\x80\x1b\xfd\x69\xa0\xe5\xf3\x7b\x51\xfe\xb7\x8d\x97\x24\x0f\x45\xf3\xce\x17\xa2\x8a\xbb\xd8\x9b\xd1\x6c\xd2\xd0\x6c\x74\x48\x89\x90\xab\xa3\x6f\xf0\x06\xe8\xae\x36\x22\xec\x18\xfa\x76\xb7\x67\xbe\x88\xf1\x92\xf9\x4a\xf1\x5e\x23\xd7\x42\x17\x73\x8a\x1d\x48\xef\x2c\x3e\x1c\x0a\x55\x72\x03\x04\x5e\x3b\xa2\x5e\x9c\xd3\x8e\xfa\x64", 244); *(uint64_t*)0x20000928 = 0xf4; *(uint64_t*)0x20000930 = 6; *(uint64_t*)0x20000938 = 0x200007c0; memcpy((void*)0x200007c0, "\x41\x4d\x78\x40\x34\x90\x27\x5a\x20\x64\x95\xf9\x3c\xf6\x22\x29\x59\x6a\x76\xf6\x22\xd4\x2e\x73\x7b\xfa\x14\x8f\xc2\x38\x5d\x9c\x82\x94\x6c\xe9\x5d\x9b\x76\x65\xc1\x48\xbf\xd7\x23\xf5\x24\x8f\xfc\xb6\xa4\xfc\x82\x65\xde\x9d\xa9\xe3\x4f\xf0\x57\x7d\xd7\x19\x23\x3d\x7e\xf9\x61\x0b\x9b\x9d\x98\xd4\xf2\xce\xdc\xc5\x35\x1c\xb7\x23\x4e\x0a\x83\x45\xf8\x1e\x60\x3a\x00\x2c\x13\xd8\x98\xf1\x08\x46\x56\xc5\x1b\xe0\x05\x26\xc6\xb7\x97\x7b\x28\x78\x09\x59\x1c\x51\xa2\x88\xac\xec\x3e\x57\x0a\x94\xcc\x77\x42\x01\x95\xf2\xa8\x1a\x77\x89\x6f\x9f\x08\x1b\x17\x3c\x24\xad\xa2\x30\x41\xea\x2e\x72\x53\x69\x86\x01\xd8\x37\x69\x09\x4d\x34\x89", 157); *(uint64_t*)0x20000940 = 0x9d; *(uint64_t*)0x20000948 = 1; *(uint64_t*)0x20000950 = 0x20000880; memcpy((void*)0x20000880, "\x3c\xc0\xa1\x54\x97\x7d\x26\x88\x2d\x94\xf1\xc1\x08\xa6\x28\x7b\x15\xe8\x35\xbf\x2d\x9e\xbc\xfd\x92\x5c\x45\x69\xc9\xde\x9d\x46\x3b\x92\x91\x58\x99\x0d\x2f\x48", 40); *(uint64_t*)0x20000958 = 0x28; *(uint64_t*)0x20000960 = 0xfffffffffffffbff; memcpy((void*)0x20000980, "flock=strict", 12); *(uint8_t*)0x2000098c = 0x2c; memcpy((void*)0x2000098d, "flock=write", 11); *(uint8_t*)0x20000998 = 0x2c; memcpy((void*)0x20000999, "source", 6); *(uint8_t*)0x2000099f = 0x3d; memcpy((void*)0x200009a0, "\353", 1); *(uint8_t*)0x200009a1 = 0x2c; memcpy((void*)0x200009a2, "autocell", 8); *(uint8_t*)0x200009aa = 0x2c; *(uint8_t*)0x200009ab = 0; syz_mount_image(0x200004c0, 0x20000500, 0x1f, 7, 0x200008c0, 0x1015005, 0x20000980); break; case 27: memcpy((void*)0x200009c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200009c0, 0x10000, 0x6840); break; case 28: *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0; *(uint32_t*)0x20000a4c = 3; *(uint64_t*)0x20000a50 = 0x20000a00; memcpy((void*)0x20000a00, ".\\\000", 3); *(uint32_t*)0x20000a58 = 0; *(uint32_t*)0x20000a5c = 0; *(uint64_t*)0x20000a60 = 0; *(uint64_t*)0x20000a68 = 0; res = syscall(__NR_bpf, 0x14ul, 0x20000a40ul, 0x30ul); if (res != -1) r[9] = *(uint32_t*)0x20000a40; break; case 29: memcpy((void*)0x20000a80, "status\000", 7); syz_open_procfs(r[9], 0x20000a80); break; case 30: syz_open_pts(-1, 0x8000); break; case 31: syz_read_part_table(6, 0, 0x20000ac0); break; case 32: *(uint8_t*)0x20000b00 = 0x12; *(uint8_t*)0x20000b01 = 1; *(uint16_t*)0x20000b02 = 0x250; *(uint8_t*)0x20000b04 = 0xa8; *(uint8_t*)0x20000b05 = 0x9c; *(uint8_t*)0x20000b06 = 0xcc; *(uint8_t*)0x20000b07 = -1; *(uint16_t*)0x20000b08 = 0x499; *(uint16_t*)0x20000b0a = 0x150c; *(uint16_t*)0x20000b0c = 0xbaf4; *(uint8_t*)0x20000b0e = 1; *(uint8_t*)0x20000b0f = 2; *(uint8_t*)0x20000b10 = 3; *(uint8_t*)0x20000b11 = 1; *(uint8_t*)0x20000b12 = 9; *(uint8_t*)0x20000b13 = 2; *(uint16_t*)0x20000b14 = 0x702; *(uint8_t*)0x20000b16 = 3; *(uint8_t*)0x20000b17 = 2; *(uint8_t*)0x20000b18 = 5; *(uint8_t*)0x20000b19 = 0x80; *(uint8_t*)0x20000b1a = 0x1f; *(uint8_t*)0x20000b1b = 9; *(uint8_t*)0x20000b1c = 4; *(uint8_t*)0x20000b1d = 0x7d; *(uint8_t*)0x20000b1e = 0; *(uint8_t*)0x20000b1f = 0xb; *(uint8_t*)0x20000b20 = 0x5c; *(uint8_t*)0x20000b21 = 0x68; *(uint8_t*)0x20000b22 = 0x45; *(uint8_t*)0x20000b23 = 0xb8; *(uint8_t*)0x20000b24 = 0x64; *(uint8_t*)0x20000b25 = 0xe6; memcpy((void*)0x20000b26, "\x25\xbb\xa1\x93\x73\x4e\x4e\xb8\x7c\xbd\x6a\x4c\x96\x1e\xf0\x1e\x6c\x96\x0f\xa2\x7d\xe2\xe0\xb2\x88\x3e\x73\xbc\xb5\x6b\x37\x1c\xc2\xf9\x4a\x39\xee\x59\xf2\x12\x37\xd7\xfd\x38\xba\xfe\xa3\xbe\xbf\x15\x96\x7e\x66\xfd\xa6\x11\x4d\x34\xb3\x49\xe1\x86\x8e\xf9\x5c\xc0\xa0\x63\x05\xd0\x16\xcd\x2c\xc7\x23\x33\x40\x35\xa1\x10\xf9\xda\x19\x7a\xfa\x79\xa6\xb0\x45\xfa\xc5\xf7\xd5\xbb\x63\x9e\x45\x41", 98); *(uint8_t*)0x20000b88 = 0xa; *(uint8_t*)0x20000b89 = 0x24; *(uint8_t*)0x20000b8a = 1; *(uint16_t*)0x20000b8b = 7; *(uint8_t*)0x20000b8d = 0x80; *(uint8_t*)0x20000b8e = 2; *(uint8_t*)0x20000b8f = 1; *(uint8_t*)0x20000b90 = 2; *(uint8_t*)0x20000b91 = 9; *(uint8_t*)0x20000b92 = 5; *(uint8_t*)0x20000b93 = 1; *(uint8_t*)0x20000b94 = 3; *(uint16_t*)0x20000b95 = 0x200; *(uint8_t*)0x20000b97 = 0x81; *(uint8_t*)0x20000b98 = 1; *(uint8_t*)0x20000b99 = 9; *(uint8_t*)0x20000b9a = 7; *(uint8_t*)0x20000b9b = 0x25; *(uint8_t*)0x20000b9c = 1; *(uint8_t*)0x20000b9d = 1; *(uint8_t*)0x20000b9e = 9; *(uint16_t*)0x20000b9f = 0x1000; *(uint8_t*)0x20000ba1 = 9; *(uint8_t*)0x20000ba2 = 5; *(uint8_t*)0x20000ba3 = 6; *(uint8_t*)0x20000ba4 = 8; *(uint16_t*)0x20000ba5 = 0x400; *(uint8_t*)0x20000ba7 = 0xe8; *(uint8_t*)0x20000ba8 = 0xc6; *(uint8_t*)0x20000ba9 = -1; *(uint8_t*)0x20000baa = 7; *(uint8_t*)0x20000bab = 0x25; *(uint8_t*)0x20000bac = 1; *(uint8_t*)0x20000bad = 1; *(uint8_t*)0x20000bae = 0x81; *(uint16_t*)0x20000baf = 6; *(uint8_t*)0x20000bb1 = 9; *(uint8_t*)0x20000bb2 = 5; *(uint8_t*)0x20000bb3 = 0xd; *(uint8_t*)0x20000bb4 = 0; *(uint16_t*)0x20000bb5 = 0x20; *(uint8_t*)0x20000bb7 = 8; *(uint8_t*)0x20000bb8 = 0xb4; *(uint8_t*)0x20000bb9 = 3; *(uint8_t*)0x20000bba = 9; *(uint8_t*)0x20000bbb = 5; *(uint8_t*)0x20000bbc = 2; *(uint8_t*)0x20000bbd = 1; *(uint16_t*)0x20000bbe = 0x200; *(uint8_t*)0x20000bc0 = 2; *(uint8_t*)0x20000bc1 = 6; *(uint8_t*)0x20000bc2 = 0x20; *(uint8_t*)0x20000bc3 = 9; *(uint8_t*)0x20000bc4 = 5; *(uint8_t*)0x20000bc5 = 7; *(uint8_t*)0x20000bc6 = 2; *(uint16_t*)0x20000bc7 = 0x3ff; *(uint8_t*)0x20000bc9 = 0x29; *(uint8_t*)0x20000bca = 4; *(uint8_t*)0x20000bcb = 0x4c; *(uint8_t*)0x20000bcc = 9; *(uint8_t*)0x20000bcd = 5; *(uint8_t*)0x20000bce = 5; *(uint8_t*)0x20000bcf = 0; *(uint16_t*)0x20000bd0 = 0x200; *(uint8_t*)0x20000bd2 = 2; *(uint8_t*)0x20000bd3 = 0x22; *(uint8_t*)0x20000bd4 = 5; *(uint8_t*)0x20000bd5 = 7; *(uint8_t*)0x20000bd6 = 0x25; *(uint8_t*)0x20000bd7 = 1; *(uint8_t*)0x20000bd8 = 0; *(uint8_t*)0x20000bd9 = 7; *(uint16_t*)0x20000bda = 0x27; *(uint8_t*)0x20000bdc = 9; *(uint8_t*)0x20000bdd = 5; *(uint8_t*)0x20000bde = 0xe; *(uint8_t*)0x20000bdf = 0xc; *(uint16_t*)0x20000be0 = 0x20; *(uint8_t*)0x20000be2 = 0x40; *(uint8_t*)0x20000be3 = 9; *(uint8_t*)0x20000be4 = 0x1f; *(uint8_t*)0x20000be5 = 0x4f; *(uint8_t*)0x20000be6 = 1; memcpy((void*)0x20000be7, "\xf1\x48\xd8\x44\x07\xf5\xb8\xdf\xda\x7c\x13\xb6\x82\x81\xb7\xd1\x42\x09\x55\x10\x93\xf9\x1b\x2d\x8f\x89\x1d\x9f\x3b\x8f\xf0\x7a\x8c\x2b\x56\xbc\xbf\xa7\x44\xea\x1d\xa6\x9f\xb1\x16\xc7\x1d\x11\xfa\x13\xb6\xa2\xc4\x64\xe6\x5d\x7c\x70\x6a\xe2\x5e\x0a\xd8\x36\xd3\x28\xf3\x09\x28\xaf\x26\xfe\x9d\x4f\x3f\x1d\xc1", 77); *(uint8_t*)0x20000c34 = 7; *(uint8_t*)0x20000c35 = 0x25; *(uint8_t*)0x20000c36 = 1; *(uint8_t*)0x20000c37 = 0x82; *(uint8_t*)0x20000c38 = 0x18; *(uint16_t*)0x20000c39 = 0xfc0; *(uint8_t*)0x20000c3b = 9; *(uint8_t*)0x20000c3c = 5; *(uint8_t*)0x20000c3d = 4; *(uint8_t*)0x20000c3e = 0; *(uint16_t*)0x20000c3f = 0x400; *(uint8_t*)0x20000c41 = 0; *(uint8_t*)0x20000c42 = 0x80; *(uint8_t*)0x20000c43 = 7; *(uint8_t*)0x20000c44 = 7; *(uint8_t*)0x20000c45 = 0x25; *(uint8_t*)0x20000c46 = 1; *(uint8_t*)0x20000c47 = 2; *(uint8_t*)0x20000c48 = 4; *(uint16_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4b = 0xf7; *(uint8_t*)0x20000c4c = 0x30; memcpy((void*)0x20000c4d, "\xab\xdd\xdd\x4f\x9b\x3f\x7c\x94\x0f\x59\xac\x5d\x6a\xc2\x20\xf7\x66\x83\x45\x97\x34\x86\x90\xed\xd4\x5d\xbc\xad\x8d\x72\x00\xdb\x71\x84\x99\x1d\x25\x39\xdf\x54\xe5\xad\x82\xe5\xd5\x8b\x03\x66\xea\x3b\x34\x1b\xe9\xa3\x0b\x4b\x2b\xd6\x6b\xf0\x04\x79\x62\x8c\xb4\x77\xc8\x29\x38\xf8\xd3\xc1\x06\xa7\xe1\x8b\x0e\x54\x85\xa0\xb1\x61\x1a\xba\x1d\x8a\xd3\xc7\x40\xfc\x3d\x9a\xcc\xb5\xd7\xb2\x93\xb9\x0b\x16\x8c\x3f\x2c\x69\x79\x81\x35\xb5\x62\x47\x5f\xe2\xa3\xb8\xf6\x19\x57\x22\x51\x66\x27\x87\xbf\x74\x9f\x67\x3a\x35\xee\x80\xea\x76\xed\xd0\xfc\x7b\x31\x77\xf2\x4f\x50\xd6\x8a\xce\xd6\x90\x2e\xcf\x5e\x0a\x1d\x31\x26\xd9\x53\x09\x46\xab\xac\x7a\x85\x79\x91\x94\x74\x8f\x34\xee\xf3\xe2\x49\xc0\xed\xe1\x51\x1b\x67\x62\x6c\x06\x32\x2b\xa0\xb3\x13\x3a\xd7\xea\xb4\x6c\xc0\x7a\x99\x5f\x01\x1d\x24\x78\x19\x83\xc1\x70\x9a\x03\xac\x2e\xf1\x65\xa9\xb9\x1e\xd9\xe7\x5e\x22\x19\x05\xa9\x32\xc3\x50\x1d\x40\x56\x69\x16\xd6\x3f\x2f\xae\x4e\x97\x98\xfa\xb8\xe1\x6a\x1d\x36\x4f\x01\x9c\x0e\xbd\xb0", 245); *(uint8_t*)0x20000d42 = 9; *(uint8_t*)0x20000d43 = 5; *(uint8_t*)0x20000d44 = 2; *(uint8_t*)0x20000d45 = 0; *(uint16_t*)0x20000d46 = 0x40; *(uint8_t*)0x20000d48 = 0xfe; *(uint8_t*)0x20000d49 = 0x20; *(uint8_t*)0x20000d4a = 9; *(uint8_t*)0x20000d4b = 0xed; *(uint8_t*)0x20000d4c = 1; memcpy((void*)0x20000d4d, "\x97\x48\x0b\x61\x9e\xce\x34\x91\x71\x8d\x87\x0d\x13\x33\xf7\xf3\xcb\xe0\x33\x67\xac\x7f\x15\xbe\x17\x93\xcf\x2d\x63\x5a\xf6\x7a\xf8\x8c\xfe\xa5\x26\xad\x45\xea\x67\xc3\x9a\xde\x3d\x19\x91\x8d\x55\xea\x59\x8a\x78\x07\xfd\x2c\x56\xad\xdf\xb5\x2f\x42\x75\x6b\xfc\x60\x2c\x04\x56\x0e\x98\x1a\x38\x78\x3c\xa3\xdd\x8b\xa4\x31\xc2\x67\x59\x2b\xc0\x04\xb2\xf5\x3e\x49\x08\x2d\xac\x6a\x78\x48\xb9\x29\xdc\xf5\x3f\x15\x1f\x4c\x9a\xe6\xf8\x91\x2f\xff\xd9\x19\x9b\xcd\xcd\x8b\x95\xfd\xc2\xdf\xaa\x22\xd3\xa7\x31\xf3\xc4\xaa\x34\x47\xd4\x18\x3b\x1c\xb4\xcc\xce\xb3\x6e\x69\x37\xf2\x27\x5c\x89\xce\x0b\xa8\x3f\x40\xc2\xc7\xdb\xf1\x3b\x41\x77\x0a\x0f\x12\x5b\x10\xde\xd7\xee\xfe\x7a\x18\x24\xf9\xee\xf4\x93\x83\x10\xa5\x5c\x12\x1b\xf1\xa9\x25\x9f\x55\x16\x72\xb8\xa0\xa5\x2f\xea\xc5\xcb\xc5\xab\x96\xa5\x49\x1e\xf5\x33\xd7\xbe\x14\x76\x4e\x9d\xa5\x31\xff\xef\x82\xf8\x61\x2a\x74\x0f\xb5\x87\x56\xf7\xcb\x60\x92\xab\xb1\x5a\xa6\xcf\x04\x94\xcb\x71\x06\xf1", 235); *(uint8_t*)0x20000e38 = 0xd3; *(uint8_t*)0x20000e39 = 8; memcpy((void*)0x20000e3a, "\x4e\x8e\x03\x4e\xe9\x75\x01\xac\x38\x25\x74\xd2\xa7\x25\x27\xc5\xe0\xc8\x32\x61\x8b\xc6\xa1\xea\x16\xc3\xf3\x23\x25\x89\x71\x63\x3a\x03\x33\x99\x1a\xd9\x97\x54\xb0\x06\xc9\x5c\x4d\xe5\xf9\x01\xec\x1b\x8d\x86\xbd\x47\xc5\x64\xbd\x2a\xef\x08\xdf\x3c\x22\x4a\x3e\x6e\x40\x84\x65\x54\xee\xd2\x73\x4d\x71\xce\x33\x92\x96\x7e\xf5\x5c\x96\xb3\xda\x0a\xa5\x48\x1f\x31\xc3\x51\xcf\x18\x59\xcb\xee\x24\x4e\x75\x1c\x60\xcf\xad\xc2\x33\xcb\x60\x02\xee\x6f\xf4\xcc\x2c\x9b\x76\x37\x8f\x5b\x6e\x41\x0c\x01\x4f\x25\xcb\x9f\xff\x68\xf8\xa6\xff\x5b\x81\xb6\xd0\x9b\x9c\x7a\x2a\xaf\x84\x8b\xd2\x47\xed\x21\xb1\x3a\xa8\xd3\x5b\xcb\x7b\xf2\xfa\x6b\x8c\xbf\x55\x29\x9e\xdb\xce\x15\xe7\x88\xd1\xf9\x3c\xff\x32\x23\x99\x24\x9a\xc0\x80\xf2\xd4\x7b\xd3\xf2\x7e\x7a\x6d\xe1\x84\x90\x48\x11\x72\x25\x36\xd0\xa2\x33\x0e\x3e\x51\x11\x46\xfa\xab\x98\x64\xd1\xb1\x83", 209); *(uint8_t*)0x20000f0b = 9; *(uint8_t*)0x20000f0c = 5; *(uint8_t*)0x20000f0d = 0xb; *(uint8_t*)0x20000f0e = 0; *(uint16_t*)0x20000f0f = 0x10; *(uint8_t*)0x20000f11 = 0x2c; *(uint8_t*)0x20000f12 = 9; *(uint8_t*)0x20000f13 = 6; *(uint8_t*)0x20000f14 = 7; *(uint8_t*)0x20000f15 = 0x25; *(uint8_t*)0x20000f16 = 1; *(uint8_t*)0x20000f17 = 0x80; *(uint8_t*)0x20000f18 = 0xc9; *(uint16_t*)0x20000f19 = 0xbb; *(uint8_t*)0x20000f1b = 0x1f; *(uint8_t*)0x20000f1c = 0x31; memcpy((void*)0x20000f1d, "\xe4\x4d\x51\xa1\x5a\x72\x0f\x09\x9d\xad\xeb\x93\x26\x25\x52\xa9\x35\x42\x42\x29\xd3\xf4\xd1\x2e\xdc\x1b\xaa\x9f\x88", 29); *(uint8_t*)0x20000f3a = 9; *(uint8_t*)0x20000f3b = 5; *(uint8_t*)0x20000f3c = 0xc; *(uint8_t*)0x20000f3d = 0; *(uint16_t*)0x20000f3e = 8; *(uint8_t*)0x20000f40 = 0x49; *(uint8_t*)0x20000f41 = 0x40; *(uint8_t*)0x20000f42 = 0x55; *(uint8_t*)0x20000f43 = 9; *(uint8_t*)0x20000f44 = 4; *(uint8_t*)0x20000f45 = 0xfe; *(uint8_t*)0x20000f46 = 0x33; *(uint8_t*)0x20000f47 = 2; *(uint8_t*)0x20000f48 = 0xa2; *(uint8_t*)0x20000f49 = 0x17; *(uint8_t*)0x20000f4a = 0x9a; *(uint8_t*)0x20000f4b = 2; *(uint8_t*)0x20000f4c = 9; *(uint8_t*)0x20000f4d = 0x24; *(uint8_t*)0x20000f4e = 6; *(uint8_t*)0x20000f4f = 0; *(uint8_t*)0x20000f50 = 1; memcpy((void*)0x20000f51, "\xfb\x7f\xfd\xe8", 4); *(uint8_t*)0x20000f55 = 5; *(uint8_t*)0x20000f56 = 0x24; *(uint8_t*)0x20000f57 = 0; *(uint16_t*)0x20000f58 = 1; *(uint8_t*)0x20000f5a = 0xd; *(uint8_t*)0x20000f5b = 0x24; *(uint8_t*)0x20000f5c = 0xf; *(uint8_t*)0x20000f5d = 1; *(uint32_t*)0x20000f5e = 4; *(uint16_t*)0x20000f62 = 0x9f54; *(uint16_t*)0x20000f64 = 0x267; *(uint8_t*)0x20000f66 = 1; *(uint8_t*)0x20000f67 = 6; *(uint8_t*)0x20000f68 = 0x24; *(uint8_t*)0x20000f69 = 0x1a; *(uint16_t*)0x20000f6a = 9; *(uint8_t*)0x20000f6c = 9; *(uint8_t*)0x20000f6d = 0xc; *(uint8_t*)0x20000f6e = 0x24; *(uint8_t*)0x20000f6f = 0x1b; *(uint16_t*)0x20000f70 = -1; *(uint16_t*)0x20000f72 = 1; *(uint8_t*)0x20000f74 = 0x20; *(uint8_t*)0x20000f75 = 6; *(uint16_t*)0x20000f76 = 6; *(uint8_t*)0x20000f78 = 6; *(uint8_t*)0x20000f79 = 0x15; *(uint8_t*)0x20000f7a = 0x24; *(uint8_t*)0x20000f7b = 0x12; *(uint16_t*)0x20000f7c = 3; *(uint64_t*)0x20000f7e = 0x14f5e048ba817a3; *(uint64_t*)0x20000f86 = 0x2a397ecbffc007a6; *(uint8_t*)0x20000f8e = 0xc; *(uint8_t*)0x20000f8f = 0x24; *(uint8_t*)0x20000f90 = 0x1b; *(uint16_t*)0x20000f91 = 0x91; *(uint16_t*)0x20000f93 = 5; *(uint8_t*)0x20000f95 = 1; *(uint8_t*)0x20000f96 = -1; *(uint16_t*)0x20000f97 = 5; *(uint8_t*)0x20000f99 = 0x35; *(uint8_t*)0x20000f9a = 4; *(uint8_t*)0x20000f9b = 0x24; *(uint8_t*)0x20000f9c = 2; *(uint8_t*)0x20000f9d = 1; *(uint8_t*)0x20000f9e = 9; *(uint8_t*)0x20000f9f = 5; *(uint8_t*)0x20000fa0 = 0xa; *(uint8_t*)0x20000fa1 = 0x10; *(uint16_t*)0x20000fa2 = 8; *(uint8_t*)0x20000fa4 = 0x80; *(uint8_t*)0x20000fa5 = 0xc1; *(uint8_t*)0x20000fa6 = 4; *(uint8_t*)0x20000fa7 = 0xb8; *(uint8_t*)0x20000fa8 = 0x30; memcpy((void*)0x20000fa9, "\xe3\x84\xdc\xf0\x3a\xc3\x95\x40\xe5\xa2\x21\x99\xf7\x1a\x53\xba\x42\x8c\x3b\x72\x02\x90\xf0\x27\x6b\xcc\xa0\xcd\x15\x40\x5f\x6c\x93\x04\x97\xaf\x5e\xb3\x20\xa4\x33\xcc\x55\x3d\x6e\x01\x08\xed\xbf\x79\x3e\xf0\x24\x0f\xf2\x69\xb4\xff\x96\xd6\x82\x2b\xcb\x48\xce\xba\xe2\xa5\xce\xad\x65\x78\x6e\xbe\xcd\x5f\x30\x0c\x08\x60\x6d\x33\x22\xb8\x36\x00\x29\xbd\x21\x31\x2d\xac\x49\x33\x61\xe1\xb0\x8f\x2a\xdc\xa4\xdc\x49\xa0\x04\xfe\xfd\xf7\xa3\xa5\x25\xae\x5d\xe1\x1f\x0a\x69\x1a\x41\xb8\x69\xd9\xb9\xa5\xd9\x0d\x5a\x7b\x5e\xbe\x9e\x57\x73\xb9\x7e\xfe\x98\xe3\x89\x53\x77\xa4\x24\xe3\x0e\xf2\x2f\xd2\xff\xa2\x53\x2f\x1b\xb3\xc1\xa4\xe3\xb8\x6a\xfc\x08\xb2\x65\x9a\xa2\xe5\x56\xf1\x90\xe2\x7f\x83\x61\x9a\x16\x18\xd3\x71\xe1\x02\xc5\x58", 182); *(uint8_t*)0x2000105f = 9; *(uint8_t*)0x20001060 = 5; *(uint8_t*)0x20001061 = 0x80; *(uint8_t*)0x20001062 = 1; *(uint16_t*)0x20001063 = 0x40; *(uint8_t*)0x20001065 = 4; *(uint8_t*)0x20001066 = 0; *(uint8_t*)0x20001067 = 0x1f; *(uint8_t*)0x20001068 = 9; *(uint8_t*)0x20001069 = 4; *(uint8_t*)0x2000106a = 0x74; *(uint8_t*)0x2000106b = 0x90; *(uint8_t*)0x2000106c = 0xa; *(uint8_t*)0x2000106d = -1; *(uint8_t*)0x2000106e = 0x5d; *(uint8_t*)0x2000106f = 1; *(uint8_t*)0x20001070 = 0x81; *(uint8_t*)0x20001071 = 0x6c; *(uint8_t*)0x20001072 = 4; memcpy((void*)0x20001073, "\xde\xaf\x84\x76\xcc\x58\x55\xff\xb6\xd2\x2d\x6c\xeb\x29\x77\x34\x8b\xa8\x6d\xee\x7d\x9e\x22\xe0\xc4\x64\x77\xb0\x6c\x0d\xb5\x14\xbb\x53\x83\xa6\x2a\x40\x2c\xc6\xe0\x79\x5d\xdd\xa5\x10\xcf\x42\x38\xb2\xc6\x4b\x65\x7a\x11\x11\xef\xc0\xe4\xaa\xcf\x9e\x40\x80\x2d\xd0\xee\xb6\x9f\x27\x1c\x1e\x6f\xe0\xee\x5e\x9f\x48\x12\x28\x32\xe6\xa8\x0a\x4d\x7a\x66\x11\xe3\xfd\x2d\xca\x49\xd3\x51\x90\x8f\xf9\xa4\x8c\xa2\x0c\x78\xa6\x9c\x65", 106); *(uint8_t*)0x200010dd = 9; *(uint8_t*)0x200010de = 0x21; *(uint16_t*)0x200010df = 7; *(uint8_t*)0x200010e1 = 7; *(uint8_t*)0x200010e2 = 1; *(uint8_t*)0x200010e3 = 0x22; *(uint16_t*)0x200010e4 = 0xab5; *(uint8_t*)0x200010e6 = 9; *(uint8_t*)0x200010e7 = 5; *(uint8_t*)0x200010e8 = 0; *(uint8_t*)0x200010e9 = 0; *(uint16_t*)0x200010ea = 0x200; *(uint8_t*)0x200010ec = 4; *(uint8_t*)0x200010ed = 7; *(uint8_t*)0x200010ee = 0; *(uint8_t*)0x200010ef = 9; *(uint8_t*)0x200010f0 = 5; *(uint8_t*)0x200010f1 = 0x80; *(uint8_t*)0x200010f2 = 0xc; *(uint16_t*)0x200010f3 = 0x40; *(uint8_t*)0x200010f5 = 0; *(uint8_t*)0x200010f6 = 0x7f; *(uint8_t*)0x200010f7 = -1; *(uint8_t*)0x200010f8 = 7; *(uint8_t*)0x200010f9 = 0x25; *(uint8_t*)0x200010fa = 1; *(uint8_t*)0x200010fb = 0; *(uint8_t*)0x200010fc = 0; *(uint16_t*)0x200010fd = 0xff; *(uint8_t*)0x200010ff = 7; *(uint8_t*)0x20001100 = 0x25; *(uint8_t*)0x20001101 = 1; *(uint8_t*)0x20001102 = 2; *(uint8_t*)0x20001103 = 0xfa; *(uint16_t*)0x20001104 = 5; *(uint8_t*)0x20001106 = 9; *(uint8_t*)0x20001107 = 5; *(uint8_t*)0x20001108 = 3; *(uint8_t*)0x20001109 = 3; *(uint16_t*)0x2000110a = 0x3ff; *(uint8_t*)0x2000110c = 0x80; *(uint8_t*)0x2000110d = 0x7f; *(uint8_t*)0x2000110e = 8; *(uint8_t*)0x2000110f = 9; *(uint8_t*)0x20001110 = 5; *(uint8_t*)0x20001111 = 5; *(uint8_t*)0x20001112 = 1; *(uint16_t*)0x20001113 = 0x20; *(uint8_t*)0x20001115 = 4; *(uint8_t*)0x20001116 = 0x3c; *(uint8_t*)0x20001117 = 4; *(uint8_t*)0x20001118 = 7; *(uint8_t*)0x20001119 = 0x25; *(uint8_t*)0x2000111a = 1; *(uint8_t*)0x2000111b = 0x80; *(uint8_t*)0x2000111c = 0x40; *(uint16_t*)0x2000111d = 0x800; *(uint8_t*)0x2000111f = 9; *(uint8_t*)0x20001120 = 5; *(uint8_t*)0x20001121 = 0xd; *(uint8_t*)0x20001122 = 0; *(uint16_t*)0x20001123 = 0x20; *(uint8_t*)0x20001125 = -1; *(uint8_t*)0x20001126 = 0x14; *(uint8_t*)0x20001127 = 0x3f; *(uint8_t*)0x20001128 = 9; *(uint8_t*)0x20001129 = 5; *(uint8_t*)0x2000112a = 4; *(uint8_t*)0x2000112b = 0; *(uint16_t*)0x2000112c = 0x20; *(uint8_t*)0x2000112e = 1; *(uint8_t*)0x2000112f = 1; *(uint8_t*)0x20001130 = 0x56; *(uint8_t*)0x20001131 = 9; *(uint8_t*)0x20001132 = 5; *(uint8_t*)0x20001133 = 0xc; *(uint8_t*)0x20001134 = 0x10; *(uint16_t*)0x20001135 = 8; *(uint8_t*)0x20001137 = 1; *(uint8_t*)0x20001138 = 5; *(uint8_t*)0x20001139 = 2; *(uint8_t*)0x2000113a = 0x20; *(uint8_t*)0x2000113b = 4; memcpy((void*)0x2000113c, "\x6d\xdd\x41\x04\xce\xf7\xb1\xf7\xb2\xdd\xda\xbb\x24\xea\x94\xbe\x1e\x8a\xc9\xfb\xba\x62\xcd\x71\xc1\xa1\xcb\xfa\x4e\x73", 30); *(uint8_t*)0x2000115a = 9; *(uint8_t*)0x2000115b = 5; *(uint8_t*)0x2000115c = 7; *(uint8_t*)0x2000115d = 4; *(uint16_t*)0x2000115e = 0x10; *(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 6; *(uint8_t*)0x20001162 = 0xf8; *(uint8_t*)0x20001163 = 7; *(uint8_t*)0x20001164 = 0x25; *(uint8_t*)0x20001165 = 1; *(uint8_t*)0x20001166 = 0x80; *(uint8_t*)0x20001167 = 3; *(uint16_t*)0x20001168 = 0x8000; *(uint8_t*)0x2000116a = 0x98; *(uint8_t*)0x2000116b = 0x21; memcpy((void*)0x2000116c, "\xe7\xba\xc6\xd3\x44\x3c\xdf\xcd\xf9\xc2\x4b\x69\x78\xdb\xfb\x9d\xd1\x82\x4a\x59\x64\xcb\xfa\x0f\xe6\x42\x96\xd5\x79\x4c\x61\x59\xbc\x30\xb8\x02\xa5\x9b\x5c\x7a\x49\xb5\x34\x03\x5d\xf5\x6b\xbc\x48\x86\x52\xee\x31\xc6\x01\xd5\x32\x65\x07\x01\x6b\xd4\x45\xa1\xc0\x9d\xf2\x31\xcf\x57\x81\x19\x0d\xaa\xba\x0c\xbd\x84\xa1\x72\x64\x03\x27\xb8\xc1\xa1\xd9\x0b\xfa\xb1\x8f\x24\x96\x1f\xfe\x12\xa0\x48\x6a\x23\x9c\x79\xa2\x59\xc5\x37\x65\x26\x03\xdc\xbd\x4b\x2b\x73\x42\xae\x0d\x71\x5a\x75\x43\xf4\xd0\x8b\xb5\x57\xbd\xdc\xd3\xbc\xa8\x35\x90\xb5\x7c\x30\xee\xe2\xce\x95\xf6\xc7\x10\x2f\x64\x6a\xf8\x28\xa4\x96", 150); *(uint8_t*)0x20001202 = 9; *(uint8_t*)0x20001203 = 5; *(uint8_t*)0x20001204 = 2; *(uint8_t*)0x20001205 = 3; *(uint16_t*)0x20001206 = 0x400; *(uint8_t*)0x20001208 = 3; *(uint8_t*)0x20001209 = 2; *(uint8_t*)0x2000120a = 8; *(uint8_t*)0x2000120b = 9; *(uint8_t*)0x2000120c = 5; *(uint8_t*)0x2000120d = 6; *(uint8_t*)0x2000120e = 0x10; *(uint16_t*)0x2000120f = 0x20; *(uint8_t*)0x20001211 = -1; *(uint8_t*)0x20001212 = 4; *(uint8_t*)0x20001213 = 6; *(uint32_t*)0x20001540 = 0xa; *(uint64_t*)0x20001544 = 0x20001240; *(uint8_t*)0x20001240 = 0xa; *(uint8_t*)0x20001241 = 6; *(uint16_t*)0x20001242 = 0x300; *(uint8_t*)0x20001244 = -1; *(uint8_t*)0x20001245 = 0x81; *(uint8_t*)0x20001246 = 6; *(uint8_t*)0x20001247 = 0xf7; *(uint8_t*)0x20001248 = 0xc4; *(uint8_t*)0x20001249 = 0; *(uint32_t*)0x2000154c = 0xf; *(uint64_t*)0x20001550 = 0x20001280; *(uint8_t*)0x20001280 = 5; *(uint8_t*)0x20001281 = 0xf; *(uint16_t*)0x20001282 = 0xf; *(uint8_t*)0x20001284 = 1; *(uint8_t*)0x20001285 = 0xa; *(uint8_t*)0x20001286 = 0x10; *(uint8_t*)0x20001287 = 3; *(uint8_t*)0x20001288 = 0; *(uint16_t*)0x20001289 = 0; *(uint8_t*)0x2000128b = 8; *(uint8_t*)0x2000128c = 0x1f; *(uint16_t*)0x2000128d = 0xfff; *(uint32_t*)0x20001558 = 5; *(uint32_t*)0x2000155c = 4; *(uint64_t*)0x20001560 = 0x200012c0; *(uint8_t*)0x200012c0 = 4; *(uint8_t*)0x200012c1 = 3; *(uint16_t*)0x200012c2 = 0xc07; *(uint32_t*)0x20001568 = 0x54; *(uint64_t*)0x2000156c = 0x20001300; *(uint8_t*)0x20001300 = 0x54; *(uint8_t*)0x20001301 = 3; memcpy((void*)0x20001302, "\x32\x1d\x45\x7f\x2f\x5a\xb9\xfc\xb1\x11\x8c\x96\x06\x31\xfd\x85\xa7\x5e\xad\x82\x91\x36\xaa\x2a\x6c\xc0\x31\x14\x51\x03\x5f\xe1\x7b\x95\x6e\xb8\xfa\x52\xd4\x95\xa3\x11\xa6\xc0\x3f\x0a\xe8\x4c\x86\xf0\xed\x78\xda\xeb\xfa\x15\xdb\x7b\xc5\x78\x8c\x97\x24\xba\xf4\x58\x2d\xc0\xec\x1b\xa6\x68\x1a\x76\xb0\xa1\xbf\xc5\xde\x9d\xae\xcc", 82); *(uint32_t*)0x20001574 = 0xd3; *(uint64_t*)0x20001578 = 0x20001380; *(uint8_t*)0x20001380 = 0xd3; *(uint8_t*)0x20001381 = 3; memcpy((void*)0x20001382, "\x18\x33\x6f\xc5\x62\x3b\xa1\x41\x06\x34\xc4\x05\x0b\xcf\x3b\x48\x8e\xa4\x18\x67\xd0\x59\xdc\xdc\xd2\xc3\x68\xd8\x48\xfe\x51\x47\x32\x3c\x0b\xa4\xe5\x1d\x7c\xf2\xa3\xd1\x50\x25\x8f\x8c\xc2\x56\x9b\xd7\x9e\x95\x1e\xa9\x5a\x31\x8d\xe3\x1d\x14\x6c\x37\xa7\xcf\x71\x2f\x1f\xcd\x44\x03\x90\x85\x2c\x8d\x52\x16\xf8\xd2\x3a\x99\x18\xb0\xe0\x53\x52\x1e\xb6\x70\xad\x3e\xe0\xfb\x8a\x93\xa8\xd7\xba\xd7\x19\x9e\xeb\xe1\x2a\x3b\x02\x10\x7a\xc4\x54\x2b\xc6\x49\x79\x77\xe3\x30\x8b\x40\x7b\xf3\x64\x98\x2f\x4f\xc9\xc3\x30\xf9\xa7\x5c\xcb\x65\xc8\x68\x8d\x5c\x24\x7a\xd0\x6c\x20\xcc\xf0\x14\x65\xe3\xab\x09\xfc\x77\x7f\x73\x47\x4c\x2c\xd0\x53\xb8\x48\xad\x32\x55\xb5\xad\xc8\x1e\x03\x3d\x2a\x0f\xac\x50\x61\xea\x52\xda\xcf\x46\xe8\x8e\x8c\x2e\x38\x8d\xeb\x91\xd2\xd9\xfc\x12\x42\x55\x90\x93\x36\x41\x8e\x74\x3b\xda\x4c\xb4\xf7\x3c\x6b\x75\xaf\x9a\x9b", 209); *(uint32_t*)0x20001580 = 4; *(uint64_t*)0x20001584 = 0x20001480; *(uint8_t*)0x20001480 = 4; *(uint8_t*)0x20001481 = 3; *(uint16_t*)0x20001482 = 0x42b; *(uint32_t*)0x2000158c = 0x5a; *(uint64_t*)0x20001590 = 0x200014c0; *(uint8_t*)0x200014c0 = 0x5a; *(uint8_t*)0x200014c1 = 3; memcpy((void*)0x200014c2, "\x4d\x85\xf3\x14\x20\xff\x1c\xed\xa2\x5d\x11\x8d\x33\xa6\xeb\xbc\xe8\x88\xc1\x2d\x90\xeb\x54\xc8\x27\xd1\x49\xc8\xdc\xbd\x99\xf3\x89\x3b\x35\xd1\xda\x6c\x77\x6b\x1b\x5d\x08\x4b\x30\x8c\xdf\x93\x47\x41\x67\xf2\x66\x19\x9f\x44\x0a\x03\xfc\x3e\x34\x38\x03\x1b\x87\x25\xdd\xe6\x02\x9a\x62\x9c\x08\x43\xbe\xdf\x04\x8b\x84\x09\xb1\x53\xf9\x03\xd6\x57\xd2\x2b", 88); res = -1; res = syz_usb_connect(6, 0x714, 0x20000b00, 0x20001540); if (res != -1) r[10] = res; break; case 33: *(uint8_t*)0x200015c0 = 0x12; *(uint8_t*)0x200015c1 = 1; *(uint16_t*)0x200015c2 = 0x200; *(uint8_t*)0x200015c4 = -1; *(uint8_t*)0x200015c5 = -1; *(uint8_t*)0x200015c6 = -1; *(uint8_t*)0x200015c7 = 0x40; *(uint16_t*)0x200015c8 = 0xcf3; *(uint16_t*)0x200015ca = 0x9271; *(uint16_t*)0x200015cc = 0x108; *(uint8_t*)0x200015ce = 1; *(uint8_t*)0x200015cf = 2; *(uint8_t*)0x200015d0 = 3; *(uint8_t*)0x200015d1 = 1; *(uint8_t*)0x200015d2 = 9; *(uint8_t*)0x200015d3 = 2; *(uint16_t*)0x200015d4 = 0x48; *(uint8_t*)0x200015d6 = 1; *(uint8_t*)0x200015d7 = 1; *(uint8_t*)0x200015d8 = 0; *(uint8_t*)0x200015d9 = 0x80; *(uint8_t*)0x200015da = 0xfa; *(uint8_t*)0x200015db = 9; *(uint8_t*)0x200015dc = 4; *(uint8_t*)0x200015dd = 0; *(uint8_t*)0x200015de = 0; *(uint8_t*)0x200015df = 6; *(uint8_t*)0x200015e0 = -1; *(uint8_t*)0x200015e1 = 0; *(uint8_t*)0x200015e2 = 0; *(uint8_t*)0x200015e3 = 0; *(uint8_t*)0x200015e4 = 9; *(uint8_t*)0x200015e5 = 5; *(uint8_t*)0x200015e6 = 1; *(uint8_t*)0x200015e7 = 2; *(uint16_t*)0x200015e8 = 0x200; *(uint8_t*)0x200015ea = 0; *(uint8_t*)0x200015eb = 0; *(uint8_t*)0x200015ec = 0; *(uint8_t*)0x200015ed = 9; *(uint8_t*)0x200015ee = 5; *(uint8_t*)0x200015ef = 0x82; *(uint8_t*)0x200015f0 = 2; *(uint16_t*)0x200015f1 = 0x200; *(uint8_t*)0x200015f3 = 0; *(uint8_t*)0x200015f4 = 0; *(uint8_t*)0x200015f5 = 0; *(uint8_t*)0x200015f6 = 9; *(uint8_t*)0x200015f7 = 5; *(uint8_t*)0x200015f8 = 0x83; *(uint8_t*)0x200015f9 = 3; *(uint16_t*)0x200015fa = 0x40; *(uint8_t*)0x200015fc = 1; *(uint8_t*)0x200015fd = 0; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 9; *(uint8_t*)0x20001600 = 5; *(uint8_t*)0x20001601 = 4; *(uint8_t*)0x20001602 = 3; *(uint16_t*)0x20001603 = 0x40; *(uint8_t*)0x20001605 = 1; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 9; *(uint8_t*)0x20001609 = 5; *(uint8_t*)0x2000160a = 5; *(uint8_t*)0x2000160b = 2; *(uint16_t*)0x2000160c = 0x200; *(uint8_t*)0x2000160e = 0; *(uint8_t*)0x2000160f = 0; *(uint8_t*)0x20001610 = 0; *(uint8_t*)0x20001611 = 9; *(uint8_t*)0x20001612 = 5; *(uint8_t*)0x20001613 = 6; *(uint8_t*)0x20001614 = 2; *(uint16_t*)0x20001615 = 0x200; *(uint8_t*)0x20001617 = 0; *(uint8_t*)0x20001618 = 0; *(uint8_t*)0x20001619 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200015c0, 0); if (res != -1) r[11] = res; break; case 34: *(uint32_t*)0x200017c0 = 0x2c; *(uint64_t*)0x200017c4 = 0x20001640; *(uint8_t*)0x20001640 = 0; *(uint8_t*)0x20001641 = 0x24; *(uint32_t*)0x20001642 = 0x5e; *(uint8_t*)0x20001646 = 0x5e; *(uint8_t*)0x20001647 = 9; memcpy((void*)0x20001648, "\x50\xd3\x39\x2d\x02\xeb\xd2\x29\x33\x8b\x7e\x71\x70\xb9\x84\xd0\x49\x07\xf9\xce\xe9\x84\xf8\x3f\x84\xc9\x51\x8b\x9d\xd9\x17\x85\xfe\x2d\x66\xe1\x04\x26\xff\x86\xd8\xe7\xd6\x63\x53\x83\x06\x24\x01\x71\x79\x0d\x7f\x77\x66\x64\xbd\xfd\x68\xd3\xdf\x43\xcd\xf6\xd0\xe3\xab\x3d\x2a\x62\x95\x30\x92\xa2\xd7\xce\x2f\xcd\xfe\x2c\xf5\x00\x26\x86\x9a\x4b\xcd\x06\x6a\xf9\xdd\xbd", 92); *(uint64_t*)0x200017cc = 0x200016c0; *(uint8_t*)0x200016c0 = 0; *(uint8_t*)0x200016c1 = 3; *(uint32_t*)0x200016c2 = 4; *(uint8_t*)0x200016c6 = 4; *(uint8_t*)0x200016c7 = 3; *(uint16_t*)0x200016c8 = 0x449; *(uint64_t*)0x200017d4 = 0x20001700; *(uint8_t*)0x20001700 = 0; *(uint8_t*)0x20001701 = 0xf; *(uint32_t*)0x20001702 = 0x19; *(uint8_t*)0x20001706 = 5; *(uint8_t*)0x20001707 = 0xf; *(uint16_t*)0x20001708 = 0x19; *(uint8_t*)0x2000170a = 1; *(uint8_t*)0x2000170b = 0x14; *(uint8_t*)0x2000170c = 0x10; *(uint8_t*)0x2000170d = 4; *(uint8_t*)0x2000170e = 0x3f; memcpy((void*)0x2000170f, "\x0f\xf6\x11\x98\x8b\x42\x04\x3b\xdd\x16\xf1\x8b\x9b\x82\xf6\xcf", 16); *(uint64_t*)0x200017dc = 0x20001740; *(uint8_t*)0x20001740 = 0x20; *(uint8_t*)0x20001741 = 0x29; *(uint32_t*)0x20001742 = 0xf; *(uint8_t*)0x20001746 = 0xf; *(uint8_t*)0x20001747 = 0x29; *(uint8_t*)0x20001748 = 0; *(uint16_t*)0x20001749 = 0; *(uint8_t*)0x2000174b = 9; *(uint8_t*)0x2000174c = 0x68; memcpy((void*)0x2000174d, "\x60\xc5\x11\xfa", 4); memcpy((void*)0x20001751, "\x23\xe3\xf5\x32", 4); *(uint64_t*)0x200017e4 = 0x20001780; *(uint8_t*)0x20001780 = 0x20; *(uint8_t*)0x20001781 = 0x2a; *(uint32_t*)0x20001782 = 0xc; *(uint8_t*)0x20001786 = 0xc; *(uint8_t*)0x20001787 = 0x2a; *(uint8_t*)0x20001788 = 5; *(uint16_t*)0x20001789 = 0; *(uint8_t*)0x2000178b = 2; *(uint8_t*)0x2000178c = 7; *(uint8_t*)0x2000178d = 8; *(uint16_t*)0x2000178e = 5; *(uint16_t*)0x20001790 = 0x200; *(uint32_t*)0x20001c80 = 0x84; *(uint64_t*)0x20001c84 = 0x20001800; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0x16; *(uint32_t*)0x20001802 = 0x92; memcpy((void*)0x20001806, "\xe4\x9c\x4e\x0f\xdf\x52\x1d\x4b\xb8\x3a\x1c\x78\xb9\xb6\xf3\x2e\xb6\xe3\x8f\xba\x14\x32\x72\x7c\x39\x17\x49\x72\x7c\x41\x81\x5d\xc3\xfc\x41\x93\xcf\x0f\xc2\x47\xb3\x2c\x61\xdd\x80\xf2\x66\x29\xd7\xcf\x71\x4f\xc0\x80\x15\x77\x01\x40\x5e\x55\xe4\xd1\xae\x2b\x75\x8c\x66\x82\x10\x44\xd2\xe8\x09\x4f\x1b\xd7\x5c\xcf\x96\x00\x45\x47\x26\xe5\xdf\x97\x64\x08\x2d\x53\x70\x12\xad\x6f\xa0\x0a\x11\xbf\x54\x6f\x5d\x86\xaf\x48\x2a\x8f\x0b\x05\x74\x28\x7a\x4c\x56\x40\xbd\x1a\x22\x5a\x60\xd1\x96\x1c\xd5\x6b\x3b\x48\xcf\x69\xd7\x76\xcd\x8b\xba\xc5\xdc\x15\x44\xbf\x6b\x94\xb3\x51\x93\x83\xf9\xc5", 146); *(uint64_t*)0x20001c8c = 0x200018c0; *(uint8_t*)0x200018c0 = 0; *(uint8_t*)0x200018c1 = 0xa; *(uint32_t*)0x200018c2 = 1; *(uint8_t*)0x200018c6 = 0xea; *(uint64_t*)0x20001c94 = 0x20001900; *(uint8_t*)0x20001900 = 0; *(uint8_t*)0x20001901 = 8; *(uint32_t*)0x20001902 = 1; *(uint8_t*)0x20001906 = 0xc0; *(uint64_t*)0x20001c9c = 0x20001940; *(uint8_t*)0x20001940 = 0x20; *(uint8_t*)0x20001941 = 0; *(uint32_t*)0x20001942 = 4; *(uint16_t*)0x20001946 = 3; *(uint16_t*)0x20001948 = 0xc065; *(uint64_t*)0x20001ca4 = 0x20001980; *(uint8_t*)0x20001980 = 0x20; *(uint8_t*)0x20001981 = 0; *(uint32_t*)0x20001982 = 8; *(uint16_t*)0x20001986 = 0x200; *(uint16_t*)0x20001988 = 2; *(uint32_t*)0x2000198a = 0; *(uint64_t*)0x20001cac = 0x200019c0; *(uint8_t*)0x200019c0 = 0x40; *(uint8_t*)0x200019c1 = 7; *(uint32_t*)0x200019c2 = 2; *(uint16_t*)0x200019c6 = 0; *(uint64_t*)0x20001cb4 = 0x20001a00; *(uint8_t*)0x20001a00 = 0x40; *(uint8_t*)0x20001a01 = 9; *(uint32_t*)0x20001a02 = 1; *(uint8_t*)0x20001a06 = 7; *(uint64_t*)0x20001cbc = 0x20001a40; *(uint8_t*)0x20001a40 = 0x40; *(uint8_t*)0x20001a41 = 0xb; *(uint32_t*)0x20001a42 = 2; memcpy((void*)0x20001a46, ",e", 2); *(uint64_t*)0x20001cc4 = 0x20001a80; *(uint8_t*)0x20001a80 = 0x40; *(uint8_t*)0x20001a81 = 0xf; *(uint32_t*)0x20001a82 = 2; *(uint16_t*)0x20001a86 = 0xa; *(uint64_t*)0x20001ccc = 0x20001ac0; *(uint8_t*)0x20001ac0 = 0x40; *(uint8_t*)0x20001ac1 = 0x13; *(uint32_t*)0x20001ac2 = 6; memcpy((void*)0x20001ac6, "\xcb\xa5\xd8\xd5\x17\x87", 6); *(uint64_t*)0x20001cd4 = 0x20001b00; *(uint8_t*)0x20001b00 = 0x40; *(uint8_t*)0x20001b01 = 0x17; *(uint32_t*)0x20001b02 = 6; *(uint8_t*)0x20001b06 = 0xaa; *(uint8_t*)0x20001b07 = 0xaa; *(uint8_t*)0x20001b08 = 0xaa; *(uint8_t*)0x20001b09 = 0xaa; *(uint8_t*)0x20001b0a = 0xaa; *(uint8_t*)0x20001b0b = 0x1b; *(uint64_t*)0x20001cdc = 0x20001b40; *(uint8_t*)0x20001b40 = 0x40; *(uint8_t*)0x20001b41 = 0x19; *(uint32_t*)0x20001b42 = 2; memcpy((void*)0x20001b46, "\x09\xef", 2); *(uint64_t*)0x20001ce4 = 0x20001b80; *(uint8_t*)0x20001b80 = 0x40; *(uint8_t*)0x20001b81 = 0x1a; *(uint32_t*)0x20001b82 = 2; *(uint16_t*)0x20001b86 = 0x200; *(uint64_t*)0x20001cec = 0x20001bc0; *(uint8_t*)0x20001bc0 = 0x40; *(uint8_t*)0x20001bc1 = 0x1c; *(uint32_t*)0x20001bc2 = 1; *(uint8_t*)0x20001bc6 = 0x20; *(uint64_t*)0x20001cf4 = 0x20001c00; *(uint8_t*)0x20001c00 = 0x40; *(uint8_t*)0x20001c01 = 0x1e; *(uint32_t*)0x20001c02 = 1; *(uint8_t*)0x20001c06 = 0x81; *(uint64_t*)0x20001cfc = 0x20001c40; *(uint8_t*)0x20001c40 = 0x40; *(uint8_t*)0x20001c41 = 0x21; *(uint32_t*)0x20001c42 = 1; *(uint8_t*)0x20001c46 = 0x40; syz_usb_control_io(r[11], 0x200017c0, 0x20001c80); break; case 35: *(uint8_t*)0x20001d40 = 0x12; *(uint8_t*)0x20001d41 = 1; *(uint16_t*)0x20001d42 = 0x300; *(uint8_t*)0x20001d44 = 0; *(uint8_t*)0x20001d45 = 0; *(uint8_t*)0x20001d46 = 0; *(uint8_t*)0x20001d47 = 0x40; *(uint16_t*)0x20001d48 = 0x1d6b; *(uint16_t*)0x20001d4a = 0x101; *(uint16_t*)0x20001d4c = 0x40; *(uint8_t*)0x20001d4e = 1; *(uint8_t*)0x20001d4f = 2; *(uint8_t*)0x20001d50 = 3; *(uint8_t*)0x20001d51 = 1; *(uint8_t*)0x20001d52 = 9; *(uint8_t*)0x20001d53 = 2; *(uint16_t*)0x20001d54 = 0xa4; *(uint8_t*)0x20001d56 = 3; *(uint8_t*)0x20001d57 = 1; *(uint8_t*)0x20001d58 = 8; *(uint8_t*)0x20001d59 = 0x80; *(uint8_t*)0x20001d5a = 0x1f; *(uint8_t*)0x20001d5b = 9; *(uint8_t*)0x20001d5c = 4; *(uint8_t*)0x20001d5d = 0; *(uint8_t*)0x20001d5e = 0; *(uint8_t*)0x20001d5f = 0; *(uint8_t*)0x20001d60 = 1; *(uint8_t*)0x20001d61 = 1; *(uint8_t*)0x20001d62 = 0; *(uint8_t*)0x20001d63 = 0; *(uint8_t*)0x20001d64 = 0xa; *(uint8_t*)0x20001d65 = 0x24; *(uint8_t*)0x20001d66 = 1; *(uint16_t*)0x20001d67 = 0x7f; *(uint8_t*)0x20001d69 = 0x24; *(uint8_t*)0x20001d6a = 2; *(uint8_t*)0x20001d6b = 1; *(uint8_t*)0x20001d6c = 2; *(uint8_t*)0x20001d6d = 0xb; *(uint8_t*)0x20001d6e = 0x24; *(uint8_t*)0x20001d6f = 4; *(uint8_t*)0x20001d70 = 3; *(uint8_t*)0x20001d71 = 0x3f; memcpy((void*)0x20001d72, "\xe3\xa7\xba\x11\xb7\x73", 6); *(uint8_t*)0x20001d78 = 0xc; *(uint8_t*)0x20001d79 = 0x24; *(uint8_t*)0x20001d7a = 2; *(uint8_t*)0x20001d7b = 4; *(uint16_t*)0x20001d7c = 0x203; *(uint8_t*)0x20001d7e = 1; *(uint8_t*)0x20001d7f = 2; *(uint16_t*)0x20001d80 = 7; *(uint8_t*)0x20001d82 = 0xfd; *(uint8_t*)0x20001d83 = 0; *(uint8_t*)0x20001d84 = 7; *(uint8_t*)0x20001d85 = 0x24; *(uint8_t*)0x20001d86 = 8; *(uint8_t*)0x20001d87 = 2; *(uint16_t*)0x20001d88 = 4; *(uint8_t*)0x20001d8a = 0x40; *(uint8_t*)0x20001d8b = 9; *(uint8_t*)0x20001d8c = 0x24; *(uint8_t*)0x20001d8d = 3; *(uint8_t*)0x20001d8e = 2; *(uint16_t*)0x20001d8f = 0x101; *(uint8_t*)0x20001d91 = 4; *(uint8_t*)0x20001d92 = 4; *(uint8_t*)0x20001d93 = 5; *(uint8_t*)0x20001d94 = 9; *(uint8_t*)0x20001d95 = 4; *(uint8_t*)0x20001d96 = 1; *(uint8_t*)0x20001d97 = 0; *(uint8_t*)0x20001d98 = 0; *(uint8_t*)0x20001d99 = 1; *(uint8_t*)0x20001d9a = 2; *(uint8_t*)0x20001d9b = 0; *(uint8_t*)0x20001d9c = 0; *(uint8_t*)0x20001d9d = 9; *(uint8_t*)0x20001d9e = 4; *(uint8_t*)0x20001d9f = 1; *(uint8_t*)0x20001da0 = 1; *(uint8_t*)0x20001da1 = 1; *(uint8_t*)0x20001da2 = 1; *(uint8_t*)0x20001da3 = 2; *(uint8_t*)0x20001da4 = 0; *(uint8_t*)0x20001da5 = 0; *(uint8_t*)0x20001da6 = 9; *(uint8_t*)0x20001da7 = 5; *(uint8_t*)0x20001da8 = 1; *(uint8_t*)0x20001da9 = 9; *(uint16_t*)0x20001daa = 0x200; *(uint8_t*)0x20001dac = 0xfc; *(uint8_t*)0x20001dad = 9; *(uint8_t*)0x20001dae = 7; *(uint8_t*)0x20001daf = 7; *(uint8_t*)0x20001db0 = 0x25; *(uint8_t*)0x20001db1 = 1; *(uint8_t*)0x20001db2 = 0; *(uint8_t*)0x20001db3 = 2; *(uint16_t*)0x20001db4 = 8; *(uint8_t*)0x20001db6 = 9; *(uint8_t*)0x20001db7 = 4; *(uint8_t*)0x20001db8 = 2; *(uint8_t*)0x20001db9 = 0; *(uint8_t*)0x20001dba = 0; *(uint8_t*)0x20001dbb = 1; *(uint8_t*)0x20001dbc = 2; *(uint8_t*)0x20001dbd = 0; *(uint8_t*)0x20001dbe = 0; *(uint8_t*)0x20001dbf = 9; *(uint8_t*)0x20001dc0 = 4; *(uint8_t*)0x20001dc1 = 2; *(uint8_t*)0x20001dc2 = 1; *(uint8_t*)0x20001dc3 = 1; *(uint8_t*)0x20001dc4 = 1; *(uint8_t*)0x20001dc5 = 2; *(uint8_t*)0x20001dc6 = 0; *(uint8_t*)0x20001dc7 = 0; *(uint8_t*)0x20001dc8 = 0x12; *(uint8_t*)0x20001dc9 = 0x24; *(uint8_t*)0x20001dca = 2; *(uint8_t*)0x20001dcb = 2; *(uint16_t*)0x20001dcc = 8; *(uint16_t*)0x20001dce = 7; *(uint8_t*)0x20001dd0 = -1; memcpy((void*)0x20001dd1, "\x6c\xce\x23\xa5\x1a\x59\x66\x0a\x8a", 9); *(uint8_t*)0x20001dda = 0xc; *(uint8_t*)0x20001ddb = 0x24; *(uint8_t*)0x20001ddc = 2; *(uint8_t*)0x20001ddd = 1; *(uint8_t*)0x20001dde = 7; *(uint8_t*)0x20001ddf = 2; *(uint8_t*)0x20001de0 = 0xd6; *(uint8_t*)0x20001de1 = 0x40; memcpy((void*)0x20001de2, "\xa5\xe2\x12", 3); memcpy((void*)0x20001de5, "l", 1); *(uint8_t*)0x20001de6 = 9; *(uint8_t*)0x20001de7 = 5; *(uint8_t*)0x20001de8 = 0x82; *(uint8_t*)0x20001de9 = 9; *(uint16_t*)0x20001dea = 0x3ff; *(uint8_t*)0x20001dec = 3; *(uint8_t*)0x20001ded = 0; *(uint8_t*)0x20001dee = 0xac; *(uint8_t*)0x20001def = 7; *(uint8_t*)0x20001df0 = 0x25; *(uint8_t*)0x20001df1 = 1; *(uint8_t*)0x20001df2 = 3; *(uint8_t*)0x20001df3 = 4; *(uint16_t*)0x20001df4 = 5; *(uint32_t*)0x20001f40 = 0xa; *(uint64_t*)0x20001f44 = 0x20001e00; *(uint8_t*)0x20001e00 = 0xa; *(uint8_t*)0x20001e01 = 6; *(uint16_t*)0x20001e02 = 0x200; *(uint8_t*)0x20001e04 = -1; *(uint8_t*)0x20001e05 = 2; *(uint8_t*)0x20001e06 = 7; *(uint8_t*)0x20001e07 = 0x10; *(uint8_t*)0x20001e08 = 6; *(uint8_t*)0x20001e09 = 0; *(uint32_t*)0x20001f4c = 5; *(uint64_t*)0x20001f50 = 0x20001e40; *(uint8_t*)0x20001e40 = 5; *(uint8_t*)0x20001e41 = 0xf; *(uint16_t*)0x20001e42 = 5; *(uint8_t*)0x20001e44 = 0; *(uint32_t*)0x20001f58 = 2; *(uint32_t*)0x20001f5c = 0x52; *(uint64_t*)0x20001f60 = 0x20001e80; *(uint8_t*)0x20001e80 = 0x52; *(uint8_t*)0x20001e81 = 3; memcpy((void*)0x20001e82, "\x4b\xcf\xbc\x74\x9d\x26\xd0\xfb\xc2\x0c\x2e\x20\x2a\x04\x2e\x8b\xb1\x67\xca\xdf\x5c\x2b\xcd\xbd\x07\xdd\xe6\x67\x1d\xa7\xdd\x40\x03\x06\xb2\x6f\x22\x0f\xef\x4a\x33\x97\xf0\xa9\x5a\x4b\x8c\xa5\xba\xfd\x5a\x4f\xa8\xb9\x9d\x24\x50\x5f\x7a\x27\xac\x07\xa1\x6b\xbb\x02\xd5\x24\xc0\xbb\xfa\x3a\xf8\xe3\x18\xdf\x58\xfe\xb1\x43", 80); *(uint32_t*)0x20001f68 = 4; *(uint64_t*)0x20001f6c = 0x20001f00; *(uint8_t*)0x20001f00 = 4; *(uint8_t*)0x20001f01 = 3; *(uint16_t*)0x20001f02 = 0x807; res = -1; res = syz_usb_connect(6, 0xb6, 0x20001d40, 0x20001f40); if (res != -1) r[12] = res; break; case 36: syz_usb_disconnect(r[12]); break; case 37: syz_usb_ep_read(r[10], 6, 0xd6, 0x20001f80); break; case 38: *(uint8_t*)0x20002080 = 0x12; *(uint8_t*)0x20002081 = 1; *(uint16_t*)0x20002082 = 0x110; *(uint8_t*)0x20002084 = 2; *(uint8_t*)0x20002085 = 0; *(uint8_t*)0x20002086 = 0; *(uint8_t*)0x20002087 = -1; *(uint16_t*)0x20002088 = 0x525; *(uint16_t*)0x2000208a = 0xa4a1; *(uint16_t*)0x2000208c = 0x40; *(uint8_t*)0x2000208e = 1; *(uint8_t*)0x2000208f = 2; *(uint8_t*)0x20002090 = 3; *(uint8_t*)0x20002091 = 1; *(uint8_t*)0x20002092 = 9; *(uint8_t*)0x20002093 = 2; *(uint16_t*)0x20002094 = 0x3d; *(uint8_t*)0x20002096 = 1; *(uint8_t*)0x20002097 = 1; *(uint8_t*)0x20002098 = 9; *(uint8_t*)0x20002099 = 0xc0; *(uint8_t*)0x2000209a = 0xb3; *(uint8_t*)0x2000209b = 9; *(uint8_t*)0x2000209c = 4; *(uint8_t*)0x2000209d = 0; *(uint8_t*)0x2000209e = 8; *(uint8_t*)0x2000209f = 3; *(uint8_t*)0x200020a0 = 2; *(uint8_t*)0x200020a1 = 6; *(uint8_t*)0x200020a2 = 0; *(uint8_t*)0x200020a3 = 1; *(uint8_t*)0x200020a4 = 7; *(uint8_t*)0x200020a5 = 0x24; *(uint8_t*)0x200020a6 = 6; *(uint8_t*)0x200020a7 = 0; *(uint8_t*)0x200020a8 = 0; memcpy((void*)0x200020a9, "\x93\xb5", 2); *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 0x24; *(uint8_t*)0x200020ad = 0; *(uint16_t*)0x200020ae = 1; *(uint8_t*)0x200020b0 = 0xd; *(uint8_t*)0x200020b1 = 0x24; *(uint8_t*)0x200020b2 = 0xf; *(uint8_t*)0x200020b3 = 1; *(uint32_t*)0x200020b4 = 5; *(uint16_t*)0x200020b8 = 0xdf0; *(uint16_t*)0x200020ba = 0xa5e2; *(uint8_t*)0x200020bc = -1; *(uint8_t*)0x200020bd = 9; *(uint8_t*)0x200020be = 5; *(uint8_t*)0x200020bf = 0x82; *(uint8_t*)0x200020c0 = 2; *(uint16_t*)0x200020c1 = 0x40; *(uint8_t*)0x200020c3 = 0; *(uint8_t*)0x200020c4 = 0x40; *(uint8_t*)0x200020c5 = 0x20; *(uint8_t*)0x200020c6 = 9; *(uint8_t*)0x200020c7 = 5; *(uint8_t*)0x200020c8 = 3; *(uint8_t*)0x200020c9 = 2; *(uint16_t*)0x200020ca = 8; *(uint8_t*)0x200020cc = 0x20; *(uint8_t*)0x200020cd = -1; *(uint8_t*)0x200020ce = 4; *(uint32_t*)0x20002640 = 0xa; *(uint64_t*)0x20002644 = 0x20002100; *(uint8_t*)0x20002100 = 0xa; *(uint8_t*)0x20002101 = 6; *(uint16_t*)0x20002102 = 0x250; *(uint8_t*)0x20002104 = 0; *(uint8_t*)0x20002105 = 0x81; *(uint8_t*)0x20002106 = 0x20; *(uint8_t*)0x20002107 = 0x20; *(uint8_t*)0x20002108 = 3; *(uint8_t*)0x20002109 = 0; *(uint32_t*)0x2000264c = 5; *(uint64_t*)0x20002650 = 0x20002140; *(uint8_t*)0x20002140 = 5; *(uint8_t*)0x20002141 = 0xf; *(uint16_t*)0x20002142 = 5; *(uint8_t*)0x20002144 = 0; *(uint32_t*)0x20002658 = 8; *(uint32_t*)0x2000265c = 0xcd; *(uint64_t*)0x20002660 = 0x20002180; *(uint8_t*)0x20002180 = 0xcd; *(uint8_t*)0x20002181 = 3; memcpy((void*)0x20002182, "\x2e\x83\x3d\xbc\x02\x86\x82\x12\xd3\xec\x73\x52\xfb\x0d\xe8\xa0\x5e\xcf\x66\x18\x59\xde\xbe\x23\xba\x73\x5f\xb9\x0a\x26\x85\x3e\x0d\x4c\x9b\xfc\xeb\xac\x70\xce\x40\x53\x9a\x98\xcf\x89\x47\xe0\x6b\xb7\x5d\xe0\xa9\x20\x5e\x0b\x79\x1c\xb4\xf9\xe7\xaa\x0a\xe1\x14\x9e\x93\x94\xff\xef\x26\x6f\x96\xe0\xc7\x5a\xb7\x28\xca\xdb\xc3\x12\x57\x0e\xfe\xd7\x37\x09\x0a\x62\x51\xc0\x9e\x1a\x5d\x38\xa0\xc6\xf1\xec\x4a\xe0\x55\x86\x3d\x69\xe4\xdc\xf3\x6d\x97\x4d\x2b\xe3\xe4\x87\xc7\xd2\xf1\xdb\x21\x61\xe9\x3b\x7d\x15\x2c\xe0\x46\xf0\x30\xb3\x6d\x08\x32\x89\xed\xdd\x71\x05\xed\x8e\xae\xd4\x9f\x71\x10\x17\xba\xab\xde\x9d\x5f\x01\xcd\x47\x38\x50\x3d\x32\x26\x69\x55\x4f\xcf\x3b\x5a\x65\xb0\x51\x97\x33\xb0\x7a\x7f\x3c\xff\xdc\x92\xb0\x38\x2c\x66\x12\x0c\x41\xaa\xe8\x85\x68\xc7\x52\xf7\x9d\x50\x1f\xd4\xda\x58\xe6\x87\x9e\x7e", 203); *(uint32_t*)0x20002668 = 4; *(uint64_t*)0x2000266c = 0x20002280; *(uint8_t*)0x20002280 = 4; *(uint8_t*)0x20002281 = 3; *(uint16_t*)0x20002282 = 0x3c0a; *(uint32_t*)0x20002674 = 4; *(uint64_t*)0x20002678 = 0x200022c0; *(uint8_t*)0x200022c0 = 4; *(uint8_t*)0x200022c1 = 3; *(uint16_t*)0x200022c2 = 0x3801; *(uint32_t*)0x20002680 = 0x1f; *(uint64_t*)0x20002684 = 0x20002300; *(uint8_t*)0x20002300 = 0x1f; *(uint8_t*)0x20002301 = 3; memcpy((void*)0x20002302, "\xa6\x70\xc3\x58\x2d\x38\x96\x7a\xc4\x85\x45\x5e\x8a\x40\xac\xb6\xf5\xdf\x24\xab\x49\xa4\xc6\xbb\x43\xd5\x84\xed\xf7", 29); *(uint32_t*)0x2000268c = 4; *(uint64_t*)0x20002690 = 0x20002340; *(uint8_t*)0x20002340 = 4; *(uint8_t*)0x20002341 = 3; *(uint16_t*)0x20002342 = 0x44f; *(uint32_t*)0x20002698 = 0xe1; *(uint64_t*)0x2000269c = 0x20002380; *(uint8_t*)0x20002380 = 0xe1; *(uint8_t*)0x20002381 = 3; memcpy((void*)0x20002382, "\xbe\x2c\xe1\x8f\xae\x6d\xa9\xf1\xaa\x4b\x97\x21\x97\xbe\x7a\x6c\xe4\xb2\x83\xc3\xe0\x02\x7e\x6d\xa1\x3d\x86\x39\xf6\x74\xea\x9c\x64\x28\x9b\x33\xc0\xe1\x43\x5b\x7c\x16\x54\xa5\x69\x12\x7b\x26\xad\x53\x77\x4f\x2b\x6b\x20\x57\x9f\xac\x6f\xaf\xfe\x12\x94\x9e\xe4\xb0\xd3\xcd\x2d\x89\x0c\xff\x2d\x7e\x9b\xb4\x3b\x60\x2a\x39\x4e\xfd\x49\x75\x18\x4f\x7e\xec\xab\x16\xa3\xf1\x87\xca\xb4\xc2\xca\x01\xac\x5b\xc9\xc5\x5c\x8b\xb9\x81\x32\x3d\x91\x9f\x77\x35\x5b\x3c\xe7\x42\x8d\xa6\x2a\xf8\x0c\x76\xb1\x85\xe1\x0a\xc7\xb1\xcc\x95\x0e\xcc\x71\x5c\x3e\x0a\x1e\x14\x23\x11\xb6\x29\x41\xe0\x62\x91\xb3\x0d\x2d\x3c\x7d\x46\x8d\xfb\xe2\x83\xc9\x1f\xc0\x83\x3d\xb0\x68\xe7\xbf\x39\x7c\x23\x35\x75\x79\x02\x29\xce\x51\x3b\xbd\xc4\x38\x7d\x81\xb3\x02\x7e\xf6\x8b\x20\xde\x25\xd9\xf1\xff\x32\xb9\x5c\xba\x44\x3b\x9e\x7f\xba\x49\x91\x43\xe8\x41\xa6\x19\x0c\x6e\xcb\x29\x06\xfe\x42\x30\xf8\x39\xba\x8c\x3c\x73\xea", 223); *(uint32_t*)0x200026a4 = 0xc1; *(uint64_t*)0x200026a8 = 0x20002480; *(uint8_t*)0x20002480 = 0xc1; *(uint8_t*)0x20002481 = 3; memcpy((void*)0x20002482, "\xf1\x7d\xb2\xea\x26\xd9\x0b\xa9\x3d\x1d\xbd\x3d\x94\x82\x88\x21\x72\xcc\x15\x8b\x4c\xc4\x3c\x36\xd1\x2b\xb9\x4e\x06\xfc\x7a\xba\x0d\x96\xba\x62\xa3\x8b\x39\xb7\x7b\xb6\x6a\x8b\x4b\xa6\xfe\x26\x0c\x87\x74\x64\xdc\x10\x12\x44\x9a\x3a\x6a\xb5\xb8\x0e\x66\x7a\x3a\x01\xdb\x8d\xd1\xdc\x34\x68\xb0\xd7\x28\x93\xad\xf2\x5b\xd1\xa7\xb9\xdc\xdd\xf5\x69\x12\x2a\x73\x02\x6b\x76\xfd\x0e\x25\xd7\x44\x0c\xa5\xdb\x63\x5b\x3f\xc9\x01\x3f\xd7\x90\x99\xa7\xd7\xe8\x1d\xb8\x74\x5b\xc9\xd0\xa6\xc9\x38\x79\x1d\x2c\xbf\xd1\x0f\x1c\x62\x8c\xa1\x7a\xf9\x93\xb7\x02\xc1\xed\xe3\x0d\xa1\x88\x25\x67\xce\x28\x7f\x66\xb2\x3e\xbf\x40\x8a\x2d\x9c\x63\xe1\xcb\x0b\x27\x95\x27\x3e\xfa\x81\x53\x56\x1c\x3c\x3e\xeb\x71\xd1\x2a\xa0\x87\xe9\x25\x55\x26\xb5\x28\xf5\x38\xaf\x4a\xbd\x41\xcf\x89\x01", 191); *(uint32_t*)0x200026b0 = 0xc0; *(uint64_t*)0x200026b4 = 0x20002580; *(uint8_t*)0x20002580 = 0xc0; *(uint8_t*)0x20002581 = 3; memcpy((void*)0x20002582, "\x6f\x57\xd6\xa5\x96\x20\x2e\xbf\x5a\x75\xb9\x72\x49\x11\xf9\x1a\x3d\x92\xae\x1a\xc8\x1a\xbb\x9c\x1b\x13\x4a\x76\xe6\x65\x90\xf6\xeb\x8d\xd8\x4c\xc1\x09\x60\xb8\xd2\x23\x94\x7d\x1c\x2e\x77\x1b\x94\xe7\x29\xd8\x34\x18\xf4\x14\x21\x3f\xf8\xb9\x06\x77\x03\x30\xbe\xa7\x0e\x59\xfe\x4d\x8b\xa5\x37\xfb\xcf\xd3\xc4\xbf\xc4\xea\x3b\x64\x0c\x31\x12\x92\x6d\x8c\x78\xee\xe8\x39\x72\x09\x00\xc5\x05\xcc\x01\x3c\x12\x63\xdc\xf2\x7b\x6c\x0f\x87\xfc\xb8\x7f\x40\xcb\x6b\xde\x31\x54\xcc\xd6\x3e\x65\xa4\x8c\x86\xc5\x8a\x38\x57\xf6\x8f\x88\x08\x20\x3f\xb2\x8d\x95\xe7\x4a\x18\x65\xeb\x8f\x82\xfe\x95\x35\x62\xa1\x47\x51\xed\x18\xf2\x51\xe5\x11\x53\x70\xd2\xbc\x19\x14\x5c\xcf\x3a\xbe\xae\x4c\x81\xfb\x1d\x97\xf6\x2e\x03\x5d\xb7\x3d\x11\xab\x7e\xc5\x96\xbc\x7a\x36\x86\x55\xc6", 190); res = -1; res = syz_usb_connect(4, 0x4f, 0x20002080, 0x20002640); if (res != -1) r[13] = res; break; case 39: memcpy((void*)0x200026c0, "\x01\xdf\x42\x94\xf0\x1f\xe1\xf9\x43\xb7\x80\xcc\xad\x76\xab\x8a\x48\x35\x3c\xbc\xe5\x48\x12\x83\xfb\x7d\x07\xe3\x29\x52\x05\x54\x49\xb6\x58\x1b\x36\x93\xb6\x7e\xde\xa7\xf1\x03\x54\x2f\xd1\xdc\xcf\x21\xa4\xf8\xce\x11\xf5\x24\x82\xa5\x50\xdd\x31\x99\xda\x83\x0c\x3e\x19\xff\x1a\x99\x6c\xe1\x42\x4b\x13\x49\x5e\x70\x4b\xe3\xf8\xc1\x06\xd0\x83\x38\xa6\x9d\xb2\x9c\x70\xd0\x40\xba\x40\x50\x16\xd9\x02\x55\xd8\x1d\x11\x5d\x9c\x6c\x9c\x13\xb9\x57\x89\xba\x2d\x4e\xe0\xf0\x05\xd9\x5b", 119); syz_usb_ep_write(r[13], 8, 0x77, 0x200026c0); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); setup_usb(); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :281:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :281:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor436887263 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/23 (0.63s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:false HandleSegv:false Repro:false Trace:false} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 40; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 26 ? 50 : 0) + (call == 32 ? 3000 : 0) + (call == 33 ? 3000 : 0) + (call == 34 ? 300 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 3000 : 0) + (call == 39 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/dsp\000", 9); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); break; case 2: syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); break; case 3: memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); if (res != -1) r[1] = res; break; case 4: *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); break; case 5: syscall(__NR_socket, 0xaul, 5ul, 0x84); break; case 6: memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20000240, 8, 0x40040); if (res != -1) r[2] = res; break; case 7: *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); break; case 8: *(uint32_t*)0x20000300 = 0x14; syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); break; case 9: syscall(__NR_socket, 4ul, 2ul, 0); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); break; case 11: *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; break; case 12: memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); syz_execute_func(0x20000140); break; case 13: break; case 14: memcpy((void*)0x200001c0, "SEG6\000", 5); syz_genetlink_get_family_id(0x200001c0); break; case 15: syz_init_net_socket(3, 2, 0xc4); break; case 16: res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); if (res != -1) r[3] = res; break; case 17: syz_io_uring_complete(r[3]); break; case 18: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); if (res != -1) r[4] = *(uint32_t*)0x20000218; break; case 19: res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); if (res != -1) r[5] = res; break; case 20: memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); if (res != -1) r[6] = res; break; case 21: res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); if (res != -1) r[7] = res; break; case 22: *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint32_t*)0x20000394 = 1; *(uint32_t*)0x20000398 = 0; *(uint64_t*)0x200003a0 = 1; *(uint16_t*)0x200003a8 = 0; *(uint16_t*)0x200003aa = r[7]; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; *(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; syz_io_uring_submit(r[3], r[5], 0x20000380, 5); break; case 23: *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0x200003c0; memcpy((void*)0x200003c0, "\xc6\x6b\xf5\x1c\x00\x3b\x68\x4c\xd1\xf5\x6d\x7d\xbc\xd2\xde\xa7\x67\x52\x93\xe4\xd0\x16\x95\x5f\xb8\x84\x32\x0c\xce\xfe\xf5\x21\x42\xee\xf0\xb6\x1d\x38\x99\x59\xe4\xe4\x75\x07\x5b\x6b\x11\xcd\xbe\x1c", 50); *(uint64_t*)0x20000410 = 0x32; *(uint64_t*)0x20000440 = 1; *(uint64_t*)0x20000448 = 0; syz_kvm_setup_cpu(r[6], -1, 0x20fe7000, 0x20000400, 1, 0, 0x20000440, 1); break; case 24: res = syscall(__NR_mmap, 0x20ffb000ul, 0x4000ul, 0x2000000ul, 0x1000ul, -1, 0x8000000ul); if (res != -1) r[8] = res; break; case 25: *(uint32_t*)0x20000480 = 1; syz_memcpy_off(r[8], 0x114, 0x20000480, 0, 4); break; case 26: memcpy((void*)0x200004c0, "afs\000", 4); memcpy((void*)0x20000500, "./file0\000", 8); *(uint64_t*)0x200008c0 = 0x20000540; *(uint64_t*)0x200008c8 = 0; *(uint64_t*)0x200008d0 = 0x32; *(uint64_t*)0x200008d8 = 0x20000580; memcpy((void*)0x20000580, "\x3a\x7a\x72\xca\x9b\x2a\x42\x2a\xfb\xeb\xa2\xd7\xa8\x43\x38\xcb\x03\x95\x18\x39\x45\x1a\xf3\xf3\x03\x1d\x00\x30\xdb\x11\xa0\x8c\x0e\xb2\x24\x4d\xab\x7f\x4f\xd9\x44\x2c\xd5\x53\x70\xfb\xac\xdc\x33\x0d\x3e\xe2\x18\x81\x37\xd0\xad\x97\x72\xc7\xae\x54\xfa\xe9\x2d\x19\x41\xe0\x49\xbd\xcb\x3b\x8f\x64\x5e\xa6\xa7\xd7\x46\x40\x42\x86\xd5\x6d\xfd\x7a\x41\xfb\x29\xe2\x98\x7d\x8d\x73\xb3\x67\x9f\xae\x42\x7f\x5a\xf0\x81\x85\xe4\xff\xda\x15\x32\x28\xa3\xac\x82\xbf\x94\xf1\x77\x52\xed\x78\xdf\xe5\xb9\xa4", 124); *(uint64_t*)0x200008e0 = 0x7c; *(uint64_t*)0x200008e8 = 0xee5; *(uint64_t*)0x200008f0 = 0x20000600; memcpy((void*)0x20000600, "\xa9\x63\xe9\x74\x3e\x9c\x3d\x09\x2a\x0a\xb1\xd6\x8a\x13\xfe\x85\xf8\x0e\xd9\x43\x58\xab\x9a\xd4\x02\x9d\xff\x34\x33\xa3\x22\x3c\x65\x0d\x6a\x96\x50\x5e\xc9\xa3\xd6\xcd\x09\xad\x3f\x26\x8f\xcd\xd1\x24\x8a\xa4\x3e\xf1\x38\xa7\x9b\x0c\x4c\x11\x6f\x71\x78\xb5\xfc\x5c\xc4\x9f\xa3\x03\x20\x1e\x8c\x7e\xf4\xe3\x22\x43\x41\x05\xec\xdc\x91\x2a\xe6\x72\x51\x0b\x34\xc0\x1a\xa3\x89\x0c\x90\xf2\x72\x00\xde\x2b\x65\xc4\xbd\x20", 104); *(uint64_t*)0x200008f8 = 0x68; *(uint64_t*)0x20000900 = 0x10000; *(uint64_t*)0x20000908 = 0x20000680; memcpy((void*)0x20000680, "\x6a\xc4\x43\xef\xa9\x85\x5d\xda\x4f\xa3\xa9\x82\xab\xc0\x60\xeb\xf1\xa6\x78\x5f\xeb\xa7\x7c\xd7\x0d\x48\x6a\x29\xf4", 29); *(uint64_t*)0x20000910 = 0x1d; *(uint64_t*)0x20000918 = 2; *(uint64_t*)0x20000920 = 0x200006c0; memcpy((void*)0x200006c0, "\x32\x29\x20\x2f\xd1\x3c\x8a\xb6\xd5\x54\xd8\xdf\xb6\xa8\x66\x18\x05\xf5\x3c\x5e\x81\x67\x1b\xf5\xd7\x02\xaa\x4c\x17\xca\xd1\x07\xcf\xc6\xa8\xfe\x70\x2b\x26\x94\x2c\x63\x2a\x4e\xd0\xe1\x01\x04\x40\xb5\x1b\x99\x78\x5c\x11\x2a\x0b\xda\x8c\x28\x62\x67\xac\x9c\xb4\xe6\x95\x37\x6a\x13\xd9\x93\x7d\xfe\x15\x42\x39\xc4\xea\x04\xf3\x85\x39\xa8\xe5\x57\xdb\xcc\x89\x09\x42\x0c\x76\xb2\x58\x7b\x42\xaa\x2d\x61\xbf\x39\x5f\xe9\x13\xba\xd8\x6d\xdf\x17\xa8\xf1\xb3\x21\x2d\x0f\x0a\x6b\xc2\xe7\x84\x1e\xf2\xe2\xee\x0b\xe0\x59\x01\xf0\x28\xc7\xc6\x5e\x1c\x2c\xb6\x41\xf5\x56\x50\x8f\xbf\x32\x2d\xa0\x30\xde\x78\x46\xad\x39\x00\x40\x82\xc1\x28\xa0\xff\xb6\x0c\x1b\x80\x1b\xfd\x69\xa0\xe5\xf3\x7b\x51\xfe\xb7\x8d\x97\x24\x0f\x45\xf3\xce\x17\xa2\x8a\xbb\xd8\x9b\xd1\x6c\xd2\xd0\x6c\x74\x48\x89\x90\xab\xa3\x6f\xf0\x06\xe8\xae\x36\x22\xec\x18\xfa\x76\xb7\x67\xbe\x88\xf1\x92\xf9\x4a\xf1\x5e\x23\xd7\x42\x17\x73\x8a\x1d\x48\xef\x2c\x3e\x1c\x0a\x55\x72\x03\x04\x5e\x3b\xa2\x5e\x9c\xd3\x8e\xfa\x64", 244); *(uint64_t*)0x20000928 = 0xf4; *(uint64_t*)0x20000930 = 6; *(uint64_t*)0x20000938 = 0x200007c0; memcpy((void*)0x200007c0, "\x41\x4d\x78\x40\x34\x90\x27\x5a\x20\x64\x95\xf9\x3c\xf6\x22\x29\x59\x6a\x76\xf6\x22\xd4\x2e\x73\x7b\xfa\x14\x8f\xc2\x38\x5d\x9c\x82\x94\x6c\xe9\x5d\x9b\x76\x65\xc1\x48\xbf\xd7\x23\xf5\x24\x8f\xfc\xb6\xa4\xfc\x82\x65\xde\x9d\xa9\xe3\x4f\xf0\x57\x7d\xd7\x19\x23\x3d\x7e\xf9\x61\x0b\x9b\x9d\x98\xd4\xf2\xce\xdc\xc5\x35\x1c\xb7\x23\x4e\x0a\x83\x45\xf8\x1e\x60\x3a\x00\x2c\x13\xd8\x98\xf1\x08\x46\x56\xc5\x1b\xe0\x05\x26\xc6\xb7\x97\x7b\x28\x78\x09\x59\x1c\x51\xa2\x88\xac\xec\x3e\x57\x0a\x94\xcc\x77\x42\x01\x95\xf2\xa8\x1a\x77\x89\x6f\x9f\x08\x1b\x17\x3c\x24\xad\xa2\x30\x41\xea\x2e\x72\x53\x69\x86\x01\xd8\x37\x69\x09\x4d\x34\x89", 157); *(uint64_t*)0x20000940 = 0x9d; *(uint64_t*)0x20000948 = 1; *(uint64_t*)0x20000950 = 0x20000880; memcpy((void*)0x20000880, "\x3c\xc0\xa1\x54\x97\x7d\x26\x88\x2d\x94\xf1\xc1\x08\xa6\x28\x7b\x15\xe8\x35\xbf\x2d\x9e\xbc\xfd\x92\x5c\x45\x69\xc9\xde\x9d\x46\x3b\x92\x91\x58\x99\x0d\x2f\x48", 40); *(uint64_t*)0x20000958 = 0x28; *(uint64_t*)0x20000960 = 0xfffffffffffffbff; memcpy((void*)0x20000980, "flock=strict", 12); *(uint8_t*)0x2000098c = 0x2c; memcpy((void*)0x2000098d, "flock=write", 11); *(uint8_t*)0x20000998 = 0x2c; memcpy((void*)0x20000999, "source", 6); *(uint8_t*)0x2000099f = 0x3d; memcpy((void*)0x200009a0, "\353", 1); *(uint8_t*)0x200009a1 = 0x2c; memcpy((void*)0x200009a2, "autocell", 8); *(uint8_t*)0x200009aa = 0x2c; *(uint8_t*)0x200009ab = 0; syz_mount_image(0x200004c0, 0x20000500, 0x1f, 7, 0x200008c0, 0x1015005, 0x20000980); break; case 27: memcpy((void*)0x200009c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200009c0, 0x10000, 0x6840); break; case 28: *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0; *(uint32_t*)0x20000a4c = 3; *(uint64_t*)0x20000a50 = 0x20000a00; memcpy((void*)0x20000a00, ".\\\000", 3); *(uint32_t*)0x20000a58 = 0; *(uint32_t*)0x20000a5c = 0; *(uint64_t*)0x20000a60 = 0; *(uint64_t*)0x20000a68 = 0; res = syscall(__NR_bpf, 0x14ul, 0x20000a40ul, 0x30ul); if (res != -1) r[9] = *(uint32_t*)0x20000a40; break; case 29: memcpy((void*)0x20000a80, "status\000", 7); syz_open_procfs(r[9], 0x20000a80); break; case 30: syz_open_pts(-1, 0x8000); break; case 31: syz_read_part_table(6, 0, 0x20000ac0); break; case 32: *(uint8_t*)0x20000b00 = 0x12; *(uint8_t*)0x20000b01 = 1; *(uint16_t*)0x20000b02 = 0x250; *(uint8_t*)0x20000b04 = 0xa8; *(uint8_t*)0x20000b05 = 0x9c; *(uint8_t*)0x20000b06 = 0xcc; *(uint8_t*)0x20000b07 = -1; *(uint16_t*)0x20000b08 = 0x499; *(uint16_t*)0x20000b0a = 0x150c; *(uint16_t*)0x20000b0c = 0xbaf4; *(uint8_t*)0x20000b0e = 1; *(uint8_t*)0x20000b0f = 2; *(uint8_t*)0x20000b10 = 3; *(uint8_t*)0x20000b11 = 1; *(uint8_t*)0x20000b12 = 9; *(uint8_t*)0x20000b13 = 2; *(uint16_t*)0x20000b14 = 0x702; *(uint8_t*)0x20000b16 = 3; *(uint8_t*)0x20000b17 = 2; *(uint8_t*)0x20000b18 = 5; *(uint8_t*)0x20000b19 = 0x80; *(uint8_t*)0x20000b1a = 0x1f; *(uint8_t*)0x20000b1b = 9; *(uint8_t*)0x20000b1c = 4; *(uint8_t*)0x20000b1d = 0x7d; *(uint8_t*)0x20000b1e = 0; *(uint8_t*)0x20000b1f = 0xb; *(uint8_t*)0x20000b20 = 0x5c; *(uint8_t*)0x20000b21 = 0x68; *(uint8_t*)0x20000b22 = 0x45; *(uint8_t*)0x20000b23 = 0xb8; *(uint8_t*)0x20000b24 = 0x64; *(uint8_t*)0x20000b25 = 0xe6; memcpy((void*)0x20000b26, "\x25\xbb\xa1\x93\x73\x4e\x4e\xb8\x7c\xbd\x6a\x4c\x96\x1e\xf0\x1e\x6c\x96\x0f\xa2\x7d\xe2\xe0\xb2\x88\x3e\x73\xbc\xb5\x6b\x37\x1c\xc2\xf9\x4a\x39\xee\x59\xf2\x12\x37\xd7\xfd\x38\xba\xfe\xa3\xbe\xbf\x15\x96\x7e\x66\xfd\xa6\x11\x4d\x34\xb3\x49\xe1\x86\x8e\xf9\x5c\xc0\xa0\x63\x05\xd0\x16\xcd\x2c\xc7\x23\x33\x40\x35\xa1\x10\xf9\xda\x19\x7a\xfa\x79\xa6\xb0\x45\xfa\xc5\xf7\xd5\xbb\x63\x9e\x45\x41", 98); *(uint8_t*)0x20000b88 = 0xa; *(uint8_t*)0x20000b89 = 0x24; *(uint8_t*)0x20000b8a = 1; *(uint16_t*)0x20000b8b = 7; *(uint8_t*)0x20000b8d = 0x80; *(uint8_t*)0x20000b8e = 2; *(uint8_t*)0x20000b8f = 1; *(uint8_t*)0x20000b90 = 2; *(uint8_t*)0x20000b91 = 9; *(uint8_t*)0x20000b92 = 5; *(uint8_t*)0x20000b93 = 1; *(uint8_t*)0x20000b94 = 3; *(uint16_t*)0x20000b95 = 0x200; *(uint8_t*)0x20000b97 = 0x81; *(uint8_t*)0x20000b98 = 1; *(uint8_t*)0x20000b99 = 9; *(uint8_t*)0x20000b9a = 7; *(uint8_t*)0x20000b9b = 0x25; *(uint8_t*)0x20000b9c = 1; *(uint8_t*)0x20000b9d = 1; *(uint8_t*)0x20000b9e = 9; *(uint16_t*)0x20000b9f = 0x1000; *(uint8_t*)0x20000ba1 = 9; *(uint8_t*)0x20000ba2 = 5; *(uint8_t*)0x20000ba3 = 6; *(uint8_t*)0x20000ba4 = 8; *(uint16_t*)0x20000ba5 = 0x400; *(uint8_t*)0x20000ba7 = 0xe8; *(uint8_t*)0x20000ba8 = 0xc6; *(uint8_t*)0x20000ba9 = -1; *(uint8_t*)0x20000baa = 7; *(uint8_t*)0x20000bab = 0x25; *(uint8_t*)0x20000bac = 1; *(uint8_t*)0x20000bad = 1; *(uint8_t*)0x20000bae = 0x81; *(uint16_t*)0x20000baf = 6; *(uint8_t*)0x20000bb1 = 9; *(uint8_t*)0x20000bb2 = 5; *(uint8_t*)0x20000bb3 = 0xd; *(uint8_t*)0x20000bb4 = 0; *(uint16_t*)0x20000bb5 = 0x20; *(uint8_t*)0x20000bb7 = 8; *(uint8_t*)0x20000bb8 = 0xb4; *(uint8_t*)0x20000bb9 = 3; *(uint8_t*)0x20000bba = 9; *(uint8_t*)0x20000bbb = 5; *(uint8_t*)0x20000bbc = 2; *(uint8_t*)0x20000bbd = 1; *(uint16_t*)0x20000bbe = 0x200; *(uint8_t*)0x20000bc0 = 2; *(uint8_t*)0x20000bc1 = 6; *(uint8_t*)0x20000bc2 = 0x20; *(uint8_t*)0x20000bc3 = 9; *(uint8_t*)0x20000bc4 = 5; *(uint8_t*)0x20000bc5 = 7; *(uint8_t*)0x20000bc6 = 2; *(uint16_t*)0x20000bc7 = 0x3ff; *(uint8_t*)0x20000bc9 = 0x29; *(uint8_t*)0x20000bca = 4; *(uint8_t*)0x20000bcb = 0x4c; *(uint8_t*)0x20000bcc = 9; *(uint8_t*)0x20000bcd = 5; *(uint8_t*)0x20000bce = 5; *(uint8_t*)0x20000bcf = 0; *(uint16_t*)0x20000bd0 = 0x200; *(uint8_t*)0x20000bd2 = 2; *(uint8_t*)0x20000bd3 = 0x22; *(uint8_t*)0x20000bd4 = 5; *(uint8_t*)0x20000bd5 = 7; *(uint8_t*)0x20000bd6 = 0x25; *(uint8_t*)0x20000bd7 = 1; *(uint8_t*)0x20000bd8 = 0; *(uint8_t*)0x20000bd9 = 7; *(uint16_t*)0x20000bda = 0x27; *(uint8_t*)0x20000bdc = 9; *(uint8_t*)0x20000bdd = 5; *(uint8_t*)0x20000bde = 0xe; *(uint8_t*)0x20000bdf = 0xc; *(uint16_t*)0x20000be0 = 0x20; *(uint8_t*)0x20000be2 = 0x40; *(uint8_t*)0x20000be3 = 9; *(uint8_t*)0x20000be4 = 0x1f; *(uint8_t*)0x20000be5 = 0x4f; *(uint8_t*)0x20000be6 = 1; memcpy((void*)0x20000be7, "\xf1\x48\xd8\x44\x07\xf5\xb8\xdf\xda\x7c\x13\xb6\x82\x81\xb7\xd1\x42\x09\x55\x10\x93\xf9\x1b\x2d\x8f\x89\x1d\x9f\x3b\x8f\xf0\x7a\x8c\x2b\x56\xbc\xbf\xa7\x44\xea\x1d\xa6\x9f\xb1\x16\xc7\x1d\x11\xfa\x13\xb6\xa2\xc4\x64\xe6\x5d\x7c\x70\x6a\xe2\x5e\x0a\xd8\x36\xd3\x28\xf3\x09\x28\xaf\x26\xfe\x9d\x4f\x3f\x1d\xc1", 77); *(uint8_t*)0x20000c34 = 7; *(uint8_t*)0x20000c35 = 0x25; *(uint8_t*)0x20000c36 = 1; *(uint8_t*)0x20000c37 = 0x82; *(uint8_t*)0x20000c38 = 0x18; *(uint16_t*)0x20000c39 = 0xfc0; *(uint8_t*)0x20000c3b = 9; *(uint8_t*)0x20000c3c = 5; *(uint8_t*)0x20000c3d = 4; *(uint8_t*)0x20000c3e = 0; *(uint16_t*)0x20000c3f = 0x400; *(uint8_t*)0x20000c41 = 0; *(uint8_t*)0x20000c42 = 0x80; *(uint8_t*)0x20000c43 = 7; *(uint8_t*)0x20000c44 = 7; *(uint8_t*)0x20000c45 = 0x25; *(uint8_t*)0x20000c46 = 1; *(uint8_t*)0x20000c47 = 2; *(uint8_t*)0x20000c48 = 4; *(uint16_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4b = 0xf7; *(uint8_t*)0x20000c4c = 0x30; memcpy((void*)0x20000c4d, "\xab\xdd\xdd\x4f\x9b\x3f\x7c\x94\x0f\x59\xac\x5d\x6a\xc2\x20\xf7\x66\x83\x45\x97\x34\x86\x90\xed\xd4\x5d\xbc\xad\x8d\x72\x00\xdb\x71\x84\x99\x1d\x25\x39\xdf\x54\xe5\xad\x82\xe5\xd5\x8b\x03\x66\xea\x3b\x34\x1b\xe9\xa3\x0b\x4b\x2b\xd6\x6b\xf0\x04\x79\x62\x8c\xb4\x77\xc8\x29\x38\xf8\xd3\xc1\x06\xa7\xe1\x8b\x0e\x54\x85\xa0\xb1\x61\x1a\xba\x1d\x8a\xd3\xc7\x40\xfc\x3d\x9a\xcc\xb5\xd7\xb2\x93\xb9\x0b\x16\x8c\x3f\x2c\x69\x79\x81\x35\xb5\x62\x47\x5f\xe2\xa3\xb8\xf6\x19\x57\x22\x51\x66\x27\x87\xbf\x74\x9f\x67\x3a\x35\xee\x80\xea\x76\xed\xd0\xfc\x7b\x31\x77\xf2\x4f\x50\xd6\x8a\xce\xd6\x90\x2e\xcf\x5e\x0a\x1d\x31\x26\xd9\x53\x09\x46\xab\xac\x7a\x85\x79\x91\x94\x74\x8f\x34\xee\xf3\xe2\x49\xc0\xed\xe1\x51\x1b\x67\x62\x6c\x06\x32\x2b\xa0\xb3\x13\x3a\xd7\xea\xb4\x6c\xc0\x7a\x99\x5f\x01\x1d\x24\x78\x19\x83\xc1\x70\x9a\x03\xac\x2e\xf1\x65\xa9\xb9\x1e\xd9\xe7\x5e\x22\x19\x05\xa9\x32\xc3\x50\x1d\x40\x56\x69\x16\xd6\x3f\x2f\xae\x4e\x97\x98\xfa\xb8\xe1\x6a\x1d\x36\x4f\x01\x9c\x0e\xbd\xb0", 245); *(uint8_t*)0x20000d42 = 9; *(uint8_t*)0x20000d43 = 5; *(uint8_t*)0x20000d44 = 2; *(uint8_t*)0x20000d45 = 0; *(uint16_t*)0x20000d46 = 0x40; *(uint8_t*)0x20000d48 = 0xfe; *(uint8_t*)0x20000d49 = 0x20; *(uint8_t*)0x20000d4a = 9; *(uint8_t*)0x20000d4b = 0xed; *(uint8_t*)0x20000d4c = 1; memcpy((void*)0x20000d4d, "\x97\x48\x0b\x61\x9e\xce\x34\x91\x71\x8d\x87\x0d\x13\x33\xf7\xf3\xcb\xe0\x33\x67\xac\x7f\x15\xbe\x17\x93\xcf\x2d\x63\x5a\xf6\x7a\xf8\x8c\xfe\xa5\x26\xad\x45\xea\x67\xc3\x9a\xde\x3d\x19\x91\x8d\x55\xea\x59\x8a\x78\x07\xfd\x2c\x56\xad\xdf\xb5\x2f\x42\x75\x6b\xfc\x60\x2c\x04\x56\x0e\x98\x1a\x38\x78\x3c\xa3\xdd\x8b\xa4\x31\xc2\x67\x59\x2b\xc0\x04\xb2\xf5\x3e\x49\x08\x2d\xac\x6a\x78\x48\xb9\x29\xdc\xf5\x3f\x15\x1f\x4c\x9a\xe6\xf8\x91\x2f\xff\xd9\x19\x9b\xcd\xcd\x8b\x95\xfd\xc2\xdf\xaa\x22\xd3\xa7\x31\xf3\xc4\xaa\x34\x47\xd4\x18\x3b\x1c\xb4\xcc\xce\xb3\x6e\x69\x37\xf2\x27\x5c\x89\xce\x0b\xa8\x3f\x40\xc2\xc7\xdb\xf1\x3b\x41\x77\x0a\x0f\x12\x5b\x10\xde\xd7\xee\xfe\x7a\x18\x24\xf9\xee\xf4\x93\x83\x10\xa5\x5c\x12\x1b\xf1\xa9\x25\x9f\x55\x16\x72\xb8\xa0\xa5\x2f\xea\xc5\xcb\xc5\xab\x96\xa5\x49\x1e\xf5\x33\xd7\xbe\x14\x76\x4e\x9d\xa5\x31\xff\xef\x82\xf8\x61\x2a\x74\x0f\xb5\x87\x56\xf7\xcb\x60\x92\xab\xb1\x5a\xa6\xcf\x04\x94\xcb\x71\x06\xf1", 235); *(uint8_t*)0x20000e38 = 0xd3; *(uint8_t*)0x20000e39 = 8; memcpy((void*)0x20000e3a, "\x4e\x8e\x03\x4e\xe9\x75\x01\xac\x38\x25\x74\xd2\xa7\x25\x27\xc5\xe0\xc8\x32\x61\x8b\xc6\xa1\xea\x16\xc3\xf3\x23\x25\x89\x71\x63\x3a\x03\x33\x99\x1a\xd9\x97\x54\xb0\x06\xc9\x5c\x4d\xe5\xf9\x01\xec\x1b\x8d\x86\xbd\x47\xc5\x64\xbd\x2a\xef\x08\xdf\x3c\x22\x4a\x3e\x6e\x40\x84\x65\x54\xee\xd2\x73\x4d\x71\xce\x33\x92\x96\x7e\xf5\x5c\x96\xb3\xda\x0a\xa5\x48\x1f\x31\xc3\x51\xcf\x18\x59\xcb\xee\x24\x4e\x75\x1c\x60\xcf\xad\xc2\x33\xcb\x60\x02\xee\x6f\xf4\xcc\x2c\x9b\x76\x37\x8f\x5b\x6e\x41\x0c\x01\x4f\x25\xcb\x9f\xff\x68\xf8\xa6\xff\x5b\x81\xb6\xd0\x9b\x9c\x7a\x2a\xaf\x84\x8b\xd2\x47\xed\x21\xb1\x3a\xa8\xd3\x5b\xcb\x7b\xf2\xfa\x6b\x8c\xbf\x55\x29\x9e\xdb\xce\x15\xe7\x88\xd1\xf9\x3c\xff\x32\x23\x99\x24\x9a\xc0\x80\xf2\xd4\x7b\xd3\xf2\x7e\x7a\x6d\xe1\x84\x90\x48\x11\x72\x25\x36\xd0\xa2\x33\x0e\x3e\x51\x11\x46\xfa\xab\x98\x64\xd1\xb1\x83", 209); *(uint8_t*)0x20000f0b = 9; *(uint8_t*)0x20000f0c = 5; *(uint8_t*)0x20000f0d = 0xb; *(uint8_t*)0x20000f0e = 0; *(uint16_t*)0x20000f0f = 0x10; *(uint8_t*)0x20000f11 = 0x2c; *(uint8_t*)0x20000f12 = 9; *(uint8_t*)0x20000f13 = 6; *(uint8_t*)0x20000f14 = 7; *(uint8_t*)0x20000f15 = 0x25; *(uint8_t*)0x20000f16 = 1; *(uint8_t*)0x20000f17 = 0x80; *(uint8_t*)0x20000f18 = 0xc9; *(uint16_t*)0x20000f19 = 0xbb; *(uint8_t*)0x20000f1b = 0x1f; *(uint8_t*)0x20000f1c = 0x31; memcpy((void*)0x20000f1d, "\xe4\x4d\x51\xa1\x5a\x72\x0f\x09\x9d\xad\xeb\x93\x26\x25\x52\xa9\x35\x42\x42\x29\xd3\xf4\xd1\x2e\xdc\x1b\xaa\x9f\x88", 29); *(uint8_t*)0x20000f3a = 9; *(uint8_t*)0x20000f3b = 5; *(uint8_t*)0x20000f3c = 0xc; *(uint8_t*)0x20000f3d = 0; *(uint16_t*)0x20000f3e = 8; *(uint8_t*)0x20000f40 = 0x49; *(uint8_t*)0x20000f41 = 0x40; *(uint8_t*)0x20000f42 = 0x55; *(uint8_t*)0x20000f43 = 9; *(uint8_t*)0x20000f44 = 4; *(uint8_t*)0x20000f45 = 0xfe; *(uint8_t*)0x20000f46 = 0x33; *(uint8_t*)0x20000f47 = 2; *(uint8_t*)0x20000f48 = 0xa2; *(uint8_t*)0x20000f49 = 0x17; *(uint8_t*)0x20000f4a = 0x9a; *(uint8_t*)0x20000f4b = 2; *(uint8_t*)0x20000f4c = 9; *(uint8_t*)0x20000f4d = 0x24; *(uint8_t*)0x20000f4e = 6; *(uint8_t*)0x20000f4f = 0; *(uint8_t*)0x20000f50 = 1; memcpy((void*)0x20000f51, "\xfb\x7f\xfd\xe8", 4); *(uint8_t*)0x20000f55 = 5; *(uint8_t*)0x20000f56 = 0x24; *(uint8_t*)0x20000f57 = 0; *(uint16_t*)0x20000f58 = 1; *(uint8_t*)0x20000f5a = 0xd; *(uint8_t*)0x20000f5b = 0x24; *(uint8_t*)0x20000f5c = 0xf; *(uint8_t*)0x20000f5d = 1; *(uint32_t*)0x20000f5e = 4; *(uint16_t*)0x20000f62 = 0x9f54; *(uint16_t*)0x20000f64 = 0x267; *(uint8_t*)0x20000f66 = 1; *(uint8_t*)0x20000f67 = 6; *(uint8_t*)0x20000f68 = 0x24; *(uint8_t*)0x20000f69 = 0x1a; *(uint16_t*)0x20000f6a = 9; *(uint8_t*)0x20000f6c = 9; *(uint8_t*)0x20000f6d = 0xc; *(uint8_t*)0x20000f6e = 0x24; *(uint8_t*)0x20000f6f = 0x1b; *(uint16_t*)0x20000f70 = -1; *(uint16_t*)0x20000f72 = 1; *(uint8_t*)0x20000f74 = 0x20; *(uint8_t*)0x20000f75 = 6; *(uint16_t*)0x20000f76 = 6; *(uint8_t*)0x20000f78 = 6; *(uint8_t*)0x20000f79 = 0x15; *(uint8_t*)0x20000f7a = 0x24; *(uint8_t*)0x20000f7b = 0x12; *(uint16_t*)0x20000f7c = 3; *(uint64_t*)0x20000f7e = 0x14f5e048ba817a3; *(uint64_t*)0x20000f86 = 0x2a397ecbffc007a6; *(uint8_t*)0x20000f8e = 0xc; *(uint8_t*)0x20000f8f = 0x24; *(uint8_t*)0x20000f90 = 0x1b; *(uint16_t*)0x20000f91 = 0x91; *(uint16_t*)0x20000f93 = 5; *(uint8_t*)0x20000f95 = 1; *(uint8_t*)0x20000f96 = -1; *(uint16_t*)0x20000f97 = 5; *(uint8_t*)0x20000f99 = 0x35; *(uint8_t*)0x20000f9a = 4; *(uint8_t*)0x20000f9b = 0x24; *(uint8_t*)0x20000f9c = 2; *(uint8_t*)0x20000f9d = 1; *(uint8_t*)0x20000f9e = 9; *(uint8_t*)0x20000f9f = 5; *(uint8_t*)0x20000fa0 = 0xa; *(uint8_t*)0x20000fa1 = 0x10; *(uint16_t*)0x20000fa2 = 8; *(uint8_t*)0x20000fa4 = 0x80; *(uint8_t*)0x20000fa5 = 0xc1; *(uint8_t*)0x20000fa6 = 4; *(uint8_t*)0x20000fa7 = 0xb8; *(uint8_t*)0x20000fa8 = 0x30; memcpy((void*)0x20000fa9, "\xe3\x84\xdc\xf0\x3a\xc3\x95\x40\xe5\xa2\x21\x99\xf7\x1a\x53\xba\x42\x8c\x3b\x72\x02\x90\xf0\x27\x6b\xcc\xa0\xcd\x15\x40\x5f\x6c\x93\x04\x97\xaf\x5e\xb3\x20\xa4\x33\xcc\x55\x3d\x6e\x01\x08\xed\xbf\x79\x3e\xf0\x24\x0f\xf2\x69\xb4\xff\x96\xd6\x82\x2b\xcb\x48\xce\xba\xe2\xa5\xce\xad\x65\x78\x6e\xbe\xcd\x5f\x30\x0c\x08\x60\x6d\x33\x22\xb8\x36\x00\x29\xbd\x21\x31\x2d\xac\x49\x33\x61\xe1\xb0\x8f\x2a\xdc\xa4\xdc\x49\xa0\x04\xfe\xfd\xf7\xa3\xa5\x25\xae\x5d\xe1\x1f\x0a\x69\x1a\x41\xb8\x69\xd9\xb9\xa5\xd9\x0d\x5a\x7b\x5e\xbe\x9e\x57\x73\xb9\x7e\xfe\x98\xe3\x89\x53\x77\xa4\x24\xe3\x0e\xf2\x2f\xd2\xff\xa2\x53\x2f\x1b\xb3\xc1\xa4\xe3\xb8\x6a\xfc\x08\xb2\x65\x9a\xa2\xe5\x56\xf1\x90\xe2\x7f\x83\x61\x9a\x16\x18\xd3\x71\xe1\x02\xc5\x58", 182); *(uint8_t*)0x2000105f = 9; *(uint8_t*)0x20001060 = 5; *(uint8_t*)0x20001061 = 0x80; *(uint8_t*)0x20001062 = 1; *(uint16_t*)0x20001063 = 0x40; *(uint8_t*)0x20001065 = 4; *(uint8_t*)0x20001066 = 0; *(uint8_t*)0x20001067 = 0x1f; *(uint8_t*)0x20001068 = 9; *(uint8_t*)0x20001069 = 4; *(uint8_t*)0x2000106a = 0x74; *(uint8_t*)0x2000106b = 0x90; *(uint8_t*)0x2000106c = 0xa; *(uint8_t*)0x2000106d = -1; *(uint8_t*)0x2000106e = 0x5d; *(uint8_t*)0x2000106f = 1; *(uint8_t*)0x20001070 = 0x81; *(uint8_t*)0x20001071 = 0x6c; *(uint8_t*)0x20001072 = 4; memcpy((void*)0x20001073, "\xde\xaf\x84\x76\xcc\x58\x55\xff\xb6\xd2\x2d\x6c\xeb\x29\x77\x34\x8b\xa8\x6d\xee\x7d\x9e\x22\xe0\xc4\x64\x77\xb0\x6c\x0d\xb5\x14\xbb\x53\x83\xa6\x2a\x40\x2c\xc6\xe0\x79\x5d\xdd\xa5\x10\xcf\x42\x38\xb2\xc6\x4b\x65\x7a\x11\x11\xef\xc0\xe4\xaa\xcf\x9e\x40\x80\x2d\xd0\xee\xb6\x9f\x27\x1c\x1e\x6f\xe0\xee\x5e\x9f\x48\x12\x28\x32\xe6\xa8\x0a\x4d\x7a\x66\x11\xe3\xfd\x2d\xca\x49\xd3\x51\x90\x8f\xf9\xa4\x8c\xa2\x0c\x78\xa6\x9c\x65", 106); *(uint8_t*)0x200010dd = 9; *(uint8_t*)0x200010de = 0x21; *(uint16_t*)0x200010df = 7; *(uint8_t*)0x200010e1 = 7; *(uint8_t*)0x200010e2 = 1; *(uint8_t*)0x200010e3 = 0x22; *(uint16_t*)0x200010e4 = 0xab5; *(uint8_t*)0x200010e6 = 9; *(uint8_t*)0x200010e7 = 5; *(uint8_t*)0x200010e8 = 0; *(uint8_t*)0x200010e9 = 0; *(uint16_t*)0x200010ea = 0x200; *(uint8_t*)0x200010ec = 4; *(uint8_t*)0x200010ed = 7; *(uint8_t*)0x200010ee = 0; *(uint8_t*)0x200010ef = 9; *(uint8_t*)0x200010f0 = 5; *(uint8_t*)0x200010f1 = 0x80; *(uint8_t*)0x200010f2 = 0xc; *(uint16_t*)0x200010f3 = 0x40; *(uint8_t*)0x200010f5 = 0; *(uint8_t*)0x200010f6 = 0x7f; *(uint8_t*)0x200010f7 = -1; *(uint8_t*)0x200010f8 = 7; *(uint8_t*)0x200010f9 = 0x25; *(uint8_t*)0x200010fa = 1; *(uint8_t*)0x200010fb = 0; *(uint8_t*)0x200010fc = 0; *(uint16_t*)0x200010fd = 0xff; *(uint8_t*)0x200010ff = 7; *(uint8_t*)0x20001100 = 0x25; *(uint8_t*)0x20001101 = 1; *(uint8_t*)0x20001102 = 2; *(uint8_t*)0x20001103 = 0xfa; *(uint16_t*)0x20001104 = 5; *(uint8_t*)0x20001106 = 9; *(uint8_t*)0x20001107 = 5; *(uint8_t*)0x20001108 = 3; *(uint8_t*)0x20001109 = 3; *(uint16_t*)0x2000110a = 0x3ff; *(uint8_t*)0x2000110c = 0x80; *(uint8_t*)0x2000110d = 0x7f; *(uint8_t*)0x2000110e = 8; *(uint8_t*)0x2000110f = 9; *(uint8_t*)0x20001110 = 5; *(uint8_t*)0x20001111 = 5; *(uint8_t*)0x20001112 = 1; *(uint16_t*)0x20001113 = 0x20; *(uint8_t*)0x20001115 = 4; *(uint8_t*)0x20001116 = 0x3c; *(uint8_t*)0x20001117 = 4; *(uint8_t*)0x20001118 = 7; *(uint8_t*)0x20001119 = 0x25; *(uint8_t*)0x2000111a = 1; *(uint8_t*)0x2000111b = 0x80; *(uint8_t*)0x2000111c = 0x40; *(uint16_t*)0x2000111d = 0x800; *(uint8_t*)0x2000111f = 9; *(uint8_t*)0x20001120 = 5; *(uint8_t*)0x20001121 = 0xd; *(uint8_t*)0x20001122 = 0; *(uint16_t*)0x20001123 = 0x20; *(uint8_t*)0x20001125 = -1; *(uint8_t*)0x20001126 = 0x14; *(uint8_t*)0x20001127 = 0x3f; *(uint8_t*)0x20001128 = 9; *(uint8_t*)0x20001129 = 5; *(uint8_t*)0x2000112a = 4; *(uint8_t*)0x2000112b = 0; *(uint16_t*)0x2000112c = 0x20; *(uint8_t*)0x2000112e = 1; *(uint8_t*)0x2000112f = 1; *(uint8_t*)0x20001130 = 0x56; *(uint8_t*)0x20001131 = 9; *(uint8_t*)0x20001132 = 5; *(uint8_t*)0x20001133 = 0xc; *(uint8_t*)0x20001134 = 0x10; *(uint16_t*)0x20001135 = 8; *(uint8_t*)0x20001137 = 1; *(uint8_t*)0x20001138 = 5; *(uint8_t*)0x20001139 = 2; *(uint8_t*)0x2000113a = 0x20; *(uint8_t*)0x2000113b = 4; memcpy((void*)0x2000113c, "\x6d\xdd\x41\x04\xce\xf7\xb1\xf7\xb2\xdd\xda\xbb\x24\xea\x94\xbe\x1e\x8a\xc9\xfb\xba\x62\xcd\x71\xc1\xa1\xcb\xfa\x4e\x73", 30); *(uint8_t*)0x2000115a = 9; *(uint8_t*)0x2000115b = 5; *(uint8_t*)0x2000115c = 7; *(uint8_t*)0x2000115d = 4; *(uint16_t*)0x2000115e = 0x10; *(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 6; *(uint8_t*)0x20001162 = 0xf8; *(uint8_t*)0x20001163 = 7; *(uint8_t*)0x20001164 = 0x25; *(uint8_t*)0x20001165 = 1; *(uint8_t*)0x20001166 = 0x80; *(uint8_t*)0x20001167 = 3; *(uint16_t*)0x20001168 = 0x8000; *(uint8_t*)0x2000116a = 0x98; *(uint8_t*)0x2000116b = 0x21; memcpy((void*)0x2000116c, "\xe7\xba\xc6\xd3\x44\x3c\xdf\xcd\xf9\xc2\x4b\x69\x78\xdb\xfb\x9d\xd1\x82\x4a\x59\x64\xcb\xfa\x0f\xe6\x42\x96\xd5\x79\x4c\x61\x59\xbc\x30\xb8\x02\xa5\x9b\x5c\x7a\x49\xb5\x34\x03\x5d\xf5\x6b\xbc\x48\x86\x52\xee\x31\xc6\x01\xd5\x32\x65\x07\x01\x6b\xd4\x45\xa1\xc0\x9d\xf2\x31\xcf\x57\x81\x19\x0d\xaa\xba\x0c\xbd\x84\xa1\x72\x64\x03\x27\xb8\xc1\xa1\xd9\x0b\xfa\xb1\x8f\x24\x96\x1f\xfe\x12\xa0\x48\x6a\x23\x9c\x79\xa2\x59\xc5\x37\x65\x26\x03\xdc\xbd\x4b\x2b\x73\x42\xae\x0d\x71\x5a\x75\x43\xf4\xd0\x8b\xb5\x57\xbd\xdc\xd3\xbc\xa8\x35\x90\xb5\x7c\x30\xee\xe2\xce\x95\xf6\xc7\x10\x2f\x64\x6a\xf8\x28\xa4\x96", 150); *(uint8_t*)0x20001202 = 9; *(uint8_t*)0x20001203 = 5; *(uint8_t*)0x20001204 = 2; *(uint8_t*)0x20001205 = 3; *(uint16_t*)0x20001206 = 0x400; *(uint8_t*)0x20001208 = 3; *(uint8_t*)0x20001209 = 2; *(uint8_t*)0x2000120a = 8; *(uint8_t*)0x2000120b = 9; *(uint8_t*)0x2000120c = 5; *(uint8_t*)0x2000120d = 6; *(uint8_t*)0x2000120e = 0x10; *(uint16_t*)0x2000120f = 0x20; *(uint8_t*)0x20001211 = -1; *(uint8_t*)0x20001212 = 4; *(uint8_t*)0x20001213 = 6; *(uint32_t*)0x20001540 = 0xa; *(uint64_t*)0x20001544 = 0x20001240; *(uint8_t*)0x20001240 = 0xa; *(uint8_t*)0x20001241 = 6; *(uint16_t*)0x20001242 = 0x300; *(uint8_t*)0x20001244 = -1; *(uint8_t*)0x20001245 = 0x81; *(uint8_t*)0x20001246 = 6; *(uint8_t*)0x20001247 = 0xf7; *(uint8_t*)0x20001248 = 0xc4; *(uint8_t*)0x20001249 = 0; *(uint32_t*)0x2000154c = 0xf; *(uint64_t*)0x20001550 = 0x20001280; *(uint8_t*)0x20001280 = 5; *(uint8_t*)0x20001281 = 0xf; *(uint16_t*)0x20001282 = 0xf; *(uint8_t*)0x20001284 = 1; *(uint8_t*)0x20001285 = 0xa; *(uint8_t*)0x20001286 = 0x10; *(uint8_t*)0x20001287 = 3; *(uint8_t*)0x20001288 = 0; *(uint16_t*)0x20001289 = 0; *(uint8_t*)0x2000128b = 8; *(uint8_t*)0x2000128c = 0x1f; *(uint16_t*)0x2000128d = 0xfff; *(uint32_t*)0x20001558 = 5; *(uint32_t*)0x2000155c = 4; *(uint64_t*)0x20001560 = 0x200012c0; *(uint8_t*)0x200012c0 = 4; *(uint8_t*)0x200012c1 = 3; *(uint16_t*)0x200012c2 = 0xc07; *(uint32_t*)0x20001568 = 0x54; *(uint64_t*)0x2000156c = 0x20001300; *(uint8_t*)0x20001300 = 0x54; *(uint8_t*)0x20001301 = 3; memcpy((void*)0x20001302, "\x32\x1d\x45\x7f\x2f\x5a\xb9\xfc\xb1\x11\x8c\x96\x06\x31\xfd\x85\xa7\x5e\xad\x82\x91\x36\xaa\x2a\x6c\xc0\x31\x14\x51\x03\x5f\xe1\x7b\x95\x6e\xb8\xfa\x52\xd4\x95\xa3\x11\xa6\xc0\x3f\x0a\xe8\x4c\x86\xf0\xed\x78\xda\xeb\xfa\x15\xdb\x7b\xc5\x78\x8c\x97\x24\xba\xf4\x58\x2d\xc0\xec\x1b\xa6\x68\x1a\x76\xb0\xa1\xbf\xc5\xde\x9d\xae\xcc", 82); *(uint32_t*)0x20001574 = 0xd3; *(uint64_t*)0x20001578 = 0x20001380; *(uint8_t*)0x20001380 = 0xd3; *(uint8_t*)0x20001381 = 3; memcpy((void*)0x20001382, "\x18\x33\x6f\xc5\x62\x3b\xa1\x41\x06\x34\xc4\x05\x0b\xcf\x3b\x48\x8e\xa4\x18\x67\xd0\x59\xdc\xdc\xd2\xc3\x68\xd8\x48\xfe\x51\x47\x32\x3c\x0b\xa4\xe5\x1d\x7c\xf2\xa3\xd1\x50\x25\x8f\x8c\xc2\x56\x9b\xd7\x9e\x95\x1e\xa9\x5a\x31\x8d\xe3\x1d\x14\x6c\x37\xa7\xcf\x71\x2f\x1f\xcd\x44\x03\x90\x85\x2c\x8d\x52\x16\xf8\xd2\x3a\x99\x18\xb0\xe0\x53\x52\x1e\xb6\x70\xad\x3e\xe0\xfb\x8a\x93\xa8\xd7\xba\xd7\x19\x9e\xeb\xe1\x2a\x3b\x02\x10\x7a\xc4\x54\x2b\xc6\x49\x79\x77\xe3\x30\x8b\x40\x7b\xf3\x64\x98\x2f\x4f\xc9\xc3\x30\xf9\xa7\x5c\xcb\x65\xc8\x68\x8d\x5c\x24\x7a\xd0\x6c\x20\xcc\xf0\x14\x65\xe3\xab\x09\xfc\x77\x7f\x73\x47\x4c\x2c\xd0\x53\xb8\x48\xad\x32\x55\xb5\xad\xc8\x1e\x03\x3d\x2a\x0f\xac\x50\x61\xea\x52\xda\xcf\x46\xe8\x8e\x8c\x2e\x38\x8d\xeb\x91\xd2\xd9\xfc\x12\x42\x55\x90\x93\x36\x41\x8e\x74\x3b\xda\x4c\xb4\xf7\x3c\x6b\x75\xaf\x9a\x9b", 209); *(uint32_t*)0x20001580 = 4; *(uint64_t*)0x20001584 = 0x20001480; *(uint8_t*)0x20001480 = 4; *(uint8_t*)0x20001481 = 3; *(uint16_t*)0x20001482 = 0x42b; *(uint32_t*)0x2000158c = 0x5a; *(uint64_t*)0x20001590 = 0x200014c0; *(uint8_t*)0x200014c0 = 0x5a; *(uint8_t*)0x200014c1 = 3; memcpy((void*)0x200014c2, "\x4d\x85\xf3\x14\x20\xff\x1c\xed\xa2\x5d\x11\x8d\x33\xa6\xeb\xbc\xe8\x88\xc1\x2d\x90\xeb\x54\xc8\x27\xd1\x49\xc8\xdc\xbd\x99\xf3\x89\x3b\x35\xd1\xda\x6c\x77\x6b\x1b\x5d\x08\x4b\x30\x8c\xdf\x93\x47\x41\x67\xf2\x66\x19\x9f\x44\x0a\x03\xfc\x3e\x34\x38\x03\x1b\x87\x25\xdd\xe6\x02\x9a\x62\x9c\x08\x43\xbe\xdf\x04\x8b\x84\x09\xb1\x53\xf9\x03\xd6\x57\xd2\x2b", 88); res = -1; res = syz_usb_connect(6, 0x714, 0x20000b00, 0x20001540); if (res != -1) r[10] = res; break; case 33: *(uint8_t*)0x200015c0 = 0x12; *(uint8_t*)0x200015c1 = 1; *(uint16_t*)0x200015c2 = 0x200; *(uint8_t*)0x200015c4 = -1; *(uint8_t*)0x200015c5 = -1; *(uint8_t*)0x200015c6 = -1; *(uint8_t*)0x200015c7 = 0x40; *(uint16_t*)0x200015c8 = 0xcf3; *(uint16_t*)0x200015ca = 0x9271; *(uint16_t*)0x200015cc = 0x108; *(uint8_t*)0x200015ce = 1; *(uint8_t*)0x200015cf = 2; *(uint8_t*)0x200015d0 = 3; *(uint8_t*)0x200015d1 = 1; *(uint8_t*)0x200015d2 = 9; *(uint8_t*)0x200015d3 = 2; *(uint16_t*)0x200015d4 = 0x48; *(uint8_t*)0x200015d6 = 1; *(uint8_t*)0x200015d7 = 1; *(uint8_t*)0x200015d8 = 0; *(uint8_t*)0x200015d9 = 0x80; *(uint8_t*)0x200015da = 0xfa; *(uint8_t*)0x200015db = 9; *(uint8_t*)0x200015dc = 4; *(uint8_t*)0x200015dd = 0; *(uint8_t*)0x200015de = 0; *(uint8_t*)0x200015df = 6; *(uint8_t*)0x200015e0 = -1; *(uint8_t*)0x200015e1 = 0; *(uint8_t*)0x200015e2 = 0; *(uint8_t*)0x200015e3 = 0; *(uint8_t*)0x200015e4 = 9; *(uint8_t*)0x200015e5 = 5; *(uint8_t*)0x200015e6 = 1; *(uint8_t*)0x200015e7 = 2; *(uint16_t*)0x200015e8 = 0x200; *(uint8_t*)0x200015ea = 0; *(uint8_t*)0x200015eb = 0; *(uint8_t*)0x200015ec = 0; *(uint8_t*)0x200015ed = 9; *(uint8_t*)0x200015ee = 5; *(uint8_t*)0x200015ef = 0x82; *(uint8_t*)0x200015f0 = 2; *(uint16_t*)0x200015f1 = 0x200; *(uint8_t*)0x200015f3 = 0; *(uint8_t*)0x200015f4 = 0; *(uint8_t*)0x200015f5 = 0; *(uint8_t*)0x200015f6 = 9; *(uint8_t*)0x200015f7 = 5; *(uint8_t*)0x200015f8 = 0x83; *(uint8_t*)0x200015f9 = 3; *(uint16_t*)0x200015fa = 0x40; *(uint8_t*)0x200015fc = 1; *(uint8_t*)0x200015fd = 0; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 9; *(uint8_t*)0x20001600 = 5; *(uint8_t*)0x20001601 = 4; *(uint8_t*)0x20001602 = 3; *(uint16_t*)0x20001603 = 0x40; *(uint8_t*)0x20001605 = 1; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 9; *(uint8_t*)0x20001609 = 5; *(uint8_t*)0x2000160a = 5; *(uint8_t*)0x2000160b = 2; *(uint16_t*)0x2000160c = 0x200; *(uint8_t*)0x2000160e = 0; *(uint8_t*)0x2000160f = 0; *(uint8_t*)0x20001610 = 0; *(uint8_t*)0x20001611 = 9; *(uint8_t*)0x20001612 = 5; *(uint8_t*)0x20001613 = 6; *(uint8_t*)0x20001614 = 2; *(uint16_t*)0x20001615 = 0x200; *(uint8_t*)0x20001617 = 0; *(uint8_t*)0x20001618 = 0; *(uint8_t*)0x20001619 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200015c0, 0); if (res != -1) r[11] = res; break; case 34: *(uint32_t*)0x200017c0 = 0x2c; *(uint64_t*)0x200017c4 = 0x20001640; *(uint8_t*)0x20001640 = 0; *(uint8_t*)0x20001641 = 0x24; *(uint32_t*)0x20001642 = 0x5e; *(uint8_t*)0x20001646 = 0x5e; *(uint8_t*)0x20001647 = 9; memcpy((void*)0x20001648, "\x50\xd3\x39\x2d\x02\xeb\xd2\x29\x33\x8b\x7e\x71\x70\xb9\x84\xd0\x49\x07\xf9\xce\xe9\x84\xf8\x3f\x84\xc9\x51\x8b\x9d\xd9\x17\x85\xfe\x2d\x66\xe1\x04\x26\xff\x86\xd8\xe7\xd6\x63\x53\x83\x06\x24\x01\x71\x79\x0d\x7f\x77\x66\x64\xbd\xfd\x68\xd3\xdf\x43\xcd\xf6\xd0\xe3\xab\x3d\x2a\x62\x95\x30\x92\xa2\xd7\xce\x2f\xcd\xfe\x2c\xf5\x00\x26\x86\x9a\x4b\xcd\x06\x6a\xf9\xdd\xbd", 92); *(uint64_t*)0x200017cc = 0x200016c0; *(uint8_t*)0x200016c0 = 0; *(uint8_t*)0x200016c1 = 3; *(uint32_t*)0x200016c2 = 4; *(uint8_t*)0x200016c6 = 4; *(uint8_t*)0x200016c7 = 3; *(uint16_t*)0x200016c8 = 0x449; *(uint64_t*)0x200017d4 = 0x20001700; *(uint8_t*)0x20001700 = 0; *(uint8_t*)0x20001701 = 0xf; *(uint32_t*)0x20001702 = 0x19; *(uint8_t*)0x20001706 = 5; *(uint8_t*)0x20001707 = 0xf; *(uint16_t*)0x20001708 = 0x19; *(uint8_t*)0x2000170a = 1; *(uint8_t*)0x2000170b = 0x14; *(uint8_t*)0x2000170c = 0x10; *(uint8_t*)0x2000170d = 4; *(uint8_t*)0x2000170e = 0x3f; memcpy((void*)0x2000170f, "\x0f\xf6\x11\x98\x8b\x42\x04\x3b\xdd\x16\xf1\x8b\x9b\x82\xf6\xcf", 16); *(uint64_t*)0x200017dc = 0x20001740; *(uint8_t*)0x20001740 = 0x20; *(uint8_t*)0x20001741 = 0x29; *(uint32_t*)0x20001742 = 0xf; *(uint8_t*)0x20001746 = 0xf; *(uint8_t*)0x20001747 = 0x29; *(uint8_t*)0x20001748 = 0; *(uint16_t*)0x20001749 = 0; *(uint8_t*)0x2000174b = 9; *(uint8_t*)0x2000174c = 0x68; memcpy((void*)0x2000174d, "\x60\xc5\x11\xfa", 4); memcpy((void*)0x20001751, "\x23\xe3\xf5\x32", 4); *(uint64_t*)0x200017e4 = 0x20001780; *(uint8_t*)0x20001780 = 0x20; *(uint8_t*)0x20001781 = 0x2a; *(uint32_t*)0x20001782 = 0xc; *(uint8_t*)0x20001786 = 0xc; *(uint8_t*)0x20001787 = 0x2a; *(uint8_t*)0x20001788 = 5; *(uint16_t*)0x20001789 = 0; *(uint8_t*)0x2000178b = 2; *(uint8_t*)0x2000178c = 7; *(uint8_t*)0x2000178d = 8; *(uint16_t*)0x2000178e = 5; *(uint16_t*)0x20001790 = 0x200; *(uint32_t*)0x20001c80 = 0x84; *(uint64_t*)0x20001c84 = 0x20001800; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0x16; *(uint32_t*)0x20001802 = 0x92; memcpy((void*)0x20001806, "\xe4\x9c\x4e\x0f\xdf\x52\x1d\x4b\xb8\x3a\x1c\x78\xb9\xb6\xf3\x2e\xb6\xe3\x8f\xba\x14\x32\x72\x7c\x39\x17\x49\x72\x7c\x41\x81\x5d\xc3\xfc\x41\x93\xcf\x0f\xc2\x47\xb3\x2c\x61\xdd\x80\xf2\x66\x29\xd7\xcf\x71\x4f\xc0\x80\x15\x77\x01\x40\x5e\x55\xe4\xd1\xae\x2b\x75\x8c\x66\x82\x10\x44\xd2\xe8\x09\x4f\x1b\xd7\x5c\xcf\x96\x00\x45\x47\x26\xe5\xdf\x97\x64\x08\x2d\x53\x70\x12\xad\x6f\xa0\x0a\x11\xbf\x54\x6f\x5d\x86\xaf\x48\x2a\x8f\x0b\x05\x74\x28\x7a\x4c\x56\x40\xbd\x1a\x22\x5a\x60\xd1\x96\x1c\xd5\x6b\x3b\x48\xcf\x69\xd7\x76\xcd\x8b\xba\xc5\xdc\x15\x44\xbf\x6b\x94\xb3\x51\x93\x83\xf9\xc5", 146); *(uint64_t*)0x20001c8c = 0x200018c0; *(uint8_t*)0x200018c0 = 0; *(uint8_t*)0x200018c1 = 0xa; *(uint32_t*)0x200018c2 = 1; *(uint8_t*)0x200018c6 = 0xea; *(uint64_t*)0x20001c94 = 0x20001900; *(uint8_t*)0x20001900 = 0; *(uint8_t*)0x20001901 = 8; *(uint32_t*)0x20001902 = 1; *(uint8_t*)0x20001906 = 0xc0; *(uint64_t*)0x20001c9c = 0x20001940; *(uint8_t*)0x20001940 = 0x20; *(uint8_t*)0x20001941 = 0; *(uint32_t*)0x20001942 = 4; *(uint16_t*)0x20001946 = 3; *(uint16_t*)0x20001948 = 0xc065; *(uint64_t*)0x20001ca4 = 0x20001980; *(uint8_t*)0x20001980 = 0x20; *(uint8_t*)0x20001981 = 0; *(uint32_t*)0x20001982 = 8; *(uint16_t*)0x20001986 = 0x200; *(uint16_t*)0x20001988 = 2; *(uint32_t*)0x2000198a = 0; *(uint64_t*)0x20001cac = 0x200019c0; *(uint8_t*)0x200019c0 = 0x40; *(uint8_t*)0x200019c1 = 7; *(uint32_t*)0x200019c2 = 2; *(uint16_t*)0x200019c6 = 0; *(uint64_t*)0x20001cb4 = 0x20001a00; *(uint8_t*)0x20001a00 = 0x40; *(uint8_t*)0x20001a01 = 9; *(uint32_t*)0x20001a02 = 1; *(uint8_t*)0x20001a06 = 7; *(uint64_t*)0x20001cbc = 0x20001a40; *(uint8_t*)0x20001a40 = 0x40; *(uint8_t*)0x20001a41 = 0xb; *(uint32_t*)0x20001a42 = 2; memcpy((void*)0x20001a46, ",e", 2); *(uint64_t*)0x20001cc4 = 0x20001a80; *(uint8_t*)0x20001a80 = 0x40; *(uint8_t*)0x20001a81 = 0xf; *(uint32_t*)0x20001a82 = 2; *(uint16_t*)0x20001a86 = 0xa; *(uint64_t*)0x20001ccc = 0x20001ac0; *(uint8_t*)0x20001ac0 = 0x40; *(uint8_t*)0x20001ac1 = 0x13; *(uint32_t*)0x20001ac2 = 6; memcpy((void*)0x20001ac6, "\xcb\xa5\xd8\xd5\x17\x87", 6); *(uint64_t*)0x20001cd4 = 0x20001b00; *(uint8_t*)0x20001b00 = 0x40; *(uint8_t*)0x20001b01 = 0x17; *(uint32_t*)0x20001b02 = 6; *(uint8_t*)0x20001b06 = 0xaa; *(uint8_t*)0x20001b07 = 0xaa; *(uint8_t*)0x20001b08 = 0xaa; *(uint8_t*)0x20001b09 = 0xaa; *(uint8_t*)0x20001b0a = 0xaa; *(uint8_t*)0x20001b0b = 0x1b; *(uint64_t*)0x20001cdc = 0x20001b40; *(uint8_t*)0x20001b40 = 0x40; *(uint8_t*)0x20001b41 = 0x19; *(uint32_t*)0x20001b42 = 2; memcpy((void*)0x20001b46, "\x09\xef", 2); *(uint64_t*)0x20001ce4 = 0x20001b80; *(uint8_t*)0x20001b80 = 0x40; *(uint8_t*)0x20001b81 = 0x1a; *(uint32_t*)0x20001b82 = 2; *(uint16_t*)0x20001b86 = 0x200; *(uint64_t*)0x20001cec = 0x20001bc0; *(uint8_t*)0x20001bc0 = 0x40; *(uint8_t*)0x20001bc1 = 0x1c; *(uint32_t*)0x20001bc2 = 1; *(uint8_t*)0x20001bc6 = 0x20; *(uint64_t*)0x20001cf4 = 0x20001c00; *(uint8_t*)0x20001c00 = 0x40; *(uint8_t*)0x20001c01 = 0x1e; *(uint32_t*)0x20001c02 = 1; *(uint8_t*)0x20001c06 = 0x81; *(uint64_t*)0x20001cfc = 0x20001c40; *(uint8_t*)0x20001c40 = 0x40; *(uint8_t*)0x20001c41 = 0x21; *(uint32_t*)0x20001c42 = 1; *(uint8_t*)0x20001c46 = 0x40; syz_usb_control_io(r[11], 0x200017c0, 0x20001c80); break; case 35: *(uint8_t*)0x20001d40 = 0x12; *(uint8_t*)0x20001d41 = 1; *(uint16_t*)0x20001d42 = 0x300; *(uint8_t*)0x20001d44 = 0; *(uint8_t*)0x20001d45 = 0; *(uint8_t*)0x20001d46 = 0; *(uint8_t*)0x20001d47 = 0x40; *(uint16_t*)0x20001d48 = 0x1d6b; *(uint16_t*)0x20001d4a = 0x101; *(uint16_t*)0x20001d4c = 0x40; *(uint8_t*)0x20001d4e = 1; *(uint8_t*)0x20001d4f = 2; *(uint8_t*)0x20001d50 = 3; *(uint8_t*)0x20001d51 = 1; *(uint8_t*)0x20001d52 = 9; *(uint8_t*)0x20001d53 = 2; *(uint16_t*)0x20001d54 = 0xa4; *(uint8_t*)0x20001d56 = 3; *(uint8_t*)0x20001d57 = 1; *(uint8_t*)0x20001d58 = 8; *(uint8_t*)0x20001d59 = 0x80; *(uint8_t*)0x20001d5a = 0x1f; *(uint8_t*)0x20001d5b = 9; *(uint8_t*)0x20001d5c = 4; *(uint8_t*)0x20001d5d = 0; *(uint8_t*)0x20001d5e = 0; *(uint8_t*)0x20001d5f = 0; *(uint8_t*)0x20001d60 = 1; *(uint8_t*)0x20001d61 = 1; *(uint8_t*)0x20001d62 = 0; *(uint8_t*)0x20001d63 = 0; *(uint8_t*)0x20001d64 = 0xa; *(uint8_t*)0x20001d65 = 0x24; *(uint8_t*)0x20001d66 = 1; *(uint16_t*)0x20001d67 = 0x7f; *(uint8_t*)0x20001d69 = 0x24; *(uint8_t*)0x20001d6a = 2; *(uint8_t*)0x20001d6b = 1; *(uint8_t*)0x20001d6c = 2; *(uint8_t*)0x20001d6d = 0xb; *(uint8_t*)0x20001d6e = 0x24; *(uint8_t*)0x20001d6f = 4; *(uint8_t*)0x20001d70 = 3; *(uint8_t*)0x20001d71 = 0x3f; memcpy((void*)0x20001d72, "\xe3\xa7\xba\x11\xb7\x73", 6); *(uint8_t*)0x20001d78 = 0xc; *(uint8_t*)0x20001d79 = 0x24; *(uint8_t*)0x20001d7a = 2; *(uint8_t*)0x20001d7b = 4; *(uint16_t*)0x20001d7c = 0x203; *(uint8_t*)0x20001d7e = 1; *(uint8_t*)0x20001d7f = 2; *(uint16_t*)0x20001d80 = 7; *(uint8_t*)0x20001d82 = 0xfd; *(uint8_t*)0x20001d83 = 0; *(uint8_t*)0x20001d84 = 7; *(uint8_t*)0x20001d85 = 0x24; *(uint8_t*)0x20001d86 = 8; *(uint8_t*)0x20001d87 = 2; *(uint16_t*)0x20001d88 = 4; *(uint8_t*)0x20001d8a = 0x40; *(uint8_t*)0x20001d8b = 9; *(uint8_t*)0x20001d8c = 0x24; *(uint8_t*)0x20001d8d = 3; *(uint8_t*)0x20001d8e = 2; *(uint16_t*)0x20001d8f = 0x101; *(uint8_t*)0x20001d91 = 4; *(uint8_t*)0x20001d92 = 4; *(uint8_t*)0x20001d93 = 5; *(uint8_t*)0x20001d94 = 9; *(uint8_t*)0x20001d95 = 4; *(uint8_t*)0x20001d96 = 1; *(uint8_t*)0x20001d97 = 0; *(uint8_t*)0x20001d98 = 0; *(uint8_t*)0x20001d99 = 1; *(uint8_t*)0x20001d9a = 2; *(uint8_t*)0x20001d9b = 0; *(uint8_t*)0x20001d9c = 0; *(uint8_t*)0x20001d9d = 9; *(uint8_t*)0x20001d9e = 4; *(uint8_t*)0x20001d9f = 1; *(uint8_t*)0x20001da0 = 1; *(uint8_t*)0x20001da1 = 1; *(uint8_t*)0x20001da2 = 1; *(uint8_t*)0x20001da3 = 2; *(uint8_t*)0x20001da4 = 0; *(uint8_t*)0x20001da5 = 0; *(uint8_t*)0x20001da6 = 9; *(uint8_t*)0x20001da7 = 5; *(uint8_t*)0x20001da8 = 1; *(uint8_t*)0x20001da9 = 9; *(uint16_t*)0x20001daa = 0x200; *(uint8_t*)0x20001dac = 0xfc; *(uint8_t*)0x20001dad = 9; *(uint8_t*)0x20001dae = 7; *(uint8_t*)0x20001daf = 7; *(uint8_t*)0x20001db0 = 0x25; *(uint8_t*)0x20001db1 = 1; *(uint8_t*)0x20001db2 = 0; *(uint8_t*)0x20001db3 = 2; *(uint16_t*)0x20001db4 = 8; *(uint8_t*)0x20001db6 = 9; *(uint8_t*)0x20001db7 = 4; *(uint8_t*)0x20001db8 = 2; *(uint8_t*)0x20001db9 = 0; *(uint8_t*)0x20001dba = 0; *(uint8_t*)0x20001dbb = 1; *(uint8_t*)0x20001dbc = 2; *(uint8_t*)0x20001dbd = 0; *(uint8_t*)0x20001dbe = 0; *(uint8_t*)0x20001dbf = 9; *(uint8_t*)0x20001dc0 = 4; *(uint8_t*)0x20001dc1 = 2; *(uint8_t*)0x20001dc2 = 1; *(uint8_t*)0x20001dc3 = 1; *(uint8_t*)0x20001dc4 = 1; *(uint8_t*)0x20001dc5 = 2; *(uint8_t*)0x20001dc6 = 0; *(uint8_t*)0x20001dc7 = 0; *(uint8_t*)0x20001dc8 = 0x12; *(uint8_t*)0x20001dc9 = 0x24; *(uint8_t*)0x20001dca = 2; *(uint8_t*)0x20001dcb = 2; *(uint16_t*)0x20001dcc = 8; *(uint16_t*)0x20001dce = 7; *(uint8_t*)0x20001dd0 = -1; memcpy((void*)0x20001dd1, "\x6c\xce\x23\xa5\x1a\x59\x66\x0a\x8a", 9); *(uint8_t*)0x20001dda = 0xc; *(uint8_t*)0x20001ddb = 0x24; *(uint8_t*)0x20001ddc = 2; *(uint8_t*)0x20001ddd = 1; *(uint8_t*)0x20001dde = 7; *(uint8_t*)0x20001ddf = 2; *(uint8_t*)0x20001de0 = 0xd6; *(uint8_t*)0x20001de1 = 0x40; memcpy((void*)0x20001de2, "\xa5\xe2\x12", 3); memcpy((void*)0x20001de5, "l", 1); *(uint8_t*)0x20001de6 = 9; *(uint8_t*)0x20001de7 = 5; *(uint8_t*)0x20001de8 = 0x82; *(uint8_t*)0x20001de9 = 9; *(uint16_t*)0x20001dea = 0x3ff; *(uint8_t*)0x20001dec = 3; *(uint8_t*)0x20001ded = 0; *(uint8_t*)0x20001dee = 0xac; *(uint8_t*)0x20001def = 7; *(uint8_t*)0x20001df0 = 0x25; *(uint8_t*)0x20001df1 = 1; *(uint8_t*)0x20001df2 = 3; *(uint8_t*)0x20001df3 = 4; *(uint16_t*)0x20001df4 = 5; *(uint32_t*)0x20001f40 = 0xa; *(uint64_t*)0x20001f44 = 0x20001e00; *(uint8_t*)0x20001e00 = 0xa; *(uint8_t*)0x20001e01 = 6; *(uint16_t*)0x20001e02 = 0x200; *(uint8_t*)0x20001e04 = -1; *(uint8_t*)0x20001e05 = 2; *(uint8_t*)0x20001e06 = 7; *(uint8_t*)0x20001e07 = 0x10; *(uint8_t*)0x20001e08 = 6; *(uint8_t*)0x20001e09 = 0; *(uint32_t*)0x20001f4c = 5; *(uint64_t*)0x20001f50 = 0x20001e40; *(uint8_t*)0x20001e40 = 5; *(uint8_t*)0x20001e41 = 0xf; *(uint16_t*)0x20001e42 = 5; *(uint8_t*)0x20001e44 = 0; *(uint32_t*)0x20001f58 = 2; *(uint32_t*)0x20001f5c = 0x52; *(uint64_t*)0x20001f60 = 0x20001e80; *(uint8_t*)0x20001e80 = 0x52; *(uint8_t*)0x20001e81 = 3; memcpy((void*)0x20001e82, "\x4b\xcf\xbc\x74\x9d\x26\xd0\xfb\xc2\x0c\x2e\x20\x2a\x04\x2e\x8b\xb1\x67\xca\xdf\x5c\x2b\xcd\xbd\x07\xdd\xe6\x67\x1d\xa7\xdd\x40\x03\x06\xb2\x6f\x22\x0f\xef\x4a\x33\x97\xf0\xa9\x5a\x4b\x8c\xa5\xba\xfd\x5a\x4f\xa8\xb9\x9d\x24\x50\x5f\x7a\x27\xac\x07\xa1\x6b\xbb\x02\xd5\x24\xc0\xbb\xfa\x3a\xf8\xe3\x18\xdf\x58\xfe\xb1\x43", 80); *(uint32_t*)0x20001f68 = 4; *(uint64_t*)0x20001f6c = 0x20001f00; *(uint8_t*)0x20001f00 = 4; *(uint8_t*)0x20001f01 = 3; *(uint16_t*)0x20001f02 = 0x807; res = -1; res = syz_usb_connect(6, 0xb6, 0x20001d40, 0x20001f40); if (res != -1) r[12] = res; break; case 36: syz_usb_disconnect(r[12]); break; case 37: syz_usb_ep_read(r[10], 6, 0xd6, 0x20001f80); break; case 38: *(uint8_t*)0x20002080 = 0x12; *(uint8_t*)0x20002081 = 1; *(uint16_t*)0x20002082 = 0x110; *(uint8_t*)0x20002084 = 2; *(uint8_t*)0x20002085 = 0; *(uint8_t*)0x20002086 = 0; *(uint8_t*)0x20002087 = -1; *(uint16_t*)0x20002088 = 0x525; *(uint16_t*)0x2000208a = 0xa4a1; *(uint16_t*)0x2000208c = 0x40; *(uint8_t*)0x2000208e = 1; *(uint8_t*)0x2000208f = 2; *(uint8_t*)0x20002090 = 3; *(uint8_t*)0x20002091 = 1; *(uint8_t*)0x20002092 = 9; *(uint8_t*)0x20002093 = 2; *(uint16_t*)0x20002094 = 0x3d; *(uint8_t*)0x20002096 = 1; *(uint8_t*)0x20002097 = 1; *(uint8_t*)0x20002098 = 9; *(uint8_t*)0x20002099 = 0xc0; *(uint8_t*)0x2000209a = 0xb3; *(uint8_t*)0x2000209b = 9; *(uint8_t*)0x2000209c = 4; *(uint8_t*)0x2000209d = 0; *(uint8_t*)0x2000209e = 8; *(uint8_t*)0x2000209f = 3; *(uint8_t*)0x200020a0 = 2; *(uint8_t*)0x200020a1 = 6; *(uint8_t*)0x200020a2 = 0; *(uint8_t*)0x200020a3 = 1; *(uint8_t*)0x200020a4 = 7; *(uint8_t*)0x200020a5 = 0x24; *(uint8_t*)0x200020a6 = 6; *(uint8_t*)0x200020a7 = 0; *(uint8_t*)0x200020a8 = 0; memcpy((void*)0x200020a9, "\x93\xb5", 2); *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 0x24; *(uint8_t*)0x200020ad = 0; *(uint16_t*)0x200020ae = 1; *(uint8_t*)0x200020b0 = 0xd; *(uint8_t*)0x200020b1 = 0x24; *(uint8_t*)0x200020b2 = 0xf; *(uint8_t*)0x200020b3 = 1; *(uint32_t*)0x200020b4 = 5; *(uint16_t*)0x200020b8 = 0xdf0; *(uint16_t*)0x200020ba = 0xa5e2; *(uint8_t*)0x200020bc = -1; *(uint8_t*)0x200020bd = 9; *(uint8_t*)0x200020be = 5; *(uint8_t*)0x200020bf = 0x82; *(uint8_t*)0x200020c0 = 2; *(uint16_t*)0x200020c1 = 0x40; *(uint8_t*)0x200020c3 = 0; *(uint8_t*)0x200020c4 = 0x40; *(uint8_t*)0x200020c5 = 0x20; *(uint8_t*)0x200020c6 = 9; *(uint8_t*)0x200020c7 = 5; *(uint8_t*)0x200020c8 = 3; *(uint8_t*)0x200020c9 = 2; *(uint16_t*)0x200020ca = 8; *(uint8_t*)0x200020cc = 0x20; *(uint8_t*)0x200020cd = -1; *(uint8_t*)0x200020ce = 4; *(uint32_t*)0x20002640 = 0xa; *(uint64_t*)0x20002644 = 0x20002100; *(uint8_t*)0x20002100 = 0xa; *(uint8_t*)0x20002101 = 6; *(uint16_t*)0x20002102 = 0x250; *(uint8_t*)0x20002104 = 0; *(uint8_t*)0x20002105 = 0x81; *(uint8_t*)0x20002106 = 0x20; *(uint8_t*)0x20002107 = 0x20; *(uint8_t*)0x20002108 = 3; *(uint8_t*)0x20002109 = 0; *(uint32_t*)0x2000264c = 5; *(uint64_t*)0x20002650 = 0x20002140; *(uint8_t*)0x20002140 = 5; *(uint8_t*)0x20002141 = 0xf; *(uint16_t*)0x20002142 = 5; *(uint8_t*)0x20002144 = 0; *(uint32_t*)0x20002658 = 8; *(uint32_t*)0x2000265c = 0xcd; *(uint64_t*)0x20002660 = 0x20002180; *(uint8_t*)0x20002180 = 0xcd; *(uint8_t*)0x20002181 = 3; memcpy((void*)0x20002182, "\x2e\x83\x3d\xbc\x02\x86\x82\x12\xd3\xec\x73\x52\xfb\x0d\xe8\xa0\x5e\xcf\x66\x18\x59\xde\xbe\x23\xba\x73\x5f\xb9\x0a\x26\x85\x3e\x0d\x4c\x9b\xfc\xeb\xac\x70\xce\x40\x53\x9a\x98\xcf\x89\x47\xe0\x6b\xb7\x5d\xe0\xa9\x20\x5e\x0b\x79\x1c\xb4\xf9\xe7\xaa\x0a\xe1\x14\x9e\x93\x94\xff\xef\x26\x6f\x96\xe0\xc7\x5a\xb7\x28\xca\xdb\xc3\x12\x57\x0e\xfe\xd7\x37\x09\x0a\x62\x51\xc0\x9e\x1a\x5d\x38\xa0\xc6\xf1\xec\x4a\xe0\x55\x86\x3d\x69\xe4\xdc\xf3\x6d\x97\x4d\x2b\xe3\xe4\x87\xc7\xd2\xf1\xdb\x21\x61\xe9\x3b\x7d\x15\x2c\xe0\x46\xf0\x30\xb3\x6d\x08\x32\x89\xed\xdd\x71\x05\xed\x8e\xae\xd4\x9f\x71\x10\x17\xba\xab\xde\x9d\x5f\x01\xcd\x47\x38\x50\x3d\x32\x26\x69\x55\x4f\xcf\x3b\x5a\x65\xb0\x51\x97\x33\xb0\x7a\x7f\x3c\xff\xdc\x92\xb0\x38\x2c\x66\x12\x0c\x41\xaa\xe8\x85\x68\xc7\x52\xf7\x9d\x50\x1f\xd4\xda\x58\xe6\x87\x9e\x7e", 203); *(uint32_t*)0x20002668 = 4; *(uint64_t*)0x2000266c = 0x20002280; *(uint8_t*)0x20002280 = 4; *(uint8_t*)0x20002281 = 3; *(uint16_t*)0x20002282 = 0x3c0a; *(uint32_t*)0x20002674 = 4; *(uint64_t*)0x20002678 = 0x200022c0; *(uint8_t*)0x200022c0 = 4; *(uint8_t*)0x200022c1 = 3; *(uint16_t*)0x200022c2 = 0x3801; *(uint32_t*)0x20002680 = 0x1f; *(uint64_t*)0x20002684 = 0x20002300; *(uint8_t*)0x20002300 = 0x1f; *(uint8_t*)0x20002301 = 3; memcpy((void*)0x20002302, "\xa6\x70\xc3\x58\x2d\x38\x96\x7a\xc4\x85\x45\x5e\x8a\x40\xac\xb6\xf5\xdf\x24\xab\x49\xa4\xc6\xbb\x43\xd5\x84\xed\xf7", 29); *(uint32_t*)0x2000268c = 4; *(uint64_t*)0x20002690 = 0x20002340; *(uint8_t*)0x20002340 = 4; *(uint8_t*)0x20002341 = 3; *(uint16_t*)0x20002342 = 0x44f; *(uint32_t*)0x20002698 = 0xe1; *(uint64_t*)0x2000269c = 0x20002380; *(uint8_t*)0x20002380 = 0xe1; *(uint8_t*)0x20002381 = 3; memcpy((void*)0x20002382, "\xbe\x2c\xe1\x8f\xae\x6d\xa9\xf1\xaa\x4b\x97\x21\x97\xbe\x7a\x6c\xe4\xb2\x83\xc3\xe0\x02\x7e\x6d\xa1\x3d\x86\x39\xf6\x74\xea\x9c\x64\x28\x9b\x33\xc0\xe1\x43\x5b\x7c\x16\x54\xa5\x69\x12\x7b\x26\xad\x53\x77\x4f\x2b\x6b\x20\x57\x9f\xac\x6f\xaf\xfe\x12\x94\x9e\xe4\xb0\xd3\xcd\x2d\x89\x0c\xff\x2d\x7e\x9b\xb4\x3b\x60\x2a\x39\x4e\xfd\x49\x75\x18\x4f\x7e\xec\xab\x16\xa3\xf1\x87\xca\xb4\xc2\xca\x01\xac\x5b\xc9\xc5\x5c\x8b\xb9\x81\x32\x3d\x91\x9f\x77\x35\x5b\x3c\xe7\x42\x8d\xa6\x2a\xf8\x0c\x76\xb1\x85\xe1\x0a\xc7\xb1\xcc\x95\x0e\xcc\x71\x5c\x3e\x0a\x1e\x14\x23\x11\xb6\x29\x41\xe0\x62\x91\xb3\x0d\x2d\x3c\x7d\x46\x8d\xfb\xe2\x83\xc9\x1f\xc0\x83\x3d\xb0\x68\xe7\xbf\x39\x7c\x23\x35\x75\x79\x02\x29\xce\x51\x3b\xbd\xc4\x38\x7d\x81\xb3\x02\x7e\xf6\x8b\x20\xde\x25\xd9\xf1\xff\x32\xb9\x5c\xba\x44\x3b\x9e\x7f\xba\x49\x91\x43\xe8\x41\xa6\x19\x0c\x6e\xcb\x29\x06\xfe\x42\x30\xf8\x39\xba\x8c\x3c\x73\xea", 223); *(uint32_t*)0x200026a4 = 0xc1; *(uint64_t*)0x200026a8 = 0x20002480; *(uint8_t*)0x20002480 = 0xc1; *(uint8_t*)0x20002481 = 3; memcpy((void*)0x20002482, "\xf1\x7d\xb2\xea\x26\xd9\x0b\xa9\x3d\x1d\xbd\x3d\x94\x82\x88\x21\x72\xcc\x15\x8b\x4c\xc4\x3c\x36\xd1\x2b\xb9\x4e\x06\xfc\x7a\xba\x0d\x96\xba\x62\xa3\x8b\x39\xb7\x7b\xb6\x6a\x8b\x4b\xa6\xfe\x26\x0c\x87\x74\x64\xdc\x10\x12\x44\x9a\x3a\x6a\xb5\xb8\x0e\x66\x7a\x3a\x01\xdb\x8d\xd1\xdc\x34\x68\xb0\xd7\x28\x93\xad\xf2\x5b\xd1\xa7\xb9\xdc\xdd\xf5\x69\x12\x2a\x73\x02\x6b\x76\xfd\x0e\x25\xd7\x44\x0c\xa5\xdb\x63\x5b\x3f\xc9\x01\x3f\xd7\x90\x99\xa7\xd7\xe8\x1d\xb8\x74\x5b\xc9\xd0\xa6\xc9\x38\x79\x1d\x2c\xbf\xd1\x0f\x1c\x62\x8c\xa1\x7a\xf9\x93\xb7\x02\xc1\xed\xe3\x0d\xa1\x88\x25\x67\xce\x28\x7f\x66\xb2\x3e\xbf\x40\x8a\x2d\x9c\x63\xe1\xcb\x0b\x27\x95\x27\x3e\xfa\x81\x53\x56\x1c\x3c\x3e\xeb\x71\xd1\x2a\xa0\x87\xe9\x25\x55\x26\xb5\x28\xf5\x38\xaf\x4a\xbd\x41\xcf\x89\x01", 191); *(uint32_t*)0x200026b0 = 0xc0; *(uint64_t*)0x200026b4 = 0x20002580; *(uint8_t*)0x20002580 = 0xc0; *(uint8_t*)0x20002581 = 3; memcpy((void*)0x20002582, "\x6f\x57\xd6\xa5\x96\x20\x2e\xbf\x5a\x75\xb9\x72\x49\x11\xf9\x1a\x3d\x92\xae\x1a\xc8\x1a\xbb\x9c\x1b\x13\x4a\x76\xe6\x65\x90\xf6\xeb\x8d\xd8\x4c\xc1\x09\x60\xb8\xd2\x23\x94\x7d\x1c\x2e\x77\x1b\x94\xe7\x29\xd8\x34\x18\xf4\x14\x21\x3f\xf8\xb9\x06\x77\x03\x30\xbe\xa7\x0e\x59\xfe\x4d\x8b\xa5\x37\xfb\xcf\xd3\xc4\xbf\xc4\xea\x3b\x64\x0c\x31\x12\x92\x6d\x8c\x78\xee\xe8\x39\x72\x09\x00\xc5\x05\xcc\x01\x3c\x12\x63\xdc\xf2\x7b\x6c\x0f\x87\xfc\xb8\x7f\x40\xcb\x6b\xde\x31\x54\xcc\xd6\x3e\x65\xa4\x8c\x86\xc5\x8a\x38\x57\xf6\x8f\x88\x08\x20\x3f\xb2\x8d\x95\xe7\x4a\x18\x65\xeb\x8f\x82\xfe\x95\x35\x62\xa1\x47\x51\xed\x18\xf2\x51\xe5\x11\x53\x70\xd2\xbc\x19\x14\x5c\xcf\x3a\xbe\xae\x4c\x81\xfb\x1d\x97\xf6\x2e\x03\x5d\xb7\x3d\x11\xab\x7e\xc5\x96\xbc\x7a\x36\x86\x55\xc6", 190); res = -1; res = syz_usb_connect(4, 0x4f, 0x20002080, 0x20002640); if (res != -1) r[13] = res; break; case 39: memcpy((void*)0x200026c0, "\x01\xdf\x42\x94\xf0\x1f\xe1\xf9\x43\xb7\x80\xcc\xad\x76\xab\x8a\x48\x35\x3c\xbc\xe5\x48\x12\x83\xfb\x7d\x07\xe3\x29\x52\x05\x54\x49\xb6\x58\x1b\x36\x93\xb6\x7e\xde\xa7\xf1\x03\x54\x2f\xd1\xdc\xcf\x21\xa4\xf8\xce\x11\xf5\x24\x82\xa5\x50\xdd\x31\x99\xda\x83\x0c\x3e\x19\xff\x1a\x99\x6c\xe1\x42\x4b\x13\x49\x5e\x70\x4b\xe3\xf8\xc1\x06\xd0\x83\x38\xa6\x9d\xb2\x9c\x70\xd0\x40\xba\x40\x50\x16\xd9\x02\x55\xd8\x1d\x11\x5d\x9c\x6c\x9c\x13\xb9\x57\x89\xba\x2d\x4e\xe0\xf0\x05\xd9\x5b", 119); syz_usb_ep_write(r[13], 8, 0x77, 0x200026c0); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :269:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :269:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor940508517 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/7 (0.64s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox: Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { return syscall(__NR_socket, domain, type, proto); } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 40; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 26 ? 50 : 0) + (call == 32 ? 3000 : 0) + (call == 33 ? 3000 : 0) + (call == 34 ? 300 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 3000 : 0) + (call == 39 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/dsp\000", 9); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); break; case 2: syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); break; case 3: memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); if (res != -1) r[1] = res; break; case 4: *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); break; case 5: syscall(__NR_socket, 0xaul, 5ul, 0x84); break; case 6: memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20000240, 8, 0x40040); if (res != -1) r[2] = res; break; case 7: *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); break; case 8: *(uint32_t*)0x20000300 = 0x14; syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); break; case 9: syscall(__NR_socket, 4ul, 2ul, 0); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); break; case 11: *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; break; case 12: memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); syz_execute_func(0x20000140); break; case 13: break; case 14: memcpy((void*)0x200001c0, "SEG6\000", 5); syz_genetlink_get_family_id(0x200001c0); break; case 15: syz_init_net_socket(3, 2, 0xc4); break; case 16: res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); if (res != -1) r[3] = res; break; case 17: syz_io_uring_complete(r[3]); break; case 18: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); if (res != -1) r[4] = *(uint32_t*)0x20000218; break; case 19: res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); if (res != -1) r[5] = res; break; case 20: memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); if (res != -1) r[6] = res; break; case 21: res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); if (res != -1) r[7] = res; break; case 22: *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint32_t*)0x20000394 = 1; *(uint32_t*)0x20000398 = 0; *(uint64_t*)0x200003a0 = 1; *(uint16_t*)0x200003a8 = 0; *(uint16_t*)0x200003aa = r[7]; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; *(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; syz_io_uring_submit(r[3], r[5], 0x20000380, 5); break; case 23: *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0x200003c0; memcpy((void*)0x200003c0, "\xc6\x6b\xf5\x1c\x00\x3b\x68\x4c\xd1\xf5\x6d\x7d\xbc\xd2\xde\xa7\x67\x52\x93\xe4\xd0\x16\x95\x5f\xb8\x84\x32\x0c\xce\xfe\xf5\x21\x42\xee\xf0\xb6\x1d\x38\x99\x59\xe4\xe4\x75\x07\x5b\x6b\x11\xcd\xbe\x1c", 50); *(uint64_t*)0x20000410 = 0x32; *(uint64_t*)0x20000440 = 1; *(uint64_t*)0x20000448 = 0; syz_kvm_setup_cpu(r[6], -1, 0x20fe7000, 0x20000400, 1, 0, 0x20000440, 1); break; case 24: res = syscall(__NR_mmap, 0x20ffb000ul, 0x4000ul, 0x2000000ul, 0x1000ul, -1, 0x8000000ul); if (res != -1) r[8] = res; break; case 25: *(uint32_t*)0x20000480 = 1; syz_memcpy_off(r[8], 0x114, 0x20000480, 0, 4); break; case 26: memcpy((void*)0x200004c0, "afs\000", 4); memcpy((void*)0x20000500, "./file0\000", 8); *(uint64_t*)0x200008c0 = 0x20000540; *(uint64_t*)0x200008c8 = 0; *(uint64_t*)0x200008d0 = 0x32; *(uint64_t*)0x200008d8 = 0x20000580; memcpy((void*)0x20000580, "\x3a\x7a\x72\xca\x9b\x2a\x42\x2a\xfb\xeb\xa2\xd7\xa8\x43\x38\xcb\x03\x95\x18\x39\x45\x1a\xf3\xf3\x03\x1d\x00\x30\xdb\x11\xa0\x8c\x0e\xb2\x24\x4d\xab\x7f\x4f\xd9\x44\x2c\xd5\x53\x70\xfb\xac\xdc\x33\x0d\x3e\xe2\x18\x81\x37\xd0\xad\x97\x72\xc7\xae\x54\xfa\xe9\x2d\x19\x41\xe0\x49\xbd\xcb\x3b\x8f\x64\x5e\xa6\xa7\xd7\x46\x40\x42\x86\xd5\x6d\xfd\x7a\x41\xfb\x29\xe2\x98\x7d\x8d\x73\xb3\x67\x9f\xae\x42\x7f\x5a\xf0\x81\x85\xe4\xff\xda\x15\x32\x28\xa3\xac\x82\xbf\x94\xf1\x77\x52\xed\x78\xdf\xe5\xb9\xa4", 124); *(uint64_t*)0x200008e0 = 0x7c; *(uint64_t*)0x200008e8 = 0xee5; *(uint64_t*)0x200008f0 = 0x20000600; memcpy((void*)0x20000600, "\xa9\x63\xe9\x74\x3e\x9c\x3d\x09\x2a\x0a\xb1\xd6\x8a\x13\xfe\x85\xf8\x0e\xd9\x43\x58\xab\x9a\xd4\x02\x9d\xff\x34\x33\xa3\x22\x3c\x65\x0d\x6a\x96\x50\x5e\xc9\xa3\xd6\xcd\x09\xad\x3f\x26\x8f\xcd\xd1\x24\x8a\xa4\x3e\xf1\x38\xa7\x9b\x0c\x4c\x11\x6f\x71\x78\xb5\xfc\x5c\xc4\x9f\xa3\x03\x20\x1e\x8c\x7e\xf4\xe3\x22\x43\x41\x05\xec\xdc\x91\x2a\xe6\x72\x51\x0b\x34\xc0\x1a\xa3\x89\x0c\x90\xf2\x72\x00\xde\x2b\x65\xc4\xbd\x20", 104); *(uint64_t*)0x200008f8 = 0x68; *(uint64_t*)0x20000900 = 0x10000; *(uint64_t*)0x20000908 = 0x20000680; memcpy((void*)0x20000680, "\x6a\xc4\x43\xef\xa9\x85\x5d\xda\x4f\xa3\xa9\x82\xab\xc0\x60\xeb\xf1\xa6\x78\x5f\xeb\xa7\x7c\xd7\x0d\x48\x6a\x29\xf4", 29); *(uint64_t*)0x20000910 = 0x1d; *(uint64_t*)0x20000918 = 2; *(uint64_t*)0x20000920 = 0x200006c0; memcpy((void*)0x200006c0, "\x32\x29\x20\x2f\xd1\x3c\x8a\xb6\xd5\x54\xd8\xdf\xb6\xa8\x66\x18\x05\xf5\x3c\x5e\x81\x67\x1b\xf5\xd7\x02\xaa\x4c\x17\xca\xd1\x07\xcf\xc6\xa8\xfe\x70\x2b\x26\x94\x2c\x63\x2a\x4e\xd0\xe1\x01\x04\x40\xb5\x1b\x99\x78\x5c\x11\x2a\x0b\xda\x8c\x28\x62\x67\xac\x9c\xb4\xe6\x95\x37\x6a\x13\xd9\x93\x7d\xfe\x15\x42\x39\xc4\xea\x04\xf3\x85\x39\xa8\xe5\x57\xdb\xcc\x89\x09\x42\x0c\x76\xb2\x58\x7b\x42\xaa\x2d\x61\xbf\x39\x5f\xe9\x13\xba\xd8\x6d\xdf\x17\xa8\xf1\xb3\x21\x2d\x0f\x0a\x6b\xc2\xe7\x84\x1e\xf2\xe2\xee\x0b\xe0\x59\x01\xf0\x28\xc7\xc6\x5e\x1c\x2c\xb6\x41\xf5\x56\x50\x8f\xbf\x32\x2d\xa0\x30\xde\x78\x46\xad\x39\x00\x40\x82\xc1\x28\xa0\xff\xb6\x0c\x1b\x80\x1b\xfd\x69\xa0\xe5\xf3\x7b\x51\xfe\xb7\x8d\x97\x24\x0f\x45\xf3\xce\x17\xa2\x8a\xbb\xd8\x9b\xd1\x6c\xd2\xd0\x6c\x74\x48\x89\x90\xab\xa3\x6f\xf0\x06\xe8\xae\x36\x22\xec\x18\xfa\x76\xb7\x67\xbe\x88\xf1\x92\xf9\x4a\xf1\x5e\x23\xd7\x42\x17\x73\x8a\x1d\x48\xef\x2c\x3e\x1c\x0a\x55\x72\x03\x04\x5e\x3b\xa2\x5e\x9c\xd3\x8e\xfa\x64", 244); *(uint64_t*)0x20000928 = 0xf4; *(uint64_t*)0x20000930 = 6; *(uint64_t*)0x20000938 = 0x200007c0; memcpy((void*)0x200007c0, "\x41\x4d\x78\x40\x34\x90\x27\x5a\x20\x64\x95\xf9\x3c\xf6\x22\x29\x59\x6a\x76\xf6\x22\xd4\x2e\x73\x7b\xfa\x14\x8f\xc2\x38\x5d\x9c\x82\x94\x6c\xe9\x5d\x9b\x76\x65\xc1\x48\xbf\xd7\x23\xf5\x24\x8f\xfc\xb6\xa4\xfc\x82\x65\xde\x9d\xa9\xe3\x4f\xf0\x57\x7d\xd7\x19\x23\x3d\x7e\xf9\x61\x0b\x9b\x9d\x98\xd4\xf2\xce\xdc\xc5\x35\x1c\xb7\x23\x4e\x0a\x83\x45\xf8\x1e\x60\x3a\x00\x2c\x13\xd8\x98\xf1\x08\x46\x56\xc5\x1b\xe0\x05\x26\xc6\xb7\x97\x7b\x28\x78\x09\x59\x1c\x51\xa2\x88\xac\xec\x3e\x57\x0a\x94\xcc\x77\x42\x01\x95\xf2\xa8\x1a\x77\x89\x6f\x9f\x08\x1b\x17\x3c\x24\xad\xa2\x30\x41\xea\x2e\x72\x53\x69\x86\x01\xd8\x37\x69\x09\x4d\x34\x89", 157); *(uint64_t*)0x20000940 = 0x9d; *(uint64_t*)0x20000948 = 1; *(uint64_t*)0x20000950 = 0x20000880; memcpy((void*)0x20000880, "\x3c\xc0\xa1\x54\x97\x7d\x26\x88\x2d\x94\xf1\xc1\x08\xa6\x28\x7b\x15\xe8\x35\xbf\x2d\x9e\xbc\xfd\x92\x5c\x45\x69\xc9\xde\x9d\x46\x3b\x92\x91\x58\x99\x0d\x2f\x48", 40); *(uint64_t*)0x20000958 = 0x28; *(uint64_t*)0x20000960 = 0xfffffffffffffbff; memcpy((void*)0x20000980, "flock=strict", 12); *(uint8_t*)0x2000098c = 0x2c; memcpy((void*)0x2000098d, "flock=write", 11); *(uint8_t*)0x20000998 = 0x2c; memcpy((void*)0x20000999, "source", 6); *(uint8_t*)0x2000099f = 0x3d; memcpy((void*)0x200009a0, "\353", 1); *(uint8_t*)0x200009a1 = 0x2c; memcpy((void*)0x200009a2, "autocell", 8); *(uint8_t*)0x200009aa = 0x2c; *(uint8_t*)0x200009ab = 0; syz_mount_image(0x200004c0, 0x20000500, 0x1f, 7, 0x200008c0, 0x1015005, 0x20000980); break; case 27: memcpy((void*)0x200009c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200009c0, 0x10000, 0x6840); break; case 28: *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0; *(uint32_t*)0x20000a4c = 3; *(uint64_t*)0x20000a50 = 0x20000a00; memcpy((void*)0x20000a00, ".\\\000", 3); *(uint32_t*)0x20000a58 = 0; *(uint32_t*)0x20000a5c = 0; *(uint64_t*)0x20000a60 = 0; *(uint64_t*)0x20000a68 = 0; res = syscall(__NR_bpf, 0x14ul, 0x20000a40ul, 0x30ul); if (res != -1) r[9] = *(uint32_t*)0x20000a40; break; case 29: memcpy((void*)0x20000a80, "status\000", 7); syz_open_procfs(r[9], 0x20000a80); break; case 30: syz_open_pts(-1, 0x8000); break; case 31: syz_read_part_table(6, 0, 0x20000ac0); break; case 32: *(uint8_t*)0x20000b00 = 0x12; *(uint8_t*)0x20000b01 = 1; *(uint16_t*)0x20000b02 = 0x250; *(uint8_t*)0x20000b04 = 0xa8; *(uint8_t*)0x20000b05 = 0x9c; *(uint8_t*)0x20000b06 = 0xcc; *(uint8_t*)0x20000b07 = -1; *(uint16_t*)0x20000b08 = 0x499; *(uint16_t*)0x20000b0a = 0x150c; *(uint16_t*)0x20000b0c = 0xbaf4; *(uint8_t*)0x20000b0e = 1; *(uint8_t*)0x20000b0f = 2; *(uint8_t*)0x20000b10 = 3; *(uint8_t*)0x20000b11 = 1; *(uint8_t*)0x20000b12 = 9; *(uint8_t*)0x20000b13 = 2; *(uint16_t*)0x20000b14 = 0x702; *(uint8_t*)0x20000b16 = 3; *(uint8_t*)0x20000b17 = 2; *(uint8_t*)0x20000b18 = 5; *(uint8_t*)0x20000b19 = 0x80; *(uint8_t*)0x20000b1a = 0x1f; *(uint8_t*)0x20000b1b = 9; *(uint8_t*)0x20000b1c = 4; *(uint8_t*)0x20000b1d = 0x7d; *(uint8_t*)0x20000b1e = 0; *(uint8_t*)0x20000b1f = 0xb; *(uint8_t*)0x20000b20 = 0x5c; *(uint8_t*)0x20000b21 = 0x68; *(uint8_t*)0x20000b22 = 0x45; *(uint8_t*)0x20000b23 = 0xb8; *(uint8_t*)0x20000b24 = 0x64; *(uint8_t*)0x20000b25 = 0xe6; memcpy((void*)0x20000b26, "\x25\xbb\xa1\x93\x73\x4e\x4e\xb8\x7c\xbd\x6a\x4c\x96\x1e\xf0\x1e\x6c\x96\x0f\xa2\x7d\xe2\xe0\xb2\x88\x3e\x73\xbc\xb5\x6b\x37\x1c\xc2\xf9\x4a\x39\xee\x59\xf2\x12\x37\xd7\xfd\x38\xba\xfe\xa3\xbe\xbf\x15\x96\x7e\x66\xfd\xa6\x11\x4d\x34\xb3\x49\xe1\x86\x8e\xf9\x5c\xc0\xa0\x63\x05\xd0\x16\xcd\x2c\xc7\x23\x33\x40\x35\xa1\x10\xf9\xda\x19\x7a\xfa\x79\xa6\xb0\x45\xfa\xc5\xf7\xd5\xbb\x63\x9e\x45\x41", 98); *(uint8_t*)0x20000b88 = 0xa; *(uint8_t*)0x20000b89 = 0x24; *(uint8_t*)0x20000b8a = 1; *(uint16_t*)0x20000b8b = 7; *(uint8_t*)0x20000b8d = 0x80; *(uint8_t*)0x20000b8e = 2; *(uint8_t*)0x20000b8f = 1; *(uint8_t*)0x20000b90 = 2; *(uint8_t*)0x20000b91 = 9; *(uint8_t*)0x20000b92 = 5; *(uint8_t*)0x20000b93 = 1; *(uint8_t*)0x20000b94 = 3; *(uint16_t*)0x20000b95 = 0x200; *(uint8_t*)0x20000b97 = 0x81; *(uint8_t*)0x20000b98 = 1; *(uint8_t*)0x20000b99 = 9; *(uint8_t*)0x20000b9a = 7; *(uint8_t*)0x20000b9b = 0x25; *(uint8_t*)0x20000b9c = 1; *(uint8_t*)0x20000b9d = 1; *(uint8_t*)0x20000b9e = 9; *(uint16_t*)0x20000b9f = 0x1000; *(uint8_t*)0x20000ba1 = 9; *(uint8_t*)0x20000ba2 = 5; *(uint8_t*)0x20000ba3 = 6; *(uint8_t*)0x20000ba4 = 8; *(uint16_t*)0x20000ba5 = 0x400; *(uint8_t*)0x20000ba7 = 0xe8; *(uint8_t*)0x20000ba8 = 0xc6; *(uint8_t*)0x20000ba9 = -1; *(uint8_t*)0x20000baa = 7; *(uint8_t*)0x20000bab = 0x25; *(uint8_t*)0x20000bac = 1; *(uint8_t*)0x20000bad = 1; *(uint8_t*)0x20000bae = 0x81; *(uint16_t*)0x20000baf = 6; *(uint8_t*)0x20000bb1 = 9; *(uint8_t*)0x20000bb2 = 5; *(uint8_t*)0x20000bb3 = 0xd; *(uint8_t*)0x20000bb4 = 0; *(uint16_t*)0x20000bb5 = 0x20; *(uint8_t*)0x20000bb7 = 8; *(uint8_t*)0x20000bb8 = 0xb4; *(uint8_t*)0x20000bb9 = 3; *(uint8_t*)0x20000bba = 9; *(uint8_t*)0x20000bbb = 5; *(uint8_t*)0x20000bbc = 2; *(uint8_t*)0x20000bbd = 1; *(uint16_t*)0x20000bbe = 0x200; *(uint8_t*)0x20000bc0 = 2; *(uint8_t*)0x20000bc1 = 6; *(uint8_t*)0x20000bc2 = 0x20; *(uint8_t*)0x20000bc3 = 9; *(uint8_t*)0x20000bc4 = 5; *(uint8_t*)0x20000bc5 = 7; *(uint8_t*)0x20000bc6 = 2; *(uint16_t*)0x20000bc7 = 0x3ff; *(uint8_t*)0x20000bc9 = 0x29; *(uint8_t*)0x20000bca = 4; *(uint8_t*)0x20000bcb = 0x4c; *(uint8_t*)0x20000bcc = 9; *(uint8_t*)0x20000bcd = 5; *(uint8_t*)0x20000bce = 5; *(uint8_t*)0x20000bcf = 0; *(uint16_t*)0x20000bd0 = 0x200; *(uint8_t*)0x20000bd2 = 2; *(uint8_t*)0x20000bd3 = 0x22; *(uint8_t*)0x20000bd4 = 5; *(uint8_t*)0x20000bd5 = 7; *(uint8_t*)0x20000bd6 = 0x25; *(uint8_t*)0x20000bd7 = 1; *(uint8_t*)0x20000bd8 = 0; *(uint8_t*)0x20000bd9 = 7; *(uint16_t*)0x20000bda = 0x27; *(uint8_t*)0x20000bdc = 9; *(uint8_t*)0x20000bdd = 5; *(uint8_t*)0x20000bde = 0xe; *(uint8_t*)0x20000bdf = 0xc; *(uint16_t*)0x20000be0 = 0x20; *(uint8_t*)0x20000be2 = 0x40; *(uint8_t*)0x20000be3 = 9; *(uint8_t*)0x20000be4 = 0x1f; *(uint8_t*)0x20000be5 = 0x4f; *(uint8_t*)0x20000be6 = 1; memcpy((void*)0x20000be7, "\xf1\x48\xd8\x44\x07\xf5\xb8\xdf\xda\x7c\x13\xb6\x82\x81\xb7\xd1\x42\x09\x55\x10\x93\xf9\x1b\x2d\x8f\x89\x1d\x9f\x3b\x8f\xf0\x7a\x8c\x2b\x56\xbc\xbf\xa7\x44\xea\x1d\xa6\x9f\xb1\x16\xc7\x1d\x11\xfa\x13\xb6\xa2\xc4\x64\xe6\x5d\x7c\x70\x6a\xe2\x5e\x0a\xd8\x36\xd3\x28\xf3\x09\x28\xaf\x26\xfe\x9d\x4f\x3f\x1d\xc1", 77); *(uint8_t*)0x20000c34 = 7; *(uint8_t*)0x20000c35 = 0x25; *(uint8_t*)0x20000c36 = 1; *(uint8_t*)0x20000c37 = 0x82; *(uint8_t*)0x20000c38 = 0x18; *(uint16_t*)0x20000c39 = 0xfc0; *(uint8_t*)0x20000c3b = 9; *(uint8_t*)0x20000c3c = 5; *(uint8_t*)0x20000c3d = 4; *(uint8_t*)0x20000c3e = 0; *(uint16_t*)0x20000c3f = 0x400; *(uint8_t*)0x20000c41 = 0; *(uint8_t*)0x20000c42 = 0x80; *(uint8_t*)0x20000c43 = 7; *(uint8_t*)0x20000c44 = 7; *(uint8_t*)0x20000c45 = 0x25; *(uint8_t*)0x20000c46 = 1; *(uint8_t*)0x20000c47 = 2; *(uint8_t*)0x20000c48 = 4; *(uint16_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4b = 0xf7; *(uint8_t*)0x20000c4c = 0x30; memcpy((void*)0x20000c4d, "\xab\xdd\xdd\x4f\x9b\x3f\x7c\x94\x0f\x59\xac\x5d\x6a\xc2\x20\xf7\x66\x83\x45\x97\x34\x86\x90\xed\xd4\x5d\xbc\xad\x8d\x72\x00\xdb\x71\x84\x99\x1d\x25\x39\xdf\x54\xe5\xad\x82\xe5\xd5\x8b\x03\x66\xea\x3b\x34\x1b\xe9\xa3\x0b\x4b\x2b\xd6\x6b\xf0\x04\x79\x62\x8c\xb4\x77\xc8\x29\x38\xf8\xd3\xc1\x06\xa7\xe1\x8b\x0e\x54\x85\xa0\xb1\x61\x1a\xba\x1d\x8a\xd3\xc7\x40\xfc\x3d\x9a\xcc\xb5\xd7\xb2\x93\xb9\x0b\x16\x8c\x3f\x2c\x69\x79\x81\x35\xb5\x62\x47\x5f\xe2\xa3\xb8\xf6\x19\x57\x22\x51\x66\x27\x87\xbf\x74\x9f\x67\x3a\x35\xee\x80\xea\x76\xed\xd0\xfc\x7b\x31\x77\xf2\x4f\x50\xd6\x8a\xce\xd6\x90\x2e\xcf\x5e\x0a\x1d\x31\x26\xd9\x53\x09\x46\xab\xac\x7a\x85\x79\x91\x94\x74\x8f\x34\xee\xf3\xe2\x49\xc0\xed\xe1\x51\x1b\x67\x62\x6c\x06\x32\x2b\xa0\xb3\x13\x3a\xd7\xea\xb4\x6c\xc0\x7a\x99\x5f\x01\x1d\x24\x78\x19\x83\xc1\x70\x9a\x03\xac\x2e\xf1\x65\xa9\xb9\x1e\xd9\xe7\x5e\x22\x19\x05\xa9\x32\xc3\x50\x1d\x40\x56\x69\x16\xd6\x3f\x2f\xae\x4e\x97\x98\xfa\xb8\xe1\x6a\x1d\x36\x4f\x01\x9c\x0e\xbd\xb0", 245); *(uint8_t*)0x20000d42 = 9; *(uint8_t*)0x20000d43 = 5; *(uint8_t*)0x20000d44 = 2; *(uint8_t*)0x20000d45 = 0; *(uint16_t*)0x20000d46 = 0x40; *(uint8_t*)0x20000d48 = 0xfe; *(uint8_t*)0x20000d49 = 0x20; *(uint8_t*)0x20000d4a = 9; *(uint8_t*)0x20000d4b = 0xed; *(uint8_t*)0x20000d4c = 1; memcpy((void*)0x20000d4d, "\x97\x48\x0b\x61\x9e\xce\x34\x91\x71\x8d\x87\x0d\x13\x33\xf7\xf3\xcb\xe0\x33\x67\xac\x7f\x15\xbe\x17\x93\xcf\x2d\x63\x5a\xf6\x7a\xf8\x8c\xfe\xa5\x26\xad\x45\xea\x67\xc3\x9a\xde\x3d\x19\x91\x8d\x55\xea\x59\x8a\x78\x07\xfd\x2c\x56\xad\xdf\xb5\x2f\x42\x75\x6b\xfc\x60\x2c\x04\x56\x0e\x98\x1a\x38\x78\x3c\xa3\xdd\x8b\xa4\x31\xc2\x67\x59\x2b\xc0\x04\xb2\xf5\x3e\x49\x08\x2d\xac\x6a\x78\x48\xb9\x29\xdc\xf5\x3f\x15\x1f\x4c\x9a\xe6\xf8\x91\x2f\xff\xd9\x19\x9b\xcd\xcd\x8b\x95\xfd\xc2\xdf\xaa\x22\xd3\xa7\x31\xf3\xc4\xaa\x34\x47\xd4\x18\x3b\x1c\xb4\xcc\xce\xb3\x6e\x69\x37\xf2\x27\x5c\x89\xce\x0b\xa8\x3f\x40\xc2\xc7\xdb\xf1\x3b\x41\x77\x0a\x0f\x12\x5b\x10\xde\xd7\xee\xfe\x7a\x18\x24\xf9\xee\xf4\x93\x83\x10\xa5\x5c\x12\x1b\xf1\xa9\x25\x9f\x55\x16\x72\xb8\xa0\xa5\x2f\xea\xc5\xcb\xc5\xab\x96\xa5\x49\x1e\xf5\x33\xd7\xbe\x14\x76\x4e\x9d\xa5\x31\xff\xef\x82\xf8\x61\x2a\x74\x0f\xb5\x87\x56\xf7\xcb\x60\x92\xab\xb1\x5a\xa6\xcf\x04\x94\xcb\x71\x06\xf1", 235); *(uint8_t*)0x20000e38 = 0xd3; *(uint8_t*)0x20000e39 = 8; memcpy((void*)0x20000e3a, "\x4e\x8e\x03\x4e\xe9\x75\x01\xac\x38\x25\x74\xd2\xa7\x25\x27\xc5\xe0\xc8\x32\x61\x8b\xc6\xa1\xea\x16\xc3\xf3\x23\x25\x89\x71\x63\x3a\x03\x33\x99\x1a\xd9\x97\x54\xb0\x06\xc9\x5c\x4d\xe5\xf9\x01\xec\x1b\x8d\x86\xbd\x47\xc5\x64\xbd\x2a\xef\x08\xdf\x3c\x22\x4a\x3e\x6e\x40\x84\x65\x54\xee\xd2\x73\x4d\x71\xce\x33\x92\x96\x7e\xf5\x5c\x96\xb3\xda\x0a\xa5\x48\x1f\x31\xc3\x51\xcf\x18\x59\xcb\xee\x24\x4e\x75\x1c\x60\xcf\xad\xc2\x33\xcb\x60\x02\xee\x6f\xf4\xcc\x2c\x9b\x76\x37\x8f\x5b\x6e\x41\x0c\x01\x4f\x25\xcb\x9f\xff\x68\xf8\xa6\xff\x5b\x81\xb6\xd0\x9b\x9c\x7a\x2a\xaf\x84\x8b\xd2\x47\xed\x21\xb1\x3a\xa8\xd3\x5b\xcb\x7b\xf2\xfa\x6b\x8c\xbf\x55\x29\x9e\xdb\xce\x15\xe7\x88\xd1\xf9\x3c\xff\x32\x23\x99\x24\x9a\xc0\x80\xf2\xd4\x7b\xd3\xf2\x7e\x7a\x6d\xe1\x84\x90\x48\x11\x72\x25\x36\xd0\xa2\x33\x0e\x3e\x51\x11\x46\xfa\xab\x98\x64\xd1\xb1\x83", 209); *(uint8_t*)0x20000f0b = 9; *(uint8_t*)0x20000f0c = 5; *(uint8_t*)0x20000f0d = 0xb; *(uint8_t*)0x20000f0e = 0; *(uint16_t*)0x20000f0f = 0x10; *(uint8_t*)0x20000f11 = 0x2c; *(uint8_t*)0x20000f12 = 9; *(uint8_t*)0x20000f13 = 6; *(uint8_t*)0x20000f14 = 7; *(uint8_t*)0x20000f15 = 0x25; *(uint8_t*)0x20000f16 = 1; *(uint8_t*)0x20000f17 = 0x80; *(uint8_t*)0x20000f18 = 0xc9; *(uint16_t*)0x20000f19 = 0xbb; *(uint8_t*)0x20000f1b = 0x1f; *(uint8_t*)0x20000f1c = 0x31; memcpy((void*)0x20000f1d, "\xe4\x4d\x51\xa1\x5a\x72\x0f\x09\x9d\xad\xeb\x93\x26\x25\x52\xa9\x35\x42\x42\x29\xd3\xf4\xd1\x2e\xdc\x1b\xaa\x9f\x88", 29); *(uint8_t*)0x20000f3a = 9; *(uint8_t*)0x20000f3b = 5; *(uint8_t*)0x20000f3c = 0xc; *(uint8_t*)0x20000f3d = 0; *(uint16_t*)0x20000f3e = 8; *(uint8_t*)0x20000f40 = 0x49; *(uint8_t*)0x20000f41 = 0x40; *(uint8_t*)0x20000f42 = 0x55; *(uint8_t*)0x20000f43 = 9; *(uint8_t*)0x20000f44 = 4; *(uint8_t*)0x20000f45 = 0xfe; *(uint8_t*)0x20000f46 = 0x33; *(uint8_t*)0x20000f47 = 2; *(uint8_t*)0x20000f48 = 0xa2; *(uint8_t*)0x20000f49 = 0x17; *(uint8_t*)0x20000f4a = 0x9a; *(uint8_t*)0x20000f4b = 2; *(uint8_t*)0x20000f4c = 9; *(uint8_t*)0x20000f4d = 0x24; *(uint8_t*)0x20000f4e = 6; *(uint8_t*)0x20000f4f = 0; *(uint8_t*)0x20000f50 = 1; memcpy((void*)0x20000f51, "\xfb\x7f\xfd\xe8", 4); *(uint8_t*)0x20000f55 = 5; *(uint8_t*)0x20000f56 = 0x24; *(uint8_t*)0x20000f57 = 0; *(uint16_t*)0x20000f58 = 1; *(uint8_t*)0x20000f5a = 0xd; *(uint8_t*)0x20000f5b = 0x24; *(uint8_t*)0x20000f5c = 0xf; *(uint8_t*)0x20000f5d = 1; *(uint32_t*)0x20000f5e = 4; *(uint16_t*)0x20000f62 = 0x9f54; *(uint16_t*)0x20000f64 = 0x267; *(uint8_t*)0x20000f66 = 1; *(uint8_t*)0x20000f67 = 6; *(uint8_t*)0x20000f68 = 0x24; *(uint8_t*)0x20000f69 = 0x1a; *(uint16_t*)0x20000f6a = 9; *(uint8_t*)0x20000f6c = 9; *(uint8_t*)0x20000f6d = 0xc; *(uint8_t*)0x20000f6e = 0x24; *(uint8_t*)0x20000f6f = 0x1b; *(uint16_t*)0x20000f70 = -1; *(uint16_t*)0x20000f72 = 1; *(uint8_t*)0x20000f74 = 0x20; *(uint8_t*)0x20000f75 = 6; *(uint16_t*)0x20000f76 = 6; *(uint8_t*)0x20000f78 = 6; *(uint8_t*)0x20000f79 = 0x15; *(uint8_t*)0x20000f7a = 0x24; *(uint8_t*)0x20000f7b = 0x12; *(uint16_t*)0x20000f7c = 3; *(uint64_t*)0x20000f7e = 0x14f5e048ba817a3; *(uint64_t*)0x20000f86 = 0x2a397ecbffc007a6; *(uint8_t*)0x20000f8e = 0xc; *(uint8_t*)0x20000f8f = 0x24; *(uint8_t*)0x20000f90 = 0x1b; *(uint16_t*)0x20000f91 = 0x91; *(uint16_t*)0x20000f93 = 5; *(uint8_t*)0x20000f95 = 1; *(uint8_t*)0x20000f96 = -1; *(uint16_t*)0x20000f97 = 5; *(uint8_t*)0x20000f99 = 0x35; *(uint8_t*)0x20000f9a = 4; *(uint8_t*)0x20000f9b = 0x24; *(uint8_t*)0x20000f9c = 2; *(uint8_t*)0x20000f9d = 1; *(uint8_t*)0x20000f9e = 9; *(uint8_t*)0x20000f9f = 5; *(uint8_t*)0x20000fa0 = 0xa; *(uint8_t*)0x20000fa1 = 0x10; *(uint16_t*)0x20000fa2 = 8; *(uint8_t*)0x20000fa4 = 0x80; *(uint8_t*)0x20000fa5 = 0xc1; *(uint8_t*)0x20000fa6 = 4; *(uint8_t*)0x20000fa7 = 0xb8; *(uint8_t*)0x20000fa8 = 0x30; memcpy((void*)0x20000fa9, "\xe3\x84\xdc\xf0\x3a\xc3\x95\x40\xe5\xa2\x21\x99\xf7\x1a\x53\xba\x42\x8c\x3b\x72\x02\x90\xf0\x27\x6b\xcc\xa0\xcd\x15\x40\x5f\x6c\x93\x04\x97\xaf\x5e\xb3\x20\xa4\x33\xcc\x55\x3d\x6e\x01\x08\xed\xbf\x79\x3e\xf0\x24\x0f\xf2\x69\xb4\xff\x96\xd6\x82\x2b\xcb\x48\xce\xba\xe2\xa5\xce\xad\x65\x78\x6e\xbe\xcd\x5f\x30\x0c\x08\x60\x6d\x33\x22\xb8\x36\x00\x29\xbd\x21\x31\x2d\xac\x49\x33\x61\xe1\xb0\x8f\x2a\xdc\xa4\xdc\x49\xa0\x04\xfe\xfd\xf7\xa3\xa5\x25\xae\x5d\xe1\x1f\x0a\x69\x1a\x41\xb8\x69\xd9\xb9\xa5\xd9\x0d\x5a\x7b\x5e\xbe\x9e\x57\x73\xb9\x7e\xfe\x98\xe3\x89\x53\x77\xa4\x24\xe3\x0e\xf2\x2f\xd2\xff\xa2\x53\x2f\x1b\xb3\xc1\xa4\xe3\xb8\x6a\xfc\x08\xb2\x65\x9a\xa2\xe5\x56\xf1\x90\xe2\x7f\x83\x61\x9a\x16\x18\xd3\x71\xe1\x02\xc5\x58", 182); *(uint8_t*)0x2000105f = 9; *(uint8_t*)0x20001060 = 5; *(uint8_t*)0x20001061 = 0x80; *(uint8_t*)0x20001062 = 1; *(uint16_t*)0x20001063 = 0x40; *(uint8_t*)0x20001065 = 4; *(uint8_t*)0x20001066 = 0; *(uint8_t*)0x20001067 = 0x1f; *(uint8_t*)0x20001068 = 9; *(uint8_t*)0x20001069 = 4; *(uint8_t*)0x2000106a = 0x74; *(uint8_t*)0x2000106b = 0x90; *(uint8_t*)0x2000106c = 0xa; *(uint8_t*)0x2000106d = -1; *(uint8_t*)0x2000106e = 0x5d; *(uint8_t*)0x2000106f = 1; *(uint8_t*)0x20001070 = 0x81; *(uint8_t*)0x20001071 = 0x6c; *(uint8_t*)0x20001072 = 4; memcpy((void*)0x20001073, "\xde\xaf\x84\x76\xcc\x58\x55\xff\xb6\xd2\x2d\x6c\xeb\x29\x77\x34\x8b\xa8\x6d\xee\x7d\x9e\x22\xe0\xc4\x64\x77\xb0\x6c\x0d\xb5\x14\xbb\x53\x83\xa6\x2a\x40\x2c\xc6\xe0\x79\x5d\xdd\xa5\x10\xcf\x42\x38\xb2\xc6\x4b\x65\x7a\x11\x11\xef\xc0\xe4\xaa\xcf\x9e\x40\x80\x2d\xd0\xee\xb6\x9f\x27\x1c\x1e\x6f\xe0\xee\x5e\x9f\x48\x12\x28\x32\xe6\xa8\x0a\x4d\x7a\x66\x11\xe3\xfd\x2d\xca\x49\xd3\x51\x90\x8f\xf9\xa4\x8c\xa2\x0c\x78\xa6\x9c\x65", 106); *(uint8_t*)0x200010dd = 9; *(uint8_t*)0x200010de = 0x21; *(uint16_t*)0x200010df = 7; *(uint8_t*)0x200010e1 = 7; *(uint8_t*)0x200010e2 = 1; *(uint8_t*)0x200010e3 = 0x22; *(uint16_t*)0x200010e4 = 0xab5; *(uint8_t*)0x200010e6 = 9; *(uint8_t*)0x200010e7 = 5; *(uint8_t*)0x200010e8 = 0; *(uint8_t*)0x200010e9 = 0; *(uint16_t*)0x200010ea = 0x200; *(uint8_t*)0x200010ec = 4; *(uint8_t*)0x200010ed = 7; *(uint8_t*)0x200010ee = 0; *(uint8_t*)0x200010ef = 9; *(uint8_t*)0x200010f0 = 5; *(uint8_t*)0x200010f1 = 0x80; *(uint8_t*)0x200010f2 = 0xc; *(uint16_t*)0x200010f3 = 0x40; *(uint8_t*)0x200010f5 = 0; *(uint8_t*)0x200010f6 = 0x7f; *(uint8_t*)0x200010f7 = -1; *(uint8_t*)0x200010f8 = 7; *(uint8_t*)0x200010f9 = 0x25; *(uint8_t*)0x200010fa = 1; *(uint8_t*)0x200010fb = 0; *(uint8_t*)0x200010fc = 0; *(uint16_t*)0x200010fd = 0xff; *(uint8_t*)0x200010ff = 7; *(uint8_t*)0x20001100 = 0x25; *(uint8_t*)0x20001101 = 1; *(uint8_t*)0x20001102 = 2; *(uint8_t*)0x20001103 = 0xfa; *(uint16_t*)0x20001104 = 5; *(uint8_t*)0x20001106 = 9; *(uint8_t*)0x20001107 = 5; *(uint8_t*)0x20001108 = 3; *(uint8_t*)0x20001109 = 3; *(uint16_t*)0x2000110a = 0x3ff; *(uint8_t*)0x2000110c = 0x80; *(uint8_t*)0x2000110d = 0x7f; *(uint8_t*)0x2000110e = 8; *(uint8_t*)0x2000110f = 9; *(uint8_t*)0x20001110 = 5; *(uint8_t*)0x20001111 = 5; *(uint8_t*)0x20001112 = 1; *(uint16_t*)0x20001113 = 0x20; *(uint8_t*)0x20001115 = 4; *(uint8_t*)0x20001116 = 0x3c; *(uint8_t*)0x20001117 = 4; *(uint8_t*)0x20001118 = 7; *(uint8_t*)0x20001119 = 0x25; *(uint8_t*)0x2000111a = 1; *(uint8_t*)0x2000111b = 0x80; *(uint8_t*)0x2000111c = 0x40; *(uint16_t*)0x2000111d = 0x800; *(uint8_t*)0x2000111f = 9; *(uint8_t*)0x20001120 = 5; *(uint8_t*)0x20001121 = 0xd; *(uint8_t*)0x20001122 = 0; *(uint16_t*)0x20001123 = 0x20; *(uint8_t*)0x20001125 = -1; *(uint8_t*)0x20001126 = 0x14; *(uint8_t*)0x20001127 = 0x3f; *(uint8_t*)0x20001128 = 9; *(uint8_t*)0x20001129 = 5; *(uint8_t*)0x2000112a = 4; *(uint8_t*)0x2000112b = 0; *(uint16_t*)0x2000112c = 0x20; *(uint8_t*)0x2000112e = 1; *(uint8_t*)0x2000112f = 1; *(uint8_t*)0x20001130 = 0x56; *(uint8_t*)0x20001131 = 9; *(uint8_t*)0x20001132 = 5; *(uint8_t*)0x20001133 = 0xc; *(uint8_t*)0x20001134 = 0x10; *(uint16_t*)0x20001135 = 8; *(uint8_t*)0x20001137 = 1; *(uint8_t*)0x20001138 = 5; *(uint8_t*)0x20001139 = 2; *(uint8_t*)0x2000113a = 0x20; *(uint8_t*)0x2000113b = 4; memcpy((void*)0x2000113c, "\x6d\xdd\x41\x04\xce\xf7\xb1\xf7\xb2\xdd\xda\xbb\x24\xea\x94\xbe\x1e\x8a\xc9\xfb\xba\x62\xcd\x71\xc1\xa1\xcb\xfa\x4e\x73", 30); *(uint8_t*)0x2000115a = 9; *(uint8_t*)0x2000115b = 5; *(uint8_t*)0x2000115c = 7; *(uint8_t*)0x2000115d = 4; *(uint16_t*)0x2000115e = 0x10; *(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 6; *(uint8_t*)0x20001162 = 0xf8; *(uint8_t*)0x20001163 = 7; *(uint8_t*)0x20001164 = 0x25; *(uint8_t*)0x20001165 = 1; *(uint8_t*)0x20001166 = 0x80; *(uint8_t*)0x20001167 = 3; *(uint16_t*)0x20001168 = 0x8000; *(uint8_t*)0x2000116a = 0x98; *(uint8_t*)0x2000116b = 0x21; memcpy((void*)0x2000116c, "\xe7\xba\xc6\xd3\x44\x3c\xdf\xcd\xf9\xc2\x4b\x69\x78\xdb\xfb\x9d\xd1\x82\x4a\x59\x64\xcb\xfa\x0f\xe6\x42\x96\xd5\x79\x4c\x61\x59\xbc\x30\xb8\x02\xa5\x9b\x5c\x7a\x49\xb5\x34\x03\x5d\xf5\x6b\xbc\x48\x86\x52\xee\x31\xc6\x01\xd5\x32\x65\x07\x01\x6b\xd4\x45\xa1\xc0\x9d\xf2\x31\xcf\x57\x81\x19\x0d\xaa\xba\x0c\xbd\x84\xa1\x72\x64\x03\x27\xb8\xc1\xa1\xd9\x0b\xfa\xb1\x8f\x24\x96\x1f\xfe\x12\xa0\x48\x6a\x23\x9c\x79\xa2\x59\xc5\x37\x65\x26\x03\xdc\xbd\x4b\x2b\x73\x42\xae\x0d\x71\x5a\x75\x43\xf4\xd0\x8b\xb5\x57\xbd\xdc\xd3\xbc\xa8\x35\x90\xb5\x7c\x30\xee\xe2\xce\x95\xf6\xc7\x10\x2f\x64\x6a\xf8\x28\xa4\x96", 150); *(uint8_t*)0x20001202 = 9; *(uint8_t*)0x20001203 = 5; *(uint8_t*)0x20001204 = 2; *(uint8_t*)0x20001205 = 3; *(uint16_t*)0x20001206 = 0x400; *(uint8_t*)0x20001208 = 3; *(uint8_t*)0x20001209 = 2; *(uint8_t*)0x2000120a = 8; *(uint8_t*)0x2000120b = 9; *(uint8_t*)0x2000120c = 5; *(uint8_t*)0x2000120d = 6; *(uint8_t*)0x2000120e = 0x10; *(uint16_t*)0x2000120f = 0x20; *(uint8_t*)0x20001211 = -1; *(uint8_t*)0x20001212 = 4; *(uint8_t*)0x20001213 = 6; *(uint32_t*)0x20001540 = 0xa; *(uint64_t*)0x20001544 = 0x20001240; *(uint8_t*)0x20001240 = 0xa; *(uint8_t*)0x20001241 = 6; *(uint16_t*)0x20001242 = 0x300; *(uint8_t*)0x20001244 = -1; *(uint8_t*)0x20001245 = 0x81; *(uint8_t*)0x20001246 = 6; *(uint8_t*)0x20001247 = 0xf7; *(uint8_t*)0x20001248 = 0xc4; *(uint8_t*)0x20001249 = 0; *(uint32_t*)0x2000154c = 0xf; *(uint64_t*)0x20001550 = 0x20001280; *(uint8_t*)0x20001280 = 5; *(uint8_t*)0x20001281 = 0xf; *(uint16_t*)0x20001282 = 0xf; *(uint8_t*)0x20001284 = 1; *(uint8_t*)0x20001285 = 0xa; *(uint8_t*)0x20001286 = 0x10; *(uint8_t*)0x20001287 = 3; *(uint8_t*)0x20001288 = 0; *(uint16_t*)0x20001289 = 0; *(uint8_t*)0x2000128b = 8; *(uint8_t*)0x2000128c = 0x1f; *(uint16_t*)0x2000128d = 0xfff; *(uint32_t*)0x20001558 = 5; *(uint32_t*)0x2000155c = 4; *(uint64_t*)0x20001560 = 0x200012c0; *(uint8_t*)0x200012c0 = 4; *(uint8_t*)0x200012c1 = 3; *(uint16_t*)0x200012c2 = 0xc07; *(uint32_t*)0x20001568 = 0x54; *(uint64_t*)0x2000156c = 0x20001300; *(uint8_t*)0x20001300 = 0x54; *(uint8_t*)0x20001301 = 3; memcpy((void*)0x20001302, "\x32\x1d\x45\x7f\x2f\x5a\xb9\xfc\xb1\x11\x8c\x96\x06\x31\xfd\x85\xa7\x5e\xad\x82\x91\x36\xaa\x2a\x6c\xc0\x31\x14\x51\x03\x5f\xe1\x7b\x95\x6e\xb8\xfa\x52\xd4\x95\xa3\x11\xa6\xc0\x3f\x0a\xe8\x4c\x86\xf0\xed\x78\xda\xeb\xfa\x15\xdb\x7b\xc5\x78\x8c\x97\x24\xba\xf4\x58\x2d\xc0\xec\x1b\xa6\x68\x1a\x76\xb0\xa1\xbf\xc5\xde\x9d\xae\xcc", 82); *(uint32_t*)0x20001574 = 0xd3; *(uint64_t*)0x20001578 = 0x20001380; *(uint8_t*)0x20001380 = 0xd3; *(uint8_t*)0x20001381 = 3; memcpy((void*)0x20001382, "\x18\x33\x6f\xc5\x62\x3b\xa1\x41\x06\x34\xc4\x05\x0b\xcf\x3b\x48\x8e\xa4\x18\x67\xd0\x59\xdc\xdc\xd2\xc3\x68\xd8\x48\xfe\x51\x47\x32\x3c\x0b\xa4\xe5\x1d\x7c\xf2\xa3\xd1\x50\x25\x8f\x8c\xc2\x56\x9b\xd7\x9e\x95\x1e\xa9\x5a\x31\x8d\xe3\x1d\x14\x6c\x37\xa7\xcf\x71\x2f\x1f\xcd\x44\x03\x90\x85\x2c\x8d\x52\x16\xf8\xd2\x3a\x99\x18\xb0\xe0\x53\x52\x1e\xb6\x70\xad\x3e\xe0\xfb\x8a\x93\xa8\xd7\xba\xd7\x19\x9e\xeb\xe1\x2a\x3b\x02\x10\x7a\xc4\x54\x2b\xc6\x49\x79\x77\xe3\x30\x8b\x40\x7b\xf3\x64\x98\x2f\x4f\xc9\xc3\x30\xf9\xa7\x5c\xcb\x65\xc8\x68\x8d\x5c\x24\x7a\xd0\x6c\x20\xcc\xf0\x14\x65\xe3\xab\x09\xfc\x77\x7f\x73\x47\x4c\x2c\xd0\x53\xb8\x48\xad\x32\x55\xb5\xad\xc8\x1e\x03\x3d\x2a\x0f\xac\x50\x61\xea\x52\xda\xcf\x46\xe8\x8e\x8c\x2e\x38\x8d\xeb\x91\xd2\xd9\xfc\x12\x42\x55\x90\x93\x36\x41\x8e\x74\x3b\xda\x4c\xb4\xf7\x3c\x6b\x75\xaf\x9a\x9b", 209); *(uint32_t*)0x20001580 = 4; *(uint64_t*)0x20001584 = 0x20001480; *(uint8_t*)0x20001480 = 4; *(uint8_t*)0x20001481 = 3; *(uint16_t*)0x20001482 = 0x42b; *(uint32_t*)0x2000158c = 0x5a; *(uint64_t*)0x20001590 = 0x200014c0; *(uint8_t*)0x200014c0 = 0x5a; *(uint8_t*)0x200014c1 = 3; memcpy((void*)0x200014c2, "\x4d\x85\xf3\x14\x20\xff\x1c\xed\xa2\x5d\x11\x8d\x33\xa6\xeb\xbc\xe8\x88\xc1\x2d\x90\xeb\x54\xc8\x27\xd1\x49\xc8\xdc\xbd\x99\xf3\x89\x3b\x35\xd1\xda\x6c\x77\x6b\x1b\x5d\x08\x4b\x30\x8c\xdf\x93\x47\x41\x67\xf2\x66\x19\x9f\x44\x0a\x03\xfc\x3e\x34\x38\x03\x1b\x87\x25\xdd\xe6\x02\x9a\x62\x9c\x08\x43\xbe\xdf\x04\x8b\x84\x09\xb1\x53\xf9\x03\xd6\x57\xd2\x2b", 88); res = -1; res = syz_usb_connect(6, 0x714, 0x20000b00, 0x20001540); if (res != -1) r[10] = res; break; case 33: *(uint8_t*)0x200015c0 = 0x12; *(uint8_t*)0x200015c1 = 1; *(uint16_t*)0x200015c2 = 0x200; *(uint8_t*)0x200015c4 = -1; *(uint8_t*)0x200015c5 = -1; *(uint8_t*)0x200015c6 = -1; *(uint8_t*)0x200015c7 = 0x40; *(uint16_t*)0x200015c8 = 0xcf3; *(uint16_t*)0x200015ca = 0x9271; *(uint16_t*)0x200015cc = 0x108; *(uint8_t*)0x200015ce = 1; *(uint8_t*)0x200015cf = 2; *(uint8_t*)0x200015d0 = 3; *(uint8_t*)0x200015d1 = 1; *(uint8_t*)0x200015d2 = 9; *(uint8_t*)0x200015d3 = 2; *(uint16_t*)0x200015d4 = 0x48; *(uint8_t*)0x200015d6 = 1; *(uint8_t*)0x200015d7 = 1; *(uint8_t*)0x200015d8 = 0; *(uint8_t*)0x200015d9 = 0x80; *(uint8_t*)0x200015da = 0xfa; *(uint8_t*)0x200015db = 9; *(uint8_t*)0x200015dc = 4; *(uint8_t*)0x200015dd = 0; *(uint8_t*)0x200015de = 0; *(uint8_t*)0x200015df = 6; *(uint8_t*)0x200015e0 = -1; *(uint8_t*)0x200015e1 = 0; *(uint8_t*)0x200015e2 = 0; *(uint8_t*)0x200015e3 = 0; *(uint8_t*)0x200015e4 = 9; *(uint8_t*)0x200015e5 = 5; *(uint8_t*)0x200015e6 = 1; *(uint8_t*)0x200015e7 = 2; *(uint16_t*)0x200015e8 = 0x200; *(uint8_t*)0x200015ea = 0; *(uint8_t*)0x200015eb = 0; *(uint8_t*)0x200015ec = 0; *(uint8_t*)0x200015ed = 9; *(uint8_t*)0x200015ee = 5; *(uint8_t*)0x200015ef = 0x82; *(uint8_t*)0x200015f0 = 2; *(uint16_t*)0x200015f1 = 0x200; *(uint8_t*)0x200015f3 = 0; *(uint8_t*)0x200015f4 = 0; *(uint8_t*)0x200015f5 = 0; *(uint8_t*)0x200015f6 = 9; *(uint8_t*)0x200015f7 = 5; *(uint8_t*)0x200015f8 = 0x83; *(uint8_t*)0x200015f9 = 3; *(uint16_t*)0x200015fa = 0x40; *(uint8_t*)0x200015fc = 1; *(uint8_t*)0x200015fd = 0; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 9; *(uint8_t*)0x20001600 = 5; *(uint8_t*)0x20001601 = 4; *(uint8_t*)0x20001602 = 3; *(uint16_t*)0x20001603 = 0x40; *(uint8_t*)0x20001605 = 1; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 9; *(uint8_t*)0x20001609 = 5; *(uint8_t*)0x2000160a = 5; *(uint8_t*)0x2000160b = 2; *(uint16_t*)0x2000160c = 0x200; *(uint8_t*)0x2000160e = 0; *(uint8_t*)0x2000160f = 0; *(uint8_t*)0x20001610 = 0; *(uint8_t*)0x20001611 = 9; *(uint8_t*)0x20001612 = 5; *(uint8_t*)0x20001613 = 6; *(uint8_t*)0x20001614 = 2; *(uint16_t*)0x20001615 = 0x200; *(uint8_t*)0x20001617 = 0; *(uint8_t*)0x20001618 = 0; *(uint8_t*)0x20001619 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200015c0, 0); if (res != -1) r[11] = res; break; case 34: *(uint32_t*)0x200017c0 = 0x2c; *(uint64_t*)0x200017c4 = 0x20001640; *(uint8_t*)0x20001640 = 0; *(uint8_t*)0x20001641 = 0x24; *(uint32_t*)0x20001642 = 0x5e; *(uint8_t*)0x20001646 = 0x5e; *(uint8_t*)0x20001647 = 9; memcpy((void*)0x20001648, "\x50\xd3\x39\x2d\x02\xeb\xd2\x29\x33\x8b\x7e\x71\x70\xb9\x84\xd0\x49\x07\xf9\xce\xe9\x84\xf8\x3f\x84\xc9\x51\x8b\x9d\xd9\x17\x85\xfe\x2d\x66\xe1\x04\x26\xff\x86\xd8\xe7\xd6\x63\x53\x83\x06\x24\x01\x71\x79\x0d\x7f\x77\x66\x64\xbd\xfd\x68\xd3\xdf\x43\xcd\xf6\xd0\xe3\xab\x3d\x2a\x62\x95\x30\x92\xa2\xd7\xce\x2f\xcd\xfe\x2c\xf5\x00\x26\x86\x9a\x4b\xcd\x06\x6a\xf9\xdd\xbd", 92); *(uint64_t*)0x200017cc = 0x200016c0; *(uint8_t*)0x200016c0 = 0; *(uint8_t*)0x200016c1 = 3; *(uint32_t*)0x200016c2 = 4; *(uint8_t*)0x200016c6 = 4; *(uint8_t*)0x200016c7 = 3; *(uint16_t*)0x200016c8 = 0x449; *(uint64_t*)0x200017d4 = 0x20001700; *(uint8_t*)0x20001700 = 0; *(uint8_t*)0x20001701 = 0xf; *(uint32_t*)0x20001702 = 0x19; *(uint8_t*)0x20001706 = 5; *(uint8_t*)0x20001707 = 0xf; *(uint16_t*)0x20001708 = 0x19; *(uint8_t*)0x2000170a = 1; *(uint8_t*)0x2000170b = 0x14; *(uint8_t*)0x2000170c = 0x10; *(uint8_t*)0x2000170d = 4; *(uint8_t*)0x2000170e = 0x3f; memcpy((void*)0x2000170f, "\x0f\xf6\x11\x98\x8b\x42\x04\x3b\xdd\x16\xf1\x8b\x9b\x82\xf6\xcf", 16); *(uint64_t*)0x200017dc = 0x20001740; *(uint8_t*)0x20001740 = 0x20; *(uint8_t*)0x20001741 = 0x29; *(uint32_t*)0x20001742 = 0xf; *(uint8_t*)0x20001746 = 0xf; *(uint8_t*)0x20001747 = 0x29; *(uint8_t*)0x20001748 = 0; *(uint16_t*)0x20001749 = 0; *(uint8_t*)0x2000174b = 9; *(uint8_t*)0x2000174c = 0x68; memcpy((void*)0x2000174d, "\x60\xc5\x11\xfa", 4); memcpy((void*)0x20001751, "\x23\xe3\xf5\x32", 4); *(uint64_t*)0x200017e4 = 0x20001780; *(uint8_t*)0x20001780 = 0x20; *(uint8_t*)0x20001781 = 0x2a; *(uint32_t*)0x20001782 = 0xc; *(uint8_t*)0x20001786 = 0xc; *(uint8_t*)0x20001787 = 0x2a; *(uint8_t*)0x20001788 = 5; *(uint16_t*)0x20001789 = 0; *(uint8_t*)0x2000178b = 2; *(uint8_t*)0x2000178c = 7; *(uint8_t*)0x2000178d = 8; *(uint16_t*)0x2000178e = 5; *(uint16_t*)0x20001790 = 0x200; *(uint32_t*)0x20001c80 = 0x84; *(uint64_t*)0x20001c84 = 0x20001800; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0x16; *(uint32_t*)0x20001802 = 0x92; memcpy((void*)0x20001806, "\xe4\x9c\x4e\x0f\xdf\x52\x1d\x4b\xb8\x3a\x1c\x78\xb9\xb6\xf3\x2e\xb6\xe3\x8f\xba\x14\x32\x72\x7c\x39\x17\x49\x72\x7c\x41\x81\x5d\xc3\xfc\x41\x93\xcf\x0f\xc2\x47\xb3\x2c\x61\xdd\x80\xf2\x66\x29\xd7\xcf\x71\x4f\xc0\x80\x15\x77\x01\x40\x5e\x55\xe4\xd1\xae\x2b\x75\x8c\x66\x82\x10\x44\xd2\xe8\x09\x4f\x1b\xd7\x5c\xcf\x96\x00\x45\x47\x26\xe5\xdf\x97\x64\x08\x2d\x53\x70\x12\xad\x6f\xa0\x0a\x11\xbf\x54\x6f\x5d\x86\xaf\x48\x2a\x8f\x0b\x05\x74\x28\x7a\x4c\x56\x40\xbd\x1a\x22\x5a\x60\xd1\x96\x1c\xd5\x6b\x3b\x48\xcf\x69\xd7\x76\xcd\x8b\xba\xc5\xdc\x15\x44\xbf\x6b\x94\xb3\x51\x93\x83\xf9\xc5", 146); *(uint64_t*)0x20001c8c = 0x200018c0; *(uint8_t*)0x200018c0 = 0; *(uint8_t*)0x200018c1 = 0xa; *(uint32_t*)0x200018c2 = 1; *(uint8_t*)0x200018c6 = 0xea; *(uint64_t*)0x20001c94 = 0x20001900; *(uint8_t*)0x20001900 = 0; *(uint8_t*)0x20001901 = 8; *(uint32_t*)0x20001902 = 1; *(uint8_t*)0x20001906 = 0xc0; *(uint64_t*)0x20001c9c = 0x20001940; *(uint8_t*)0x20001940 = 0x20; *(uint8_t*)0x20001941 = 0; *(uint32_t*)0x20001942 = 4; *(uint16_t*)0x20001946 = 3; *(uint16_t*)0x20001948 = 0xc065; *(uint64_t*)0x20001ca4 = 0x20001980; *(uint8_t*)0x20001980 = 0x20; *(uint8_t*)0x20001981 = 0; *(uint32_t*)0x20001982 = 8; *(uint16_t*)0x20001986 = 0x200; *(uint16_t*)0x20001988 = 2; *(uint32_t*)0x2000198a = 0; *(uint64_t*)0x20001cac = 0x200019c0; *(uint8_t*)0x200019c0 = 0x40; *(uint8_t*)0x200019c1 = 7; *(uint32_t*)0x200019c2 = 2; *(uint16_t*)0x200019c6 = 0; *(uint64_t*)0x20001cb4 = 0x20001a00; *(uint8_t*)0x20001a00 = 0x40; *(uint8_t*)0x20001a01 = 9; *(uint32_t*)0x20001a02 = 1; *(uint8_t*)0x20001a06 = 7; *(uint64_t*)0x20001cbc = 0x20001a40; *(uint8_t*)0x20001a40 = 0x40; *(uint8_t*)0x20001a41 = 0xb; *(uint32_t*)0x20001a42 = 2; memcpy((void*)0x20001a46, ",e", 2); *(uint64_t*)0x20001cc4 = 0x20001a80; *(uint8_t*)0x20001a80 = 0x40; *(uint8_t*)0x20001a81 = 0xf; *(uint32_t*)0x20001a82 = 2; *(uint16_t*)0x20001a86 = 0xa; *(uint64_t*)0x20001ccc = 0x20001ac0; *(uint8_t*)0x20001ac0 = 0x40; *(uint8_t*)0x20001ac1 = 0x13; *(uint32_t*)0x20001ac2 = 6; memcpy((void*)0x20001ac6, "\xcb\xa5\xd8\xd5\x17\x87", 6); *(uint64_t*)0x20001cd4 = 0x20001b00; *(uint8_t*)0x20001b00 = 0x40; *(uint8_t*)0x20001b01 = 0x17; *(uint32_t*)0x20001b02 = 6; *(uint8_t*)0x20001b06 = 0xaa; *(uint8_t*)0x20001b07 = 0xaa; *(uint8_t*)0x20001b08 = 0xaa; *(uint8_t*)0x20001b09 = 0xaa; *(uint8_t*)0x20001b0a = 0xaa; *(uint8_t*)0x20001b0b = 0x1b; *(uint64_t*)0x20001cdc = 0x20001b40; *(uint8_t*)0x20001b40 = 0x40; *(uint8_t*)0x20001b41 = 0x19; *(uint32_t*)0x20001b42 = 2; memcpy((void*)0x20001b46, "\x09\xef", 2); *(uint64_t*)0x20001ce4 = 0x20001b80; *(uint8_t*)0x20001b80 = 0x40; *(uint8_t*)0x20001b81 = 0x1a; *(uint32_t*)0x20001b82 = 2; *(uint16_t*)0x20001b86 = 0x200; *(uint64_t*)0x20001cec = 0x20001bc0; *(uint8_t*)0x20001bc0 = 0x40; *(uint8_t*)0x20001bc1 = 0x1c; *(uint32_t*)0x20001bc2 = 1; *(uint8_t*)0x20001bc6 = 0x20; *(uint64_t*)0x20001cf4 = 0x20001c00; *(uint8_t*)0x20001c00 = 0x40; *(uint8_t*)0x20001c01 = 0x1e; *(uint32_t*)0x20001c02 = 1; *(uint8_t*)0x20001c06 = 0x81; *(uint64_t*)0x20001cfc = 0x20001c40; *(uint8_t*)0x20001c40 = 0x40; *(uint8_t*)0x20001c41 = 0x21; *(uint32_t*)0x20001c42 = 1; *(uint8_t*)0x20001c46 = 0x40; syz_usb_control_io(r[11], 0x200017c0, 0x20001c80); break; case 35: *(uint8_t*)0x20001d40 = 0x12; *(uint8_t*)0x20001d41 = 1; *(uint16_t*)0x20001d42 = 0x300; *(uint8_t*)0x20001d44 = 0; *(uint8_t*)0x20001d45 = 0; *(uint8_t*)0x20001d46 = 0; *(uint8_t*)0x20001d47 = 0x40; *(uint16_t*)0x20001d48 = 0x1d6b; *(uint16_t*)0x20001d4a = 0x101; *(uint16_t*)0x20001d4c = 0x40; *(uint8_t*)0x20001d4e = 1; *(uint8_t*)0x20001d4f = 2; *(uint8_t*)0x20001d50 = 3; *(uint8_t*)0x20001d51 = 1; *(uint8_t*)0x20001d52 = 9; *(uint8_t*)0x20001d53 = 2; *(uint16_t*)0x20001d54 = 0xa4; *(uint8_t*)0x20001d56 = 3; *(uint8_t*)0x20001d57 = 1; *(uint8_t*)0x20001d58 = 8; *(uint8_t*)0x20001d59 = 0x80; *(uint8_t*)0x20001d5a = 0x1f; *(uint8_t*)0x20001d5b = 9; *(uint8_t*)0x20001d5c = 4; *(uint8_t*)0x20001d5d = 0; *(uint8_t*)0x20001d5e = 0; *(uint8_t*)0x20001d5f = 0; *(uint8_t*)0x20001d60 = 1; *(uint8_t*)0x20001d61 = 1; *(uint8_t*)0x20001d62 = 0; *(uint8_t*)0x20001d63 = 0; *(uint8_t*)0x20001d64 = 0xa; *(uint8_t*)0x20001d65 = 0x24; *(uint8_t*)0x20001d66 = 1; *(uint16_t*)0x20001d67 = 0x7f; *(uint8_t*)0x20001d69 = 0x24; *(uint8_t*)0x20001d6a = 2; *(uint8_t*)0x20001d6b = 1; *(uint8_t*)0x20001d6c = 2; *(uint8_t*)0x20001d6d = 0xb; *(uint8_t*)0x20001d6e = 0x24; *(uint8_t*)0x20001d6f = 4; *(uint8_t*)0x20001d70 = 3; *(uint8_t*)0x20001d71 = 0x3f; memcpy((void*)0x20001d72, "\xe3\xa7\xba\x11\xb7\x73", 6); *(uint8_t*)0x20001d78 = 0xc; *(uint8_t*)0x20001d79 = 0x24; *(uint8_t*)0x20001d7a = 2; *(uint8_t*)0x20001d7b = 4; *(uint16_t*)0x20001d7c = 0x203; *(uint8_t*)0x20001d7e = 1; *(uint8_t*)0x20001d7f = 2; *(uint16_t*)0x20001d80 = 7; *(uint8_t*)0x20001d82 = 0xfd; *(uint8_t*)0x20001d83 = 0; *(uint8_t*)0x20001d84 = 7; *(uint8_t*)0x20001d85 = 0x24; *(uint8_t*)0x20001d86 = 8; *(uint8_t*)0x20001d87 = 2; *(uint16_t*)0x20001d88 = 4; *(uint8_t*)0x20001d8a = 0x40; *(uint8_t*)0x20001d8b = 9; *(uint8_t*)0x20001d8c = 0x24; *(uint8_t*)0x20001d8d = 3; *(uint8_t*)0x20001d8e = 2; *(uint16_t*)0x20001d8f = 0x101; *(uint8_t*)0x20001d91 = 4; *(uint8_t*)0x20001d92 = 4; *(uint8_t*)0x20001d93 = 5; *(uint8_t*)0x20001d94 = 9; *(uint8_t*)0x20001d95 = 4; *(uint8_t*)0x20001d96 = 1; *(uint8_t*)0x20001d97 = 0; *(uint8_t*)0x20001d98 = 0; *(uint8_t*)0x20001d99 = 1; *(uint8_t*)0x20001d9a = 2; *(uint8_t*)0x20001d9b = 0; *(uint8_t*)0x20001d9c = 0; *(uint8_t*)0x20001d9d = 9; *(uint8_t*)0x20001d9e = 4; *(uint8_t*)0x20001d9f = 1; *(uint8_t*)0x20001da0 = 1; *(uint8_t*)0x20001da1 = 1; *(uint8_t*)0x20001da2 = 1; *(uint8_t*)0x20001da3 = 2; *(uint8_t*)0x20001da4 = 0; *(uint8_t*)0x20001da5 = 0; *(uint8_t*)0x20001da6 = 9; *(uint8_t*)0x20001da7 = 5; *(uint8_t*)0x20001da8 = 1; *(uint8_t*)0x20001da9 = 9; *(uint16_t*)0x20001daa = 0x200; *(uint8_t*)0x20001dac = 0xfc; *(uint8_t*)0x20001dad = 9; *(uint8_t*)0x20001dae = 7; *(uint8_t*)0x20001daf = 7; *(uint8_t*)0x20001db0 = 0x25; *(uint8_t*)0x20001db1 = 1; *(uint8_t*)0x20001db2 = 0; *(uint8_t*)0x20001db3 = 2; *(uint16_t*)0x20001db4 = 8; *(uint8_t*)0x20001db6 = 9; *(uint8_t*)0x20001db7 = 4; *(uint8_t*)0x20001db8 = 2; *(uint8_t*)0x20001db9 = 0; *(uint8_t*)0x20001dba = 0; *(uint8_t*)0x20001dbb = 1; *(uint8_t*)0x20001dbc = 2; *(uint8_t*)0x20001dbd = 0; *(uint8_t*)0x20001dbe = 0; *(uint8_t*)0x20001dbf = 9; *(uint8_t*)0x20001dc0 = 4; *(uint8_t*)0x20001dc1 = 2; *(uint8_t*)0x20001dc2 = 1; *(uint8_t*)0x20001dc3 = 1; *(uint8_t*)0x20001dc4 = 1; *(uint8_t*)0x20001dc5 = 2; *(uint8_t*)0x20001dc6 = 0; *(uint8_t*)0x20001dc7 = 0; *(uint8_t*)0x20001dc8 = 0x12; *(uint8_t*)0x20001dc9 = 0x24; *(uint8_t*)0x20001dca = 2; *(uint8_t*)0x20001dcb = 2; *(uint16_t*)0x20001dcc = 8; *(uint16_t*)0x20001dce = 7; *(uint8_t*)0x20001dd0 = -1; memcpy((void*)0x20001dd1, "\x6c\xce\x23\xa5\x1a\x59\x66\x0a\x8a", 9); *(uint8_t*)0x20001dda = 0xc; *(uint8_t*)0x20001ddb = 0x24; *(uint8_t*)0x20001ddc = 2; *(uint8_t*)0x20001ddd = 1; *(uint8_t*)0x20001dde = 7; *(uint8_t*)0x20001ddf = 2; *(uint8_t*)0x20001de0 = 0xd6; *(uint8_t*)0x20001de1 = 0x40; memcpy((void*)0x20001de2, "\xa5\xe2\x12", 3); memcpy((void*)0x20001de5, "l", 1); *(uint8_t*)0x20001de6 = 9; *(uint8_t*)0x20001de7 = 5; *(uint8_t*)0x20001de8 = 0x82; *(uint8_t*)0x20001de9 = 9; *(uint16_t*)0x20001dea = 0x3ff; *(uint8_t*)0x20001dec = 3; *(uint8_t*)0x20001ded = 0; *(uint8_t*)0x20001dee = 0xac; *(uint8_t*)0x20001def = 7; *(uint8_t*)0x20001df0 = 0x25; *(uint8_t*)0x20001df1 = 1; *(uint8_t*)0x20001df2 = 3; *(uint8_t*)0x20001df3 = 4; *(uint16_t*)0x20001df4 = 5; *(uint32_t*)0x20001f40 = 0xa; *(uint64_t*)0x20001f44 = 0x20001e00; *(uint8_t*)0x20001e00 = 0xa; *(uint8_t*)0x20001e01 = 6; *(uint16_t*)0x20001e02 = 0x200; *(uint8_t*)0x20001e04 = -1; *(uint8_t*)0x20001e05 = 2; *(uint8_t*)0x20001e06 = 7; *(uint8_t*)0x20001e07 = 0x10; *(uint8_t*)0x20001e08 = 6; *(uint8_t*)0x20001e09 = 0; *(uint32_t*)0x20001f4c = 5; *(uint64_t*)0x20001f50 = 0x20001e40; *(uint8_t*)0x20001e40 = 5; *(uint8_t*)0x20001e41 = 0xf; *(uint16_t*)0x20001e42 = 5; *(uint8_t*)0x20001e44 = 0; *(uint32_t*)0x20001f58 = 2; *(uint32_t*)0x20001f5c = 0x52; *(uint64_t*)0x20001f60 = 0x20001e80; *(uint8_t*)0x20001e80 = 0x52; *(uint8_t*)0x20001e81 = 3; memcpy((void*)0x20001e82, "\x4b\xcf\xbc\x74\x9d\x26\xd0\xfb\xc2\x0c\x2e\x20\x2a\x04\x2e\x8b\xb1\x67\xca\xdf\x5c\x2b\xcd\xbd\x07\xdd\xe6\x67\x1d\xa7\xdd\x40\x03\x06\xb2\x6f\x22\x0f\xef\x4a\x33\x97\xf0\xa9\x5a\x4b\x8c\xa5\xba\xfd\x5a\x4f\xa8\xb9\x9d\x24\x50\x5f\x7a\x27\xac\x07\xa1\x6b\xbb\x02\xd5\x24\xc0\xbb\xfa\x3a\xf8\xe3\x18\xdf\x58\xfe\xb1\x43", 80); *(uint32_t*)0x20001f68 = 4; *(uint64_t*)0x20001f6c = 0x20001f00; *(uint8_t*)0x20001f00 = 4; *(uint8_t*)0x20001f01 = 3; *(uint16_t*)0x20001f02 = 0x807; res = -1; res = syz_usb_connect(6, 0xb6, 0x20001d40, 0x20001f40); if (res != -1) r[12] = res; break; case 36: syz_usb_disconnect(r[12]); break; case 37: syz_usb_ep_read(r[10], 6, 0xd6, 0x20001f80); break; case 38: *(uint8_t*)0x20002080 = 0x12; *(uint8_t*)0x20002081 = 1; *(uint16_t*)0x20002082 = 0x110; *(uint8_t*)0x20002084 = 2; *(uint8_t*)0x20002085 = 0; *(uint8_t*)0x20002086 = 0; *(uint8_t*)0x20002087 = -1; *(uint16_t*)0x20002088 = 0x525; *(uint16_t*)0x2000208a = 0xa4a1; *(uint16_t*)0x2000208c = 0x40; *(uint8_t*)0x2000208e = 1; *(uint8_t*)0x2000208f = 2; *(uint8_t*)0x20002090 = 3; *(uint8_t*)0x20002091 = 1; *(uint8_t*)0x20002092 = 9; *(uint8_t*)0x20002093 = 2; *(uint16_t*)0x20002094 = 0x3d; *(uint8_t*)0x20002096 = 1; *(uint8_t*)0x20002097 = 1; *(uint8_t*)0x20002098 = 9; *(uint8_t*)0x20002099 = 0xc0; *(uint8_t*)0x2000209a = 0xb3; *(uint8_t*)0x2000209b = 9; *(uint8_t*)0x2000209c = 4; *(uint8_t*)0x2000209d = 0; *(uint8_t*)0x2000209e = 8; *(uint8_t*)0x2000209f = 3; *(uint8_t*)0x200020a0 = 2; *(uint8_t*)0x200020a1 = 6; *(uint8_t*)0x200020a2 = 0; *(uint8_t*)0x200020a3 = 1; *(uint8_t*)0x200020a4 = 7; *(uint8_t*)0x200020a5 = 0x24; *(uint8_t*)0x200020a6 = 6; *(uint8_t*)0x200020a7 = 0; *(uint8_t*)0x200020a8 = 0; memcpy((void*)0x200020a9, "\x93\xb5", 2); *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 0x24; *(uint8_t*)0x200020ad = 0; *(uint16_t*)0x200020ae = 1; *(uint8_t*)0x200020b0 = 0xd; *(uint8_t*)0x200020b1 = 0x24; *(uint8_t*)0x200020b2 = 0xf; *(uint8_t*)0x200020b3 = 1; *(uint32_t*)0x200020b4 = 5; *(uint16_t*)0x200020b8 = 0xdf0; *(uint16_t*)0x200020ba = 0xa5e2; *(uint8_t*)0x200020bc = -1; *(uint8_t*)0x200020bd = 9; *(uint8_t*)0x200020be = 5; *(uint8_t*)0x200020bf = 0x82; *(uint8_t*)0x200020c0 = 2; *(uint16_t*)0x200020c1 = 0x40; *(uint8_t*)0x200020c3 = 0; *(uint8_t*)0x200020c4 = 0x40; *(uint8_t*)0x200020c5 = 0x20; *(uint8_t*)0x200020c6 = 9; *(uint8_t*)0x200020c7 = 5; *(uint8_t*)0x200020c8 = 3; *(uint8_t*)0x200020c9 = 2; *(uint16_t*)0x200020ca = 8; *(uint8_t*)0x200020cc = 0x20; *(uint8_t*)0x200020cd = -1; *(uint8_t*)0x200020ce = 4; *(uint32_t*)0x20002640 = 0xa; *(uint64_t*)0x20002644 = 0x20002100; *(uint8_t*)0x20002100 = 0xa; *(uint8_t*)0x20002101 = 6; *(uint16_t*)0x20002102 = 0x250; *(uint8_t*)0x20002104 = 0; *(uint8_t*)0x20002105 = 0x81; *(uint8_t*)0x20002106 = 0x20; *(uint8_t*)0x20002107 = 0x20; *(uint8_t*)0x20002108 = 3; *(uint8_t*)0x20002109 = 0; *(uint32_t*)0x2000264c = 5; *(uint64_t*)0x20002650 = 0x20002140; *(uint8_t*)0x20002140 = 5; *(uint8_t*)0x20002141 = 0xf; *(uint16_t*)0x20002142 = 5; *(uint8_t*)0x20002144 = 0; *(uint32_t*)0x20002658 = 8; *(uint32_t*)0x2000265c = 0xcd; *(uint64_t*)0x20002660 = 0x20002180; *(uint8_t*)0x20002180 = 0xcd; *(uint8_t*)0x20002181 = 3; memcpy((void*)0x20002182, "\x2e\x83\x3d\xbc\x02\x86\x82\x12\xd3\xec\x73\x52\xfb\x0d\xe8\xa0\x5e\xcf\x66\x18\x59\xde\xbe\x23\xba\x73\x5f\xb9\x0a\x26\x85\x3e\x0d\x4c\x9b\xfc\xeb\xac\x70\xce\x40\x53\x9a\x98\xcf\x89\x47\xe0\x6b\xb7\x5d\xe0\xa9\x20\x5e\x0b\x79\x1c\xb4\xf9\xe7\xaa\x0a\xe1\x14\x9e\x93\x94\xff\xef\x26\x6f\x96\xe0\xc7\x5a\xb7\x28\xca\xdb\xc3\x12\x57\x0e\xfe\xd7\x37\x09\x0a\x62\x51\xc0\x9e\x1a\x5d\x38\xa0\xc6\xf1\xec\x4a\xe0\x55\x86\x3d\x69\xe4\xdc\xf3\x6d\x97\x4d\x2b\xe3\xe4\x87\xc7\xd2\xf1\xdb\x21\x61\xe9\x3b\x7d\x15\x2c\xe0\x46\xf0\x30\xb3\x6d\x08\x32\x89\xed\xdd\x71\x05\xed\x8e\xae\xd4\x9f\x71\x10\x17\xba\xab\xde\x9d\x5f\x01\xcd\x47\x38\x50\x3d\x32\x26\x69\x55\x4f\xcf\x3b\x5a\x65\xb0\x51\x97\x33\xb0\x7a\x7f\x3c\xff\xdc\x92\xb0\x38\x2c\x66\x12\x0c\x41\xaa\xe8\x85\x68\xc7\x52\xf7\x9d\x50\x1f\xd4\xda\x58\xe6\x87\x9e\x7e", 203); *(uint32_t*)0x20002668 = 4; *(uint64_t*)0x2000266c = 0x20002280; *(uint8_t*)0x20002280 = 4; *(uint8_t*)0x20002281 = 3; *(uint16_t*)0x20002282 = 0x3c0a; *(uint32_t*)0x20002674 = 4; *(uint64_t*)0x20002678 = 0x200022c0; *(uint8_t*)0x200022c0 = 4; *(uint8_t*)0x200022c1 = 3; *(uint16_t*)0x200022c2 = 0x3801; *(uint32_t*)0x20002680 = 0x1f; *(uint64_t*)0x20002684 = 0x20002300; *(uint8_t*)0x20002300 = 0x1f; *(uint8_t*)0x20002301 = 3; memcpy((void*)0x20002302, "\xa6\x70\xc3\x58\x2d\x38\x96\x7a\xc4\x85\x45\x5e\x8a\x40\xac\xb6\xf5\xdf\x24\xab\x49\xa4\xc6\xbb\x43\xd5\x84\xed\xf7", 29); *(uint32_t*)0x2000268c = 4; *(uint64_t*)0x20002690 = 0x20002340; *(uint8_t*)0x20002340 = 4; *(uint8_t*)0x20002341 = 3; *(uint16_t*)0x20002342 = 0x44f; *(uint32_t*)0x20002698 = 0xe1; *(uint64_t*)0x2000269c = 0x20002380; *(uint8_t*)0x20002380 = 0xe1; *(uint8_t*)0x20002381 = 3; memcpy((void*)0x20002382, "\xbe\x2c\xe1\x8f\xae\x6d\xa9\xf1\xaa\x4b\x97\x21\x97\xbe\x7a\x6c\xe4\xb2\x83\xc3\xe0\x02\x7e\x6d\xa1\x3d\x86\x39\xf6\x74\xea\x9c\x64\x28\x9b\x33\xc0\xe1\x43\x5b\x7c\x16\x54\xa5\x69\x12\x7b\x26\xad\x53\x77\x4f\x2b\x6b\x20\x57\x9f\xac\x6f\xaf\xfe\x12\x94\x9e\xe4\xb0\xd3\xcd\x2d\x89\x0c\xff\x2d\x7e\x9b\xb4\x3b\x60\x2a\x39\x4e\xfd\x49\x75\x18\x4f\x7e\xec\xab\x16\xa3\xf1\x87\xca\xb4\xc2\xca\x01\xac\x5b\xc9\xc5\x5c\x8b\xb9\x81\x32\x3d\x91\x9f\x77\x35\x5b\x3c\xe7\x42\x8d\xa6\x2a\xf8\x0c\x76\xb1\x85\xe1\x0a\xc7\xb1\xcc\x95\x0e\xcc\x71\x5c\x3e\x0a\x1e\x14\x23\x11\xb6\x29\x41\xe0\x62\x91\xb3\x0d\x2d\x3c\x7d\x46\x8d\xfb\xe2\x83\xc9\x1f\xc0\x83\x3d\xb0\x68\xe7\xbf\x39\x7c\x23\x35\x75\x79\x02\x29\xce\x51\x3b\xbd\xc4\x38\x7d\x81\xb3\x02\x7e\xf6\x8b\x20\xde\x25\xd9\xf1\xff\x32\xb9\x5c\xba\x44\x3b\x9e\x7f\xba\x49\x91\x43\xe8\x41\xa6\x19\x0c\x6e\xcb\x29\x06\xfe\x42\x30\xf8\x39\xba\x8c\x3c\x73\xea", 223); *(uint32_t*)0x200026a4 = 0xc1; *(uint64_t*)0x200026a8 = 0x20002480; *(uint8_t*)0x20002480 = 0xc1; *(uint8_t*)0x20002481 = 3; memcpy((void*)0x20002482, "\xf1\x7d\xb2\xea\x26\xd9\x0b\xa9\x3d\x1d\xbd\x3d\x94\x82\x88\x21\x72\xcc\x15\x8b\x4c\xc4\x3c\x36\xd1\x2b\xb9\x4e\x06\xfc\x7a\xba\x0d\x96\xba\x62\xa3\x8b\x39\xb7\x7b\xb6\x6a\x8b\x4b\xa6\xfe\x26\x0c\x87\x74\x64\xdc\x10\x12\x44\x9a\x3a\x6a\xb5\xb8\x0e\x66\x7a\x3a\x01\xdb\x8d\xd1\xdc\x34\x68\xb0\xd7\x28\x93\xad\xf2\x5b\xd1\xa7\xb9\xdc\xdd\xf5\x69\x12\x2a\x73\x02\x6b\x76\xfd\x0e\x25\xd7\x44\x0c\xa5\xdb\x63\x5b\x3f\xc9\x01\x3f\xd7\x90\x99\xa7\xd7\xe8\x1d\xb8\x74\x5b\xc9\xd0\xa6\xc9\x38\x79\x1d\x2c\xbf\xd1\x0f\x1c\x62\x8c\xa1\x7a\xf9\x93\xb7\x02\xc1\xed\xe3\x0d\xa1\x88\x25\x67\xce\x28\x7f\x66\xb2\x3e\xbf\x40\x8a\x2d\x9c\x63\xe1\xcb\x0b\x27\x95\x27\x3e\xfa\x81\x53\x56\x1c\x3c\x3e\xeb\x71\xd1\x2a\xa0\x87\xe9\x25\x55\x26\xb5\x28\xf5\x38\xaf\x4a\xbd\x41\xcf\x89\x01", 191); *(uint32_t*)0x200026b0 = 0xc0; *(uint64_t*)0x200026b4 = 0x20002580; *(uint8_t*)0x20002580 = 0xc0; *(uint8_t*)0x20002581 = 3; memcpy((void*)0x20002582, "\x6f\x57\xd6\xa5\x96\x20\x2e\xbf\x5a\x75\xb9\x72\x49\x11\xf9\x1a\x3d\x92\xae\x1a\xc8\x1a\xbb\x9c\x1b\x13\x4a\x76\xe6\x65\x90\xf6\xeb\x8d\xd8\x4c\xc1\x09\x60\xb8\xd2\x23\x94\x7d\x1c\x2e\x77\x1b\x94\xe7\x29\xd8\x34\x18\xf4\x14\x21\x3f\xf8\xb9\x06\x77\x03\x30\xbe\xa7\x0e\x59\xfe\x4d\x8b\xa5\x37\xfb\xcf\xd3\xc4\xbf\xc4\xea\x3b\x64\x0c\x31\x12\x92\x6d\x8c\x78\xee\xe8\x39\x72\x09\x00\xc5\x05\xcc\x01\x3c\x12\x63\xdc\xf2\x7b\x6c\x0f\x87\xfc\xb8\x7f\x40\xcb\x6b\xde\x31\x54\xcc\xd6\x3e\x65\xa4\x8c\x86\xc5\x8a\x38\x57\xf6\x8f\x88\x08\x20\x3f\xb2\x8d\x95\xe7\x4a\x18\x65\xeb\x8f\x82\xfe\x95\x35\x62\xa1\x47\x51\xed\x18\xf2\x51\xe5\x11\x53\x70\xd2\xbc\x19\x14\x5c\xcf\x3a\xbe\xae\x4c\x81\xfb\x1d\x97\xf6\x2e\x03\x5d\xb7\x3d\x11\xab\x7e\xc5\x96\xbc\x7a\x36\x86\x55\xc6", 190); res = -1; res = syz_usb_connect(4, 0x4f, 0x20002080, 0x20002640); if (res != -1) r[13] = res; break; case 39: memcpy((void*)0x200026c0, "\x01\xdf\x42\x94\xf0\x1f\xe1\xf9\x43\xb7\x80\xcc\xad\x76\xab\x8a\x48\x35\x3c\xbc\xe5\x48\x12\x83\xfb\x7d\x07\xe3\x29\x52\x05\x54\x49\xb6\x58\x1b\x36\x93\xb6\x7e\xde\xa7\xf1\x03\x54\x2f\xd1\xdc\xcf\x21\xa4\xf8\xce\x11\xf5\x24\x82\xa5\x50\xdd\x31\x99\xda\x83\x0c\x3e\x19\xff\x1a\x99\x6c\xe1\x42\x4b\x13\x49\x5e\x70\x4b\xe3\xf8\xc1\x06\xd0\x83\x38\xa6\x9d\xb2\x9c\x70\xd0\x40\xba\x40\x50\x16\xd9\x02\x55\xd8\x1d\x11\x5d\x9c\x6c\x9c\x13\xb9\x57\x89\xba\x2d\x4e\xe0\xf0\x05\xd9\x5b", 119); syz_usb_ep_write(r[13], 8, 0x77, 0x200026c0); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); use_temporary_dir(); loop(); return 0; } : In function ‘syz_io_uring_setup’: :277:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :277:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor796871052 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/12 (0.63s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:true NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } #define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak" static void setup_leak() { if (!write_file(KMEMLEAK_FILE, "scan")) exit(1); sleep(5); if (!write_file(KMEMLEAK_FILE, "scan")) exit(1); if (!write_file(KMEMLEAK_FILE, "clear")) exit(1); } static void check_leaks(void) { int fd = open(KMEMLEAK_FILE, O_RDWR); if (fd == -1) exit(1); uint64_t start = current_time_ms(); if (write(fd, "scan", 4) != 4) exit(1); sleep(1); while (current_time_ms() - start < 4 * 1000) sleep(1); if (write(fd, "scan", 4) != 4) exit(1); static char buf[128 << 10]; ssize_t n = read(fd, buf, sizeof(buf) - 1); if (n < 0) exit(1); int nleaks = 0; if (n != 0) { sleep(1); if (write(fd, "scan", 4) != 4) exit(1); if (lseek(fd, 0, SEEK_SET) < 0) exit(1); n = read(fd, buf, sizeof(buf) - 1); if (n < 0) exit(1); buf[n] = 0; char* pos = buf; char* end = buf + n; while (pos < end) { char* next = strstr(pos + 1, "unreferenced object"); if (!next) next = end; char prev = *next; *next = 0; fprintf(stderr, "BUG: memory leak\n%s\n", pos); *next = prev; pos = next; nleaks++; } } if (write(fd, "clear", 5) != 5) exit(1); close(fd); if (nleaks) exit(1); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 40; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 26 ? 50 : 0) + (call == 32 ? 3000 : 0) + (call == 33 ? 3000 : 0) + (call == 34 ? 300 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 3000 : 0) + (call == 39 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); check_leaks(); } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/dsp\000", 9); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); break; case 2: syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); break; case 3: memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); if (res != -1) r[1] = res; break; case 4: *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); break; case 5: syscall(__NR_socket, 0xaul, 5ul, 0x84); break; case 6: memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20000240, 8, 0x40040); if (res != -1) r[2] = res; break; case 7: *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); break; case 8: *(uint32_t*)0x20000300 = 0x14; syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); break; case 9: syscall(__NR_socket, 4ul, 2ul, 0); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); break; case 11: *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; break; case 12: memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); syz_execute_func(0x20000140); break; case 13: break; case 14: memcpy((void*)0x200001c0, "SEG6\000", 5); syz_genetlink_get_family_id(0x200001c0); break; case 15: syz_init_net_socket(3, 2, 0xc4); break; case 16: res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); if (res != -1) r[3] = res; break; case 17: syz_io_uring_complete(r[3]); break; case 18: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); if (res != -1) r[4] = *(uint32_t*)0x20000218; break; case 19: res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); if (res != -1) r[5] = res; break; case 20: memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); if (res != -1) r[6] = res; break; case 21: res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); if (res != -1) r[7] = res; break; case 22: *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint32_t*)0x20000394 = 1; *(uint32_t*)0x20000398 = 0; *(uint64_t*)0x200003a0 = 1; *(uint16_t*)0x200003a8 = 0; *(uint16_t*)0x200003aa = r[7]; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; *(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; syz_io_uring_submit(r[3], r[5], 0x20000380, 5); break; case 23: *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0x200003c0; memcpy((void*)0x200003c0, "\xc6\x6b\xf5\x1c\x00\x3b\x68\x4c\xd1\xf5\x6d\x7d\xbc\xd2\xde\xa7\x67\x52\x93\xe4\xd0\x16\x95\x5f\xb8\x84\x32\x0c\xce\xfe\xf5\x21\x42\xee\xf0\xb6\x1d\x38\x99\x59\xe4\xe4\x75\x07\x5b\x6b\x11\xcd\xbe\x1c", 50); *(uint64_t*)0x20000410 = 0x32; *(uint64_t*)0x20000440 = 1; *(uint64_t*)0x20000448 = 0; syz_kvm_setup_cpu(r[6], -1, 0x20fe7000, 0x20000400, 1, 0, 0x20000440, 1); break; case 24: res = syscall(__NR_mmap, 0x20ffb000ul, 0x4000ul, 0x2000000ul, 0x1000ul, -1, 0x8000000ul); if (res != -1) r[8] = res; break; case 25: *(uint32_t*)0x20000480 = 1; syz_memcpy_off(r[8], 0x114, 0x20000480, 0, 4); break; case 26: memcpy((void*)0x200004c0, "afs\000", 4); memcpy((void*)0x20000500, "./file0\000", 8); *(uint64_t*)0x200008c0 = 0x20000540; *(uint64_t*)0x200008c8 = 0; *(uint64_t*)0x200008d0 = 0x32; *(uint64_t*)0x200008d8 = 0x20000580; memcpy((void*)0x20000580, "\x3a\x7a\x72\xca\x9b\x2a\x42\x2a\xfb\xeb\xa2\xd7\xa8\x43\x38\xcb\x03\x95\x18\x39\x45\x1a\xf3\xf3\x03\x1d\x00\x30\xdb\x11\xa0\x8c\x0e\xb2\x24\x4d\xab\x7f\x4f\xd9\x44\x2c\xd5\x53\x70\xfb\xac\xdc\x33\x0d\x3e\xe2\x18\x81\x37\xd0\xad\x97\x72\xc7\xae\x54\xfa\xe9\x2d\x19\x41\xe0\x49\xbd\xcb\x3b\x8f\x64\x5e\xa6\xa7\xd7\x46\x40\x42\x86\xd5\x6d\xfd\x7a\x41\xfb\x29\xe2\x98\x7d\x8d\x73\xb3\x67\x9f\xae\x42\x7f\x5a\xf0\x81\x85\xe4\xff\xda\x15\x32\x28\xa3\xac\x82\xbf\x94\xf1\x77\x52\xed\x78\xdf\xe5\xb9\xa4", 124); *(uint64_t*)0x200008e0 = 0x7c; *(uint64_t*)0x200008e8 = 0xee5; *(uint64_t*)0x200008f0 = 0x20000600; memcpy((void*)0x20000600, "\xa9\x63\xe9\x74\x3e\x9c\x3d\x09\x2a\x0a\xb1\xd6\x8a\x13\xfe\x85\xf8\x0e\xd9\x43\x58\xab\x9a\xd4\x02\x9d\xff\x34\x33\xa3\x22\x3c\x65\x0d\x6a\x96\x50\x5e\xc9\xa3\xd6\xcd\x09\xad\x3f\x26\x8f\xcd\xd1\x24\x8a\xa4\x3e\xf1\x38\xa7\x9b\x0c\x4c\x11\x6f\x71\x78\xb5\xfc\x5c\xc4\x9f\xa3\x03\x20\x1e\x8c\x7e\xf4\xe3\x22\x43\x41\x05\xec\xdc\x91\x2a\xe6\x72\x51\x0b\x34\xc0\x1a\xa3\x89\x0c\x90\xf2\x72\x00\xde\x2b\x65\xc4\xbd\x20", 104); *(uint64_t*)0x200008f8 = 0x68; *(uint64_t*)0x20000900 = 0x10000; *(uint64_t*)0x20000908 = 0x20000680; memcpy((void*)0x20000680, "\x6a\xc4\x43\xef\xa9\x85\x5d\xda\x4f\xa3\xa9\x82\xab\xc0\x60\xeb\xf1\xa6\x78\x5f\xeb\xa7\x7c\xd7\x0d\x48\x6a\x29\xf4", 29); *(uint64_t*)0x20000910 = 0x1d; *(uint64_t*)0x20000918 = 2; *(uint64_t*)0x20000920 = 0x200006c0; memcpy((void*)0x200006c0, "\x32\x29\x20\x2f\xd1\x3c\x8a\xb6\xd5\x54\xd8\xdf\xb6\xa8\x66\x18\x05\xf5\x3c\x5e\x81\x67\x1b\xf5\xd7\x02\xaa\x4c\x17\xca\xd1\x07\xcf\xc6\xa8\xfe\x70\x2b\x26\x94\x2c\x63\x2a\x4e\xd0\xe1\x01\x04\x40\xb5\x1b\x99\x78\x5c\x11\x2a\x0b\xda\x8c\x28\x62\x67\xac\x9c\xb4\xe6\x95\x37\x6a\x13\xd9\x93\x7d\xfe\x15\x42\x39\xc4\xea\x04\xf3\x85\x39\xa8\xe5\x57\xdb\xcc\x89\x09\x42\x0c\x76\xb2\x58\x7b\x42\xaa\x2d\x61\xbf\x39\x5f\xe9\x13\xba\xd8\x6d\xdf\x17\xa8\xf1\xb3\x21\x2d\x0f\x0a\x6b\xc2\xe7\x84\x1e\xf2\xe2\xee\x0b\xe0\x59\x01\xf0\x28\xc7\xc6\x5e\x1c\x2c\xb6\x41\xf5\x56\x50\x8f\xbf\x32\x2d\xa0\x30\xde\x78\x46\xad\x39\x00\x40\x82\xc1\x28\xa0\xff\xb6\x0c\x1b\x80\x1b\xfd\x69\xa0\xe5\xf3\x7b\x51\xfe\xb7\x8d\x97\x24\x0f\x45\xf3\xce\x17\xa2\x8a\xbb\xd8\x9b\xd1\x6c\xd2\xd0\x6c\x74\x48\x89\x90\xab\xa3\x6f\xf0\x06\xe8\xae\x36\x22\xec\x18\xfa\x76\xb7\x67\xbe\x88\xf1\x92\xf9\x4a\xf1\x5e\x23\xd7\x42\x17\x73\x8a\x1d\x48\xef\x2c\x3e\x1c\x0a\x55\x72\x03\x04\x5e\x3b\xa2\x5e\x9c\xd3\x8e\xfa\x64", 244); *(uint64_t*)0x20000928 = 0xf4; *(uint64_t*)0x20000930 = 6; *(uint64_t*)0x20000938 = 0x200007c0; memcpy((void*)0x200007c0, "\x41\x4d\x78\x40\x34\x90\x27\x5a\x20\x64\x95\xf9\x3c\xf6\x22\x29\x59\x6a\x76\xf6\x22\xd4\x2e\x73\x7b\xfa\x14\x8f\xc2\x38\x5d\x9c\x82\x94\x6c\xe9\x5d\x9b\x76\x65\xc1\x48\xbf\xd7\x23\xf5\x24\x8f\xfc\xb6\xa4\xfc\x82\x65\xde\x9d\xa9\xe3\x4f\xf0\x57\x7d\xd7\x19\x23\x3d\x7e\xf9\x61\x0b\x9b\x9d\x98\xd4\xf2\xce\xdc\xc5\x35\x1c\xb7\x23\x4e\x0a\x83\x45\xf8\x1e\x60\x3a\x00\x2c\x13\xd8\x98\xf1\x08\x46\x56\xc5\x1b\xe0\x05\x26\xc6\xb7\x97\x7b\x28\x78\x09\x59\x1c\x51\xa2\x88\xac\xec\x3e\x57\x0a\x94\xcc\x77\x42\x01\x95\xf2\xa8\x1a\x77\x89\x6f\x9f\x08\x1b\x17\x3c\x24\xad\xa2\x30\x41\xea\x2e\x72\x53\x69\x86\x01\xd8\x37\x69\x09\x4d\x34\x89", 157); *(uint64_t*)0x20000940 = 0x9d; *(uint64_t*)0x20000948 = 1; *(uint64_t*)0x20000950 = 0x20000880; memcpy((void*)0x20000880, "\x3c\xc0\xa1\x54\x97\x7d\x26\x88\x2d\x94\xf1\xc1\x08\xa6\x28\x7b\x15\xe8\x35\xbf\x2d\x9e\xbc\xfd\x92\x5c\x45\x69\xc9\xde\x9d\x46\x3b\x92\x91\x58\x99\x0d\x2f\x48", 40); *(uint64_t*)0x20000958 = 0x28; *(uint64_t*)0x20000960 = 0xfffffffffffffbff; memcpy((void*)0x20000980, "flock=strict", 12); *(uint8_t*)0x2000098c = 0x2c; memcpy((void*)0x2000098d, "flock=write", 11); *(uint8_t*)0x20000998 = 0x2c; memcpy((void*)0x20000999, "source", 6); *(uint8_t*)0x2000099f = 0x3d; memcpy((void*)0x200009a0, "\353", 1); *(uint8_t*)0x200009a1 = 0x2c; memcpy((void*)0x200009a2, "autocell", 8); *(uint8_t*)0x200009aa = 0x2c; *(uint8_t*)0x200009ab = 0; syz_mount_image(0x200004c0, 0x20000500, 0x1f, 7, 0x200008c0, 0x1015005, 0x20000980); break; case 27: memcpy((void*)0x200009c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200009c0, 0x10000, 0x6840); break; case 28: *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0; *(uint32_t*)0x20000a4c = 3; *(uint64_t*)0x20000a50 = 0x20000a00; memcpy((void*)0x20000a00, ".\\\000", 3); *(uint32_t*)0x20000a58 = 0; *(uint32_t*)0x20000a5c = 0; *(uint64_t*)0x20000a60 = 0; *(uint64_t*)0x20000a68 = 0; res = syscall(__NR_bpf, 0x14ul, 0x20000a40ul, 0x30ul); if (res != -1) r[9] = *(uint32_t*)0x20000a40; break; case 29: memcpy((void*)0x20000a80, "status\000", 7); syz_open_procfs(r[9], 0x20000a80); break; case 30: syz_open_pts(-1, 0x8000); break; case 31: syz_read_part_table(6, 0, 0x20000ac0); break; case 32: *(uint8_t*)0x20000b00 = 0x12; *(uint8_t*)0x20000b01 = 1; *(uint16_t*)0x20000b02 = 0x250; *(uint8_t*)0x20000b04 = 0xa8; *(uint8_t*)0x20000b05 = 0x9c; *(uint8_t*)0x20000b06 = 0xcc; *(uint8_t*)0x20000b07 = -1; *(uint16_t*)0x20000b08 = 0x499; *(uint16_t*)0x20000b0a = 0x150c; *(uint16_t*)0x20000b0c = 0xbaf4; *(uint8_t*)0x20000b0e = 1; *(uint8_t*)0x20000b0f = 2; *(uint8_t*)0x20000b10 = 3; *(uint8_t*)0x20000b11 = 1; *(uint8_t*)0x20000b12 = 9; *(uint8_t*)0x20000b13 = 2; *(uint16_t*)0x20000b14 = 0x702; *(uint8_t*)0x20000b16 = 3; *(uint8_t*)0x20000b17 = 2; *(uint8_t*)0x20000b18 = 5; *(uint8_t*)0x20000b19 = 0x80; *(uint8_t*)0x20000b1a = 0x1f; *(uint8_t*)0x20000b1b = 9; *(uint8_t*)0x20000b1c = 4; *(uint8_t*)0x20000b1d = 0x7d; *(uint8_t*)0x20000b1e = 0; *(uint8_t*)0x20000b1f = 0xb; *(uint8_t*)0x20000b20 = 0x5c; *(uint8_t*)0x20000b21 = 0x68; *(uint8_t*)0x20000b22 = 0x45; *(uint8_t*)0x20000b23 = 0xb8; *(uint8_t*)0x20000b24 = 0x64; *(uint8_t*)0x20000b25 = 0xe6; memcpy((void*)0x20000b26, "\x25\xbb\xa1\x93\x73\x4e\x4e\xb8\x7c\xbd\x6a\x4c\x96\x1e\xf0\x1e\x6c\x96\x0f\xa2\x7d\xe2\xe0\xb2\x88\x3e\x73\xbc\xb5\x6b\x37\x1c\xc2\xf9\x4a\x39\xee\x59\xf2\x12\x37\xd7\xfd\x38\xba\xfe\xa3\xbe\xbf\x15\x96\x7e\x66\xfd\xa6\x11\x4d\x34\xb3\x49\xe1\x86\x8e\xf9\x5c\xc0\xa0\x63\x05\xd0\x16\xcd\x2c\xc7\x23\x33\x40\x35\xa1\x10\xf9\xda\x19\x7a\xfa\x79\xa6\xb0\x45\xfa\xc5\xf7\xd5\xbb\x63\x9e\x45\x41", 98); *(uint8_t*)0x20000b88 = 0xa; *(uint8_t*)0x20000b89 = 0x24; *(uint8_t*)0x20000b8a = 1; *(uint16_t*)0x20000b8b = 7; *(uint8_t*)0x20000b8d = 0x80; *(uint8_t*)0x20000b8e = 2; *(uint8_t*)0x20000b8f = 1; *(uint8_t*)0x20000b90 = 2; *(uint8_t*)0x20000b91 = 9; *(uint8_t*)0x20000b92 = 5; *(uint8_t*)0x20000b93 = 1; *(uint8_t*)0x20000b94 = 3; *(uint16_t*)0x20000b95 = 0x200; *(uint8_t*)0x20000b97 = 0x81; *(uint8_t*)0x20000b98 = 1; *(uint8_t*)0x20000b99 = 9; *(uint8_t*)0x20000b9a = 7; *(uint8_t*)0x20000b9b = 0x25; *(uint8_t*)0x20000b9c = 1; *(uint8_t*)0x20000b9d = 1; *(uint8_t*)0x20000b9e = 9; *(uint16_t*)0x20000b9f = 0x1000; *(uint8_t*)0x20000ba1 = 9; *(uint8_t*)0x20000ba2 = 5; *(uint8_t*)0x20000ba3 = 6; *(uint8_t*)0x20000ba4 = 8; *(uint16_t*)0x20000ba5 = 0x400; *(uint8_t*)0x20000ba7 = 0xe8; *(uint8_t*)0x20000ba8 = 0xc6; *(uint8_t*)0x20000ba9 = -1; *(uint8_t*)0x20000baa = 7; *(uint8_t*)0x20000bab = 0x25; *(uint8_t*)0x20000bac = 1; *(uint8_t*)0x20000bad = 1; *(uint8_t*)0x20000bae = 0x81; *(uint16_t*)0x20000baf = 6; *(uint8_t*)0x20000bb1 = 9; *(uint8_t*)0x20000bb2 = 5; *(uint8_t*)0x20000bb3 = 0xd; *(uint8_t*)0x20000bb4 = 0; *(uint16_t*)0x20000bb5 = 0x20; *(uint8_t*)0x20000bb7 = 8; *(uint8_t*)0x20000bb8 = 0xb4; *(uint8_t*)0x20000bb9 = 3; *(uint8_t*)0x20000bba = 9; *(uint8_t*)0x20000bbb = 5; *(uint8_t*)0x20000bbc = 2; *(uint8_t*)0x20000bbd = 1; *(uint16_t*)0x20000bbe = 0x200; *(uint8_t*)0x20000bc0 = 2; *(uint8_t*)0x20000bc1 = 6; *(uint8_t*)0x20000bc2 = 0x20; *(uint8_t*)0x20000bc3 = 9; *(uint8_t*)0x20000bc4 = 5; *(uint8_t*)0x20000bc5 = 7; *(uint8_t*)0x20000bc6 = 2; *(uint16_t*)0x20000bc7 = 0x3ff; *(uint8_t*)0x20000bc9 = 0x29; *(uint8_t*)0x20000bca = 4; *(uint8_t*)0x20000bcb = 0x4c; *(uint8_t*)0x20000bcc = 9; *(uint8_t*)0x20000bcd = 5; *(uint8_t*)0x20000bce = 5; *(uint8_t*)0x20000bcf = 0; *(uint16_t*)0x20000bd0 = 0x200; *(uint8_t*)0x20000bd2 = 2; *(uint8_t*)0x20000bd3 = 0x22; *(uint8_t*)0x20000bd4 = 5; *(uint8_t*)0x20000bd5 = 7; *(uint8_t*)0x20000bd6 = 0x25; *(uint8_t*)0x20000bd7 = 1; *(uint8_t*)0x20000bd8 = 0; *(uint8_t*)0x20000bd9 = 7; *(uint16_t*)0x20000bda = 0x27; *(uint8_t*)0x20000bdc = 9; *(uint8_t*)0x20000bdd = 5; *(uint8_t*)0x20000bde = 0xe; *(uint8_t*)0x20000bdf = 0xc; *(uint16_t*)0x20000be0 = 0x20; *(uint8_t*)0x20000be2 = 0x40; *(uint8_t*)0x20000be3 = 9; *(uint8_t*)0x20000be4 = 0x1f; *(uint8_t*)0x20000be5 = 0x4f; *(uint8_t*)0x20000be6 = 1; memcpy((void*)0x20000be7, "\xf1\x48\xd8\x44\x07\xf5\xb8\xdf\xda\x7c\x13\xb6\x82\x81\xb7\xd1\x42\x09\x55\x10\x93\xf9\x1b\x2d\x8f\x89\x1d\x9f\x3b\x8f\xf0\x7a\x8c\x2b\x56\xbc\xbf\xa7\x44\xea\x1d\xa6\x9f\xb1\x16\xc7\x1d\x11\xfa\x13\xb6\xa2\xc4\x64\xe6\x5d\x7c\x70\x6a\xe2\x5e\x0a\xd8\x36\xd3\x28\xf3\x09\x28\xaf\x26\xfe\x9d\x4f\x3f\x1d\xc1", 77); *(uint8_t*)0x20000c34 = 7; *(uint8_t*)0x20000c35 = 0x25; *(uint8_t*)0x20000c36 = 1; *(uint8_t*)0x20000c37 = 0x82; *(uint8_t*)0x20000c38 = 0x18; *(uint16_t*)0x20000c39 = 0xfc0; *(uint8_t*)0x20000c3b = 9; *(uint8_t*)0x20000c3c = 5; *(uint8_t*)0x20000c3d = 4; *(uint8_t*)0x20000c3e = 0; *(uint16_t*)0x20000c3f = 0x400; *(uint8_t*)0x20000c41 = 0; *(uint8_t*)0x20000c42 = 0x80; *(uint8_t*)0x20000c43 = 7; *(uint8_t*)0x20000c44 = 7; *(uint8_t*)0x20000c45 = 0x25; *(uint8_t*)0x20000c46 = 1; *(uint8_t*)0x20000c47 = 2; *(uint8_t*)0x20000c48 = 4; *(uint16_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4b = 0xf7; *(uint8_t*)0x20000c4c = 0x30; memcpy((void*)0x20000c4d, "\xab\xdd\xdd\x4f\x9b\x3f\x7c\x94\x0f\x59\xac\x5d\x6a\xc2\x20\xf7\x66\x83\x45\x97\x34\x86\x90\xed\xd4\x5d\xbc\xad\x8d\x72\x00\xdb\x71\x84\x99\x1d\x25\x39\xdf\x54\xe5\xad\x82\xe5\xd5\x8b\x03\x66\xea\x3b\x34\x1b\xe9\xa3\x0b\x4b\x2b\xd6\x6b\xf0\x04\x79\x62\x8c\xb4\x77\xc8\x29\x38\xf8\xd3\xc1\x06\xa7\xe1\x8b\x0e\x54\x85\xa0\xb1\x61\x1a\xba\x1d\x8a\xd3\xc7\x40\xfc\x3d\x9a\xcc\xb5\xd7\xb2\x93\xb9\x0b\x16\x8c\x3f\x2c\x69\x79\x81\x35\xb5\x62\x47\x5f\xe2\xa3\xb8\xf6\x19\x57\x22\x51\x66\x27\x87\xbf\x74\x9f\x67\x3a\x35\xee\x80\xea\x76\xed\xd0\xfc\x7b\x31\x77\xf2\x4f\x50\xd6\x8a\xce\xd6\x90\x2e\xcf\x5e\x0a\x1d\x31\x26\xd9\x53\x09\x46\xab\xac\x7a\x85\x79\x91\x94\x74\x8f\x34\xee\xf3\xe2\x49\xc0\xed\xe1\x51\x1b\x67\x62\x6c\x06\x32\x2b\xa0\xb3\x13\x3a\xd7\xea\xb4\x6c\xc0\x7a\x99\x5f\x01\x1d\x24\x78\x19\x83\xc1\x70\x9a\x03\xac\x2e\xf1\x65\xa9\xb9\x1e\xd9\xe7\x5e\x22\x19\x05\xa9\x32\xc3\x50\x1d\x40\x56\x69\x16\xd6\x3f\x2f\xae\x4e\x97\x98\xfa\xb8\xe1\x6a\x1d\x36\x4f\x01\x9c\x0e\xbd\xb0", 245); *(uint8_t*)0x20000d42 = 9; *(uint8_t*)0x20000d43 = 5; *(uint8_t*)0x20000d44 = 2; *(uint8_t*)0x20000d45 = 0; *(uint16_t*)0x20000d46 = 0x40; *(uint8_t*)0x20000d48 = 0xfe; *(uint8_t*)0x20000d49 = 0x20; *(uint8_t*)0x20000d4a = 9; *(uint8_t*)0x20000d4b = 0xed; *(uint8_t*)0x20000d4c = 1; memcpy((void*)0x20000d4d, "\x97\x48\x0b\x61\x9e\xce\x34\x91\x71\x8d\x87\x0d\x13\x33\xf7\xf3\xcb\xe0\x33\x67\xac\x7f\x15\xbe\x17\x93\xcf\x2d\x63\x5a\xf6\x7a\xf8\x8c\xfe\xa5\x26\xad\x45\xea\x67\xc3\x9a\xde\x3d\x19\x91\x8d\x55\xea\x59\x8a\x78\x07\xfd\x2c\x56\xad\xdf\xb5\x2f\x42\x75\x6b\xfc\x60\x2c\x04\x56\x0e\x98\x1a\x38\x78\x3c\xa3\xdd\x8b\xa4\x31\xc2\x67\x59\x2b\xc0\x04\xb2\xf5\x3e\x49\x08\x2d\xac\x6a\x78\x48\xb9\x29\xdc\xf5\x3f\x15\x1f\x4c\x9a\xe6\xf8\x91\x2f\xff\xd9\x19\x9b\xcd\xcd\x8b\x95\xfd\xc2\xdf\xaa\x22\xd3\xa7\x31\xf3\xc4\xaa\x34\x47\xd4\x18\x3b\x1c\xb4\xcc\xce\xb3\x6e\x69\x37\xf2\x27\x5c\x89\xce\x0b\xa8\x3f\x40\xc2\xc7\xdb\xf1\x3b\x41\x77\x0a\x0f\x12\x5b\x10\xde\xd7\xee\xfe\x7a\x18\x24\xf9\xee\xf4\x93\x83\x10\xa5\x5c\x12\x1b\xf1\xa9\x25\x9f\x55\x16\x72\xb8\xa0\xa5\x2f\xea\xc5\xcb\xc5\xab\x96\xa5\x49\x1e\xf5\x33\xd7\xbe\x14\x76\x4e\x9d\xa5\x31\xff\xef\x82\xf8\x61\x2a\x74\x0f\xb5\x87\x56\xf7\xcb\x60\x92\xab\xb1\x5a\xa6\xcf\x04\x94\xcb\x71\x06\xf1", 235); *(uint8_t*)0x20000e38 = 0xd3; *(uint8_t*)0x20000e39 = 8; memcpy((void*)0x20000e3a, "\x4e\x8e\x03\x4e\xe9\x75\x01\xac\x38\x25\x74\xd2\xa7\x25\x27\xc5\xe0\xc8\x32\x61\x8b\xc6\xa1\xea\x16\xc3\xf3\x23\x25\x89\x71\x63\x3a\x03\x33\x99\x1a\xd9\x97\x54\xb0\x06\xc9\x5c\x4d\xe5\xf9\x01\xec\x1b\x8d\x86\xbd\x47\xc5\x64\xbd\x2a\xef\x08\xdf\x3c\x22\x4a\x3e\x6e\x40\x84\x65\x54\xee\xd2\x73\x4d\x71\xce\x33\x92\x96\x7e\xf5\x5c\x96\xb3\xda\x0a\xa5\x48\x1f\x31\xc3\x51\xcf\x18\x59\xcb\xee\x24\x4e\x75\x1c\x60\xcf\xad\xc2\x33\xcb\x60\x02\xee\x6f\xf4\xcc\x2c\x9b\x76\x37\x8f\x5b\x6e\x41\x0c\x01\x4f\x25\xcb\x9f\xff\x68\xf8\xa6\xff\x5b\x81\xb6\xd0\x9b\x9c\x7a\x2a\xaf\x84\x8b\xd2\x47\xed\x21\xb1\x3a\xa8\xd3\x5b\xcb\x7b\xf2\xfa\x6b\x8c\xbf\x55\x29\x9e\xdb\xce\x15\xe7\x88\xd1\xf9\x3c\xff\x32\x23\x99\x24\x9a\xc0\x80\xf2\xd4\x7b\xd3\xf2\x7e\x7a\x6d\xe1\x84\x90\x48\x11\x72\x25\x36\xd0\xa2\x33\x0e\x3e\x51\x11\x46\xfa\xab\x98\x64\xd1\xb1\x83", 209); *(uint8_t*)0x20000f0b = 9; *(uint8_t*)0x20000f0c = 5; *(uint8_t*)0x20000f0d = 0xb; *(uint8_t*)0x20000f0e = 0; *(uint16_t*)0x20000f0f = 0x10; *(uint8_t*)0x20000f11 = 0x2c; *(uint8_t*)0x20000f12 = 9; *(uint8_t*)0x20000f13 = 6; *(uint8_t*)0x20000f14 = 7; *(uint8_t*)0x20000f15 = 0x25; *(uint8_t*)0x20000f16 = 1; *(uint8_t*)0x20000f17 = 0x80; *(uint8_t*)0x20000f18 = 0xc9; *(uint16_t*)0x20000f19 = 0xbb; *(uint8_t*)0x20000f1b = 0x1f; *(uint8_t*)0x20000f1c = 0x31; memcpy((void*)0x20000f1d, "\xe4\x4d\x51\xa1\x5a\x72\x0f\x09\x9d\xad\xeb\x93\x26\x25\x52\xa9\x35\x42\x42\x29\xd3\xf4\xd1\x2e\xdc\x1b\xaa\x9f\x88", 29); *(uint8_t*)0x20000f3a = 9; *(uint8_t*)0x20000f3b = 5; *(uint8_t*)0x20000f3c = 0xc; *(uint8_t*)0x20000f3d = 0; *(uint16_t*)0x20000f3e = 8; *(uint8_t*)0x20000f40 = 0x49; *(uint8_t*)0x20000f41 = 0x40; *(uint8_t*)0x20000f42 = 0x55; *(uint8_t*)0x20000f43 = 9; *(uint8_t*)0x20000f44 = 4; *(uint8_t*)0x20000f45 = 0xfe; *(uint8_t*)0x20000f46 = 0x33; *(uint8_t*)0x20000f47 = 2; *(uint8_t*)0x20000f48 = 0xa2; *(uint8_t*)0x20000f49 = 0x17; *(uint8_t*)0x20000f4a = 0x9a; *(uint8_t*)0x20000f4b = 2; *(uint8_t*)0x20000f4c = 9; *(uint8_t*)0x20000f4d = 0x24; *(uint8_t*)0x20000f4e = 6; *(uint8_t*)0x20000f4f = 0; *(uint8_t*)0x20000f50 = 1; memcpy((void*)0x20000f51, "\xfb\x7f\xfd\xe8", 4); *(uint8_t*)0x20000f55 = 5; *(uint8_t*)0x20000f56 = 0x24; *(uint8_t*)0x20000f57 = 0; *(uint16_t*)0x20000f58 = 1; *(uint8_t*)0x20000f5a = 0xd; *(uint8_t*)0x20000f5b = 0x24; *(uint8_t*)0x20000f5c = 0xf; *(uint8_t*)0x20000f5d = 1; *(uint32_t*)0x20000f5e = 4; *(uint16_t*)0x20000f62 = 0x9f54; *(uint16_t*)0x20000f64 = 0x267; *(uint8_t*)0x20000f66 = 1; *(uint8_t*)0x20000f67 = 6; *(uint8_t*)0x20000f68 = 0x24; *(uint8_t*)0x20000f69 = 0x1a; *(uint16_t*)0x20000f6a = 9; *(uint8_t*)0x20000f6c = 9; *(uint8_t*)0x20000f6d = 0xc; *(uint8_t*)0x20000f6e = 0x24; *(uint8_t*)0x20000f6f = 0x1b; *(uint16_t*)0x20000f70 = -1; *(uint16_t*)0x20000f72 = 1; *(uint8_t*)0x20000f74 = 0x20; *(uint8_t*)0x20000f75 = 6; *(uint16_t*)0x20000f76 = 6; *(uint8_t*)0x20000f78 = 6; *(uint8_t*)0x20000f79 = 0x15; *(uint8_t*)0x20000f7a = 0x24; *(uint8_t*)0x20000f7b = 0x12; *(uint16_t*)0x20000f7c = 3; *(uint64_t*)0x20000f7e = 0x14f5e048ba817a3; *(uint64_t*)0x20000f86 = 0x2a397ecbffc007a6; *(uint8_t*)0x20000f8e = 0xc; *(uint8_t*)0x20000f8f = 0x24; *(uint8_t*)0x20000f90 = 0x1b; *(uint16_t*)0x20000f91 = 0x91; *(uint16_t*)0x20000f93 = 5; *(uint8_t*)0x20000f95 = 1; *(uint8_t*)0x20000f96 = -1; *(uint16_t*)0x20000f97 = 5; *(uint8_t*)0x20000f99 = 0x35; *(uint8_t*)0x20000f9a = 4; *(uint8_t*)0x20000f9b = 0x24; *(uint8_t*)0x20000f9c = 2; *(uint8_t*)0x20000f9d = 1; *(uint8_t*)0x20000f9e = 9; *(uint8_t*)0x20000f9f = 5; *(uint8_t*)0x20000fa0 = 0xa; *(uint8_t*)0x20000fa1 = 0x10; *(uint16_t*)0x20000fa2 = 8; *(uint8_t*)0x20000fa4 = 0x80; *(uint8_t*)0x20000fa5 = 0xc1; *(uint8_t*)0x20000fa6 = 4; *(uint8_t*)0x20000fa7 = 0xb8; *(uint8_t*)0x20000fa8 = 0x30; memcpy((void*)0x20000fa9, "\xe3\x84\xdc\xf0\x3a\xc3\x95\x40\xe5\xa2\x21\x99\xf7\x1a\x53\xba\x42\x8c\x3b\x72\x02\x90\xf0\x27\x6b\xcc\xa0\xcd\x15\x40\x5f\x6c\x93\x04\x97\xaf\x5e\xb3\x20\xa4\x33\xcc\x55\x3d\x6e\x01\x08\xed\xbf\x79\x3e\xf0\x24\x0f\xf2\x69\xb4\xff\x96\xd6\x82\x2b\xcb\x48\xce\xba\xe2\xa5\xce\xad\x65\x78\x6e\xbe\xcd\x5f\x30\x0c\x08\x60\x6d\x33\x22\xb8\x36\x00\x29\xbd\x21\x31\x2d\xac\x49\x33\x61\xe1\xb0\x8f\x2a\xdc\xa4\xdc\x49\xa0\x04\xfe\xfd\xf7\xa3\xa5\x25\xae\x5d\xe1\x1f\x0a\x69\x1a\x41\xb8\x69\xd9\xb9\xa5\xd9\x0d\x5a\x7b\x5e\xbe\x9e\x57\x73\xb9\x7e\xfe\x98\xe3\x89\x53\x77\xa4\x24\xe3\x0e\xf2\x2f\xd2\xff\xa2\x53\x2f\x1b\xb3\xc1\xa4\xe3\xb8\x6a\xfc\x08\xb2\x65\x9a\xa2\xe5\x56\xf1\x90\xe2\x7f\x83\x61\x9a\x16\x18\xd3\x71\xe1\x02\xc5\x58", 182); *(uint8_t*)0x2000105f = 9; *(uint8_t*)0x20001060 = 5; *(uint8_t*)0x20001061 = 0x80; *(uint8_t*)0x20001062 = 1; *(uint16_t*)0x20001063 = 0x40; *(uint8_t*)0x20001065 = 4; *(uint8_t*)0x20001066 = 0; *(uint8_t*)0x20001067 = 0x1f; *(uint8_t*)0x20001068 = 9; *(uint8_t*)0x20001069 = 4; *(uint8_t*)0x2000106a = 0x74; *(uint8_t*)0x2000106b = 0x90; *(uint8_t*)0x2000106c = 0xa; *(uint8_t*)0x2000106d = -1; *(uint8_t*)0x2000106e = 0x5d; *(uint8_t*)0x2000106f = 1; *(uint8_t*)0x20001070 = 0x81; *(uint8_t*)0x20001071 = 0x6c; *(uint8_t*)0x20001072 = 4; memcpy((void*)0x20001073, "\xde\xaf\x84\x76\xcc\x58\x55\xff\xb6\xd2\x2d\x6c\xeb\x29\x77\x34\x8b\xa8\x6d\xee\x7d\x9e\x22\xe0\xc4\x64\x77\xb0\x6c\x0d\xb5\x14\xbb\x53\x83\xa6\x2a\x40\x2c\xc6\xe0\x79\x5d\xdd\xa5\x10\xcf\x42\x38\xb2\xc6\x4b\x65\x7a\x11\x11\xef\xc0\xe4\xaa\xcf\x9e\x40\x80\x2d\xd0\xee\xb6\x9f\x27\x1c\x1e\x6f\xe0\xee\x5e\x9f\x48\x12\x28\x32\xe6\xa8\x0a\x4d\x7a\x66\x11\xe3\xfd\x2d\xca\x49\xd3\x51\x90\x8f\xf9\xa4\x8c\xa2\x0c\x78\xa6\x9c\x65", 106); *(uint8_t*)0x200010dd = 9; *(uint8_t*)0x200010de = 0x21; *(uint16_t*)0x200010df = 7; *(uint8_t*)0x200010e1 = 7; *(uint8_t*)0x200010e2 = 1; *(uint8_t*)0x200010e3 = 0x22; *(uint16_t*)0x200010e4 = 0xab5; *(uint8_t*)0x200010e6 = 9; *(uint8_t*)0x200010e7 = 5; *(uint8_t*)0x200010e8 = 0; *(uint8_t*)0x200010e9 = 0; *(uint16_t*)0x200010ea = 0x200; *(uint8_t*)0x200010ec = 4; *(uint8_t*)0x200010ed = 7; *(uint8_t*)0x200010ee = 0; *(uint8_t*)0x200010ef = 9; *(uint8_t*)0x200010f0 = 5; *(uint8_t*)0x200010f1 = 0x80; *(uint8_t*)0x200010f2 = 0xc; *(uint16_t*)0x200010f3 = 0x40; *(uint8_t*)0x200010f5 = 0; *(uint8_t*)0x200010f6 = 0x7f; *(uint8_t*)0x200010f7 = -1; *(uint8_t*)0x200010f8 = 7; *(uint8_t*)0x200010f9 = 0x25; *(uint8_t*)0x200010fa = 1; *(uint8_t*)0x200010fb = 0; *(uint8_t*)0x200010fc = 0; *(uint16_t*)0x200010fd = 0xff; *(uint8_t*)0x200010ff = 7; *(uint8_t*)0x20001100 = 0x25; *(uint8_t*)0x20001101 = 1; *(uint8_t*)0x20001102 = 2; *(uint8_t*)0x20001103 = 0xfa; *(uint16_t*)0x20001104 = 5; *(uint8_t*)0x20001106 = 9; *(uint8_t*)0x20001107 = 5; *(uint8_t*)0x20001108 = 3; *(uint8_t*)0x20001109 = 3; *(uint16_t*)0x2000110a = 0x3ff; *(uint8_t*)0x2000110c = 0x80; *(uint8_t*)0x2000110d = 0x7f; *(uint8_t*)0x2000110e = 8; *(uint8_t*)0x2000110f = 9; *(uint8_t*)0x20001110 = 5; *(uint8_t*)0x20001111 = 5; *(uint8_t*)0x20001112 = 1; *(uint16_t*)0x20001113 = 0x20; *(uint8_t*)0x20001115 = 4; *(uint8_t*)0x20001116 = 0x3c; *(uint8_t*)0x20001117 = 4; *(uint8_t*)0x20001118 = 7; *(uint8_t*)0x20001119 = 0x25; *(uint8_t*)0x2000111a = 1; *(uint8_t*)0x2000111b = 0x80; *(uint8_t*)0x2000111c = 0x40; *(uint16_t*)0x2000111d = 0x800; *(uint8_t*)0x2000111f = 9; *(uint8_t*)0x20001120 = 5; *(uint8_t*)0x20001121 = 0xd; *(uint8_t*)0x20001122 = 0; *(uint16_t*)0x20001123 = 0x20; *(uint8_t*)0x20001125 = -1; *(uint8_t*)0x20001126 = 0x14; *(uint8_t*)0x20001127 = 0x3f; *(uint8_t*)0x20001128 = 9; *(uint8_t*)0x20001129 = 5; *(uint8_t*)0x2000112a = 4; *(uint8_t*)0x2000112b = 0; *(uint16_t*)0x2000112c = 0x20; *(uint8_t*)0x2000112e = 1; *(uint8_t*)0x2000112f = 1; *(uint8_t*)0x20001130 = 0x56; *(uint8_t*)0x20001131 = 9; *(uint8_t*)0x20001132 = 5; *(uint8_t*)0x20001133 = 0xc; *(uint8_t*)0x20001134 = 0x10; *(uint16_t*)0x20001135 = 8; *(uint8_t*)0x20001137 = 1; *(uint8_t*)0x20001138 = 5; *(uint8_t*)0x20001139 = 2; *(uint8_t*)0x2000113a = 0x20; *(uint8_t*)0x2000113b = 4; memcpy((void*)0x2000113c, "\x6d\xdd\x41\x04\xce\xf7\xb1\xf7\xb2\xdd\xda\xbb\x24\xea\x94\xbe\x1e\x8a\xc9\xfb\xba\x62\xcd\x71\xc1\xa1\xcb\xfa\x4e\x73", 30); *(uint8_t*)0x2000115a = 9; *(uint8_t*)0x2000115b = 5; *(uint8_t*)0x2000115c = 7; *(uint8_t*)0x2000115d = 4; *(uint16_t*)0x2000115e = 0x10; *(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 6; *(uint8_t*)0x20001162 = 0xf8; *(uint8_t*)0x20001163 = 7; *(uint8_t*)0x20001164 = 0x25; *(uint8_t*)0x20001165 = 1; *(uint8_t*)0x20001166 = 0x80; *(uint8_t*)0x20001167 = 3; *(uint16_t*)0x20001168 = 0x8000; *(uint8_t*)0x2000116a = 0x98; *(uint8_t*)0x2000116b = 0x21; memcpy((void*)0x2000116c, "\xe7\xba\xc6\xd3\x44\x3c\xdf\xcd\xf9\xc2\x4b\x69\x78\xdb\xfb\x9d\xd1\x82\x4a\x59\x64\xcb\xfa\x0f\xe6\x42\x96\xd5\x79\x4c\x61\x59\xbc\x30\xb8\x02\xa5\x9b\x5c\x7a\x49\xb5\x34\x03\x5d\xf5\x6b\xbc\x48\x86\x52\xee\x31\xc6\x01\xd5\x32\x65\x07\x01\x6b\xd4\x45\xa1\xc0\x9d\xf2\x31\xcf\x57\x81\x19\x0d\xaa\xba\x0c\xbd\x84\xa1\x72\x64\x03\x27\xb8\xc1\xa1\xd9\x0b\xfa\xb1\x8f\x24\x96\x1f\xfe\x12\xa0\x48\x6a\x23\x9c\x79\xa2\x59\xc5\x37\x65\x26\x03\xdc\xbd\x4b\x2b\x73\x42\xae\x0d\x71\x5a\x75\x43\xf4\xd0\x8b\xb5\x57\xbd\xdc\xd3\xbc\xa8\x35\x90\xb5\x7c\x30\xee\xe2\xce\x95\xf6\xc7\x10\x2f\x64\x6a\xf8\x28\xa4\x96", 150); *(uint8_t*)0x20001202 = 9; *(uint8_t*)0x20001203 = 5; *(uint8_t*)0x20001204 = 2; *(uint8_t*)0x20001205 = 3; *(uint16_t*)0x20001206 = 0x400; *(uint8_t*)0x20001208 = 3; *(uint8_t*)0x20001209 = 2; *(uint8_t*)0x2000120a = 8; *(uint8_t*)0x2000120b = 9; *(uint8_t*)0x2000120c = 5; *(uint8_t*)0x2000120d = 6; *(uint8_t*)0x2000120e = 0x10; *(uint16_t*)0x2000120f = 0x20; *(uint8_t*)0x20001211 = -1; *(uint8_t*)0x20001212 = 4; *(uint8_t*)0x20001213 = 6; *(uint32_t*)0x20001540 = 0xa; *(uint64_t*)0x20001544 = 0x20001240; *(uint8_t*)0x20001240 = 0xa; *(uint8_t*)0x20001241 = 6; *(uint16_t*)0x20001242 = 0x300; *(uint8_t*)0x20001244 = -1; *(uint8_t*)0x20001245 = 0x81; *(uint8_t*)0x20001246 = 6; *(uint8_t*)0x20001247 = 0xf7; *(uint8_t*)0x20001248 = 0xc4; *(uint8_t*)0x20001249 = 0; *(uint32_t*)0x2000154c = 0xf; *(uint64_t*)0x20001550 = 0x20001280; *(uint8_t*)0x20001280 = 5; *(uint8_t*)0x20001281 = 0xf; *(uint16_t*)0x20001282 = 0xf; *(uint8_t*)0x20001284 = 1; *(uint8_t*)0x20001285 = 0xa; *(uint8_t*)0x20001286 = 0x10; *(uint8_t*)0x20001287 = 3; *(uint8_t*)0x20001288 = 0; *(uint16_t*)0x20001289 = 0; *(uint8_t*)0x2000128b = 8; *(uint8_t*)0x2000128c = 0x1f; *(uint16_t*)0x2000128d = 0xfff; *(uint32_t*)0x20001558 = 5; *(uint32_t*)0x2000155c = 4; *(uint64_t*)0x20001560 = 0x200012c0; *(uint8_t*)0x200012c0 = 4; *(uint8_t*)0x200012c1 = 3; *(uint16_t*)0x200012c2 = 0xc07; *(uint32_t*)0x20001568 = 0x54; *(uint64_t*)0x2000156c = 0x20001300; *(uint8_t*)0x20001300 = 0x54; *(uint8_t*)0x20001301 = 3; memcpy((void*)0x20001302, "\x32\x1d\x45\x7f\x2f\x5a\xb9\xfc\xb1\x11\x8c\x96\x06\x31\xfd\x85\xa7\x5e\xad\x82\x91\x36\xaa\x2a\x6c\xc0\x31\x14\x51\x03\x5f\xe1\x7b\x95\x6e\xb8\xfa\x52\xd4\x95\xa3\x11\xa6\xc0\x3f\x0a\xe8\x4c\x86\xf0\xed\x78\xda\xeb\xfa\x15\xdb\x7b\xc5\x78\x8c\x97\x24\xba\xf4\x58\x2d\xc0\xec\x1b\xa6\x68\x1a\x76\xb0\xa1\xbf\xc5\xde\x9d\xae\xcc", 82); *(uint32_t*)0x20001574 = 0xd3; *(uint64_t*)0x20001578 = 0x20001380; *(uint8_t*)0x20001380 = 0xd3; *(uint8_t*)0x20001381 = 3; memcpy((void*)0x20001382, "\x18\x33\x6f\xc5\x62\x3b\xa1\x41\x06\x34\xc4\x05\x0b\xcf\x3b\x48\x8e\xa4\x18\x67\xd0\x59\xdc\xdc\xd2\xc3\x68\xd8\x48\xfe\x51\x47\x32\x3c\x0b\xa4\xe5\x1d\x7c\xf2\xa3\xd1\x50\x25\x8f\x8c\xc2\x56\x9b\xd7\x9e\x95\x1e\xa9\x5a\x31\x8d\xe3\x1d\x14\x6c\x37\xa7\xcf\x71\x2f\x1f\xcd\x44\x03\x90\x85\x2c\x8d\x52\x16\xf8\xd2\x3a\x99\x18\xb0\xe0\x53\x52\x1e\xb6\x70\xad\x3e\xe0\xfb\x8a\x93\xa8\xd7\xba\xd7\x19\x9e\xeb\xe1\x2a\x3b\x02\x10\x7a\xc4\x54\x2b\xc6\x49\x79\x77\xe3\x30\x8b\x40\x7b\xf3\x64\x98\x2f\x4f\xc9\xc3\x30\xf9\xa7\x5c\xcb\x65\xc8\x68\x8d\x5c\x24\x7a\xd0\x6c\x20\xcc\xf0\x14\x65\xe3\xab\x09\xfc\x77\x7f\x73\x47\x4c\x2c\xd0\x53\xb8\x48\xad\x32\x55\xb5\xad\xc8\x1e\x03\x3d\x2a\x0f\xac\x50\x61\xea\x52\xda\xcf\x46\xe8\x8e\x8c\x2e\x38\x8d\xeb\x91\xd2\xd9\xfc\x12\x42\x55\x90\x93\x36\x41\x8e\x74\x3b\xda\x4c\xb4\xf7\x3c\x6b\x75\xaf\x9a\x9b", 209); *(uint32_t*)0x20001580 = 4; *(uint64_t*)0x20001584 = 0x20001480; *(uint8_t*)0x20001480 = 4; *(uint8_t*)0x20001481 = 3; *(uint16_t*)0x20001482 = 0x42b; *(uint32_t*)0x2000158c = 0x5a; *(uint64_t*)0x20001590 = 0x200014c0; *(uint8_t*)0x200014c0 = 0x5a; *(uint8_t*)0x200014c1 = 3; memcpy((void*)0x200014c2, "\x4d\x85\xf3\x14\x20\xff\x1c\xed\xa2\x5d\x11\x8d\x33\xa6\xeb\xbc\xe8\x88\xc1\x2d\x90\xeb\x54\xc8\x27\xd1\x49\xc8\xdc\xbd\x99\xf3\x89\x3b\x35\xd1\xda\x6c\x77\x6b\x1b\x5d\x08\x4b\x30\x8c\xdf\x93\x47\x41\x67\xf2\x66\x19\x9f\x44\x0a\x03\xfc\x3e\x34\x38\x03\x1b\x87\x25\xdd\xe6\x02\x9a\x62\x9c\x08\x43\xbe\xdf\x04\x8b\x84\x09\xb1\x53\xf9\x03\xd6\x57\xd2\x2b", 88); res = -1; res = syz_usb_connect(6, 0x714, 0x20000b00, 0x20001540); if (res != -1) r[10] = res; break; case 33: *(uint8_t*)0x200015c0 = 0x12; *(uint8_t*)0x200015c1 = 1; *(uint16_t*)0x200015c2 = 0x200; *(uint8_t*)0x200015c4 = -1; *(uint8_t*)0x200015c5 = -1; *(uint8_t*)0x200015c6 = -1; *(uint8_t*)0x200015c7 = 0x40; *(uint16_t*)0x200015c8 = 0xcf3; *(uint16_t*)0x200015ca = 0x9271; *(uint16_t*)0x200015cc = 0x108; *(uint8_t*)0x200015ce = 1; *(uint8_t*)0x200015cf = 2; *(uint8_t*)0x200015d0 = 3; *(uint8_t*)0x200015d1 = 1; *(uint8_t*)0x200015d2 = 9; *(uint8_t*)0x200015d3 = 2; *(uint16_t*)0x200015d4 = 0x48; *(uint8_t*)0x200015d6 = 1; *(uint8_t*)0x200015d7 = 1; *(uint8_t*)0x200015d8 = 0; *(uint8_t*)0x200015d9 = 0x80; *(uint8_t*)0x200015da = 0xfa; *(uint8_t*)0x200015db = 9; *(uint8_t*)0x200015dc = 4; *(uint8_t*)0x200015dd = 0; *(uint8_t*)0x200015de = 0; *(uint8_t*)0x200015df = 6; *(uint8_t*)0x200015e0 = -1; *(uint8_t*)0x200015e1 = 0; *(uint8_t*)0x200015e2 = 0; *(uint8_t*)0x200015e3 = 0; *(uint8_t*)0x200015e4 = 9; *(uint8_t*)0x200015e5 = 5; *(uint8_t*)0x200015e6 = 1; *(uint8_t*)0x200015e7 = 2; *(uint16_t*)0x200015e8 = 0x200; *(uint8_t*)0x200015ea = 0; *(uint8_t*)0x200015eb = 0; *(uint8_t*)0x200015ec = 0; *(uint8_t*)0x200015ed = 9; *(uint8_t*)0x200015ee = 5; *(uint8_t*)0x200015ef = 0x82; *(uint8_t*)0x200015f0 = 2; *(uint16_t*)0x200015f1 = 0x200; *(uint8_t*)0x200015f3 = 0; *(uint8_t*)0x200015f4 = 0; *(uint8_t*)0x200015f5 = 0; *(uint8_t*)0x200015f6 = 9; *(uint8_t*)0x200015f7 = 5; *(uint8_t*)0x200015f8 = 0x83; *(uint8_t*)0x200015f9 = 3; *(uint16_t*)0x200015fa = 0x40; *(uint8_t*)0x200015fc = 1; *(uint8_t*)0x200015fd = 0; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 9; *(uint8_t*)0x20001600 = 5; *(uint8_t*)0x20001601 = 4; *(uint8_t*)0x20001602 = 3; *(uint16_t*)0x20001603 = 0x40; *(uint8_t*)0x20001605 = 1; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 9; *(uint8_t*)0x20001609 = 5; *(uint8_t*)0x2000160a = 5; *(uint8_t*)0x2000160b = 2; *(uint16_t*)0x2000160c = 0x200; *(uint8_t*)0x2000160e = 0; *(uint8_t*)0x2000160f = 0; *(uint8_t*)0x20001610 = 0; *(uint8_t*)0x20001611 = 9; *(uint8_t*)0x20001612 = 5; *(uint8_t*)0x20001613 = 6; *(uint8_t*)0x20001614 = 2; *(uint16_t*)0x20001615 = 0x200; *(uint8_t*)0x20001617 = 0; *(uint8_t*)0x20001618 = 0; *(uint8_t*)0x20001619 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200015c0, 0); if (res != -1) r[11] = res; break; case 34: *(uint32_t*)0x200017c0 = 0x2c; *(uint64_t*)0x200017c4 = 0x20001640; *(uint8_t*)0x20001640 = 0; *(uint8_t*)0x20001641 = 0x24; *(uint32_t*)0x20001642 = 0x5e; *(uint8_t*)0x20001646 = 0x5e; *(uint8_t*)0x20001647 = 9; memcpy((void*)0x20001648, "\x50\xd3\x39\x2d\x02\xeb\xd2\x29\x33\x8b\x7e\x71\x70\xb9\x84\xd0\x49\x07\xf9\xce\xe9\x84\xf8\x3f\x84\xc9\x51\x8b\x9d\xd9\x17\x85\xfe\x2d\x66\xe1\x04\x26\xff\x86\xd8\xe7\xd6\x63\x53\x83\x06\x24\x01\x71\x79\x0d\x7f\x77\x66\x64\xbd\xfd\x68\xd3\xdf\x43\xcd\xf6\xd0\xe3\xab\x3d\x2a\x62\x95\x30\x92\xa2\xd7\xce\x2f\xcd\xfe\x2c\xf5\x00\x26\x86\x9a\x4b\xcd\x06\x6a\xf9\xdd\xbd", 92); *(uint64_t*)0x200017cc = 0x200016c0; *(uint8_t*)0x200016c0 = 0; *(uint8_t*)0x200016c1 = 3; *(uint32_t*)0x200016c2 = 4; *(uint8_t*)0x200016c6 = 4; *(uint8_t*)0x200016c7 = 3; *(uint16_t*)0x200016c8 = 0x449; *(uint64_t*)0x200017d4 = 0x20001700; *(uint8_t*)0x20001700 = 0; *(uint8_t*)0x20001701 = 0xf; *(uint32_t*)0x20001702 = 0x19; *(uint8_t*)0x20001706 = 5; *(uint8_t*)0x20001707 = 0xf; *(uint16_t*)0x20001708 = 0x19; *(uint8_t*)0x2000170a = 1; *(uint8_t*)0x2000170b = 0x14; *(uint8_t*)0x2000170c = 0x10; *(uint8_t*)0x2000170d = 4; *(uint8_t*)0x2000170e = 0x3f; memcpy((void*)0x2000170f, "\x0f\xf6\x11\x98\x8b\x42\x04\x3b\xdd\x16\xf1\x8b\x9b\x82\xf6\xcf", 16); *(uint64_t*)0x200017dc = 0x20001740; *(uint8_t*)0x20001740 = 0x20; *(uint8_t*)0x20001741 = 0x29; *(uint32_t*)0x20001742 = 0xf; *(uint8_t*)0x20001746 = 0xf; *(uint8_t*)0x20001747 = 0x29; *(uint8_t*)0x20001748 = 0; *(uint16_t*)0x20001749 = 0; *(uint8_t*)0x2000174b = 9; *(uint8_t*)0x2000174c = 0x68; memcpy((void*)0x2000174d, "\x60\xc5\x11\xfa", 4); memcpy((void*)0x20001751, "\x23\xe3\xf5\x32", 4); *(uint64_t*)0x200017e4 = 0x20001780; *(uint8_t*)0x20001780 = 0x20; *(uint8_t*)0x20001781 = 0x2a; *(uint32_t*)0x20001782 = 0xc; *(uint8_t*)0x20001786 = 0xc; *(uint8_t*)0x20001787 = 0x2a; *(uint8_t*)0x20001788 = 5; *(uint16_t*)0x20001789 = 0; *(uint8_t*)0x2000178b = 2; *(uint8_t*)0x2000178c = 7; *(uint8_t*)0x2000178d = 8; *(uint16_t*)0x2000178e = 5; *(uint16_t*)0x20001790 = 0x200; *(uint32_t*)0x20001c80 = 0x84; *(uint64_t*)0x20001c84 = 0x20001800; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0x16; *(uint32_t*)0x20001802 = 0x92; memcpy((void*)0x20001806, "\xe4\x9c\x4e\x0f\xdf\x52\x1d\x4b\xb8\x3a\x1c\x78\xb9\xb6\xf3\x2e\xb6\xe3\x8f\xba\x14\x32\x72\x7c\x39\x17\x49\x72\x7c\x41\x81\x5d\xc3\xfc\x41\x93\xcf\x0f\xc2\x47\xb3\x2c\x61\xdd\x80\xf2\x66\x29\xd7\xcf\x71\x4f\xc0\x80\x15\x77\x01\x40\x5e\x55\xe4\xd1\xae\x2b\x75\x8c\x66\x82\x10\x44\xd2\xe8\x09\x4f\x1b\xd7\x5c\xcf\x96\x00\x45\x47\x26\xe5\xdf\x97\x64\x08\x2d\x53\x70\x12\xad\x6f\xa0\x0a\x11\xbf\x54\x6f\x5d\x86\xaf\x48\x2a\x8f\x0b\x05\x74\x28\x7a\x4c\x56\x40\xbd\x1a\x22\x5a\x60\xd1\x96\x1c\xd5\x6b\x3b\x48\xcf\x69\xd7\x76\xcd\x8b\xba\xc5\xdc\x15\x44\xbf\x6b\x94\xb3\x51\x93\x83\xf9\xc5", 146); *(uint64_t*)0x20001c8c = 0x200018c0; *(uint8_t*)0x200018c0 = 0; *(uint8_t*)0x200018c1 = 0xa; *(uint32_t*)0x200018c2 = 1; *(uint8_t*)0x200018c6 = 0xea; *(uint64_t*)0x20001c94 = 0x20001900; *(uint8_t*)0x20001900 = 0; *(uint8_t*)0x20001901 = 8; *(uint32_t*)0x20001902 = 1; *(uint8_t*)0x20001906 = 0xc0; *(uint64_t*)0x20001c9c = 0x20001940; *(uint8_t*)0x20001940 = 0x20; *(uint8_t*)0x20001941 = 0; *(uint32_t*)0x20001942 = 4; *(uint16_t*)0x20001946 = 3; *(uint16_t*)0x20001948 = 0xc065; *(uint64_t*)0x20001ca4 = 0x20001980; *(uint8_t*)0x20001980 = 0x20; *(uint8_t*)0x20001981 = 0; *(uint32_t*)0x20001982 = 8; *(uint16_t*)0x20001986 = 0x200; *(uint16_t*)0x20001988 = 2; *(uint32_t*)0x2000198a = 0; *(uint64_t*)0x20001cac = 0x200019c0; *(uint8_t*)0x200019c0 = 0x40; *(uint8_t*)0x200019c1 = 7; *(uint32_t*)0x200019c2 = 2; *(uint16_t*)0x200019c6 = 0; *(uint64_t*)0x20001cb4 = 0x20001a00; *(uint8_t*)0x20001a00 = 0x40; *(uint8_t*)0x20001a01 = 9; *(uint32_t*)0x20001a02 = 1; *(uint8_t*)0x20001a06 = 7; *(uint64_t*)0x20001cbc = 0x20001a40; *(uint8_t*)0x20001a40 = 0x40; *(uint8_t*)0x20001a41 = 0xb; *(uint32_t*)0x20001a42 = 2; memcpy((void*)0x20001a46, ",e", 2); *(uint64_t*)0x20001cc4 = 0x20001a80; *(uint8_t*)0x20001a80 = 0x40; *(uint8_t*)0x20001a81 = 0xf; *(uint32_t*)0x20001a82 = 2; *(uint16_t*)0x20001a86 = 0xa; *(uint64_t*)0x20001ccc = 0x20001ac0; *(uint8_t*)0x20001ac0 = 0x40; *(uint8_t*)0x20001ac1 = 0x13; *(uint32_t*)0x20001ac2 = 6; memcpy((void*)0x20001ac6, "\xcb\xa5\xd8\xd5\x17\x87", 6); *(uint64_t*)0x20001cd4 = 0x20001b00; *(uint8_t*)0x20001b00 = 0x40; *(uint8_t*)0x20001b01 = 0x17; *(uint32_t*)0x20001b02 = 6; *(uint8_t*)0x20001b06 = 0xaa; *(uint8_t*)0x20001b07 = 0xaa; *(uint8_t*)0x20001b08 = 0xaa; *(uint8_t*)0x20001b09 = 0xaa; *(uint8_t*)0x20001b0a = 0xaa; *(uint8_t*)0x20001b0b = 0x1b; *(uint64_t*)0x20001cdc = 0x20001b40; *(uint8_t*)0x20001b40 = 0x40; *(uint8_t*)0x20001b41 = 0x19; *(uint32_t*)0x20001b42 = 2; memcpy((void*)0x20001b46, "\x09\xef", 2); *(uint64_t*)0x20001ce4 = 0x20001b80; *(uint8_t*)0x20001b80 = 0x40; *(uint8_t*)0x20001b81 = 0x1a; *(uint32_t*)0x20001b82 = 2; *(uint16_t*)0x20001b86 = 0x200; *(uint64_t*)0x20001cec = 0x20001bc0; *(uint8_t*)0x20001bc0 = 0x40; *(uint8_t*)0x20001bc1 = 0x1c; *(uint32_t*)0x20001bc2 = 1; *(uint8_t*)0x20001bc6 = 0x20; *(uint64_t*)0x20001cf4 = 0x20001c00; *(uint8_t*)0x20001c00 = 0x40; *(uint8_t*)0x20001c01 = 0x1e; *(uint32_t*)0x20001c02 = 1; *(uint8_t*)0x20001c06 = 0x81; *(uint64_t*)0x20001cfc = 0x20001c40; *(uint8_t*)0x20001c40 = 0x40; *(uint8_t*)0x20001c41 = 0x21; *(uint32_t*)0x20001c42 = 1; *(uint8_t*)0x20001c46 = 0x40; syz_usb_control_io(r[11], 0x200017c0, 0x20001c80); break; case 35: *(uint8_t*)0x20001d40 = 0x12; *(uint8_t*)0x20001d41 = 1; *(uint16_t*)0x20001d42 = 0x300; *(uint8_t*)0x20001d44 = 0; *(uint8_t*)0x20001d45 = 0; *(uint8_t*)0x20001d46 = 0; *(uint8_t*)0x20001d47 = 0x40; *(uint16_t*)0x20001d48 = 0x1d6b; *(uint16_t*)0x20001d4a = 0x101; *(uint16_t*)0x20001d4c = 0x40; *(uint8_t*)0x20001d4e = 1; *(uint8_t*)0x20001d4f = 2; *(uint8_t*)0x20001d50 = 3; *(uint8_t*)0x20001d51 = 1; *(uint8_t*)0x20001d52 = 9; *(uint8_t*)0x20001d53 = 2; *(uint16_t*)0x20001d54 = 0xa4; *(uint8_t*)0x20001d56 = 3; *(uint8_t*)0x20001d57 = 1; *(uint8_t*)0x20001d58 = 8; *(uint8_t*)0x20001d59 = 0x80; *(uint8_t*)0x20001d5a = 0x1f; *(uint8_t*)0x20001d5b = 9; *(uint8_t*)0x20001d5c = 4; *(uint8_t*)0x20001d5d = 0; *(uint8_t*)0x20001d5e = 0; *(uint8_t*)0x20001d5f = 0; *(uint8_t*)0x20001d60 = 1; *(uint8_t*)0x20001d61 = 1; *(uint8_t*)0x20001d62 = 0; *(uint8_t*)0x20001d63 = 0; *(uint8_t*)0x20001d64 = 0xa; *(uint8_t*)0x20001d65 = 0x24; *(uint8_t*)0x20001d66 = 1; *(uint16_t*)0x20001d67 = 0x7f; *(uint8_t*)0x20001d69 = 0x24; *(uint8_t*)0x20001d6a = 2; *(uint8_t*)0x20001d6b = 1; *(uint8_t*)0x20001d6c = 2; *(uint8_t*)0x20001d6d = 0xb; *(uint8_t*)0x20001d6e = 0x24; *(uint8_t*)0x20001d6f = 4; *(uint8_t*)0x20001d70 = 3; *(uint8_t*)0x20001d71 = 0x3f; memcpy((void*)0x20001d72, "\xe3\xa7\xba\x11\xb7\x73", 6); *(uint8_t*)0x20001d78 = 0xc; *(uint8_t*)0x20001d79 = 0x24; *(uint8_t*)0x20001d7a = 2; *(uint8_t*)0x20001d7b = 4; *(uint16_t*)0x20001d7c = 0x203; *(uint8_t*)0x20001d7e = 1; *(uint8_t*)0x20001d7f = 2; *(uint16_t*)0x20001d80 = 7; *(uint8_t*)0x20001d82 = 0xfd; *(uint8_t*)0x20001d83 = 0; *(uint8_t*)0x20001d84 = 7; *(uint8_t*)0x20001d85 = 0x24; *(uint8_t*)0x20001d86 = 8; *(uint8_t*)0x20001d87 = 2; *(uint16_t*)0x20001d88 = 4; *(uint8_t*)0x20001d8a = 0x40; *(uint8_t*)0x20001d8b = 9; *(uint8_t*)0x20001d8c = 0x24; *(uint8_t*)0x20001d8d = 3; *(uint8_t*)0x20001d8e = 2; *(uint16_t*)0x20001d8f = 0x101; *(uint8_t*)0x20001d91 = 4; *(uint8_t*)0x20001d92 = 4; *(uint8_t*)0x20001d93 = 5; *(uint8_t*)0x20001d94 = 9; *(uint8_t*)0x20001d95 = 4; *(uint8_t*)0x20001d96 = 1; *(uint8_t*)0x20001d97 = 0; *(uint8_t*)0x20001d98 = 0; *(uint8_t*)0x20001d99 = 1; *(uint8_t*)0x20001d9a = 2; *(uint8_t*)0x20001d9b = 0; *(uint8_t*)0x20001d9c = 0; *(uint8_t*)0x20001d9d = 9; *(uint8_t*)0x20001d9e = 4; *(uint8_t*)0x20001d9f = 1; *(uint8_t*)0x20001da0 = 1; *(uint8_t*)0x20001da1 = 1; *(uint8_t*)0x20001da2 = 1; *(uint8_t*)0x20001da3 = 2; *(uint8_t*)0x20001da4 = 0; *(uint8_t*)0x20001da5 = 0; *(uint8_t*)0x20001da6 = 9; *(uint8_t*)0x20001da7 = 5; *(uint8_t*)0x20001da8 = 1; *(uint8_t*)0x20001da9 = 9; *(uint16_t*)0x20001daa = 0x200; *(uint8_t*)0x20001dac = 0xfc; *(uint8_t*)0x20001dad = 9; *(uint8_t*)0x20001dae = 7; *(uint8_t*)0x20001daf = 7; *(uint8_t*)0x20001db0 = 0x25; *(uint8_t*)0x20001db1 = 1; *(uint8_t*)0x20001db2 = 0; *(uint8_t*)0x20001db3 = 2; *(uint16_t*)0x20001db4 = 8; *(uint8_t*)0x20001db6 = 9; *(uint8_t*)0x20001db7 = 4; *(uint8_t*)0x20001db8 = 2; *(uint8_t*)0x20001db9 = 0; *(uint8_t*)0x20001dba = 0; *(uint8_t*)0x20001dbb = 1; *(uint8_t*)0x20001dbc = 2; *(uint8_t*)0x20001dbd = 0; *(uint8_t*)0x20001dbe = 0; *(uint8_t*)0x20001dbf = 9; *(uint8_t*)0x20001dc0 = 4; *(uint8_t*)0x20001dc1 = 2; *(uint8_t*)0x20001dc2 = 1; *(uint8_t*)0x20001dc3 = 1; *(uint8_t*)0x20001dc4 = 1; *(uint8_t*)0x20001dc5 = 2; *(uint8_t*)0x20001dc6 = 0; *(uint8_t*)0x20001dc7 = 0; *(uint8_t*)0x20001dc8 = 0x12; *(uint8_t*)0x20001dc9 = 0x24; *(uint8_t*)0x20001dca = 2; *(uint8_t*)0x20001dcb = 2; *(uint16_t*)0x20001dcc = 8; *(uint16_t*)0x20001dce = 7; *(uint8_t*)0x20001dd0 = -1; memcpy((void*)0x20001dd1, "\x6c\xce\x23\xa5\x1a\x59\x66\x0a\x8a", 9); *(uint8_t*)0x20001dda = 0xc; *(uint8_t*)0x20001ddb = 0x24; *(uint8_t*)0x20001ddc = 2; *(uint8_t*)0x20001ddd = 1; *(uint8_t*)0x20001dde = 7; *(uint8_t*)0x20001ddf = 2; *(uint8_t*)0x20001de0 = 0xd6; *(uint8_t*)0x20001de1 = 0x40; memcpy((void*)0x20001de2, "\xa5\xe2\x12", 3); memcpy((void*)0x20001de5, "l", 1); *(uint8_t*)0x20001de6 = 9; *(uint8_t*)0x20001de7 = 5; *(uint8_t*)0x20001de8 = 0x82; *(uint8_t*)0x20001de9 = 9; *(uint16_t*)0x20001dea = 0x3ff; *(uint8_t*)0x20001dec = 3; *(uint8_t*)0x20001ded = 0; *(uint8_t*)0x20001dee = 0xac; *(uint8_t*)0x20001def = 7; *(uint8_t*)0x20001df0 = 0x25; *(uint8_t*)0x20001df1 = 1; *(uint8_t*)0x20001df2 = 3; *(uint8_t*)0x20001df3 = 4; *(uint16_t*)0x20001df4 = 5; *(uint32_t*)0x20001f40 = 0xa; *(uint64_t*)0x20001f44 = 0x20001e00; *(uint8_t*)0x20001e00 = 0xa; *(uint8_t*)0x20001e01 = 6; *(uint16_t*)0x20001e02 = 0x200; *(uint8_t*)0x20001e04 = -1; *(uint8_t*)0x20001e05 = 2; *(uint8_t*)0x20001e06 = 7; *(uint8_t*)0x20001e07 = 0x10; *(uint8_t*)0x20001e08 = 6; *(uint8_t*)0x20001e09 = 0; *(uint32_t*)0x20001f4c = 5; *(uint64_t*)0x20001f50 = 0x20001e40; *(uint8_t*)0x20001e40 = 5; *(uint8_t*)0x20001e41 = 0xf; *(uint16_t*)0x20001e42 = 5; *(uint8_t*)0x20001e44 = 0; *(uint32_t*)0x20001f58 = 2; *(uint32_t*)0x20001f5c = 0x52; *(uint64_t*)0x20001f60 = 0x20001e80; *(uint8_t*)0x20001e80 = 0x52; *(uint8_t*)0x20001e81 = 3; memcpy((void*)0x20001e82, "\x4b\xcf\xbc\x74\x9d\x26\xd0\xfb\xc2\x0c\x2e\x20\x2a\x04\x2e\x8b\xb1\x67\xca\xdf\x5c\x2b\xcd\xbd\x07\xdd\xe6\x67\x1d\xa7\xdd\x40\x03\x06\xb2\x6f\x22\x0f\xef\x4a\x33\x97\xf0\xa9\x5a\x4b\x8c\xa5\xba\xfd\x5a\x4f\xa8\xb9\x9d\x24\x50\x5f\x7a\x27\xac\x07\xa1\x6b\xbb\x02\xd5\x24\xc0\xbb\xfa\x3a\xf8\xe3\x18\xdf\x58\xfe\xb1\x43", 80); *(uint32_t*)0x20001f68 = 4; *(uint64_t*)0x20001f6c = 0x20001f00; *(uint8_t*)0x20001f00 = 4; *(uint8_t*)0x20001f01 = 3; *(uint16_t*)0x20001f02 = 0x807; res = -1; res = syz_usb_connect(6, 0xb6, 0x20001d40, 0x20001f40); if (res != -1) r[12] = res; break; case 36: syz_usb_disconnect(r[12]); break; case 37: syz_usb_ep_read(r[10], 6, 0xd6, 0x20001f80); break; case 38: *(uint8_t*)0x20002080 = 0x12; *(uint8_t*)0x20002081 = 1; *(uint16_t*)0x20002082 = 0x110; *(uint8_t*)0x20002084 = 2; *(uint8_t*)0x20002085 = 0; *(uint8_t*)0x20002086 = 0; *(uint8_t*)0x20002087 = -1; *(uint16_t*)0x20002088 = 0x525; *(uint16_t*)0x2000208a = 0xa4a1; *(uint16_t*)0x2000208c = 0x40; *(uint8_t*)0x2000208e = 1; *(uint8_t*)0x2000208f = 2; *(uint8_t*)0x20002090 = 3; *(uint8_t*)0x20002091 = 1; *(uint8_t*)0x20002092 = 9; *(uint8_t*)0x20002093 = 2; *(uint16_t*)0x20002094 = 0x3d; *(uint8_t*)0x20002096 = 1; *(uint8_t*)0x20002097 = 1; *(uint8_t*)0x20002098 = 9; *(uint8_t*)0x20002099 = 0xc0; *(uint8_t*)0x2000209a = 0xb3; *(uint8_t*)0x2000209b = 9; *(uint8_t*)0x2000209c = 4; *(uint8_t*)0x2000209d = 0; *(uint8_t*)0x2000209e = 8; *(uint8_t*)0x2000209f = 3; *(uint8_t*)0x200020a0 = 2; *(uint8_t*)0x200020a1 = 6; *(uint8_t*)0x200020a2 = 0; *(uint8_t*)0x200020a3 = 1; *(uint8_t*)0x200020a4 = 7; *(uint8_t*)0x200020a5 = 0x24; *(uint8_t*)0x200020a6 = 6; *(uint8_t*)0x200020a7 = 0; *(uint8_t*)0x200020a8 = 0; memcpy((void*)0x200020a9, "\x93\xb5", 2); *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 0x24; *(uint8_t*)0x200020ad = 0; *(uint16_t*)0x200020ae = 1; *(uint8_t*)0x200020b0 = 0xd; *(uint8_t*)0x200020b1 = 0x24; *(uint8_t*)0x200020b2 = 0xf; *(uint8_t*)0x200020b3 = 1; *(uint32_t*)0x200020b4 = 5; *(uint16_t*)0x200020b8 = 0xdf0; *(uint16_t*)0x200020ba = 0xa5e2; *(uint8_t*)0x200020bc = -1; *(uint8_t*)0x200020bd = 9; *(uint8_t*)0x200020be = 5; *(uint8_t*)0x200020bf = 0x82; *(uint8_t*)0x200020c0 = 2; *(uint16_t*)0x200020c1 = 0x40; *(uint8_t*)0x200020c3 = 0; *(uint8_t*)0x200020c4 = 0x40; *(uint8_t*)0x200020c5 = 0x20; *(uint8_t*)0x200020c6 = 9; *(uint8_t*)0x200020c7 = 5; *(uint8_t*)0x200020c8 = 3; *(uint8_t*)0x200020c9 = 2; *(uint16_t*)0x200020ca = 8; *(uint8_t*)0x200020cc = 0x20; *(uint8_t*)0x200020cd = -1; *(uint8_t*)0x200020ce = 4; *(uint32_t*)0x20002640 = 0xa; *(uint64_t*)0x20002644 = 0x20002100; *(uint8_t*)0x20002100 = 0xa; *(uint8_t*)0x20002101 = 6; *(uint16_t*)0x20002102 = 0x250; *(uint8_t*)0x20002104 = 0; *(uint8_t*)0x20002105 = 0x81; *(uint8_t*)0x20002106 = 0x20; *(uint8_t*)0x20002107 = 0x20; *(uint8_t*)0x20002108 = 3; *(uint8_t*)0x20002109 = 0; *(uint32_t*)0x2000264c = 5; *(uint64_t*)0x20002650 = 0x20002140; *(uint8_t*)0x20002140 = 5; *(uint8_t*)0x20002141 = 0xf; *(uint16_t*)0x20002142 = 5; *(uint8_t*)0x20002144 = 0; *(uint32_t*)0x20002658 = 8; *(uint32_t*)0x2000265c = 0xcd; *(uint64_t*)0x20002660 = 0x20002180; *(uint8_t*)0x20002180 = 0xcd; *(uint8_t*)0x20002181 = 3; memcpy((void*)0x20002182, "\x2e\x83\x3d\xbc\x02\x86\x82\x12\xd3\xec\x73\x52\xfb\x0d\xe8\xa0\x5e\xcf\x66\x18\x59\xde\xbe\x23\xba\x73\x5f\xb9\x0a\x26\x85\x3e\x0d\x4c\x9b\xfc\xeb\xac\x70\xce\x40\x53\x9a\x98\xcf\x89\x47\xe0\x6b\xb7\x5d\xe0\xa9\x20\x5e\x0b\x79\x1c\xb4\xf9\xe7\xaa\x0a\xe1\x14\x9e\x93\x94\xff\xef\x26\x6f\x96\xe0\xc7\x5a\xb7\x28\xca\xdb\xc3\x12\x57\x0e\xfe\xd7\x37\x09\x0a\x62\x51\xc0\x9e\x1a\x5d\x38\xa0\xc6\xf1\xec\x4a\xe0\x55\x86\x3d\x69\xe4\xdc\xf3\x6d\x97\x4d\x2b\xe3\xe4\x87\xc7\xd2\xf1\xdb\x21\x61\xe9\x3b\x7d\x15\x2c\xe0\x46\xf0\x30\xb3\x6d\x08\x32\x89\xed\xdd\x71\x05\xed\x8e\xae\xd4\x9f\x71\x10\x17\xba\xab\xde\x9d\x5f\x01\xcd\x47\x38\x50\x3d\x32\x26\x69\x55\x4f\xcf\x3b\x5a\x65\xb0\x51\x97\x33\xb0\x7a\x7f\x3c\xff\xdc\x92\xb0\x38\x2c\x66\x12\x0c\x41\xaa\xe8\x85\x68\xc7\x52\xf7\x9d\x50\x1f\xd4\xda\x58\xe6\x87\x9e\x7e", 203); *(uint32_t*)0x20002668 = 4; *(uint64_t*)0x2000266c = 0x20002280; *(uint8_t*)0x20002280 = 4; *(uint8_t*)0x20002281 = 3; *(uint16_t*)0x20002282 = 0x3c0a; *(uint32_t*)0x20002674 = 4; *(uint64_t*)0x20002678 = 0x200022c0; *(uint8_t*)0x200022c0 = 4; *(uint8_t*)0x200022c1 = 3; *(uint16_t*)0x200022c2 = 0x3801; *(uint32_t*)0x20002680 = 0x1f; *(uint64_t*)0x20002684 = 0x20002300; *(uint8_t*)0x20002300 = 0x1f; *(uint8_t*)0x20002301 = 3; memcpy((void*)0x20002302, "\xa6\x70\xc3\x58\x2d\x38\x96\x7a\xc4\x85\x45\x5e\x8a\x40\xac\xb6\xf5\xdf\x24\xab\x49\xa4\xc6\xbb\x43\xd5\x84\xed\xf7", 29); *(uint32_t*)0x2000268c = 4; *(uint64_t*)0x20002690 = 0x20002340; *(uint8_t*)0x20002340 = 4; *(uint8_t*)0x20002341 = 3; *(uint16_t*)0x20002342 = 0x44f; *(uint32_t*)0x20002698 = 0xe1; *(uint64_t*)0x2000269c = 0x20002380; *(uint8_t*)0x20002380 = 0xe1; *(uint8_t*)0x20002381 = 3; memcpy((void*)0x20002382, "\xbe\x2c\xe1\x8f\xae\x6d\xa9\xf1\xaa\x4b\x97\x21\x97\xbe\x7a\x6c\xe4\xb2\x83\xc3\xe0\x02\x7e\x6d\xa1\x3d\x86\x39\xf6\x74\xea\x9c\x64\x28\x9b\x33\xc0\xe1\x43\x5b\x7c\x16\x54\xa5\x69\x12\x7b\x26\xad\x53\x77\x4f\x2b\x6b\x20\x57\x9f\xac\x6f\xaf\xfe\x12\x94\x9e\xe4\xb0\xd3\xcd\x2d\x89\x0c\xff\x2d\x7e\x9b\xb4\x3b\x60\x2a\x39\x4e\xfd\x49\x75\x18\x4f\x7e\xec\xab\x16\xa3\xf1\x87\xca\xb4\xc2\xca\x01\xac\x5b\xc9\xc5\x5c\x8b\xb9\x81\x32\x3d\x91\x9f\x77\x35\x5b\x3c\xe7\x42\x8d\xa6\x2a\xf8\x0c\x76\xb1\x85\xe1\x0a\xc7\xb1\xcc\x95\x0e\xcc\x71\x5c\x3e\x0a\x1e\x14\x23\x11\xb6\x29\x41\xe0\x62\x91\xb3\x0d\x2d\x3c\x7d\x46\x8d\xfb\xe2\x83\xc9\x1f\xc0\x83\x3d\xb0\x68\xe7\xbf\x39\x7c\x23\x35\x75\x79\x02\x29\xce\x51\x3b\xbd\xc4\x38\x7d\x81\xb3\x02\x7e\xf6\x8b\x20\xde\x25\xd9\xf1\xff\x32\xb9\x5c\xba\x44\x3b\x9e\x7f\xba\x49\x91\x43\xe8\x41\xa6\x19\x0c\x6e\xcb\x29\x06\xfe\x42\x30\xf8\x39\xba\x8c\x3c\x73\xea", 223); *(uint32_t*)0x200026a4 = 0xc1; *(uint64_t*)0x200026a8 = 0x20002480; *(uint8_t*)0x20002480 = 0xc1; *(uint8_t*)0x20002481 = 3; memcpy((void*)0x20002482, "\xf1\x7d\xb2\xea\x26\xd9\x0b\xa9\x3d\x1d\xbd\x3d\x94\x82\x88\x21\x72\xcc\x15\x8b\x4c\xc4\x3c\x36\xd1\x2b\xb9\x4e\x06\xfc\x7a\xba\x0d\x96\xba\x62\xa3\x8b\x39\xb7\x7b\xb6\x6a\x8b\x4b\xa6\xfe\x26\x0c\x87\x74\x64\xdc\x10\x12\x44\x9a\x3a\x6a\xb5\xb8\x0e\x66\x7a\x3a\x01\xdb\x8d\xd1\xdc\x34\x68\xb0\xd7\x28\x93\xad\xf2\x5b\xd1\xa7\xb9\xdc\xdd\xf5\x69\x12\x2a\x73\x02\x6b\x76\xfd\x0e\x25\xd7\x44\x0c\xa5\xdb\x63\x5b\x3f\xc9\x01\x3f\xd7\x90\x99\xa7\xd7\xe8\x1d\xb8\x74\x5b\xc9\xd0\xa6\xc9\x38\x79\x1d\x2c\xbf\xd1\x0f\x1c\x62\x8c\xa1\x7a\xf9\x93\xb7\x02\xc1\xed\xe3\x0d\xa1\x88\x25\x67\xce\x28\x7f\x66\xb2\x3e\xbf\x40\x8a\x2d\x9c\x63\xe1\xcb\x0b\x27\x95\x27\x3e\xfa\x81\x53\x56\x1c\x3c\x3e\xeb\x71\xd1\x2a\xa0\x87\xe9\x25\x55\x26\xb5\x28\xf5\x38\xaf\x4a\xbd\x41\xcf\x89\x01", 191); *(uint32_t*)0x200026b0 = 0xc0; *(uint64_t*)0x200026b4 = 0x20002580; *(uint8_t*)0x20002580 = 0xc0; *(uint8_t*)0x20002581 = 3; memcpy((void*)0x20002582, "\x6f\x57\xd6\xa5\x96\x20\x2e\xbf\x5a\x75\xb9\x72\x49\x11\xf9\x1a\x3d\x92\xae\x1a\xc8\x1a\xbb\x9c\x1b\x13\x4a\x76\xe6\x65\x90\xf6\xeb\x8d\xd8\x4c\xc1\x09\x60\xb8\xd2\x23\x94\x7d\x1c\x2e\x77\x1b\x94\xe7\x29\xd8\x34\x18\xf4\x14\x21\x3f\xf8\xb9\x06\x77\x03\x30\xbe\xa7\x0e\x59\xfe\x4d\x8b\xa5\x37\xfb\xcf\xd3\xc4\xbf\xc4\xea\x3b\x64\x0c\x31\x12\x92\x6d\x8c\x78\xee\xe8\x39\x72\x09\x00\xc5\x05\xcc\x01\x3c\x12\x63\xdc\xf2\x7b\x6c\x0f\x87\xfc\xb8\x7f\x40\xcb\x6b\xde\x31\x54\xcc\xd6\x3e\x65\xa4\x8c\x86\xc5\x8a\x38\x57\xf6\x8f\x88\x08\x20\x3f\xb2\x8d\x95\xe7\x4a\x18\x65\xeb\x8f\x82\xfe\x95\x35\x62\xa1\x47\x51\xed\x18\xf2\x51\xe5\x11\x53\x70\xd2\xbc\x19\x14\x5c\xcf\x3a\xbe\xae\x4c\x81\xfb\x1d\x97\xf6\x2e\x03\x5d\xb7\x3d\x11\xab\x7e\xc5\x96\xbc\x7a\x36\x86\x55\xc6", 190); res = -1; res = syz_usb_connect(4, 0x4f, 0x20002080, 0x20002640); if (res != -1) r[13] = res; break; case 39: memcpy((void*)0x200026c0, "\x01\xdf\x42\x94\xf0\x1f\xe1\xf9\x43\xb7\x80\xcc\xad\x76\xab\x8a\x48\x35\x3c\xbc\xe5\x48\x12\x83\xfb\x7d\x07\xe3\x29\x52\x05\x54\x49\xb6\x58\x1b\x36\x93\xb6\x7e\xde\xa7\xf1\x03\x54\x2f\xd1\xdc\xcf\x21\xa4\xf8\xce\x11\xf5\x24\x82\xa5\x50\xdd\x31\x99\xda\x83\x0c\x3e\x19\xff\x1a\x99\x6c\xe1\x42\x4b\x13\x49\x5e\x70\x4b\xe3\xf8\xc1\x06\xd0\x83\x38\xa6\x9d\xb2\x9c\x70\xd0\x40\xba\x40\x50\x16\xd9\x02\x55\xd8\x1d\x11\x5d\x9c\x6c\x9c\x13\xb9\x57\x89\xba\x2d\x4e\xe0\xf0\x05\xd9\x5b", 119); syz_usb_ep_write(r[13], 8, 0x77, 0x200026c0); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); setup_leak(); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :281:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :281:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor760317620 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/19 (0.64s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:true DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } #define KCSAN_DEBUGFS_FILE "/sys/kernel/debug/kcsan" static void setup_kcsan() { if (!write_file(KCSAN_DEBUGFS_FILE, "on")) exit(1); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 40; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 26 ? 50 : 0) + (call == 32 ? 3000 : 0) + (call == 33 ? 3000 : 0) + (call == 34 ? 300 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 3000 : 0) + (call == 39 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/dsp\000", 9); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); break; case 2: syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); break; case 3: memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); if (res != -1) r[1] = res; break; case 4: *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); break; case 5: syscall(__NR_socket, 0xaul, 5ul, 0x84); break; case 6: memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20000240, 8, 0x40040); if (res != -1) r[2] = res; break; case 7: *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); break; case 8: *(uint32_t*)0x20000300 = 0x14; syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); break; case 9: syscall(__NR_socket, 4ul, 2ul, 0); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); break; case 11: *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; break; case 12: memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); syz_execute_func(0x20000140); break; case 13: break; case 14: memcpy((void*)0x200001c0, "SEG6\000", 5); syz_genetlink_get_family_id(0x200001c0); break; case 15: syz_init_net_socket(3, 2, 0xc4); break; case 16: res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); if (res != -1) r[3] = res; break; case 17: syz_io_uring_complete(r[3]); break; case 18: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); if (res != -1) r[4] = *(uint32_t*)0x20000218; break; case 19: res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); if (res != -1) r[5] = res; break; case 20: memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); if (res != -1) r[6] = res; break; case 21: res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); if (res != -1) r[7] = res; break; case 22: *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint32_t*)0x20000394 = 1; *(uint32_t*)0x20000398 = 0; *(uint64_t*)0x200003a0 = 1; *(uint16_t*)0x200003a8 = 0; *(uint16_t*)0x200003aa = r[7]; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; *(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; syz_io_uring_submit(r[3], r[5], 0x20000380, 5); break; case 23: *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0x200003c0; memcpy((void*)0x200003c0, "\xc6\x6b\xf5\x1c\x00\x3b\x68\x4c\xd1\xf5\x6d\x7d\xbc\xd2\xde\xa7\x67\x52\x93\xe4\xd0\x16\x95\x5f\xb8\x84\x32\x0c\xce\xfe\xf5\x21\x42\xee\xf0\xb6\x1d\x38\x99\x59\xe4\xe4\x75\x07\x5b\x6b\x11\xcd\xbe\x1c", 50); *(uint64_t*)0x20000410 = 0x32; *(uint64_t*)0x20000440 = 1; *(uint64_t*)0x20000448 = 0; syz_kvm_setup_cpu(r[6], -1, 0x20fe7000, 0x20000400, 1, 0, 0x20000440, 1); break; case 24: res = syscall(__NR_mmap, 0x20ffb000ul, 0x4000ul, 0x2000000ul, 0x1000ul, -1, 0x8000000ul); if (res != -1) r[8] = res; break; case 25: *(uint32_t*)0x20000480 = 1; syz_memcpy_off(r[8], 0x114, 0x20000480, 0, 4); break; case 26: memcpy((void*)0x200004c0, "afs\000", 4); memcpy((void*)0x20000500, "./file0\000", 8); *(uint64_t*)0x200008c0 = 0x20000540; *(uint64_t*)0x200008c8 = 0; *(uint64_t*)0x200008d0 = 0x32; *(uint64_t*)0x200008d8 = 0x20000580; memcpy((void*)0x20000580, "\x3a\x7a\x72\xca\x9b\x2a\x42\x2a\xfb\xeb\xa2\xd7\xa8\x43\x38\xcb\x03\x95\x18\x39\x45\x1a\xf3\xf3\x03\x1d\x00\x30\xdb\x11\xa0\x8c\x0e\xb2\x24\x4d\xab\x7f\x4f\xd9\x44\x2c\xd5\x53\x70\xfb\xac\xdc\x33\x0d\x3e\xe2\x18\x81\x37\xd0\xad\x97\x72\xc7\xae\x54\xfa\xe9\x2d\x19\x41\xe0\x49\xbd\xcb\x3b\x8f\x64\x5e\xa6\xa7\xd7\x46\x40\x42\x86\xd5\x6d\xfd\x7a\x41\xfb\x29\xe2\x98\x7d\x8d\x73\xb3\x67\x9f\xae\x42\x7f\x5a\xf0\x81\x85\xe4\xff\xda\x15\x32\x28\xa3\xac\x82\xbf\x94\xf1\x77\x52\xed\x78\xdf\xe5\xb9\xa4", 124); *(uint64_t*)0x200008e0 = 0x7c; *(uint64_t*)0x200008e8 = 0xee5; *(uint64_t*)0x200008f0 = 0x20000600; memcpy((void*)0x20000600, "\xa9\x63\xe9\x74\x3e\x9c\x3d\x09\x2a\x0a\xb1\xd6\x8a\x13\xfe\x85\xf8\x0e\xd9\x43\x58\xab\x9a\xd4\x02\x9d\xff\x34\x33\xa3\x22\x3c\x65\x0d\x6a\x96\x50\x5e\xc9\xa3\xd6\xcd\x09\xad\x3f\x26\x8f\xcd\xd1\x24\x8a\xa4\x3e\xf1\x38\xa7\x9b\x0c\x4c\x11\x6f\x71\x78\xb5\xfc\x5c\xc4\x9f\xa3\x03\x20\x1e\x8c\x7e\xf4\xe3\x22\x43\x41\x05\xec\xdc\x91\x2a\xe6\x72\x51\x0b\x34\xc0\x1a\xa3\x89\x0c\x90\xf2\x72\x00\xde\x2b\x65\xc4\xbd\x20", 104); *(uint64_t*)0x200008f8 = 0x68; *(uint64_t*)0x20000900 = 0x10000; *(uint64_t*)0x20000908 = 0x20000680; memcpy((void*)0x20000680, "\x6a\xc4\x43\xef\xa9\x85\x5d\xda\x4f\xa3\xa9\x82\xab\xc0\x60\xeb\xf1\xa6\x78\x5f\xeb\xa7\x7c\xd7\x0d\x48\x6a\x29\xf4", 29); *(uint64_t*)0x20000910 = 0x1d; *(uint64_t*)0x20000918 = 2; *(uint64_t*)0x20000920 = 0x200006c0; memcpy((void*)0x200006c0, "\x32\x29\x20\x2f\xd1\x3c\x8a\xb6\xd5\x54\xd8\xdf\xb6\xa8\x66\x18\x05\xf5\x3c\x5e\x81\x67\x1b\xf5\xd7\x02\xaa\x4c\x17\xca\xd1\x07\xcf\xc6\xa8\xfe\x70\x2b\x26\x94\x2c\x63\x2a\x4e\xd0\xe1\x01\x04\x40\xb5\x1b\x99\x78\x5c\x11\x2a\x0b\xda\x8c\x28\x62\x67\xac\x9c\xb4\xe6\x95\x37\x6a\x13\xd9\x93\x7d\xfe\x15\x42\x39\xc4\xea\x04\xf3\x85\x39\xa8\xe5\x57\xdb\xcc\x89\x09\x42\x0c\x76\xb2\x58\x7b\x42\xaa\x2d\x61\xbf\x39\x5f\xe9\x13\xba\xd8\x6d\xdf\x17\xa8\xf1\xb3\x21\x2d\x0f\x0a\x6b\xc2\xe7\x84\x1e\xf2\xe2\xee\x0b\xe0\x59\x01\xf0\x28\xc7\xc6\x5e\x1c\x2c\xb6\x41\xf5\x56\x50\x8f\xbf\x32\x2d\xa0\x30\xde\x78\x46\xad\x39\x00\x40\x82\xc1\x28\xa0\xff\xb6\x0c\x1b\x80\x1b\xfd\x69\xa0\xe5\xf3\x7b\x51\xfe\xb7\x8d\x97\x24\x0f\x45\xf3\xce\x17\xa2\x8a\xbb\xd8\x9b\xd1\x6c\xd2\xd0\x6c\x74\x48\x89\x90\xab\xa3\x6f\xf0\x06\xe8\xae\x36\x22\xec\x18\xfa\x76\xb7\x67\xbe\x88\xf1\x92\xf9\x4a\xf1\x5e\x23\xd7\x42\x17\x73\x8a\x1d\x48\xef\x2c\x3e\x1c\x0a\x55\x72\x03\x04\x5e\x3b\xa2\x5e\x9c\xd3\x8e\xfa\x64", 244); *(uint64_t*)0x20000928 = 0xf4; *(uint64_t*)0x20000930 = 6; *(uint64_t*)0x20000938 = 0x200007c0; memcpy((void*)0x200007c0, "\x41\x4d\x78\x40\x34\x90\x27\x5a\x20\x64\x95\xf9\x3c\xf6\x22\x29\x59\x6a\x76\xf6\x22\xd4\x2e\x73\x7b\xfa\x14\x8f\xc2\x38\x5d\x9c\x82\x94\x6c\xe9\x5d\x9b\x76\x65\xc1\x48\xbf\xd7\x23\xf5\x24\x8f\xfc\xb6\xa4\xfc\x82\x65\xde\x9d\xa9\xe3\x4f\xf0\x57\x7d\xd7\x19\x23\x3d\x7e\xf9\x61\x0b\x9b\x9d\x98\xd4\xf2\xce\xdc\xc5\x35\x1c\xb7\x23\x4e\x0a\x83\x45\xf8\x1e\x60\x3a\x00\x2c\x13\xd8\x98\xf1\x08\x46\x56\xc5\x1b\xe0\x05\x26\xc6\xb7\x97\x7b\x28\x78\x09\x59\x1c\x51\xa2\x88\xac\xec\x3e\x57\x0a\x94\xcc\x77\x42\x01\x95\xf2\xa8\x1a\x77\x89\x6f\x9f\x08\x1b\x17\x3c\x24\xad\xa2\x30\x41\xea\x2e\x72\x53\x69\x86\x01\xd8\x37\x69\x09\x4d\x34\x89", 157); *(uint64_t*)0x20000940 = 0x9d; *(uint64_t*)0x20000948 = 1; *(uint64_t*)0x20000950 = 0x20000880; memcpy((void*)0x20000880, "\x3c\xc0\xa1\x54\x97\x7d\x26\x88\x2d\x94\xf1\xc1\x08\xa6\x28\x7b\x15\xe8\x35\xbf\x2d\x9e\xbc\xfd\x92\x5c\x45\x69\xc9\xde\x9d\x46\x3b\x92\x91\x58\x99\x0d\x2f\x48", 40); *(uint64_t*)0x20000958 = 0x28; *(uint64_t*)0x20000960 = 0xfffffffffffffbff; memcpy((void*)0x20000980, "flock=strict", 12); *(uint8_t*)0x2000098c = 0x2c; memcpy((void*)0x2000098d, "flock=write", 11); *(uint8_t*)0x20000998 = 0x2c; memcpy((void*)0x20000999, "source", 6); *(uint8_t*)0x2000099f = 0x3d; memcpy((void*)0x200009a0, "\353", 1); *(uint8_t*)0x200009a1 = 0x2c; memcpy((void*)0x200009a2, "autocell", 8); *(uint8_t*)0x200009aa = 0x2c; *(uint8_t*)0x200009ab = 0; syz_mount_image(0x200004c0, 0x20000500, 0x1f, 7, 0x200008c0, 0x1015005, 0x20000980); break; case 27: memcpy((void*)0x200009c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200009c0, 0x10000, 0x6840); break; case 28: *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0; *(uint32_t*)0x20000a4c = 3; *(uint64_t*)0x20000a50 = 0x20000a00; memcpy((void*)0x20000a00, ".\\\000", 3); *(uint32_t*)0x20000a58 = 0; *(uint32_t*)0x20000a5c = 0; *(uint64_t*)0x20000a60 = 0; *(uint64_t*)0x20000a68 = 0; res = syscall(__NR_bpf, 0x14ul, 0x20000a40ul, 0x30ul); if (res != -1) r[9] = *(uint32_t*)0x20000a40; break; case 29: memcpy((void*)0x20000a80, "status\000", 7); syz_open_procfs(r[9], 0x20000a80); break; case 30: syz_open_pts(-1, 0x8000); break; case 31: syz_read_part_table(6, 0, 0x20000ac0); break; case 32: *(uint8_t*)0x20000b00 = 0x12; *(uint8_t*)0x20000b01 = 1; *(uint16_t*)0x20000b02 = 0x250; *(uint8_t*)0x20000b04 = 0xa8; *(uint8_t*)0x20000b05 = 0x9c; *(uint8_t*)0x20000b06 = 0xcc; *(uint8_t*)0x20000b07 = -1; *(uint16_t*)0x20000b08 = 0x499; *(uint16_t*)0x20000b0a = 0x150c; *(uint16_t*)0x20000b0c = 0xbaf4; *(uint8_t*)0x20000b0e = 1; *(uint8_t*)0x20000b0f = 2; *(uint8_t*)0x20000b10 = 3; *(uint8_t*)0x20000b11 = 1; *(uint8_t*)0x20000b12 = 9; *(uint8_t*)0x20000b13 = 2; *(uint16_t*)0x20000b14 = 0x702; *(uint8_t*)0x20000b16 = 3; *(uint8_t*)0x20000b17 = 2; *(uint8_t*)0x20000b18 = 5; *(uint8_t*)0x20000b19 = 0x80; *(uint8_t*)0x20000b1a = 0x1f; *(uint8_t*)0x20000b1b = 9; *(uint8_t*)0x20000b1c = 4; *(uint8_t*)0x20000b1d = 0x7d; *(uint8_t*)0x20000b1e = 0; *(uint8_t*)0x20000b1f = 0xb; *(uint8_t*)0x20000b20 = 0x5c; *(uint8_t*)0x20000b21 = 0x68; *(uint8_t*)0x20000b22 = 0x45; *(uint8_t*)0x20000b23 = 0xb8; *(uint8_t*)0x20000b24 = 0x64; *(uint8_t*)0x20000b25 = 0xe6; memcpy((void*)0x20000b26, "\x25\xbb\xa1\x93\x73\x4e\x4e\xb8\x7c\xbd\x6a\x4c\x96\x1e\xf0\x1e\x6c\x96\x0f\xa2\x7d\xe2\xe0\xb2\x88\x3e\x73\xbc\xb5\x6b\x37\x1c\xc2\xf9\x4a\x39\xee\x59\xf2\x12\x37\xd7\xfd\x38\xba\xfe\xa3\xbe\xbf\x15\x96\x7e\x66\xfd\xa6\x11\x4d\x34\xb3\x49\xe1\x86\x8e\xf9\x5c\xc0\xa0\x63\x05\xd0\x16\xcd\x2c\xc7\x23\x33\x40\x35\xa1\x10\xf9\xda\x19\x7a\xfa\x79\xa6\xb0\x45\xfa\xc5\xf7\xd5\xbb\x63\x9e\x45\x41", 98); *(uint8_t*)0x20000b88 = 0xa; *(uint8_t*)0x20000b89 = 0x24; *(uint8_t*)0x20000b8a = 1; *(uint16_t*)0x20000b8b = 7; *(uint8_t*)0x20000b8d = 0x80; *(uint8_t*)0x20000b8e = 2; *(uint8_t*)0x20000b8f = 1; *(uint8_t*)0x20000b90 = 2; *(uint8_t*)0x20000b91 = 9; *(uint8_t*)0x20000b92 = 5; *(uint8_t*)0x20000b93 = 1; *(uint8_t*)0x20000b94 = 3; *(uint16_t*)0x20000b95 = 0x200; *(uint8_t*)0x20000b97 = 0x81; *(uint8_t*)0x20000b98 = 1; *(uint8_t*)0x20000b99 = 9; *(uint8_t*)0x20000b9a = 7; *(uint8_t*)0x20000b9b = 0x25; *(uint8_t*)0x20000b9c = 1; *(uint8_t*)0x20000b9d = 1; *(uint8_t*)0x20000b9e = 9; *(uint16_t*)0x20000b9f = 0x1000; *(uint8_t*)0x20000ba1 = 9; *(uint8_t*)0x20000ba2 = 5; *(uint8_t*)0x20000ba3 = 6; *(uint8_t*)0x20000ba4 = 8; *(uint16_t*)0x20000ba5 = 0x400; *(uint8_t*)0x20000ba7 = 0xe8; *(uint8_t*)0x20000ba8 = 0xc6; *(uint8_t*)0x20000ba9 = -1; *(uint8_t*)0x20000baa = 7; *(uint8_t*)0x20000bab = 0x25; *(uint8_t*)0x20000bac = 1; *(uint8_t*)0x20000bad = 1; *(uint8_t*)0x20000bae = 0x81; *(uint16_t*)0x20000baf = 6; *(uint8_t*)0x20000bb1 = 9; *(uint8_t*)0x20000bb2 = 5; *(uint8_t*)0x20000bb3 = 0xd; *(uint8_t*)0x20000bb4 = 0; *(uint16_t*)0x20000bb5 = 0x20; *(uint8_t*)0x20000bb7 = 8; *(uint8_t*)0x20000bb8 = 0xb4; *(uint8_t*)0x20000bb9 = 3; *(uint8_t*)0x20000bba = 9; *(uint8_t*)0x20000bbb = 5; *(uint8_t*)0x20000bbc = 2; *(uint8_t*)0x20000bbd = 1; *(uint16_t*)0x20000bbe = 0x200; *(uint8_t*)0x20000bc0 = 2; *(uint8_t*)0x20000bc1 = 6; *(uint8_t*)0x20000bc2 = 0x20; *(uint8_t*)0x20000bc3 = 9; *(uint8_t*)0x20000bc4 = 5; *(uint8_t*)0x20000bc5 = 7; *(uint8_t*)0x20000bc6 = 2; *(uint16_t*)0x20000bc7 = 0x3ff; *(uint8_t*)0x20000bc9 = 0x29; *(uint8_t*)0x20000bca = 4; *(uint8_t*)0x20000bcb = 0x4c; *(uint8_t*)0x20000bcc = 9; *(uint8_t*)0x20000bcd = 5; *(uint8_t*)0x20000bce = 5; *(uint8_t*)0x20000bcf = 0; *(uint16_t*)0x20000bd0 = 0x200; *(uint8_t*)0x20000bd2 = 2; *(uint8_t*)0x20000bd3 = 0x22; *(uint8_t*)0x20000bd4 = 5; *(uint8_t*)0x20000bd5 = 7; *(uint8_t*)0x20000bd6 = 0x25; *(uint8_t*)0x20000bd7 = 1; *(uint8_t*)0x20000bd8 = 0; *(uint8_t*)0x20000bd9 = 7; *(uint16_t*)0x20000bda = 0x27; *(uint8_t*)0x20000bdc = 9; *(uint8_t*)0x20000bdd = 5; *(uint8_t*)0x20000bde = 0xe; *(uint8_t*)0x20000bdf = 0xc; *(uint16_t*)0x20000be0 = 0x20; *(uint8_t*)0x20000be2 = 0x40; *(uint8_t*)0x20000be3 = 9; *(uint8_t*)0x20000be4 = 0x1f; *(uint8_t*)0x20000be5 = 0x4f; *(uint8_t*)0x20000be6 = 1; memcpy((void*)0x20000be7, "\xf1\x48\xd8\x44\x07\xf5\xb8\xdf\xda\x7c\x13\xb6\x82\x81\xb7\xd1\x42\x09\x55\x10\x93\xf9\x1b\x2d\x8f\x89\x1d\x9f\x3b\x8f\xf0\x7a\x8c\x2b\x56\xbc\xbf\xa7\x44\xea\x1d\xa6\x9f\xb1\x16\xc7\x1d\x11\xfa\x13\xb6\xa2\xc4\x64\xe6\x5d\x7c\x70\x6a\xe2\x5e\x0a\xd8\x36\xd3\x28\xf3\x09\x28\xaf\x26\xfe\x9d\x4f\x3f\x1d\xc1", 77); *(uint8_t*)0x20000c34 = 7; *(uint8_t*)0x20000c35 = 0x25; *(uint8_t*)0x20000c36 = 1; *(uint8_t*)0x20000c37 = 0x82; *(uint8_t*)0x20000c38 = 0x18; *(uint16_t*)0x20000c39 = 0xfc0; *(uint8_t*)0x20000c3b = 9; *(uint8_t*)0x20000c3c = 5; *(uint8_t*)0x20000c3d = 4; *(uint8_t*)0x20000c3e = 0; *(uint16_t*)0x20000c3f = 0x400; *(uint8_t*)0x20000c41 = 0; *(uint8_t*)0x20000c42 = 0x80; *(uint8_t*)0x20000c43 = 7; *(uint8_t*)0x20000c44 = 7; *(uint8_t*)0x20000c45 = 0x25; *(uint8_t*)0x20000c46 = 1; *(uint8_t*)0x20000c47 = 2; *(uint8_t*)0x20000c48 = 4; *(uint16_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4b = 0xf7; *(uint8_t*)0x20000c4c = 0x30; memcpy((void*)0x20000c4d, "\xab\xdd\xdd\x4f\x9b\x3f\x7c\x94\x0f\x59\xac\x5d\x6a\xc2\x20\xf7\x66\x83\x45\x97\x34\x86\x90\xed\xd4\x5d\xbc\xad\x8d\x72\x00\xdb\x71\x84\x99\x1d\x25\x39\xdf\x54\xe5\xad\x82\xe5\xd5\x8b\x03\x66\xea\x3b\x34\x1b\xe9\xa3\x0b\x4b\x2b\xd6\x6b\xf0\x04\x79\x62\x8c\xb4\x77\xc8\x29\x38\xf8\xd3\xc1\x06\xa7\xe1\x8b\x0e\x54\x85\xa0\xb1\x61\x1a\xba\x1d\x8a\xd3\xc7\x40\xfc\x3d\x9a\xcc\xb5\xd7\xb2\x93\xb9\x0b\x16\x8c\x3f\x2c\x69\x79\x81\x35\xb5\x62\x47\x5f\xe2\xa3\xb8\xf6\x19\x57\x22\x51\x66\x27\x87\xbf\x74\x9f\x67\x3a\x35\xee\x80\xea\x76\xed\xd0\xfc\x7b\x31\x77\xf2\x4f\x50\xd6\x8a\xce\xd6\x90\x2e\xcf\x5e\x0a\x1d\x31\x26\xd9\x53\x09\x46\xab\xac\x7a\x85\x79\x91\x94\x74\x8f\x34\xee\xf3\xe2\x49\xc0\xed\xe1\x51\x1b\x67\x62\x6c\x06\x32\x2b\xa0\xb3\x13\x3a\xd7\xea\xb4\x6c\xc0\x7a\x99\x5f\x01\x1d\x24\x78\x19\x83\xc1\x70\x9a\x03\xac\x2e\xf1\x65\xa9\xb9\x1e\xd9\xe7\x5e\x22\x19\x05\xa9\x32\xc3\x50\x1d\x40\x56\x69\x16\xd6\x3f\x2f\xae\x4e\x97\x98\xfa\xb8\xe1\x6a\x1d\x36\x4f\x01\x9c\x0e\xbd\xb0", 245); *(uint8_t*)0x20000d42 = 9; *(uint8_t*)0x20000d43 = 5; *(uint8_t*)0x20000d44 = 2; *(uint8_t*)0x20000d45 = 0; *(uint16_t*)0x20000d46 = 0x40; *(uint8_t*)0x20000d48 = 0xfe; *(uint8_t*)0x20000d49 = 0x20; *(uint8_t*)0x20000d4a = 9; *(uint8_t*)0x20000d4b = 0xed; *(uint8_t*)0x20000d4c = 1; memcpy((void*)0x20000d4d, "\x97\x48\x0b\x61\x9e\xce\x34\x91\x71\x8d\x87\x0d\x13\x33\xf7\xf3\xcb\xe0\x33\x67\xac\x7f\x15\xbe\x17\x93\xcf\x2d\x63\x5a\xf6\x7a\xf8\x8c\xfe\xa5\x26\xad\x45\xea\x67\xc3\x9a\xde\x3d\x19\x91\x8d\x55\xea\x59\x8a\x78\x07\xfd\x2c\x56\xad\xdf\xb5\x2f\x42\x75\x6b\xfc\x60\x2c\x04\x56\x0e\x98\x1a\x38\x78\x3c\xa3\xdd\x8b\xa4\x31\xc2\x67\x59\x2b\xc0\x04\xb2\xf5\x3e\x49\x08\x2d\xac\x6a\x78\x48\xb9\x29\xdc\xf5\x3f\x15\x1f\x4c\x9a\xe6\xf8\x91\x2f\xff\xd9\x19\x9b\xcd\xcd\x8b\x95\xfd\xc2\xdf\xaa\x22\xd3\xa7\x31\xf3\xc4\xaa\x34\x47\xd4\x18\x3b\x1c\xb4\xcc\xce\xb3\x6e\x69\x37\xf2\x27\x5c\x89\xce\x0b\xa8\x3f\x40\xc2\xc7\xdb\xf1\x3b\x41\x77\x0a\x0f\x12\x5b\x10\xde\xd7\xee\xfe\x7a\x18\x24\xf9\xee\xf4\x93\x83\x10\xa5\x5c\x12\x1b\xf1\xa9\x25\x9f\x55\x16\x72\xb8\xa0\xa5\x2f\xea\xc5\xcb\xc5\xab\x96\xa5\x49\x1e\xf5\x33\xd7\xbe\x14\x76\x4e\x9d\xa5\x31\xff\xef\x82\xf8\x61\x2a\x74\x0f\xb5\x87\x56\xf7\xcb\x60\x92\xab\xb1\x5a\xa6\xcf\x04\x94\xcb\x71\x06\xf1", 235); *(uint8_t*)0x20000e38 = 0xd3; *(uint8_t*)0x20000e39 = 8; memcpy((void*)0x20000e3a, "\x4e\x8e\x03\x4e\xe9\x75\x01\xac\x38\x25\x74\xd2\xa7\x25\x27\xc5\xe0\xc8\x32\x61\x8b\xc6\xa1\xea\x16\xc3\xf3\x23\x25\x89\x71\x63\x3a\x03\x33\x99\x1a\xd9\x97\x54\xb0\x06\xc9\x5c\x4d\xe5\xf9\x01\xec\x1b\x8d\x86\xbd\x47\xc5\x64\xbd\x2a\xef\x08\xdf\x3c\x22\x4a\x3e\x6e\x40\x84\x65\x54\xee\xd2\x73\x4d\x71\xce\x33\x92\x96\x7e\xf5\x5c\x96\xb3\xda\x0a\xa5\x48\x1f\x31\xc3\x51\xcf\x18\x59\xcb\xee\x24\x4e\x75\x1c\x60\xcf\xad\xc2\x33\xcb\x60\x02\xee\x6f\xf4\xcc\x2c\x9b\x76\x37\x8f\x5b\x6e\x41\x0c\x01\x4f\x25\xcb\x9f\xff\x68\xf8\xa6\xff\x5b\x81\xb6\xd0\x9b\x9c\x7a\x2a\xaf\x84\x8b\xd2\x47\xed\x21\xb1\x3a\xa8\xd3\x5b\xcb\x7b\xf2\xfa\x6b\x8c\xbf\x55\x29\x9e\xdb\xce\x15\xe7\x88\xd1\xf9\x3c\xff\x32\x23\x99\x24\x9a\xc0\x80\xf2\xd4\x7b\xd3\xf2\x7e\x7a\x6d\xe1\x84\x90\x48\x11\x72\x25\x36\xd0\xa2\x33\x0e\x3e\x51\x11\x46\xfa\xab\x98\x64\xd1\xb1\x83", 209); *(uint8_t*)0x20000f0b = 9; *(uint8_t*)0x20000f0c = 5; *(uint8_t*)0x20000f0d = 0xb; *(uint8_t*)0x20000f0e = 0; *(uint16_t*)0x20000f0f = 0x10; *(uint8_t*)0x20000f11 = 0x2c; *(uint8_t*)0x20000f12 = 9; *(uint8_t*)0x20000f13 = 6; *(uint8_t*)0x20000f14 = 7; *(uint8_t*)0x20000f15 = 0x25; *(uint8_t*)0x20000f16 = 1; *(uint8_t*)0x20000f17 = 0x80; *(uint8_t*)0x20000f18 = 0xc9; *(uint16_t*)0x20000f19 = 0xbb; *(uint8_t*)0x20000f1b = 0x1f; *(uint8_t*)0x20000f1c = 0x31; memcpy((void*)0x20000f1d, "\xe4\x4d\x51\xa1\x5a\x72\x0f\x09\x9d\xad\xeb\x93\x26\x25\x52\xa9\x35\x42\x42\x29\xd3\xf4\xd1\x2e\xdc\x1b\xaa\x9f\x88", 29); *(uint8_t*)0x20000f3a = 9; *(uint8_t*)0x20000f3b = 5; *(uint8_t*)0x20000f3c = 0xc; *(uint8_t*)0x20000f3d = 0; *(uint16_t*)0x20000f3e = 8; *(uint8_t*)0x20000f40 = 0x49; *(uint8_t*)0x20000f41 = 0x40; *(uint8_t*)0x20000f42 = 0x55; *(uint8_t*)0x20000f43 = 9; *(uint8_t*)0x20000f44 = 4; *(uint8_t*)0x20000f45 = 0xfe; *(uint8_t*)0x20000f46 = 0x33; *(uint8_t*)0x20000f47 = 2; *(uint8_t*)0x20000f48 = 0xa2; *(uint8_t*)0x20000f49 = 0x17; *(uint8_t*)0x20000f4a = 0x9a; *(uint8_t*)0x20000f4b = 2; *(uint8_t*)0x20000f4c = 9; *(uint8_t*)0x20000f4d = 0x24; *(uint8_t*)0x20000f4e = 6; *(uint8_t*)0x20000f4f = 0; *(uint8_t*)0x20000f50 = 1; memcpy((void*)0x20000f51, "\xfb\x7f\xfd\xe8", 4); *(uint8_t*)0x20000f55 = 5; *(uint8_t*)0x20000f56 = 0x24; *(uint8_t*)0x20000f57 = 0; *(uint16_t*)0x20000f58 = 1; *(uint8_t*)0x20000f5a = 0xd; *(uint8_t*)0x20000f5b = 0x24; *(uint8_t*)0x20000f5c = 0xf; *(uint8_t*)0x20000f5d = 1; *(uint32_t*)0x20000f5e = 4; *(uint16_t*)0x20000f62 = 0x9f54; *(uint16_t*)0x20000f64 = 0x267; *(uint8_t*)0x20000f66 = 1; *(uint8_t*)0x20000f67 = 6; *(uint8_t*)0x20000f68 = 0x24; *(uint8_t*)0x20000f69 = 0x1a; *(uint16_t*)0x20000f6a = 9; *(uint8_t*)0x20000f6c = 9; *(uint8_t*)0x20000f6d = 0xc; *(uint8_t*)0x20000f6e = 0x24; *(uint8_t*)0x20000f6f = 0x1b; *(uint16_t*)0x20000f70 = -1; *(uint16_t*)0x20000f72 = 1; *(uint8_t*)0x20000f74 = 0x20; *(uint8_t*)0x20000f75 = 6; *(uint16_t*)0x20000f76 = 6; *(uint8_t*)0x20000f78 = 6; *(uint8_t*)0x20000f79 = 0x15; *(uint8_t*)0x20000f7a = 0x24; *(uint8_t*)0x20000f7b = 0x12; *(uint16_t*)0x20000f7c = 3; *(uint64_t*)0x20000f7e = 0x14f5e048ba817a3; *(uint64_t*)0x20000f86 = 0x2a397ecbffc007a6; *(uint8_t*)0x20000f8e = 0xc; *(uint8_t*)0x20000f8f = 0x24; *(uint8_t*)0x20000f90 = 0x1b; *(uint16_t*)0x20000f91 = 0x91; *(uint16_t*)0x20000f93 = 5; *(uint8_t*)0x20000f95 = 1; *(uint8_t*)0x20000f96 = -1; *(uint16_t*)0x20000f97 = 5; *(uint8_t*)0x20000f99 = 0x35; *(uint8_t*)0x20000f9a = 4; *(uint8_t*)0x20000f9b = 0x24; *(uint8_t*)0x20000f9c = 2; *(uint8_t*)0x20000f9d = 1; *(uint8_t*)0x20000f9e = 9; *(uint8_t*)0x20000f9f = 5; *(uint8_t*)0x20000fa0 = 0xa; *(uint8_t*)0x20000fa1 = 0x10; *(uint16_t*)0x20000fa2 = 8; *(uint8_t*)0x20000fa4 = 0x80; *(uint8_t*)0x20000fa5 = 0xc1; *(uint8_t*)0x20000fa6 = 4; *(uint8_t*)0x20000fa7 = 0xb8; *(uint8_t*)0x20000fa8 = 0x30; memcpy((void*)0x20000fa9, "\xe3\x84\xdc\xf0\x3a\xc3\x95\x40\xe5\xa2\x21\x99\xf7\x1a\x53\xba\x42\x8c\x3b\x72\x02\x90\xf0\x27\x6b\xcc\xa0\xcd\x15\x40\x5f\x6c\x93\x04\x97\xaf\x5e\xb3\x20\xa4\x33\xcc\x55\x3d\x6e\x01\x08\xed\xbf\x79\x3e\xf0\x24\x0f\xf2\x69\xb4\xff\x96\xd6\x82\x2b\xcb\x48\xce\xba\xe2\xa5\xce\xad\x65\x78\x6e\xbe\xcd\x5f\x30\x0c\x08\x60\x6d\x33\x22\xb8\x36\x00\x29\xbd\x21\x31\x2d\xac\x49\x33\x61\xe1\xb0\x8f\x2a\xdc\xa4\xdc\x49\xa0\x04\xfe\xfd\xf7\xa3\xa5\x25\xae\x5d\xe1\x1f\x0a\x69\x1a\x41\xb8\x69\xd9\xb9\xa5\xd9\x0d\x5a\x7b\x5e\xbe\x9e\x57\x73\xb9\x7e\xfe\x98\xe3\x89\x53\x77\xa4\x24\xe3\x0e\xf2\x2f\xd2\xff\xa2\x53\x2f\x1b\xb3\xc1\xa4\xe3\xb8\x6a\xfc\x08\xb2\x65\x9a\xa2\xe5\x56\xf1\x90\xe2\x7f\x83\x61\x9a\x16\x18\xd3\x71\xe1\x02\xc5\x58", 182); *(uint8_t*)0x2000105f = 9; *(uint8_t*)0x20001060 = 5; *(uint8_t*)0x20001061 = 0x80; *(uint8_t*)0x20001062 = 1; *(uint16_t*)0x20001063 = 0x40; *(uint8_t*)0x20001065 = 4; *(uint8_t*)0x20001066 = 0; *(uint8_t*)0x20001067 = 0x1f; *(uint8_t*)0x20001068 = 9; *(uint8_t*)0x20001069 = 4; *(uint8_t*)0x2000106a = 0x74; *(uint8_t*)0x2000106b = 0x90; *(uint8_t*)0x2000106c = 0xa; *(uint8_t*)0x2000106d = -1; *(uint8_t*)0x2000106e = 0x5d; *(uint8_t*)0x2000106f = 1; *(uint8_t*)0x20001070 = 0x81; *(uint8_t*)0x20001071 = 0x6c; *(uint8_t*)0x20001072 = 4; memcpy((void*)0x20001073, "\xde\xaf\x84\x76\xcc\x58\x55\xff\xb6\xd2\x2d\x6c\xeb\x29\x77\x34\x8b\xa8\x6d\xee\x7d\x9e\x22\xe0\xc4\x64\x77\xb0\x6c\x0d\xb5\x14\xbb\x53\x83\xa6\x2a\x40\x2c\xc6\xe0\x79\x5d\xdd\xa5\x10\xcf\x42\x38\xb2\xc6\x4b\x65\x7a\x11\x11\xef\xc0\xe4\xaa\xcf\x9e\x40\x80\x2d\xd0\xee\xb6\x9f\x27\x1c\x1e\x6f\xe0\xee\x5e\x9f\x48\x12\x28\x32\xe6\xa8\x0a\x4d\x7a\x66\x11\xe3\xfd\x2d\xca\x49\xd3\x51\x90\x8f\xf9\xa4\x8c\xa2\x0c\x78\xa6\x9c\x65", 106); *(uint8_t*)0x200010dd = 9; *(uint8_t*)0x200010de = 0x21; *(uint16_t*)0x200010df = 7; *(uint8_t*)0x200010e1 = 7; *(uint8_t*)0x200010e2 = 1; *(uint8_t*)0x200010e3 = 0x22; *(uint16_t*)0x200010e4 = 0xab5; *(uint8_t*)0x200010e6 = 9; *(uint8_t*)0x200010e7 = 5; *(uint8_t*)0x200010e8 = 0; *(uint8_t*)0x200010e9 = 0; *(uint16_t*)0x200010ea = 0x200; *(uint8_t*)0x200010ec = 4; *(uint8_t*)0x200010ed = 7; *(uint8_t*)0x200010ee = 0; *(uint8_t*)0x200010ef = 9; *(uint8_t*)0x200010f0 = 5; *(uint8_t*)0x200010f1 = 0x80; *(uint8_t*)0x200010f2 = 0xc; *(uint16_t*)0x200010f3 = 0x40; *(uint8_t*)0x200010f5 = 0; *(uint8_t*)0x200010f6 = 0x7f; *(uint8_t*)0x200010f7 = -1; *(uint8_t*)0x200010f8 = 7; *(uint8_t*)0x200010f9 = 0x25; *(uint8_t*)0x200010fa = 1; *(uint8_t*)0x200010fb = 0; *(uint8_t*)0x200010fc = 0; *(uint16_t*)0x200010fd = 0xff; *(uint8_t*)0x200010ff = 7; *(uint8_t*)0x20001100 = 0x25; *(uint8_t*)0x20001101 = 1; *(uint8_t*)0x20001102 = 2; *(uint8_t*)0x20001103 = 0xfa; *(uint16_t*)0x20001104 = 5; *(uint8_t*)0x20001106 = 9; *(uint8_t*)0x20001107 = 5; *(uint8_t*)0x20001108 = 3; *(uint8_t*)0x20001109 = 3; *(uint16_t*)0x2000110a = 0x3ff; *(uint8_t*)0x2000110c = 0x80; *(uint8_t*)0x2000110d = 0x7f; *(uint8_t*)0x2000110e = 8; *(uint8_t*)0x2000110f = 9; *(uint8_t*)0x20001110 = 5; *(uint8_t*)0x20001111 = 5; *(uint8_t*)0x20001112 = 1; *(uint16_t*)0x20001113 = 0x20; *(uint8_t*)0x20001115 = 4; *(uint8_t*)0x20001116 = 0x3c; *(uint8_t*)0x20001117 = 4; *(uint8_t*)0x20001118 = 7; *(uint8_t*)0x20001119 = 0x25; *(uint8_t*)0x2000111a = 1; *(uint8_t*)0x2000111b = 0x80; *(uint8_t*)0x2000111c = 0x40; *(uint16_t*)0x2000111d = 0x800; *(uint8_t*)0x2000111f = 9; *(uint8_t*)0x20001120 = 5; *(uint8_t*)0x20001121 = 0xd; *(uint8_t*)0x20001122 = 0; *(uint16_t*)0x20001123 = 0x20; *(uint8_t*)0x20001125 = -1; *(uint8_t*)0x20001126 = 0x14; *(uint8_t*)0x20001127 = 0x3f; *(uint8_t*)0x20001128 = 9; *(uint8_t*)0x20001129 = 5; *(uint8_t*)0x2000112a = 4; *(uint8_t*)0x2000112b = 0; *(uint16_t*)0x2000112c = 0x20; *(uint8_t*)0x2000112e = 1; *(uint8_t*)0x2000112f = 1; *(uint8_t*)0x20001130 = 0x56; *(uint8_t*)0x20001131 = 9; *(uint8_t*)0x20001132 = 5; *(uint8_t*)0x20001133 = 0xc; *(uint8_t*)0x20001134 = 0x10; *(uint16_t*)0x20001135 = 8; *(uint8_t*)0x20001137 = 1; *(uint8_t*)0x20001138 = 5; *(uint8_t*)0x20001139 = 2; *(uint8_t*)0x2000113a = 0x20; *(uint8_t*)0x2000113b = 4; memcpy((void*)0x2000113c, "\x6d\xdd\x41\x04\xce\xf7\xb1\xf7\xb2\xdd\xda\xbb\x24\xea\x94\xbe\x1e\x8a\xc9\xfb\xba\x62\xcd\x71\xc1\xa1\xcb\xfa\x4e\x73", 30); *(uint8_t*)0x2000115a = 9; *(uint8_t*)0x2000115b = 5; *(uint8_t*)0x2000115c = 7; *(uint8_t*)0x2000115d = 4; *(uint16_t*)0x2000115e = 0x10; *(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 6; *(uint8_t*)0x20001162 = 0xf8; *(uint8_t*)0x20001163 = 7; *(uint8_t*)0x20001164 = 0x25; *(uint8_t*)0x20001165 = 1; *(uint8_t*)0x20001166 = 0x80; *(uint8_t*)0x20001167 = 3; *(uint16_t*)0x20001168 = 0x8000; *(uint8_t*)0x2000116a = 0x98; *(uint8_t*)0x2000116b = 0x21; memcpy((void*)0x2000116c, "\xe7\xba\xc6\xd3\x44\x3c\xdf\xcd\xf9\xc2\x4b\x69\x78\xdb\xfb\x9d\xd1\x82\x4a\x59\x64\xcb\xfa\x0f\xe6\x42\x96\xd5\x79\x4c\x61\x59\xbc\x30\xb8\x02\xa5\x9b\x5c\x7a\x49\xb5\x34\x03\x5d\xf5\x6b\xbc\x48\x86\x52\xee\x31\xc6\x01\xd5\x32\x65\x07\x01\x6b\xd4\x45\xa1\xc0\x9d\xf2\x31\xcf\x57\x81\x19\x0d\xaa\xba\x0c\xbd\x84\xa1\x72\x64\x03\x27\xb8\xc1\xa1\xd9\x0b\xfa\xb1\x8f\x24\x96\x1f\xfe\x12\xa0\x48\x6a\x23\x9c\x79\xa2\x59\xc5\x37\x65\x26\x03\xdc\xbd\x4b\x2b\x73\x42\xae\x0d\x71\x5a\x75\x43\xf4\xd0\x8b\xb5\x57\xbd\xdc\xd3\xbc\xa8\x35\x90\xb5\x7c\x30\xee\xe2\xce\x95\xf6\xc7\x10\x2f\x64\x6a\xf8\x28\xa4\x96", 150); *(uint8_t*)0x20001202 = 9; *(uint8_t*)0x20001203 = 5; *(uint8_t*)0x20001204 = 2; *(uint8_t*)0x20001205 = 3; *(uint16_t*)0x20001206 = 0x400; *(uint8_t*)0x20001208 = 3; *(uint8_t*)0x20001209 = 2; *(uint8_t*)0x2000120a = 8; *(uint8_t*)0x2000120b = 9; *(uint8_t*)0x2000120c = 5; *(uint8_t*)0x2000120d = 6; *(uint8_t*)0x2000120e = 0x10; *(uint16_t*)0x2000120f = 0x20; *(uint8_t*)0x20001211 = -1; *(uint8_t*)0x20001212 = 4; *(uint8_t*)0x20001213 = 6; *(uint32_t*)0x20001540 = 0xa; *(uint64_t*)0x20001544 = 0x20001240; *(uint8_t*)0x20001240 = 0xa; *(uint8_t*)0x20001241 = 6; *(uint16_t*)0x20001242 = 0x300; *(uint8_t*)0x20001244 = -1; *(uint8_t*)0x20001245 = 0x81; *(uint8_t*)0x20001246 = 6; *(uint8_t*)0x20001247 = 0xf7; *(uint8_t*)0x20001248 = 0xc4; *(uint8_t*)0x20001249 = 0; *(uint32_t*)0x2000154c = 0xf; *(uint64_t*)0x20001550 = 0x20001280; *(uint8_t*)0x20001280 = 5; *(uint8_t*)0x20001281 = 0xf; *(uint16_t*)0x20001282 = 0xf; *(uint8_t*)0x20001284 = 1; *(uint8_t*)0x20001285 = 0xa; *(uint8_t*)0x20001286 = 0x10; *(uint8_t*)0x20001287 = 3; *(uint8_t*)0x20001288 = 0; *(uint16_t*)0x20001289 = 0; *(uint8_t*)0x2000128b = 8; *(uint8_t*)0x2000128c = 0x1f; *(uint16_t*)0x2000128d = 0xfff; *(uint32_t*)0x20001558 = 5; *(uint32_t*)0x2000155c = 4; *(uint64_t*)0x20001560 = 0x200012c0; *(uint8_t*)0x200012c0 = 4; *(uint8_t*)0x200012c1 = 3; *(uint16_t*)0x200012c2 = 0xc07; *(uint32_t*)0x20001568 = 0x54; *(uint64_t*)0x2000156c = 0x20001300; *(uint8_t*)0x20001300 = 0x54; *(uint8_t*)0x20001301 = 3; memcpy((void*)0x20001302, "\x32\x1d\x45\x7f\x2f\x5a\xb9\xfc\xb1\x11\x8c\x96\x06\x31\xfd\x85\xa7\x5e\xad\x82\x91\x36\xaa\x2a\x6c\xc0\x31\x14\x51\x03\x5f\xe1\x7b\x95\x6e\xb8\xfa\x52\xd4\x95\xa3\x11\xa6\xc0\x3f\x0a\xe8\x4c\x86\xf0\xed\x78\xda\xeb\xfa\x15\xdb\x7b\xc5\x78\x8c\x97\x24\xba\xf4\x58\x2d\xc0\xec\x1b\xa6\x68\x1a\x76\xb0\xa1\xbf\xc5\xde\x9d\xae\xcc", 82); *(uint32_t*)0x20001574 = 0xd3; *(uint64_t*)0x20001578 = 0x20001380; *(uint8_t*)0x20001380 = 0xd3; *(uint8_t*)0x20001381 = 3; memcpy((void*)0x20001382, "\x18\x33\x6f\xc5\x62\x3b\xa1\x41\x06\x34\xc4\x05\x0b\xcf\x3b\x48\x8e\xa4\x18\x67\xd0\x59\xdc\xdc\xd2\xc3\x68\xd8\x48\xfe\x51\x47\x32\x3c\x0b\xa4\xe5\x1d\x7c\xf2\xa3\xd1\x50\x25\x8f\x8c\xc2\x56\x9b\xd7\x9e\x95\x1e\xa9\x5a\x31\x8d\xe3\x1d\x14\x6c\x37\xa7\xcf\x71\x2f\x1f\xcd\x44\x03\x90\x85\x2c\x8d\x52\x16\xf8\xd2\x3a\x99\x18\xb0\xe0\x53\x52\x1e\xb6\x70\xad\x3e\xe0\xfb\x8a\x93\xa8\xd7\xba\xd7\x19\x9e\xeb\xe1\x2a\x3b\x02\x10\x7a\xc4\x54\x2b\xc6\x49\x79\x77\xe3\x30\x8b\x40\x7b\xf3\x64\x98\x2f\x4f\xc9\xc3\x30\xf9\xa7\x5c\xcb\x65\xc8\x68\x8d\x5c\x24\x7a\xd0\x6c\x20\xcc\xf0\x14\x65\xe3\xab\x09\xfc\x77\x7f\x73\x47\x4c\x2c\xd0\x53\xb8\x48\xad\x32\x55\xb5\xad\xc8\x1e\x03\x3d\x2a\x0f\xac\x50\x61\xea\x52\xda\xcf\x46\xe8\x8e\x8c\x2e\x38\x8d\xeb\x91\xd2\xd9\xfc\x12\x42\x55\x90\x93\x36\x41\x8e\x74\x3b\xda\x4c\xb4\xf7\x3c\x6b\x75\xaf\x9a\x9b", 209); *(uint32_t*)0x20001580 = 4; *(uint64_t*)0x20001584 = 0x20001480; *(uint8_t*)0x20001480 = 4; *(uint8_t*)0x20001481 = 3; *(uint16_t*)0x20001482 = 0x42b; *(uint32_t*)0x2000158c = 0x5a; *(uint64_t*)0x20001590 = 0x200014c0; *(uint8_t*)0x200014c0 = 0x5a; *(uint8_t*)0x200014c1 = 3; memcpy((void*)0x200014c2, "\x4d\x85\xf3\x14\x20\xff\x1c\xed\xa2\x5d\x11\x8d\x33\xa6\xeb\xbc\xe8\x88\xc1\x2d\x90\xeb\x54\xc8\x27\xd1\x49\xc8\xdc\xbd\x99\xf3\x89\x3b\x35\xd1\xda\x6c\x77\x6b\x1b\x5d\x08\x4b\x30\x8c\xdf\x93\x47\x41\x67\xf2\x66\x19\x9f\x44\x0a\x03\xfc\x3e\x34\x38\x03\x1b\x87\x25\xdd\xe6\x02\x9a\x62\x9c\x08\x43\xbe\xdf\x04\x8b\x84\x09\xb1\x53\xf9\x03\xd6\x57\xd2\x2b", 88); res = -1; res = syz_usb_connect(6, 0x714, 0x20000b00, 0x20001540); if (res != -1) r[10] = res; break; case 33: *(uint8_t*)0x200015c0 = 0x12; *(uint8_t*)0x200015c1 = 1; *(uint16_t*)0x200015c2 = 0x200; *(uint8_t*)0x200015c4 = -1; *(uint8_t*)0x200015c5 = -1; *(uint8_t*)0x200015c6 = -1; *(uint8_t*)0x200015c7 = 0x40; *(uint16_t*)0x200015c8 = 0xcf3; *(uint16_t*)0x200015ca = 0x9271; *(uint16_t*)0x200015cc = 0x108; *(uint8_t*)0x200015ce = 1; *(uint8_t*)0x200015cf = 2; *(uint8_t*)0x200015d0 = 3; *(uint8_t*)0x200015d1 = 1; *(uint8_t*)0x200015d2 = 9; *(uint8_t*)0x200015d3 = 2; *(uint16_t*)0x200015d4 = 0x48; *(uint8_t*)0x200015d6 = 1; *(uint8_t*)0x200015d7 = 1; *(uint8_t*)0x200015d8 = 0; *(uint8_t*)0x200015d9 = 0x80; *(uint8_t*)0x200015da = 0xfa; *(uint8_t*)0x200015db = 9; *(uint8_t*)0x200015dc = 4; *(uint8_t*)0x200015dd = 0; *(uint8_t*)0x200015de = 0; *(uint8_t*)0x200015df = 6; *(uint8_t*)0x200015e0 = -1; *(uint8_t*)0x200015e1 = 0; *(uint8_t*)0x200015e2 = 0; *(uint8_t*)0x200015e3 = 0; *(uint8_t*)0x200015e4 = 9; *(uint8_t*)0x200015e5 = 5; *(uint8_t*)0x200015e6 = 1; *(uint8_t*)0x200015e7 = 2; *(uint16_t*)0x200015e8 = 0x200; *(uint8_t*)0x200015ea = 0; *(uint8_t*)0x200015eb = 0; *(uint8_t*)0x200015ec = 0; *(uint8_t*)0x200015ed = 9; *(uint8_t*)0x200015ee = 5; *(uint8_t*)0x200015ef = 0x82; *(uint8_t*)0x200015f0 = 2; *(uint16_t*)0x200015f1 = 0x200; *(uint8_t*)0x200015f3 = 0; *(uint8_t*)0x200015f4 = 0; *(uint8_t*)0x200015f5 = 0; *(uint8_t*)0x200015f6 = 9; *(uint8_t*)0x200015f7 = 5; *(uint8_t*)0x200015f8 = 0x83; *(uint8_t*)0x200015f9 = 3; *(uint16_t*)0x200015fa = 0x40; *(uint8_t*)0x200015fc = 1; *(uint8_t*)0x200015fd = 0; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 9; *(uint8_t*)0x20001600 = 5; *(uint8_t*)0x20001601 = 4; *(uint8_t*)0x20001602 = 3; *(uint16_t*)0x20001603 = 0x40; *(uint8_t*)0x20001605 = 1; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 9; *(uint8_t*)0x20001609 = 5; *(uint8_t*)0x2000160a = 5; *(uint8_t*)0x2000160b = 2; *(uint16_t*)0x2000160c = 0x200; *(uint8_t*)0x2000160e = 0; *(uint8_t*)0x2000160f = 0; *(uint8_t*)0x20001610 = 0; *(uint8_t*)0x20001611 = 9; *(uint8_t*)0x20001612 = 5; *(uint8_t*)0x20001613 = 6; *(uint8_t*)0x20001614 = 2; *(uint16_t*)0x20001615 = 0x200; *(uint8_t*)0x20001617 = 0; *(uint8_t*)0x20001618 = 0; *(uint8_t*)0x20001619 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200015c0, 0); if (res != -1) r[11] = res; break; case 34: *(uint32_t*)0x200017c0 = 0x2c; *(uint64_t*)0x200017c4 = 0x20001640; *(uint8_t*)0x20001640 = 0; *(uint8_t*)0x20001641 = 0x24; *(uint32_t*)0x20001642 = 0x5e; *(uint8_t*)0x20001646 = 0x5e; *(uint8_t*)0x20001647 = 9; memcpy((void*)0x20001648, "\x50\xd3\x39\x2d\x02\xeb\xd2\x29\x33\x8b\x7e\x71\x70\xb9\x84\xd0\x49\x07\xf9\xce\xe9\x84\xf8\x3f\x84\xc9\x51\x8b\x9d\xd9\x17\x85\xfe\x2d\x66\xe1\x04\x26\xff\x86\xd8\xe7\xd6\x63\x53\x83\x06\x24\x01\x71\x79\x0d\x7f\x77\x66\x64\xbd\xfd\x68\xd3\xdf\x43\xcd\xf6\xd0\xe3\xab\x3d\x2a\x62\x95\x30\x92\xa2\xd7\xce\x2f\xcd\xfe\x2c\xf5\x00\x26\x86\x9a\x4b\xcd\x06\x6a\xf9\xdd\xbd", 92); *(uint64_t*)0x200017cc = 0x200016c0; *(uint8_t*)0x200016c0 = 0; *(uint8_t*)0x200016c1 = 3; *(uint32_t*)0x200016c2 = 4; *(uint8_t*)0x200016c6 = 4; *(uint8_t*)0x200016c7 = 3; *(uint16_t*)0x200016c8 = 0x449; *(uint64_t*)0x200017d4 = 0x20001700; *(uint8_t*)0x20001700 = 0; *(uint8_t*)0x20001701 = 0xf; *(uint32_t*)0x20001702 = 0x19; *(uint8_t*)0x20001706 = 5; *(uint8_t*)0x20001707 = 0xf; *(uint16_t*)0x20001708 = 0x19; *(uint8_t*)0x2000170a = 1; *(uint8_t*)0x2000170b = 0x14; *(uint8_t*)0x2000170c = 0x10; *(uint8_t*)0x2000170d = 4; *(uint8_t*)0x2000170e = 0x3f; memcpy((void*)0x2000170f, "\x0f\xf6\x11\x98\x8b\x42\x04\x3b\xdd\x16\xf1\x8b\x9b\x82\xf6\xcf", 16); *(uint64_t*)0x200017dc = 0x20001740; *(uint8_t*)0x20001740 = 0x20; *(uint8_t*)0x20001741 = 0x29; *(uint32_t*)0x20001742 = 0xf; *(uint8_t*)0x20001746 = 0xf; *(uint8_t*)0x20001747 = 0x29; *(uint8_t*)0x20001748 = 0; *(uint16_t*)0x20001749 = 0; *(uint8_t*)0x2000174b = 9; *(uint8_t*)0x2000174c = 0x68; memcpy((void*)0x2000174d, "\x60\xc5\x11\xfa", 4); memcpy((void*)0x20001751, "\x23\xe3\xf5\x32", 4); *(uint64_t*)0x200017e4 = 0x20001780; *(uint8_t*)0x20001780 = 0x20; *(uint8_t*)0x20001781 = 0x2a; *(uint32_t*)0x20001782 = 0xc; *(uint8_t*)0x20001786 = 0xc; *(uint8_t*)0x20001787 = 0x2a; *(uint8_t*)0x20001788 = 5; *(uint16_t*)0x20001789 = 0; *(uint8_t*)0x2000178b = 2; *(uint8_t*)0x2000178c = 7; *(uint8_t*)0x2000178d = 8; *(uint16_t*)0x2000178e = 5; *(uint16_t*)0x20001790 = 0x200; *(uint32_t*)0x20001c80 = 0x84; *(uint64_t*)0x20001c84 = 0x20001800; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0x16; *(uint32_t*)0x20001802 = 0x92; memcpy((void*)0x20001806, "\xe4\x9c\x4e\x0f\xdf\x52\x1d\x4b\xb8\x3a\x1c\x78\xb9\xb6\xf3\x2e\xb6\xe3\x8f\xba\x14\x32\x72\x7c\x39\x17\x49\x72\x7c\x41\x81\x5d\xc3\xfc\x41\x93\xcf\x0f\xc2\x47\xb3\x2c\x61\xdd\x80\xf2\x66\x29\xd7\xcf\x71\x4f\xc0\x80\x15\x77\x01\x40\x5e\x55\xe4\xd1\xae\x2b\x75\x8c\x66\x82\x10\x44\xd2\xe8\x09\x4f\x1b\xd7\x5c\xcf\x96\x00\x45\x47\x26\xe5\xdf\x97\x64\x08\x2d\x53\x70\x12\xad\x6f\xa0\x0a\x11\xbf\x54\x6f\x5d\x86\xaf\x48\x2a\x8f\x0b\x05\x74\x28\x7a\x4c\x56\x40\xbd\x1a\x22\x5a\x60\xd1\x96\x1c\xd5\x6b\x3b\x48\xcf\x69\xd7\x76\xcd\x8b\xba\xc5\xdc\x15\x44\xbf\x6b\x94\xb3\x51\x93\x83\xf9\xc5", 146); *(uint64_t*)0x20001c8c = 0x200018c0; *(uint8_t*)0x200018c0 = 0; *(uint8_t*)0x200018c1 = 0xa; *(uint32_t*)0x200018c2 = 1; *(uint8_t*)0x200018c6 = 0xea; *(uint64_t*)0x20001c94 = 0x20001900; *(uint8_t*)0x20001900 = 0; *(uint8_t*)0x20001901 = 8; *(uint32_t*)0x20001902 = 1; *(uint8_t*)0x20001906 = 0xc0; *(uint64_t*)0x20001c9c = 0x20001940; *(uint8_t*)0x20001940 = 0x20; *(uint8_t*)0x20001941 = 0; *(uint32_t*)0x20001942 = 4; *(uint16_t*)0x20001946 = 3; *(uint16_t*)0x20001948 = 0xc065; *(uint64_t*)0x20001ca4 = 0x20001980; *(uint8_t*)0x20001980 = 0x20; *(uint8_t*)0x20001981 = 0; *(uint32_t*)0x20001982 = 8; *(uint16_t*)0x20001986 = 0x200; *(uint16_t*)0x20001988 = 2; *(uint32_t*)0x2000198a = 0; *(uint64_t*)0x20001cac = 0x200019c0; *(uint8_t*)0x200019c0 = 0x40; *(uint8_t*)0x200019c1 = 7; *(uint32_t*)0x200019c2 = 2; *(uint16_t*)0x200019c6 = 0; *(uint64_t*)0x20001cb4 = 0x20001a00; *(uint8_t*)0x20001a00 = 0x40; *(uint8_t*)0x20001a01 = 9; *(uint32_t*)0x20001a02 = 1; *(uint8_t*)0x20001a06 = 7; *(uint64_t*)0x20001cbc = 0x20001a40; *(uint8_t*)0x20001a40 = 0x40; *(uint8_t*)0x20001a41 = 0xb; *(uint32_t*)0x20001a42 = 2; memcpy((void*)0x20001a46, ",e", 2); *(uint64_t*)0x20001cc4 = 0x20001a80; *(uint8_t*)0x20001a80 = 0x40; *(uint8_t*)0x20001a81 = 0xf; *(uint32_t*)0x20001a82 = 2; *(uint16_t*)0x20001a86 = 0xa; *(uint64_t*)0x20001ccc = 0x20001ac0; *(uint8_t*)0x20001ac0 = 0x40; *(uint8_t*)0x20001ac1 = 0x13; *(uint32_t*)0x20001ac2 = 6; memcpy((void*)0x20001ac6, "\xcb\xa5\xd8\xd5\x17\x87", 6); *(uint64_t*)0x20001cd4 = 0x20001b00; *(uint8_t*)0x20001b00 = 0x40; *(uint8_t*)0x20001b01 = 0x17; *(uint32_t*)0x20001b02 = 6; *(uint8_t*)0x20001b06 = 0xaa; *(uint8_t*)0x20001b07 = 0xaa; *(uint8_t*)0x20001b08 = 0xaa; *(uint8_t*)0x20001b09 = 0xaa; *(uint8_t*)0x20001b0a = 0xaa; *(uint8_t*)0x20001b0b = 0x1b; *(uint64_t*)0x20001cdc = 0x20001b40; *(uint8_t*)0x20001b40 = 0x40; *(uint8_t*)0x20001b41 = 0x19; *(uint32_t*)0x20001b42 = 2; memcpy((void*)0x20001b46, "\x09\xef", 2); *(uint64_t*)0x20001ce4 = 0x20001b80; *(uint8_t*)0x20001b80 = 0x40; *(uint8_t*)0x20001b81 = 0x1a; *(uint32_t*)0x20001b82 = 2; *(uint16_t*)0x20001b86 = 0x200; *(uint64_t*)0x20001cec = 0x20001bc0; *(uint8_t*)0x20001bc0 = 0x40; *(uint8_t*)0x20001bc1 = 0x1c; *(uint32_t*)0x20001bc2 = 1; *(uint8_t*)0x20001bc6 = 0x20; *(uint64_t*)0x20001cf4 = 0x20001c00; *(uint8_t*)0x20001c00 = 0x40; *(uint8_t*)0x20001c01 = 0x1e; *(uint32_t*)0x20001c02 = 1; *(uint8_t*)0x20001c06 = 0x81; *(uint64_t*)0x20001cfc = 0x20001c40; *(uint8_t*)0x20001c40 = 0x40; *(uint8_t*)0x20001c41 = 0x21; *(uint32_t*)0x20001c42 = 1; *(uint8_t*)0x20001c46 = 0x40; syz_usb_control_io(r[11], 0x200017c0, 0x20001c80); break; case 35: *(uint8_t*)0x20001d40 = 0x12; *(uint8_t*)0x20001d41 = 1; *(uint16_t*)0x20001d42 = 0x300; *(uint8_t*)0x20001d44 = 0; *(uint8_t*)0x20001d45 = 0; *(uint8_t*)0x20001d46 = 0; *(uint8_t*)0x20001d47 = 0x40; *(uint16_t*)0x20001d48 = 0x1d6b; *(uint16_t*)0x20001d4a = 0x101; *(uint16_t*)0x20001d4c = 0x40; *(uint8_t*)0x20001d4e = 1; *(uint8_t*)0x20001d4f = 2; *(uint8_t*)0x20001d50 = 3; *(uint8_t*)0x20001d51 = 1; *(uint8_t*)0x20001d52 = 9; *(uint8_t*)0x20001d53 = 2; *(uint16_t*)0x20001d54 = 0xa4; *(uint8_t*)0x20001d56 = 3; *(uint8_t*)0x20001d57 = 1; *(uint8_t*)0x20001d58 = 8; *(uint8_t*)0x20001d59 = 0x80; *(uint8_t*)0x20001d5a = 0x1f; *(uint8_t*)0x20001d5b = 9; *(uint8_t*)0x20001d5c = 4; *(uint8_t*)0x20001d5d = 0; *(uint8_t*)0x20001d5e = 0; *(uint8_t*)0x20001d5f = 0; *(uint8_t*)0x20001d60 = 1; *(uint8_t*)0x20001d61 = 1; *(uint8_t*)0x20001d62 = 0; *(uint8_t*)0x20001d63 = 0; *(uint8_t*)0x20001d64 = 0xa; *(uint8_t*)0x20001d65 = 0x24; *(uint8_t*)0x20001d66 = 1; *(uint16_t*)0x20001d67 = 0x7f; *(uint8_t*)0x20001d69 = 0x24; *(uint8_t*)0x20001d6a = 2; *(uint8_t*)0x20001d6b = 1; *(uint8_t*)0x20001d6c = 2; *(uint8_t*)0x20001d6d = 0xb; *(uint8_t*)0x20001d6e = 0x24; *(uint8_t*)0x20001d6f = 4; *(uint8_t*)0x20001d70 = 3; *(uint8_t*)0x20001d71 = 0x3f; memcpy((void*)0x20001d72, "\xe3\xa7\xba\x11\xb7\x73", 6); *(uint8_t*)0x20001d78 = 0xc; *(uint8_t*)0x20001d79 = 0x24; *(uint8_t*)0x20001d7a = 2; *(uint8_t*)0x20001d7b = 4; *(uint16_t*)0x20001d7c = 0x203; *(uint8_t*)0x20001d7e = 1; *(uint8_t*)0x20001d7f = 2; *(uint16_t*)0x20001d80 = 7; *(uint8_t*)0x20001d82 = 0xfd; *(uint8_t*)0x20001d83 = 0; *(uint8_t*)0x20001d84 = 7; *(uint8_t*)0x20001d85 = 0x24; *(uint8_t*)0x20001d86 = 8; *(uint8_t*)0x20001d87 = 2; *(uint16_t*)0x20001d88 = 4; *(uint8_t*)0x20001d8a = 0x40; *(uint8_t*)0x20001d8b = 9; *(uint8_t*)0x20001d8c = 0x24; *(uint8_t*)0x20001d8d = 3; *(uint8_t*)0x20001d8e = 2; *(uint16_t*)0x20001d8f = 0x101; *(uint8_t*)0x20001d91 = 4; *(uint8_t*)0x20001d92 = 4; *(uint8_t*)0x20001d93 = 5; *(uint8_t*)0x20001d94 = 9; *(uint8_t*)0x20001d95 = 4; *(uint8_t*)0x20001d96 = 1; *(uint8_t*)0x20001d97 = 0; *(uint8_t*)0x20001d98 = 0; *(uint8_t*)0x20001d99 = 1; *(uint8_t*)0x20001d9a = 2; *(uint8_t*)0x20001d9b = 0; *(uint8_t*)0x20001d9c = 0; *(uint8_t*)0x20001d9d = 9; *(uint8_t*)0x20001d9e = 4; *(uint8_t*)0x20001d9f = 1; *(uint8_t*)0x20001da0 = 1; *(uint8_t*)0x20001da1 = 1; *(uint8_t*)0x20001da2 = 1; *(uint8_t*)0x20001da3 = 2; *(uint8_t*)0x20001da4 = 0; *(uint8_t*)0x20001da5 = 0; *(uint8_t*)0x20001da6 = 9; *(uint8_t*)0x20001da7 = 5; *(uint8_t*)0x20001da8 = 1; *(uint8_t*)0x20001da9 = 9; *(uint16_t*)0x20001daa = 0x200; *(uint8_t*)0x20001dac = 0xfc; *(uint8_t*)0x20001dad = 9; *(uint8_t*)0x20001dae = 7; *(uint8_t*)0x20001daf = 7; *(uint8_t*)0x20001db0 = 0x25; *(uint8_t*)0x20001db1 = 1; *(uint8_t*)0x20001db2 = 0; *(uint8_t*)0x20001db3 = 2; *(uint16_t*)0x20001db4 = 8; *(uint8_t*)0x20001db6 = 9; *(uint8_t*)0x20001db7 = 4; *(uint8_t*)0x20001db8 = 2; *(uint8_t*)0x20001db9 = 0; *(uint8_t*)0x20001dba = 0; *(uint8_t*)0x20001dbb = 1; *(uint8_t*)0x20001dbc = 2; *(uint8_t*)0x20001dbd = 0; *(uint8_t*)0x20001dbe = 0; *(uint8_t*)0x20001dbf = 9; *(uint8_t*)0x20001dc0 = 4; *(uint8_t*)0x20001dc1 = 2; *(uint8_t*)0x20001dc2 = 1; *(uint8_t*)0x20001dc3 = 1; *(uint8_t*)0x20001dc4 = 1; *(uint8_t*)0x20001dc5 = 2; *(uint8_t*)0x20001dc6 = 0; *(uint8_t*)0x20001dc7 = 0; *(uint8_t*)0x20001dc8 = 0x12; *(uint8_t*)0x20001dc9 = 0x24; *(uint8_t*)0x20001dca = 2; *(uint8_t*)0x20001dcb = 2; *(uint16_t*)0x20001dcc = 8; *(uint16_t*)0x20001dce = 7; *(uint8_t*)0x20001dd0 = -1; memcpy((void*)0x20001dd1, "\x6c\xce\x23\xa5\x1a\x59\x66\x0a\x8a", 9); *(uint8_t*)0x20001dda = 0xc; *(uint8_t*)0x20001ddb = 0x24; *(uint8_t*)0x20001ddc = 2; *(uint8_t*)0x20001ddd = 1; *(uint8_t*)0x20001dde = 7; *(uint8_t*)0x20001ddf = 2; *(uint8_t*)0x20001de0 = 0xd6; *(uint8_t*)0x20001de1 = 0x40; memcpy((void*)0x20001de2, "\xa5\xe2\x12", 3); memcpy((void*)0x20001de5, "l", 1); *(uint8_t*)0x20001de6 = 9; *(uint8_t*)0x20001de7 = 5; *(uint8_t*)0x20001de8 = 0x82; *(uint8_t*)0x20001de9 = 9; *(uint16_t*)0x20001dea = 0x3ff; *(uint8_t*)0x20001dec = 3; *(uint8_t*)0x20001ded = 0; *(uint8_t*)0x20001dee = 0xac; *(uint8_t*)0x20001def = 7; *(uint8_t*)0x20001df0 = 0x25; *(uint8_t*)0x20001df1 = 1; *(uint8_t*)0x20001df2 = 3; *(uint8_t*)0x20001df3 = 4; *(uint16_t*)0x20001df4 = 5; *(uint32_t*)0x20001f40 = 0xa; *(uint64_t*)0x20001f44 = 0x20001e00; *(uint8_t*)0x20001e00 = 0xa; *(uint8_t*)0x20001e01 = 6; *(uint16_t*)0x20001e02 = 0x200; *(uint8_t*)0x20001e04 = -1; *(uint8_t*)0x20001e05 = 2; *(uint8_t*)0x20001e06 = 7; *(uint8_t*)0x20001e07 = 0x10; *(uint8_t*)0x20001e08 = 6; *(uint8_t*)0x20001e09 = 0; *(uint32_t*)0x20001f4c = 5; *(uint64_t*)0x20001f50 = 0x20001e40; *(uint8_t*)0x20001e40 = 5; *(uint8_t*)0x20001e41 = 0xf; *(uint16_t*)0x20001e42 = 5; *(uint8_t*)0x20001e44 = 0; *(uint32_t*)0x20001f58 = 2; *(uint32_t*)0x20001f5c = 0x52; *(uint64_t*)0x20001f60 = 0x20001e80; *(uint8_t*)0x20001e80 = 0x52; *(uint8_t*)0x20001e81 = 3; memcpy((void*)0x20001e82, "\x4b\xcf\xbc\x74\x9d\x26\xd0\xfb\xc2\x0c\x2e\x20\x2a\x04\x2e\x8b\xb1\x67\xca\xdf\x5c\x2b\xcd\xbd\x07\xdd\xe6\x67\x1d\xa7\xdd\x40\x03\x06\xb2\x6f\x22\x0f\xef\x4a\x33\x97\xf0\xa9\x5a\x4b\x8c\xa5\xba\xfd\x5a\x4f\xa8\xb9\x9d\x24\x50\x5f\x7a\x27\xac\x07\xa1\x6b\xbb\x02\xd5\x24\xc0\xbb\xfa\x3a\xf8\xe3\x18\xdf\x58\xfe\xb1\x43", 80); *(uint32_t*)0x20001f68 = 4; *(uint64_t*)0x20001f6c = 0x20001f00; *(uint8_t*)0x20001f00 = 4; *(uint8_t*)0x20001f01 = 3; *(uint16_t*)0x20001f02 = 0x807; res = -1; res = syz_usb_connect(6, 0xb6, 0x20001d40, 0x20001f40); if (res != -1) r[12] = res; break; case 36: syz_usb_disconnect(r[12]); break; case 37: syz_usb_ep_read(r[10], 6, 0xd6, 0x20001f80); break; case 38: *(uint8_t*)0x20002080 = 0x12; *(uint8_t*)0x20002081 = 1; *(uint16_t*)0x20002082 = 0x110; *(uint8_t*)0x20002084 = 2; *(uint8_t*)0x20002085 = 0; *(uint8_t*)0x20002086 = 0; *(uint8_t*)0x20002087 = -1; *(uint16_t*)0x20002088 = 0x525; *(uint16_t*)0x2000208a = 0xa4a1; *(uint16_t*)0x2000208c = 0x40; *(uint8_t*)0x2000208e = 1; *(uint8_t*)0x2000208f = 2; *(uint8_t*)0x20002090 = 3; *(uint8_t*)0x20002091 = 1; *(uint8_t*)0x20002092 = 9; *(uint8_t*)0x20002093 = 2; *(uint16_t*)0x20002094 = 0x3d; *(uint8_t*)0x20002096 = 1; *(uint8_t*)0x20002097 = 1; *(uint8_t*)0x20002098 = 9; *(uint8_t*)0x20002099 = 0xc0; *(uint8_t*)0x2000209a = 0xb3; *(uint8_t*)0x2000209b = 9; *(uint8_t*)0x2000209c = 4; *(uint8_t*)0x2000209d = 0; *(uint8_t*)0x2000209e = 8; *(uint8_t*)0x2000209f = 3; *(uint8_t*)0x200020a0 = 2; *(uint8_t*)0x200020a1 = 6; *(uint8_t*)0x200020a2 = 0; *(uint8_t*)0x200020a3 = 1; *(uint8_t*)0x200020a4 = 7; *(uint8_t*)0x200020a5 = 0x24; *(uint8_t*)0x200020a6 = 6; *(uint8_t*)0x200020a7 = 0; *(uint8_t*)0x200020a8 = 0; memcpy((void*)0x200020a9, "\x93\xb5", 2); *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 0x24; *(uint8_t*)0x200020ad = 0; *(uint16_t*)0x200020ae = 1; *(uint8_t*)0x200020b0 = 0xd; *(uint8_t*)0x200020b1 = 0x24; *(uint8_t*)0x200020b2 = 0xf; *(uint8_t*)0x200020b3 = 1; *(uint32_t*)0x200020b4 = 5; *(uint16_t*)0x200020b8 = 0xdf0; *(uint16_t*)0x200020ba = 0xa5e2; *(uint8_t*)0x200020bc = -1; *(uint8_t*)0x200020bd = 9; *(uint8_t*)0x200020be = 5; *(uint8_t*)0x200020bf = 0x82; *(uint8_t*)0x200020c0 = 2; *(uint16_t*)0x200020c1 = 0x40; *(uint8_t*)0x200020c3 = 0; *(uint8_t*)0x200020c4 = 0x40; *(uint8_t*)0x200020c5 = 0x20; *(uint8_t*)0x200020c6 = 9; *(uint8_t*)0x200020c7 = 5; *(uint8_t*)0x200020c8 = 3; *(uint8_t*)0x200020c9 = 2; *(uint16_t*)0x200020ca = 8; *(uint8_t*)0x200020cc = 0x20; *(uint8_t*)0x200020cd = -1; *(uint8_t*)0x200020ce = 4; *(uint32_t*)0x20002640 = 0xa; *(uint64_t*)0x20002644 = 0x20002100; *(uint8_t*)0x20002100 = 0xa; *(uint8_t*)0x20002101 = 6; *(uint16_t*)0x20002102 = 0x250; *(uint8_t*)0x20002104 = 0; *(uint8_t*)0x20002105 = 0x81; *(uint8_t*)0x20002106 = 0x20; *(uint8_t*)0x20002107 = 0x20; *(uint8_t*)0x20002108 = 3; *(uint8_t*)0x20002109 = 0; *(uint32_t*)0x2000264c = 5; *(uint64_t*)0x20002650 = 0x20002140; *(uint8_t*)0x20002140 = 5; *(uint8_t*)0x20002141 = 0xf; *(uint16_t*)0x20002142 = 5; *(uint8_t*)0x20002144 = 0; *(uint32_t*)0x20002658 = 8; *(uint32_t*)0x2000265c = 0xcd; *(uint64_t*)0x20002660 = 0x20002180; *(uint8_t*)0x20002180 = 0xcd; *(uint8_t*)0x20002181 = 3; memcpy((void*)0x20002182, "\x2e\x83\x3d\xbc\x02\x86\x82\x12\xd3\xec\x73\x52\xfb\x0d\xe8\xa0\x5e\xcf\x66\x18\x59\xde\xbe\x23\xba\x73\x5f\xb9\x0a\x26\x85\x3e\x0d\x4c\x9b\xfc\xeb\xac\x70\xce\x40\x53\x9a\x98\xcf\x89\x47\xe0\x6b\xb7\x5d\xe0\xa9\x20\x5e\x0b\x79\x1c\xb4\xf9\xe7\xaa\x0a\xe1\x14\x9e\x93\x94\xff\xef\x26\x6f\x96\xe0\xc7\x5a\xb7\x28\xca\xdb\xc3\x12\x57\x0e\xfe\xd7\x37\x09\x0a\x62\x51\xc0\x9e\x1a\x5d\x38\xa0\xc6\xf1\xec\x4a\xe0\x55\x86\x3d\x69\xe4\xdc\xf3\x6d\x97\x4d\x2b\xe3\xe4\x87\xc7\xd2\xf1\xdb\x21\x61\xe9\x3b\x7d\x15\x2c\xe0\x46\xf0\x30\xb3\x6d\x08\x32\x89\xed\xdd\x71\x05\xed\x8e\xae\xd4\x9f\x71\x10\x17\xba\xab\xde\x9d\x5f\x01\xcd\x47\x38\x50\x3d\x32\x26\x69\x55\x4f\xcf\x3b\x5a\x65\xb0\x51\x97\x33\xb0\x7a\x7f\x3c\xff\xdc\x92\xb0\x38\x2c\x66\x12\x0c\x41\xaa\xe8\x85\x68\xc7\x52\xf7\x9d\x50\x1f\xd4\xda\x58\xe6\x87\x9e\x7e", 203); *(uint32_t*)0x20002668 = 4; *(uint64_t*)0x2000266c = 0x20002280; *(uint8_t*)0x20002280 = 4; *(uint8_t*)0x20002281 = 3; *(uint16_t*)0x20002282 = 0x3c0a; *(uint32_t*)0x20002674 = 4; *(uint64_t*)0x20002678 = 0x200022c0; *(uint8_t*)0x200022c0 = 4; *(uint8_t*)0x200022c1 = 3; *(uint16_t*)0x200022c2 = 0x3801; *(uint32_t*)0x20002680 = 0x1f; *(uint64_t*)0x20002684 = 0x20002300; *(uint8_t*)0x20002300 = 0x1f; *(uint8_t*)0x20002301 = 3; memcpy((void*)0x20002302, "\xa6\x70\xc3\x58\x2d\x38\x96\x7a\xc4\x85\x45\x5e\x8a\x40\xac\xb6\xf5\xdf\x24\xab\x49\xa4\xc6\xbb\x43\xd5\x84\xed\xf7", 29); *(uint32_t*)0x2000268c = 4; *(uint64_t*)0x20002690 = 0x20002340; *(uint8_t*)0x20002340 = 4; *(uint8_t*)0x20002341 = 3; *(uint16_t*)0x20002342 = 0x44f; *(uint32_t*)0x20002698 = 0xe1; *(uint64_t*)0x2000269c = 0x20002380; *(uint8_t*)0x20002380 = 0xe1; *(uint8_t*)0x20002381 = 3; memcpy((void*)0x20002382, "\xbe\x2c\xe1\x8f\xae\x6d\xa9\xf1\xaa\x4b\x97\x21\x97\xbe\x7a\x6c\xe4\xb2\x83\xc3\xe0\x02\x7e\x6d\xa1\x3d\x86\x39\xf6\x74\xea\x9c\x64\x28\x9b\x33\xc0\xe1\x43\x5b\x7c\x16\x54\xa5\x69\x12\x7b\x26\xad\x53\x77\x4f\x2b\x6b\x20\x57\x9f\xac\x6f\xaf\xfe\x12\x94\x9e\xe4\xb0\xd3\xcd\x2d\x89\x0c\xff\x2d\x7e\x9b\xb4\x3b\x60\x2a\x39\x4e\xfd\x49\x75\x18\x4f\x7e\xec\xab\x16\xa3\xf1\x87\xca\xb4\xc2\xca\x01\xac\x5b\xc9\xc5\x5c\x8b\xb9\x81\x32\x3d\x91\x9f\x77\x35\x5b\x3c\xe7\x42\x8d\xa6\x2a\xf8\x0c\x76\xb1\x85\xe1\x0a\xc7\xb1\xcc\x95\x0e\xcc\x71\x5c\x3e\x0a\x1e\x14\x23\x11\xb6\x29\x41\xe0\x62\x91\xb3\x0d\x2d\x3c\x7d\x46\x8d\xfb\xe2\x83\xc9\x1f\xc0\x83\x3d\xb0\x68\xe7\xbf\x39\x7c\x23\x35\x75\x79\x02\x29\xce\x51\x3b\xbd\xc4\x38\x7d\x81\xb3\x02\x7e\xf6\x8b\x20\xde\x25\xd9\xf1\xff\x32\xb9\x5c\xba\x44\x3b\x9e\x7f\xba\x49\x91\x43\xe8\x41\xa6\x19\x0c\x6e\xcb\x29\x06\xfe\x42\x30\xf8\x39\xba\x8c\x3c\x73\xea", 223); *(uint32_t*)0x200026a4 = 0xc1; *(uint64_t*)0x200026a8 = 0x20002480; *(uint8_t*)0x20002480 = 0xc1; *(uint8_t*)0x20002481 = 3; memcpy((void*)0x20002482, "\xf1\x7d\xb2\xea\x26\xd9\x0b\xa9\x3d\x1d\xbd\x3d\x94\x82\x88\x21\x72\xcc\x15\x8b\x4c\xc4\x3c\x36\xd1\x2b\xb9\x4e\x06\xfc\x7a\xba\x0d\x96\xba\x62\xa3\x8b\x39\xb7\x7b\xb6\x6a\x8b\x4b\xa6\xfe\x26\x0c\x87\x74\x64\xdc\x10\x12\x44\x9a\x3a\x6a\xb5\xb8\x0e\x66\x7a\x3a\x01\xdb\x8d\xd1\xdc\x34\x68\xb0\xd7\x28\x93\xad\xf2\x5b\xd1\xa7\xb9\xdc\xdd\xf5\x69\x12\x2a\x73\x02\x6b\x76\xfd\x0e\x25\xd7\x44\x0c\xa5\xdb\x63\x5b\x3f\xc9\x01\x3f\xd7\x90\x99\xa7\xd7\xe8\x1d\xb8\x74\x5b\xc9\xd0\xa6\xc9\x38\x79\x1d\x2c\xbf\xd1\x0f\x1c\x62\x8c\xa1\x7a\xf9\x93\xb7\x02\xc1\xed\xe3\x0d\xa1\x88\x25\x67\xce\x28\x7f\x66\xb2\x3e\xbf\x40\x8a\x2d\x9c\x63\xe1\xcb\x0b\x27\x95\x27\x3e\xfa\x81\x53\x56\x1c\x3c\x3e\xeb\x71\xd1\x2a\xa0\x87\xe9\x25\x55\x26\xb5\x28\xf5\x38\xaf\x4a\xbd\x41\xcf\x89\x01", 191); *(uint32_t*)0x200026b0 = 0xc0; *(uint64_t*)0x200026b4 = 0x20002580; *(uint8_t*)0x20002580 = 0xc0; *(uint8_t*)0x20002581 = 3; memcpy((void*)0x20002582, "\x6f\x57\xd6\xa5\x96\x20\x2e\xbf\x5a\x75\xb9\x72\x49\x11\xf9\x1a\x3d\x92\xae\x1a\xc8\x1a\xbb\x9c\x1b\x13\x4a\x76\xe6\x65\x90\xf6\xeb\x8d\xd8\x4c\xc1\x09\x60\xb8\xd2\x23\x94\x7d\x1c\x2e\x77\x1b\x94\xe7\x29\xd8\x34\x18\xf4\x14\x21\x3f\xf8\xb9\x06\x77\x03\x30\xbe\xa7\x0e\x59\xfe\x4d\x8b\xa5\x37\xfb\xcf\xd3\xc4\xbf\xc4\xea\x3b\x64\x0c\x31\x12\x92\x6d\x8c\x78\xee\xe8\x39\x72\x09\x00\xc5\x05\xcc\x01\x3c\x12\x63\xdc\xf2\x7b\x6c\x0f\x87\xfc\xb8\x7f\x40\xcb\x6b\xde\x31\x54\xcc\xd6\x3e\x65\xa4\x8c\x86\xc5\x8a\x38\x57\xf6\x8f\x88\x08\x20\x3f\xb2\x8d\x95\xe7\x4a\x18\x65\xeb\x8f\x82\xfe\x95\x35\x62\xa1\x47\x51\xed\x18\xf2\x51\xe5\x11\x53\x70\xd2\xbc\x19\x14\x5c\xcf\x3a\xbe\xae\x4c\x81\xfb\x1d\x97\xf6\x2e\x03\x5d\xb7\x3d\x11\xab\x7e\xc5\x96\xbc\x7a\x36\x86\x55\xc6", 190); res = -1; res = syz_usb_connect(4, 0x4f, 0x20002080, 0x20002640); if (res != -1) r[13] = res; break; case 39: memcpy((void*)0x200026c0, "\x01\xdf\x42\x94\xf0\x1f\xe1\xf9\x43\xb7\x80\xcc\xad\x76\xab\x8a\x48\x35\x3c\xbc\xe5\x48\x12\x83\xfb\x7d\x07\xe3\x29\x52\x05\x54\x49\xb6\x58\x1b\x36\x93\xb6\x7e\xde\xa7\xf1\x03\x54\x2f\xd1\xdc\xcf\x21\xa4\xf8\xce\x11\xf5\x24\x82\xa5\x50\xdd\x31\x99\xda\x83\x0c\x3e\x19\xff\x1a\x99\x6c\xe1\x42\x4b\x13\x49\x5e\x70\x4b\xe3\xf8\xc1\x06\xd0\x83\x38\xa6\x9d\xb2\x9c\x70\xd0\x40\xba\x40\x50\x16\xd9\x02\x55\xd8\x1d\x11\x5d\x9c\x6c\x9c\x13\xb9\x57\x89\xba\x2d\x4e\xe0\xf0\x05\xd9\x5b", 119); syz_usb_ep_write(r[13], 8, 0x77, 0x200026c0); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); setup_kcsan(); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :281:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :281:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor921011658 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/24 (0.64s) csource_test.go:120: --- FAIL: TestGenerate/linux/amd64/11 (0.64s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:true FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth + 1); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_fault() { static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) exit(1); } } } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 40; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 26 ? 50 : 0) + (call == 32 ? 3000 : 0) + (call == 33 ? 3000 : 0) + (call == 34 ? 300 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 3000 : 0) + (call == 39 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/dsp\000", 9); inject_fault(0); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); break; case 2: syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); break; case 3: memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); if (res != -1) r[1] = res; break; case 4: *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); break; case 5: syscall(__NR_socket, 0xaul, 5ul, 0x84); break; case 6: memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20000240, 8, 0x40040); if (res != -1) r[2] = res; break; case 7: *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); break; case 8: *(uint32_t*)0x20000300 = 0x14; syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); break; case 9: syscall(__NR_socket, 4ul, 2ul, 0); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); break; case 11: *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; break; case 12: memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); syz_execute_func(0x20000140); break; case 13: break; case 14: memcpy((void*)0x200001c0, "SEG6\000", 5); syz_genetlink_get_family_id(0x200001c0); break; case 15: syz_init_net_socket(3, 2, 0xc4); break; case 16: res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); if (res != -1) r[3] = res; break; case 17: syz_io_uring_complete(r[3]); break; case 18: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); if (res != -1) r[4] = *(uint32_t*)0x20000218; break; case 19: res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); if (res != -1) r[5] = res; break; case 20: memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); if (res != -1) r[6] = res; break; case 21: res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); if (res != -1) r[7] = res; break; case 22: *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint32_t*)0x20000394 = 1; *(uint32_t*)0x20000398 = 0; *(uint64_t*)0x200003a0 = 1; *(uint16_t*)0x200003a8 = 0; *(uint16_t*)0x200003aa = r[7]; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; *(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; syz_io_uring_submit(r[3], r[5], 0x20000380, 5); break; case 23: *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0x200003c0; memcpy((void*)0x200003c0, "\xc6\x6b\xf5\x1c\x00\x3b\x68\x4c\xd1\xf5\x6d\x7d\xbc\xd2\xde\xa7\x67\x52\x93\xe4\xd0\x16\x95\x5f\xb8\x84\x32\x0c\xce\xfe\xf5\x21\x42\xee\xf0\xb6\x1d\x38\x99\x59\xe4\xe4\x75\x07\x5b\x6b\x11\xcd\xbe\x1c", 50); *(uint64_t*)0x20000410 = 0x32; *(uint64_t*)0x20000440 = 1; *(uint64_t*)0x20000448 = 0; syz_kvm_setup_cpu(r[6], -1, 0x20fe7000, 0x20000400, 1, 0, 0x20000440, 1); break; case 24: res = syscall(__NR_mmap, 0x20ffb000ul, 0x4000ul, 0x2000000ul, 0x1000ul, -1, 0x8000000ul); if (res != -1) r[8] = res; break; case 25: *(uint32_t*)0x20000480 = 1; syz_memcpy_off(r[8], 0x114, 0x20000480, 0, 4); break; case 26: memcpy((void*)0x200004c0, "afs\000", 4); memcpy((void*)0x20000500, "./file0\000", 8); *(uint64_t*)0x200008c0 = 0x20000540; *(uint64_t*)0x200008c8 = 0; *(uint64_t*)0x200008d0 = 0x32; *(uint64_t*)0x200008d8 = 0x20000580; memcpy((void*)0x20000580, "\x3a\x7a\x72\xca\x9b\x2a\x42\x2a\xfb\xeb\xa2\xd7\xa8\x43\x38\xcb\x03\x95\x18\x39\x45\x1a\xf3\xf3\x03\x1d\x00\x30\xdb\x11\xa0\x8c\x0e\xb2\x24\x4d\xab\x7f\x4f\xd9\x44\x2c\xd5\x53\x70\xfb\xac\xdc\x33\x0d\x3e\xe2\x18\x81\x37\xd0\xad\x97\x72\xc7\xae\x54\xfa\xe9\x2d\x19\x41\xe0\x49\xbd\xcb\x3b\x8f\x64\x5e\xa6\xa7\xd7\x46\x40\x42\x86\xd5\x6d\xfd\x7a\x41\xfb\x29\xe2\x98\x7d\x8d\x73\xb3\x67\x9f\xae\x42\x7f\x5a\xf0\x81\x85\xe4\xff\xda\x15\x32\x28\xa3\xac\x82\xbf\x94\xf1\x77\x52\xed\x78\xdf\xe5\xb9\xa4", 124); *(uint64_t*)0x200008e0 = 0x7c; *(uint64_t*)0x200008e8 = 0xee5; *(uint64_t*)0x200008f0 = 0x20000600; memcpy((void*)0x20000600, "\xa9\x63\xe9\x74\x3e\x9c\x3d\x09\x2a\x0a\xb1\xd6\x8a\x13\xfe\x85\xf8\x0e\xd9\x43\x58\xab\x9a\xd4\x02\x9d\xff\x34\x33\xa3\x22\x3c\x65\x0d\x6a\x96\x50\x5e\xc9\xa3\xd6\xcd\x09\xad\x3f\x26\x8f\xcd\xd1\x24\x8a\xa4\x3e\xf1\x38\xa7\x9b\x0c\x4c\x11\x6f\x71\x78\xb5\xfc\x5c\xc4\x9f\xa3\x03\x20\x1e\x8c\x7e\xf4\xe3\x22\x43\x41\x05\xec\xdc\x91\x2a\xe6\x72\x51\x0b\x34\xc0\x1a\xa3\x89\x0c\x90\xf2\x72\x00\xde\x2b\x65\xc4\xbd\x20", 104); *(uint64_t*)0x200008f8 = 0x68; *(uint64_t*)0x20000900 = 0x10000; *(uint64_t*)0x20000908 = 0x20000680; memcpy((void*)0x20000680, "\x6a\xc4\x43\xef\xa9\x85\x5d\xda\x4f\xa3\xa9\x82\xab\xc0\x60\xeb\xf1\xa6\x78\x5f\xeb\xa7\x7c\xd7\x0d\x48\x6a\x29\xf4", 29); *(uint64_t*)0x20000910 = 0x1d; *(uint64_t*)0x20000918 = 2; *(uint64_t*)0x20000920 = 0x200006c0; memcpy((void*)0x200006c0, "\x32\x29\x20\x2f\xd1\x3c\x8a\xb6\xd5\x54\xd8\xdf\xb6\xa8\x66\x18\x05\xf5\x3c\x5e\x81\x67\x1b\xf5\xd7\x02\xaa\x4c\x17\xca\xd1\x07\xcf\xc6\xa8\xfe\x70\x2b\x26\x94\x2c\x63\x2a\x4e\xd0\xe1\x01\x04\x40\xb5\x1b\x99\x78\x5c\x11\x2a\x0b\xda\x8c\x28\x62\x67\xac\x9c\xb4\xe6\x95\x37\x6a\x13\xd9\x93\x7d\xfe\x15\x42\x39\xc4\xea\x04\xf3\x85\x39\xa8\xe5\x57\xdb\xcc\x89\x09\x42\x0c\x76\xb2\x58\x7b\x42\xaa\x2d\x61\xbf\x39\x5f\xe9\x13\xba\xd8\x6d\xdf\x17\xa8\xf1\xb3\x21\x2d\x0f\x0a\x6b\xc2\xe7\x84\x1e\xf2\xe2\xee\x0b\xe0\x59\x01\xf0\x28\xc7\xc6\x5e\x1c\x2c\xb6\x41\xf5\x56\x50\x8f\xbf\x32\x2d\xa0\x30\xde\x78\x46\xad\x39\x00\x40\x82\xc1\x28\xa0\xff\xb6\x0c\x1b\x80\x1b\xfd\x69\xa0\xe5\xf3\x7b\x51\xfe\xb7\x8d\x97\x24\x0f\x45\xf3\xce\x17\xa2\x8a\xbb\xd8\x9b\xd1\x6c\xd2\xd0\x6c\x74\x48\x89\x90\xab\xa3\x6f\xf0\x06\xe8\xae\x36\x22\xec\x18\xfa\x76\xb7\x67\xbe\x88\xf1\x92\xf9\x4a\xf1\x5e\x23\xd7\x42\x17\x73\x8a\x1d\x48\xef\x2c\x3e\x1c\x0a\x55\x72\x03\x04\x5e\x3b\xa2\x5e\x9c\xd3\x8e\xfa\x64", 244); *(uint64_t*)0x20000928 = 0xf4; *(uint64_t*)0x20000930 = 6; *(uint64_t*)0x20000938 = 0x200007c0; memcpy((void*)0x200007c0, "\x41\x4d\x78\x40\x34\x90\x27\x5a\x20\x64\x95\xf9\x3c\xf6\x22\x29\x59\x6a\x76\xf6\x22\xd4\x2e\x73\x7b\xfa\x14\x8f\xc2\x38\x5d\x9c\x82\x94\x6c\xe9\x5d\x9b\x76\x65\xc1\x48\xbf\xd7\x23\xf5\x24\x8f\xfc\xb6\xa4\xfc\x82\x65\xde\x9d\xa9\xe3\x4f\xf0\x57\x7d\xd7\x19\x23\x3d\x7e\xf9\x61\x0b\x9b\x9d\x98\xd4\xf2\xce\xdc\xc5\x35\x1c\xb7\x23\x4e\x0a\x83\x45\xf8\x1e\x60\x3a\x00\x2c\x13\xd8\x98\xf1\x08\x46\x56\xc5\x1b\xe0\x05\x26\xc6\xb7\x97\x7b\x28\x78\x09\x59\x1c\x51\xa2\x88\xac\xec\x3e\x57\x0a\x94\xcc\x77\x42\x01\x95\xf2\xa8\x1a\x77\x89\x6f\x9f\x08\x1b\x17\x3c\x24\xad\xa2\x30\x41\xea\x2e\x72\x53\x69\x86\x01\xd8\x37\x69\x09\x4d\x34\x89", 157); *(uint64_t*)0x20000940 = 0x9d; *(uint64_t*)0x20000948 = 1; *(uint64_t*)0x20000950 = 0x20000880; memcpy((void*)0x20000880, "\x3c\xc0\xa1\x54\x97\x7d\x26\x88\x2d\x94\xf1\xc1\x08\xa6\x28\x7b\x15\xe8\x35\xbf\x2d\x9e\xbc\xfd\x92\x5c\x45\x69\xc9\xde\x9d\x46\x3b\x92\x91\x58\x99\x0d\x2f\x48", 40); *(uint64_t*)0x20000958 = 0x28; *(uint64_t*)0x20000960 = 0xfffffffffffffbff; memcpy((void*)0x20000980, "flock=strict", 12); *(uint8_t*)0x2000098c = 0x2c; memcpy((void*)0x2000098d, "flock=write", 11); *(uint8_t*)0x20000998 = 0x2c; memcpy((void*)0x20000999, "source", 6); *(uint8_t*)0x2000099f = 0x3d; memcpy((void*)0x200009a0, "\353", 1); *(uint8_t*)0x200009a1 = 0x2c; memcpy((void*)0x200009a2, "autocell", 8); *(uint8_t*)0x200009aa = 0x2c; *(uint8_t*)0x200009ab = 0; syz_mount_image(0x200004c0, 0x20000500, 0x1f, 7, 0x200008c0, 0x1015005, 0x20000980); break; case 27: memcpy((void*)0x200009c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200009c0, 0x10000, 0x6840); break; case 28: *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0; *(uint32_t*)0x20000a4c = 3; *(uint64_t*)0x20000a50 = 0x20000a00; memcpy((void*)0x20000a00, ".\\\000", 3); *(uint32_t*)0x20000a58 = 0; *(uint32_t*)0x20000a5c = 0; *(uint64_t*)0x20000a60 = 0; *(uint64_t*)0x20000a68 = 0; res = syscall(__NR_bpf, 0x14ul, 0x20000a40ul, 0x30ul); if (res != -1) r[9] = *(uint32_t*)0x20000a40; break; case 29: memcpy((void*)0x20000a80, "status\000", 7); syz_open_procfs(r[9], 0x20000a80); break; case 30: syz_open_pts(-1, 0x8000); break; case 31: syz_read_part_table(6, 0, 0x20000ac0); break; case 32: *(uint8_t*)0x20000b00 = 0x12; *(uint8_t*)0x20000b01 = 1; *(uint16_t*)0x20000b02 = 0x250; *(uint8_t*)0x20000b04 = 0xa8; *(uint8_t*)0x20000b05 = 0x9c; *(uint8_t*)0x20000b06 = 0xcc; *(uint8_t*)0x20000b07 = -1; *(uint16_t*)0x20000b08 = 0x499; *(uint16_t*)0x20000b0a = 0x150c; *(uint16_t*)0x20000b0c = 0xbaf4; *(uint8_t*)0x20000b0e = 1; *(uint8_t*)0x20000b0f = 2; *(uint8_t*)0x20000b10 = 3; *(uint8_t*)0x20000b11 = 1; *(uint8_t*)0x20000b12 = 9; *(uint8_t*)0x20000b13 = 2; *(uint16_t*)0x20000b14 = 0x702; *(uint8_t*)0x20000b16 = 3; *(uint8_t*)0x20000b17 = 2; *(uint8_t*)0x20000b18 = 5; *(uint8_t*)0x20000b19 = 0x80; *(uint8_t*)0x20000b1a = 0x1f; *(uint8_t*)0x20000b1b = 9; *(uint8_t*)0x20000b1c = 4; *(uint8_t*)0x20000b1d = 0x7d; *(uint8_t*)0x20000b1e = 0; *(uint8_t*)0x20000b1f = 0xb; *(uint8_t*)0x20000b20 = 0x5c; *(uint8_t*)0x20000b21 = 0x68; *(uint8_t*)0x20000b22 = 0x45; *(uint8_t*)0x20000b23 = 0xb8; *(uint8_t*)0x20000b24 = 0x64; *(uint8_t*)0x20000b25 = 0xe6; memcpy((void*)0x20000b26, "\x25\xbb\xa1\x93\x73\x4e\x4e\xb8\x7c\xbd\x6a\x4c\x96\x1e\xf0\x1e\x6c\x96\x0f\xa2\x7d\xe2\xe0\xb2\x88\x3e\x73\xbc\xb5\x6b\x37\x1c\xc2\xf9\x4a\x39\xee\x59\xf2\x12\x37\xd7\xfd\x38\xba\xfe\xa3\xbe\xbf\x15\x96\x7e\x66\xfd\xa6\x11\x4d\x34\xb3\x49\xe1\x86\x8e\xf9\x5c\xc0\xa0\x63\x05\xd0\x16\xcd\x2c\xc7\x23\x33\x40\x35\xa1\x10\xf9\xda\x19\x7a\xfa\x79\xa6\xb0\x45\xfa\xc5\xf7\xd5\xbb\x63\x9e\x45\x41", 98); *(uint8_t*)0x20000b88 = 0xa; *(uint8_t*)0x20000b89 = 0x24; *(uint8_t*)0x20000b8a = 1; *(uint16_t*)0x20000b8b = 7; *(uint8_t*)0x20000b8d = 0x80; *(uint8_t*)0x20000b8e = 2; *(uint8_t*)0x20000b8f = 1; *(uint8_t*)0x20000b90 = 2; *(uint8_t*)0x20000b91 = 9; *(uint8_t*)0x20000b92 = 5; *(uint8_t*)0x20000b93 = 1; *(uint8_t*)0x20000b94 = 3; *(uint16_t*)0x20000b95 = 0x200; *(uint8_t*)0x20000b97 = 0x81; *(uint8_t*)0x20000b98 = 1; *(uint8_t*)0x20000b99 = 9; *(uint8_t*)0x20000b9a = 7; *(uint8_t*)0x20000b9b = 0x25; *(uint8_t*)0x20000b9c = 1; *(uint8_t*)0x20000b9d = 1; *(uint8_t*)0x20000b9e = 9; *(uint16_t*)0x20000b9f = 0x1000; *(uint8_t*)0x20000ba1 = 9; *(uint8_t*)0x20000ba2 = 5; *(uint8_t*)0x20000ba3 = 6; *(uint8_t*)0x20000ba4 = 8; *(uint16_t*)0x20000ba5 = 0x400; *(uint8_t*)0x20000ba7 = 0xe8; *(uint8_t*)0x20000ba8 = 0xc6; *(uint8_t*)0x20000ba9 = -1; *(uint8_t*)0x20000baa = 7; *(uint8_t*)0x20000bab = 0x25; *(uint8_t*)0x20000bac = 1; *(uint8_t*)0x20000bad = 1; *(uint8_t*)0x20000bae = 0x81; *(uint16_t*)0x20000baf = 6; *(uint8_t*)0x20000bb1 = 9; *(uint8_t*)0x20000bb2 = 5; *(uint8_t*)0x20000bb3 = 0xd; *(uint8_t*)0x20000bb4 = 0; *(uint16_t*)0x20000bb5 = 0x20; *(uint8_t*)0x20000bb7 = 8; *(uint8_t*)0x20000bb8 = 0xb4; *(uint8_t*)0x20000bb9 = 3; *(uint8_t*)0x20000bba = 9; *(uint8_t*)0x20000bbb = 5; *(uint8_t*)0x20000bbc = 2; *(uint8_t*)0x20000bbd = 1; *(uint16_t*)0x20000bbe = 0x200; *(uint8_t*)0x20000bc0 = 2; *(uint8_t*)0x20000bc1 = 6; *(uint8_t*)0x20000bc2 = 0x20; *(uint8_t*)0x20000bc3 = 9; *(uint8_t*)0x20000bc4 = 5; *(uint8_t*)0x20000bc5 = 7; *(uint8_t*)0x20000bc6 = 2; *(uint16_t*)0x20000bc7 = 0x3ff; *(uint8_t*)0x20000bc9 = 0x29; *(uint8_t*)0x20000bca = 4; *(uint8_t*)0x20000bcb = 0x4c; *(uint8_t*)0x20000bcc = 9; *(uint8_t*)0x20000bcd = 5; *(uint8_t*)0x20000bce = 5; *(uint8_t*)0x20000bcf = 0; *(uint16_t*)0x20000bd0 = 0x200; *(uint8_t*)0x20000bd2 = 2; *(uint8_t*)0x20000bd3 = 0x22; *(uint8_t*)0x20000bd4 = 5; *(uint8_t*)0x20000bd5 = 7; *(uint8_t*)0x20000bd6 = 0x25; *(uint8_t*)0x20000bd7 = 1; *(uint8_t*)0x20000bd8 = 0; *(uint8_t*)0x20000bd9 = 7; *(uint16_t*)0x20000bda = 0x27; *(uint8_t*)0x20000bdc = 9; *(uint8_t*)0x20000bdd = 5; *(uint8_t*)0x20000bde = 0xe; *(uint8_t*)0x20000bdf = 0xc; *(uint16_t*)0x20000be0 = 0x20; *(uint8_t*)0x20000be2 = 0x40; *(uint8_t*)0x20000be3 = 9; *(uint8_t*)0x20000be4 = 0x1f; *(uint8_t*)0x20000be5 = 0x4f; *(uint8_t*)0x20000be6 = 1; memcpy((void*)0x20000be7, "\xf1\x48\xd8\x44\x07\xf5\xb8\xdf\xda\x7c\x13\xb6\x82\x81\xb7\xd1\x42\x09\x55\x10\x93\xf9\x1b\x2d\x8f\x89\x1d\x9f\x3b\x8f\xf0\x7a\x8c\x2b\x56\xbc\xbf\xa7\x44\xea\x1d\xa6\x9f\xb1\x16\xc7\x1d\x11\xfa\x13\xb6\xa2\xc4\x64\xe6\x5d\x7c\x70\x6a\xe2\x5e\x0a\xd8\x36\xd3\x28\xf3\x09\x28\xaf\x26\xfe\x9d\x4f\x3f\x1d\xc1", 77); *(uint8_t*)0x20000c34 = 7; *(uint8_t*)0x20000c35 = 0x25; *(uint8_t*)0x20000c36 = 1; *(uint8_t*)0x20000c37 = 0x82; *(uint8_t*)0x20000c38 = 0x18; *(uint16_t*)0x20000c39 = 0xfc0; *(uint8_t*)0x20000c3b = 9; *(uint8_t*)0x20000c3c = 5; *(uint8_t*)0x20000c3d = 4; *(uint8_t*)0x20000c3e = 0; *(uint16_t*)0x20000c3f = 0x400; *(uint8_t*)0x20000c41 = 0; *(uint8_t*)0x20000c42 = 0x80; *(uint8_t*)0x20000c43 = 7; *(uint8_t*)0x20000c44 = 7; *(uint8_t*)0x20000c45 = 0x25; *(uint8_t*)0x20000c46 = 1; *(uint8_t*)0x20000c47 = 2; *(uint8_t*)0x20000c48 = 4; *(uint16_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4b = 0xf7; *(uint8_t*)0x20000c4c = 0x30; memcpy((void*)0x20000c4d, "\xab\xdd\xdd\x4f\x9b\x3f\x7c\x94\x0f\x59\xac\x5d\x6a\xc2\x20\xf7\x66\x83\x45\x97\x34\x86\x90\xed\xd4\x5d\xbc\xad\x8d\x72\x00\xdb\x71\x84\x99\x1d\x25\x39\xdf\x54\xe5\xad\x82\xe5\xd5\x8b\x03\x66\xea\x3b\x34\x1b\xe9\xa3\x0b\x4b\x2b\xd6\x6b\xf0\x04\x79\x62\x8c\xb4\x77\xc8\x29\x38\xf8\xd3\xc1\x06\xa7\xe1\x8b\x0e\x54\x85\xa0\xb1\x61\x1a\xba\x1d\x8a\xd3\xc7\x40\xfc\x3d\x9a\xcc\xb5\xd7\xb2\x93\xb9\x0b\x16\x8c\x3f\x2c\x69\x79\x81\x35\xb5\x62\x47\x5f\xe2\xa3\xb8\xf6\x19\x57\x22\x51\x66\x27\x87\xbf\x74\x9f\x67\x3a\x35\xee\x80\xea\x76\xed\xd0\xfc\x7b\x31\x77\xf2\x4f\x50\xd6\x8a\xce\xd6\x90\x2e\xcf\x5e\x0a\x1d\x31\x26\xd9\x53\x09\x46\xab\xac\x7a\x85\x79\x91\x94\x74\x8f\x34\xee\xf3\xe2\x49\xc0\xed\xe1\x51\x1b\x67\x62\x6c\x06\x32\x2b\xa0\xb3\x13\x3a\xd7\xea\xb4\x6c\xc0\x7a\x99\x5f\x01\x1d\x24\x78\x19\x83\xc1\x70\x9a\x03\xac\x2e\xf1\x65\xa9\xb9\x1e\xd9\xe7\x5e\x22\x19\x05\xa9\x32\xc3\x50\x1d\x40\x56\x69\x16\xd6\x3f\x2f\xae\x4e\x97\x98\xfa\xb8\xe1\x6a\x1d\x36\x4f\x01\x9c\x0e\xbd\xb0", 245); *(uint8_t*)0x20000d42 = 9; *(uint8_t*)0x20000d43 = 5; *(uint8_t*)0x20000d44 = 2; *(uint8_t*)0x20000d45 = 0; *(uint16_t*)0x20000d46 = 0x40; *(uint8_t*)0x20000d48 = 0xfe; *(uint8_t*)0x20000d49 = 0x20; *(uint8_t*)0x20000d4a = 9; *(uint8_t*)0x20000d4b = 0xed; *(uint8_t*)0x20000d4c = 1; memcpy((void*)0x20000d4d, "\x97\x48\x0b\x61\x9e\xce\x34\x91\x71\x8d\x87\x0d\x13\x33\xf7\xf3\xcb\xe0\x33\x67\xac\x7f\x15\xbe\x17\x93\xcf\x2d\x63\x5a\xf6\x7a\xf8\x8c\xfe\xa5\x26\xad\x45\xea\x67\xc3\x9a\xde\x3d\x19\x91\x8d\x55\xea\x59\x8a\x78\x07\xfd\x2c\x56\xad\xdf\xb5\x2f\x42\x75\x6b\xfc\x60\x2c\x04\x56\x0e\x98\x1a\x38\x78\x3c\xa3\xdd\x8b\xa4\x31\xc2\x67\x59\x2b\xc0\x04\xb2\xf5\x3e\x49\x08\x2d\xac\x6a\x78\x48\xb9\x29\xdc\xf5\x3f\x15\x1f\x4c\x9a\xe6\xf8\x91\x2f\xff\xd9\x19\x9b\xcd\xcd\x8b\x95\xfd\xc2\xdf\xaa\x22\xd3\xa7\x31\xf3\xc4\xaa\x34\x47\xd4\x18\x3b\x1c\xb4\xcc\xce\xb3\x6e\x69\x37\xf2\x27\x5c\x89\xce\x0b\xa8\x3f\x40\xc2\xc7\xdb\xf1\x3b\x41\x77\x0a\x0f\x12\x5b\x10\xde\xd7\xee\xfe\x7a\x18\x24\xf9\xee\xf4\x93\x83\x10\xa5\x5c\x12\x1b\xf1\xa9\x25\x9f\x55\x16\x72\xb8\xa0\xa5\x2f\xea\xc5\xcb\xc5\xab\x96\xa5\x49\x1e\xf5\x33\xd7\xbe\x14\x76\x4e\x9d\xa5\x31\xff\xef\x82\xf8\x61\x2a\x74\x0f\xb5\x87\x56\xf7\xcb\x60\x92\xab\xb1\x5a\xa6\xcf\x04\x94\xcb\x71\x06\xf1", 235); *(uint8_t*)0x20000e38 = 0xd3; *(uint8_t*)0x20000e39 = 8; memcpy((void*)0x20000e3a, "\x4e\x8e\x03\x4e\xe9\x75\x01\xac\x38\x25\x74\xd2\xa7\x25\x27\xc5\xe0\xc8\x32\x61\x8b\xc6\xa1\xea\x16\xc3\xf3\x23\x25\x89\x71\x63\x3a\x03\x33\x99\x1a\xd9\x97\x54\xb0\x06\xc9\x5c\x4d\xe5\xf9\x01\xec\x1b\x8d\x86\xbd\x47\xc5\x64\xbd\x2a\xef\x08\xdf\x3c\x22\x4a\x3e\x6e\x40\x84\x65\x54\xee\xd2\x73\x4d\x71\xce\x33\x92\x96\x7e\xf5\x5c\x96\xb3\xda\x0a\xa5\x48\x1f\x31\xc3\x51\xcf\x18\x59\xcb\xee\x24\x4e\x75\x1c\x60\xcf\xad\xc2\x33\xcb\x60\x02\xee\x6f\xf4\xcc\x2c\x9b\x76\x37\x8f\x5b\x6e\x41\x0c\x01\x4f\x25\xcb\x9f\xff\x68\xf8\xa6\xff\x5b\x81\xb6\xd0\x9b\x9c\x7a\x2a\xaf\x84\x8b\xd2\x47\xed\x21\xb1\x3a\xa8\xd3\x5b\xcb\x7b\xf2\xfa\x6b\x8c\xbf\x55\x29\x9e\xdb\xce\x15\xe7\x88\xd1\xf9\x3c\xff\x32\x23\x99\x24\x9a\xc0\x80\xf2\xd4\x7b\xd3\xf2\x7e\x7a\x6d\xe1\x84\x90\x48\x11\x72\x25\x36\xd0\xa2\x33\x0e\x3e\x51\x11\x46\xfa\xab\x98\x64\xd1\xb1\x83", 209); *(uint8_t*)0x20000f0b = 9; *(uint8_t*)0x20000f0c = 5; *(uint8_t*)0x20000f0d = 0xb; *(uint8_t*)0x20000f0e = 0; *(uint16_t*)0x20000f0f = 0x10; *(uint8_t*)0x20000f11 = 0x2c; *(uint8_t*)0x20000f12 = 9; *(uint8_t*)0x20000f13 = 6; *(uint8_t*)0x20000f14 = 7; *(uint8_t*)0x20000f15 = 0x25; *(uint8_t*)0x20000f16 = 1; *(uint8_t*)0x20000f17 = 0x80; *(uint8_t*)0x20000f18 = 0xc9; *(uint16_t*)0x20000f19 = 0xbb; *(uint8_t*)0x20000f1b = 0x1f; *(uint8_t*)0x20000f1c = 0x31; memcpy((void*)0x20000f1d, "\xe4\x4d\x51\xa1\x5a\x72\x0f\x09\x9d\xad\xeb\x93\x26\x25\x52\xa9\x35\x42\x42\x29\xd3\xf4\xd1\x2e\xdc\x1b\xaa\x9f\x88", 29); *(uint8_t*)0x20000f3a = 9; *(uint8_t*)0x20000f3b = 5; *(uint8_t*)0x20000f3c = 0xc; *(uint8_t*)0x20000f3d = 0; *(uint16_t*)0x20000f3e = 8; *(uint8_t*)0x20000f40 = 0x49; *(uint8_t*)0x20000f41 = 0x40; *(uint8_t*)0x20000f42 = 0x55; *(uint8_t*)0x20000f43 = 9; *(uint8_t*)0x20000f44 = 4; *(uint8_t*)0x20000f45 = 0xfe; *(uint8_t*)0x20000f46 = 0x33; *(uint8_t*)0x20000f47 = 2; *(uint8_t*)0x20000f48 = 0xa2; *(uint8_t*)0x20000f49 = 0x17; *(uint8_t*)0x20000f4a = 0x9a; *(uint8_t*)0x20000f4b = 2; *(uint8_t*)0x20000f4c = 9; *(uint8_t*)0x20000f4d = 0x24; *(uint8_t*)0x20000f4e = 6; *(uint8_t*)0x20000f4f = 0; *(uint8_t*)0x20000f50 = 1; memcpy((void*)0x20000f51, "\xfb\x7f\xfd\xe8", 4); *(uint8_t*)0x20000f55 = 5; *(uint8_t*)0x20000f56 = 0x24; *(uint8_t*)0x20000f57 = 0; *(uint16_t*)0x20000f58 = 1; *(uint8_t*)0x20000f5a = 0xd; *(uint8_t*)0x20000f5b = 0x24; *(uint8_t*)0x20000f5c = 0xf; *(uint8_t*)0x20000f5d = 1; *(uint32_t*)0x20000f5e = 4; *(uint16_t*)0x20000f62 = 0x9f54; *(uint16_t*)0x20000f64 = 0x267; *(uint8_t*)0x20000f66 = 1; *(uint8_t*)0x20000f67 = 6; *(uint8_t*)0x20000f68 = 0x24; *(uint8_t*)0x20000f69 = 0x1a; *(uint16_t*)0x20000f6a = 9; *(uint8_t*)0x20000f6c = 9; *(uint8_t*)0x20000f6d = 0xc; *(uint8_t*)0x20000f6e = 0x24; *(uint8_t*)0x20000f6f = 0x1b; *(uint16_t*)0x20000f70 = -1; *(uint16_t*)0x20000f72 = 1; *(uint8_t*)0x20000f74 = 0x20; *(uint8_t*)0x20000f75 = 6; *(uint16_t*)0x20000f76 = 6; *(uint8_t*)0x20000f78 = 6; *(uint8_t*)0x20000f79 = 0x15; *(uint8_t*)0x20000f7a = 0x24; *(uint8_t*)0x20000f7b = 0x12; *(uint16_t*)0x20000f7c = 3; *(uint64_t*)0x20000f7e = 0x14f5e048ba817a3; *(uint64_t*)0x20000f86 = 0x2a397ecbffc007a6; *(uint8_t*)0x20000f8e = 0xc; *(uint8_t*)0x20000f8f = 0x24; *(uint8_t*)0x20000f90 = 0x1b; *(uint16_t*)0x20000f91 = 0x91; *(uint16_t*)0x20000f93 = 5; *(uint8_t*)0x20000f95 = 1; *(uint8_t*)0x20000f96 = -1; *(uint16_t*)0x20000f97 = 5; *(uint8_t*)0x20000f99 = 0x35; *(uint8_t*)0x20000f9a = 4; *(uint8_t*)0x20000f9b = 0x24; *(uint8_t*)0x20000f9c = 2; *(uint8_t*)0x20000f9d = 1; *(uint8_t*)0x20000f9e = 9; *(uint8_t*)0x20000f9f = 5; *(uint8_t*)0x20000fa0 = 0xa; *(uint8_t*)0x20000fa1 = 0x10; *(uint16_t*)0x20000fa2 = 8; *(uint8_t*)0x20000fa4 = 0x80; *(uint8_t*)0x20000fa5 = 0xc1; *(uint8_t*)0x20000fa6 = 4; *(uint8_t*)0x20000fa7 = 0xb8; *(uint8_t*)0x20000fa8 = 0x30; memcpy((void*)0x20000fa9, "\xe3\x84\xdc\xf0\x3a\xc3\x95\x40\xe5\xa2\x21\x99\xf7\x1a\x53\xba\x42\x8c\x3b\x72\x02\x90\xf0\x27\x6b\xcc\xa0\xcd\x15\x40\x5f\x6c\x93\x04\x97\xaf\x5e\xb3\x20\xa4\x33\xcc\x55\x3d\x6e\x01\x08\xed\xbf\x79\x3e\xf0\x24\x0f\xf2\x69\xb4\xff\x96\xd6\x82\x2b\xcb\x48\xce\xba\xe2\xa5\xce\xad\x65\x78\x6e\xbe\xcd\x5f\x30\x0c\x08\x60\x6d\x33\x22\xb8\x36\x00\x29\xbd\x21\x31\x2d\xac\x49\x33\x61\xe1\xb0\x8f\x2a\xdc\xa4\xdc\x49\xa0\x04\xfe\xfd\xf7\xa3\xa5\x25\xae\x5d\xe1\x1f\x0a\x69\x1a\x41\xb8\x69\xd9\xb9\xa5\xd9\x0d\x5a\x7b\x5e\xbe\x9e\x57\x73\xb9\x7e\xfe\x98\xe3\x89\x53\x77\xa4\x24\xe3\x0e\xf2\x2f\xd2\xff\xa2\x53\x2f\x1b\xb3\xc1\xa4\xe3\xb8\x6a\xfc\x08\xb2\x65\x9a\xa2\xe5\x56\xf1\x90\xe2\x7f\x83\x61\x9a\x16\x18\xd3\x71\xe1\x02\xc5\x58", 182); *(uint8_t*)0x2000105f = 9; *(uint8_t*)0x20001060 = 5; *(uint8_t*)0x20001061 = 0x80; *(uint8_t*)0x20001062 = 1; *(uint16_t*)0x20001063 = 0x40; *(uint8_t*)0x20001065 = 4; *(uint8_t*)0x20001066 = 0; *(uint8_t*)0x20001067 = 0x1f; *(uint8_t*)0x20001068 = 9; *(uint8_t*)0x20001069 = 4; *(uint8_t*)0x2000106a = 0x74; *(uint8_t*)0x2000106b = 0x90; *(uint8_t*)0x2000106c = 0xa; *(uint8_t*)0x2000106d = -1; *(uint8_t*)0x2000106e = 0x5d; *(uint8_t*)0x2000106f = 1; *(uint8_t*)0x20001070 = 0x81; *(uint8_t*)0x20001071 = 0x6c; *(uint8_t*)0x20001072 = 4; memcpy((void*)0x20001073, "\xde\xaf\x84\x76\xcc\x58\x55\xff\xb6\xd2\x2d\x6c\xeb\x29\x77\x34\x8b\xa8\x6d\xee\x7d\x9e\x22\xe0\xc4\x64\x77\xb0\x6c\x0d\xb5\x14\xbb\x53\x83\xa6\x2a\x40\x2c\xc6\xe0\x79\x5d\xdd\xa5\x10\xcf\x42\x38\xb2\xc6\x4b\x65\x7a\x11\x11\xef\xc0\xe4\xaa\xcf\x9e\x40\x80\x2d\xd0\xee\xb6\x9f\x27\x1c\x1e\x6f\xe0\xee\x5e\x9f\x48\x12\x28\x32\xe6\xa8\x0a\x4d\x7a\x66\x11\xe3\xfd\x2d\xca\x49\xd3\x51\x90\x8f\xf9\xa4\x8c\xa2\x0c\x78\xa6\x9c\x65", 106); *(uint8_t*)0x200010dd = 9; *(uint8_t*)0x200010de = 0x21; *(uint16_t*)0x200010df = 7; *(uint8_t*)0x200010e1 = 7; *(uint8_t*)0x200010e2 = 1; *(uint8_t*)0x200010e3 = 0x22; *(uint16_t*)0x200010e4 = 0xab5; *(uint8_t*)0x200010e6 = 9; *(uint8_t*)0x200010e7 = 5; *(uint8_t*)0x200010e8 = 0; *(uint8_t*)0x200010e9 = 0; *(uint16_t*)0x200010ea = 0x200; *(uint8_t*)0x200010ec = 4; *(uint8_t*)0x200010ed = 7; *(uint8_t*)0x200010ee = 0; *(uint8_t*)0x200010ef = 9; *(uint8_t*)0x200010f0 = 5; *(uint8_t*)0x200010f1 = 0x80; *(uint8_t*)0x200010f2 = 0xc; *(uint16_t*)0x200010f3 = 0x40; *(uint8_t*)0x200010f5 = 0; *(uint8_t*)0x200010f6 = 0x7f; *(uint8_t*)0x200010f7 = -1; *(uint8_t*)0x200010f8 = 7; *(uint8_t*)0x200010f9 = 0x25; *(uint8_t*)0x200010fa = 1; *(uint8_t*)0x200010fb = 0; *(uint8_t*)0x200010fc = 0; *(uint16_t*)0x200010fd = 0xff; *(uint8_t*)0x200010ff = 7; *(uint8_t*)0x20001100 = 0x25; *(uint8_t*)0x20001101 = 1; *(uint8_t*)0x20001102 = 2; *(uint8_t*)0x20001103 = 0xfa; *(uint16_t*)0x20001104 = 5; *(uint8_t*)0x20001106 = 9; *(uint8_t*)0x20001107 = 5; *(uint8_t*)0x20001108 = 3; *(uint8_t*)0x20001109 = 3; *(uint16_t*)0x2000110a = 0x3ff; *(uint8_t*)0x2000110c = 0x80; *(uint8_t*)0x2000110d = 0x7f; *(uint8_t*)0x2000110e = 8; *(uint8_t*)0x2000110f = 9; *(uint8_t*)0x20001110 = 5; *(uint8_t*)0x20001111 = 5; *(uint8_t*)0x20001112 = 1; *(uint16_t*)0x20001113 = 0x20; *(uint8_t*)0x20001115 = 4; *(uint8_t*)0x20001116 = 0x3c; *(uint8_t*)0x20001117 = 4; *(uint8_t*)0x20001118 = 7; *(uint8_t*)0x20001119 = 0x25; *(uint8_t*)0x2000111a = 1; *(uint8_t*)0x2000111b = 0x80; *(uint8_t*)0x2000111c = 0x40; *(uint16_t*)0x2000111d = 0x800; *(uint8_t*)0x2000111f = 9; *(uint8_t*)0x20001120 = 5; *(uint8_t*)0x20001121 = 0xd; *(uint8_t*)0x20001122 = 0; *(uint16_t*)0x20001123 = 0x20; *(uint8_t*)0x20001125 = -1; *(uint8_t*)0x20001126 = 0x14; *(uint8_t*)0x20001127 = 0x3f; *(uint8_t*)0x20001128 = 9; *(uint8_t*)0x20001129 = 5; *(uint8_t*)0x2000112a = 4; *(uint8_t*)0x2000112b = 0; *(uint16_t*)0x2000112c = 0x20; *(uint8_t*)0x2000112e = 1; *(uint8_t*)0x2000112f = 1; *(uint8_t*)0x20001130 = 0x56; *(uint8_t*)0x20001131 = 9; *(uint8_t*)0x20001132 = 5; *(uint8_t*)0x20001133 = 0xc; *(uint8_t*)0x20001134 = 0x10; *(uint16_t*)0x20001135 = 8; *(uint8_t*)0x20001137 = 1; *(uint8_t*)0x20001138 = 5; *(uint8_t*)0x20001139 = 2; *(uint8_t*)0x2000113a = 0x20; *(uint8_t*)0x2000113b = 4; memcpy((void*)0x2000113c, "\x6d\xdd\x41\x04\xce\xf7\xb1\xf7\xb2\xdd\xda\xbb\x24\xea\x94\xbe\x1e\x8a\xc9\xfb\xba\x62\xcd\x71\xc1\xa1\xcb\xfa\x4e\x73", 30); *(uint8_t*)0x2000115a = 9; *(uint8_t*)0x2000115b = 5; *(uint8_t*)0x2000115c = 7; *(uint8_t*)0x2000115d = 4; *(uint16_t*)0x2000115e = 0x10; *(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 6; *(uint8_t*)0x20001162 = 0xf8; *(uint8_t*)0x20001163 = 7; *(uint8_t*)0x20001164 = 0x25; *(uint8_t*)0x20001165 = 1; *(uint8_t*)0x20001166 = 0x80; *(uint8_t*)0x20001167 = 3; *(uint16_t*)0x20001168 = 0x8000; *(uint8_t*)0x2000116a = 0x98; *(uint8_t*)0x2000116b = 0x21; memcpy((void*)0x2000116c, "\xe7\xba\xc6\xd3\x44\x3c\xdf\xcd\xf9\xc2\x4b\x69\x78\xdb\xfb\x9d\xd1\x82\x4a\x59\x64\xcb\xfa\x0f\xe6\x42\x96\xd5\x79\x4c\x61\x59\xbc\x30\xb8\x02\xa5\x9b\x5c\x7a\x49\xb5\x34\x03\x5d\xf5\x6b\xbc\x48\x86\x52\xee\x31\xc6\x01\xd5\x32\x65\x07\x01\x6b\xd4\x45\xa1\xc0\x9d\xf2\x31\xcf\x57\x81\x19\x0d\xaa\xba\x0c\xbd\x84\xa1\x72\x64\x03\x27\xb8\xc1\xa1\xd9\x0b\xfa\xb1\x8f\x24\x96\x1f\xfe\x12\xa0\x48\x6a\x23\x9c\x79\xa2\x59\xc5\x37\x65\x26\x03\xdc\xbd\x4b\x2b\x73\x42\xae\x0d\x71\x5a\x75\x43\xf4\xd0\x8b\xb5\x57\xbd\xdc\xd3\xbc\xa8\x35\x90\xb5\x7c\x30\xee\xe2\xce\x95\xf6\xc7\x10\x2f\x64\x6a\xf8\x28\xa4\x96", 150); *(uint8_t*)0x20001202 = 9; *(uint8_t*)0x20001203 = 5; *(uint8_t*)0x20001204 = 2; *(uint8_t*)0x20001205 = 3; *(uint16_t*)0x20001206 = 0x400; *(uint8_t*)0x20001208 = 3; *(uint8_t*)0x20001209 = 2; *(uint8_t*)0x2000120a = 8; *(uint8_t*)0x2000120b = 9; *(uint8_t*)0x2000120c = 5; *(uint8_t*)0x2000120d = 6; *(uint8_t*)0x2000120e = 0x10; *(uint16_t*)0x2000120f = 0x20; *(uint8_t*)0x20001211 = -1; *(uint8_t*)0x20001212 = 4; *(uint8_t*)0x20001213 = 6; *(uint32_t*)0x20001540 = 0xa; *(uint64_t*)0x20001544 = 0x20001240; *(uint8_t*)0x20001240 = 0xa; *(uint8_t*)0x20001241 = 6; *(uint16_t*)0x20001242 = 0x300; *(uint8_t*)0x20001244 = -1; *(uint8_t*)0x20001245 = 0x81; *(uint8_t*)0x20001246 = 6; *(uint8_t*)0x20001247 = 0xf7; *(uint8_t*)0x20001248 = 0xc4; *(uint8_t*)0x20001249 = 0; *(uint32_t*)0x2000154c = 0xf; *(uint64_t*)0x20001550 = 0x20001280; *(uint8_t*)0x20001280 = 5; *(uint8_t*)0x20001281 = 0xf; *(uint16_t*)0x20001282 = 0xf; *(uint8_t*)0x20001284 = 1; *(uint8_t*)0x20001285 = 0xa; *(uint8_t*)0x20001286 = 0x10; *(uint8_t*)0x20001287 = 3; *(uint8_t*)0x20001288 = 0; *(uint16_t*)0x20001289 = 0; *(uint8_t*)0x2000128b = 8; *(uint8_t*)0x2000128c = 0x1f; *(uint16_t*)0x2000128d = 0xfff; *(uint32_t*)0x20001558 = 5; *(uint32_t*)0x2000155c = 4; *(uint64_t*)0x20001560 = 0x200012c0; *(uint8_t*)0x200012c0 = 4; *(uint8_t*)0x200012c1 = 3; *(uint16_t*)0x200012c2 = 0xc07; *(uint32_t*)0x20001568 = 0x54; *(uint64_t*)0x2000156c = 0x20001300; *(uint8_t*)0x20001300 = 0x54; *(uint8_t*)0x20001301 = 3; memcpy((void*)0x20001302, "\x32\x1d\x45\x7f\x2f\x5a\xb9\xfc\xb1\x11\x8c\x96\x06\x31\xfd\x85\xa7\x5e\xad\x82\x91\x36\xaa\x2a\x6c\xc0\x31\x14\x51\x03\x5f\xe1\x7b\x95\x6e\xb8\xfa\x52\xd4\x95\xa3\x11\xa6\xc0\x3f\x0a\xe8\x4c\x86\xf0\xed\x78\xda\xeb\xfa\x15\xdb\x7b\xc5\x78\x8c\x97\x24\xba\xf4\x58\x2d\xc0\xec\x1b\xa6\x68\x1a\x76\xb0\xa1\xbf\xc5\xde\x9d\xae\xcc", 82); *(uint32_t*)0x20001574 = 0xd3; *(uint64_t*)0x20001578 = 0x20001380; *(uint8_t*)0x20001380 = 0xd3; *(uint8_t*)0x20001381 = 3; memcpy((void*)0x20001382, "\x18\x33\x6f\xc5\x62\x3b\xa1\x41\x06\x34\xc4\x05\x0b\xcf\x3b\x48\x8e\xa4\x18\x67\xd0\x59\xdc\xdc\xd2\xc3\x68\xd8\x48\xfe\x51\x47\x32\x3c\x0b\xa4\xe5\x1d\x7c\xf2\xa3\xd1\x50\x25\x8f\x8c\xc2\x56\x9b\xd7\x9e\x95\x1e\xa9\x5a\x31\x8d\xe3\x1d\x14\x6c\x37\xa7\xcf\x71\x2f\x1f\xcd\x44\x03\x90\x85\x2c\x8d\x52\x16\xf8\xd2\x3a\x99\x18\xb0\xe0\x53\x52\x1e\xb6\x70\xad\x3e\xe0\xfb\x8a\x93\xa8\xd7\xba\xd7\x19\x9e\xeb\xe1\x2a\x3b\x02\x10\x7a\xc4\x54\x2b\xc6\x49\x79\x77\xe3\x30\x8b\x40\x7b\xf3\x64\x98\x2f\x4f\xc9\xc3\x30\xf9\xa7\x5c\xcb\x65\xc8\x68\x8d\x5c\x24\x7a\xd0\x6c\x20\xcc\xf0\x14\x65\xe3\xab\x09\xfc\x77\x7f\x73\x47\x4c\x2c\xd0\x53\xb8\x48\xad\x32\x55\xb5\xad\xc8\x1e\x03\x3d\x2a\x0f\xac\x50\x61\xea\x52\xda\xcf\x46\xe8\x8e\x8c\x2e\x38\x8d\xeb\x91\xd2\xd9\xfc\x12\x42\x55\x90\x93\x36\x41\x8e\x74\x3b\xda\x4c\xb4\xf7\x3c\x6b\x75\xaf\x9a\x9b", 209); *(uint32_t*)0x20001580 = 4; *(uint64_t*)0x20001584 = 0x20001480; *(uint8_t*)0x20001480 = 4; *(uint8_t*)0x20001481 = 3; *(uint16_t*)0x20001482 = 0x42b; *(uint32_t*)0x2000158c = 0x5a; *(uint64_t*)0x20001590 = 0x200014c0; *(uint8_t*)0x200014c0 = 0x5a; *(uint8_t*)0x200014c1 = 3; memcpy((void*)0x200014c2, "\x4d\x85\xf3\x14\x20\xff\x1c\xed\xa2\x5d\x11\x8d\x33\xa6\xeb\xbc\xe8\x88\xc1\x2d\x90\xeb\x54\xc8\x27\xd1\x49\xc8\xdc\xbd\x99\xf3\x89\x3b\x35\xd1\xda\x6c\x77\x6b\x1b\x5d\x08\x4b\x30\x8c\xdf\x93\x47\x41\x67\xf2\x66\x19\x9f\x44\x0a\x03\xfc\x3e\x34\x38\x03\x1b\x87\x25\xdd\xe6\x02\x9a\x62\x9c\x08\x43\xbe\xdf\x04\x8b\x84\x09\xb1\x53\xf9\x03\xd6\x57\xd2\x2b", 88); res = -1; res = syz_usb_connect(6, 0x714, 0x20000b00, 0x20001540); if (res != -1) r[10] = res; break; case 33: *(uint8_t*)0x200015c0 = 0x12; *(uint8_t*)0x200015c1 = 1; *(uint16_t*)0x200015c2 = 0x200; *(uint8_t*)0x200015c4 = -1; *(uint8_t*)0x200015c5 = -1; *(uint8_t*)0x200015c6 = -1; *(uint8_t*)0x200015c7 = 0x40; *(uint16_t*)0x200015c8 = 0xcf3; *(uint16_t*)0x200015ca = 0x9271; *(uint16_t*)0x200015cc = 0x108; *(uint8_t*)0x200015ce = 1; *(uint8_t*)0x200015cf = 2; *(uint8_t*)0x200015d0 = 3; *(uint8_t*)0x200015d1 = 1; *(uint8_t*)0x200015d2 = 9; *(uint8_t*)0x200015d3 = 2; *(uint16_t*)0x200015d4 = 0x48; *(uint8_t*)0x200015d6 = 1; *(uint8_t*)0x200015d7 = 1; *(uint8_t*)0x200015d8 = 0; *(uint8_t*)0x200015d9 = 0x80; *(uint8_t*)0x200015da = 0xfa; *(uint8_t*)0x200015db = 9; *(uint8_t*)0x200015dc = 4; *(uint8_t*)0x200015dd = 0; *(uint8_t*)0x200015de = 0; *(uint8_t*)0x200015df = 6; *(uint8_t*)0x200015e0 = -1; *(uint8_t*)0x200015e1 = 0; *(uint8_t*)0x200015e2 = 0; *(uint8_t*)0x200015e3 = 0; *(uint8_t*)0x200015e4 = 9; *(uint8_t*)0x200015e5 = 5; *(uint8_t*)0x200015e6 = 1; *(uint8_t*)0x200015e7 = 2; *(uint16_t*)0x200015e8 = 0x200; *(uint8_t*)0x200015ea = 0; *(uint8_t*)0x200015eb = 0; *(uint8_t*)0x200015ec = 0; *(uint8_t*)0x200015ed = 9; *(uint8_t*)0x200015ee = 5; *(uint8_t*)0x200015ef = 0x82; *(uint8_t*)0x200015f0 = 2; *(uint16_t*)0x200015f1 = 0x200; *(uint8_t*)0x200015f3 = 0; *(uint8_t*)0x200015f4 = 0; *(uint8_t*)0x200015f5 = 0; *(uint8_t*)0x200015f6 = 9; *(uint8_t*)0x200015f7 = 5; *(uint8_t*)0x200015f8 = 0x83; *(uint8_t*)0x200015f9 = 3; *(uint16_t*)0x200015fa = 0x40; *(uint8_t*)0x200015fc = 1; *(uint8_t*)0x200015fd = 0; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 9; *(uint8_t*)0x20001600 = 5; *(uint8_t*)0x20001601 = 4; *(uint8_t*)0x20001602 = 3; *(uint16_t*)0x20001603 = 0x40; *(uint8_t*)0x20001605 = 1; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 9; *(uint8_t*)0x20001609 = 5; *(uint8_t*)0x2000160a = 5; *(uint8_t*)0x2000160b = 2; *(uint16_t*)0x2000160c = 0x200; *(uint8_t*)0x2000160e = 0; *(uint8_t*)0x2000160f = 0; *(uint8_t*)0x20001610 = 0; *(uint8_t*)0x20001611 = 9; *(uint8_t*)0x20001612 = 5; *(uint8_t*)0x20001613 = 6; *(uint8_t*)0x20001614 = 2; *(uint16_t*)0x20001615 = 0x200; *(uint8_t*)0x20001617 = 0; *(uint8_t*)0x20001618 = 0; *(uint8_t*)0x20001619 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200015c0, 0); if (res != -1) r[11] = res; break; case 34: *(uint32_t*)0x200017c0 = 0x2c; *(uint64_t*)0x200017c4 = 0x20001640; *(uint8_t*)0x20001640 = 0; *(uint8_t*)0x20001641 = 0x24; *(uint32_t*)0x20001642 = 0x5e; *(uint8_t*)0x20001646 = 0x5e; *(uint8_t*)0x20001647 = 9; memcpy((void*)0x20001648, "\x50\xd3\x39\x2d\x02\xeb\xd2\x29\x33\x8b\x7e\x71\x70\xb9\x84\xd0\x49\x07\xf9\xce\xe9\x84\xf8\x3f\x84\xc9\x51\x8b\x9d\xd9\x17\x85\xfe\x2d\x66\xe1\x04\x26\xff\x86\xd8\xe7\xd6\x63\x53\x83\x06\x24\x01\x71\x79\x0d\x7f\x77\x66\x64\xbd\xfd\x68\xd3\xdf\x43\xcd\xf6\xd0\xe3\xab\x3d\x2a\x62\x95\x30\x92\xa2\xd7\xce\x2f\xcd\xfe\x2c\xf5\x00\x26\x86\x9a\x4b\xcd\x06\x6a\xf9\xdd\xbd", 92); *(uint64_t*)0x200017cc = 0x200016c0; *(uint8_t*)0x200016c0 = 0; *(uint8_t*)0x200016c1 = 3; *(uint32_t*)0x200016c2 = 4; *(uint8_t*)0x200016c6 = 4; *(uint8_t*)0x200016c7 = 3; *(uint16_t*)0x200016c8 = 0x449; *(uint64_t*)0x200017d4 = 0x20001700; *(uint8_t*)0x20001700 = 0; *(uint8_t*)0x20001701 = 0xf; *(uint32_t*)0x20001702 = 0x19; *(uint8_t*)0x20001706 = 5; *(uint8_t*)0x20001707 = 0xf; *(uint16_t*)0x20001708 = 0x19; *(uint8_t*)0x2000170a = 1; *(uint8_t*)0x2000170b = 0x14; *(uint8_t*)0x2000170c = 0x10; *(uint8_t*)0x2000170d = 4; *(uint8_t*)0x2000170e = 0x3f; memcpy((void*)0x2000170f, "\x0f\xf6\x11\x98\x8b\x42\x04\x3b\xdd\x16\xf1\x8b\x9b\x82\xf6\xcf", 16); *(uint64_t*)0x200017dc = 0x20001740; *(uint8_t*)0x20001740 = 0x20; *(uint8_t*)0x20001741 = 0x29; *(uint32_t*)0x20001742 = 0xf; *(uint8_t*)0x20001746 = 0xf; *(uint8_t*)0x20001747 = 0x29; *(uint8_t*)0x20001748 = 0; *(uint16_t*)0x20001749 = 0; *(uint8_t*)0x2000174b = 9; *(uint8_t*)0x2000174c = 0x68; memcpy((void*)0x2000174d, "\x60\xc5\x11\xfa", 4); memcpy((void*)0x20001751, "\x23\xe3\xf5\x32", 4); *(uint64_t*)0x200017e4 = 0x20001780; *(uint8_t*)0x20001780 = 0x20; *(uint8_t*)0x20001781 = 0x2a; *(uint32_t*)0x20001782 = 0xc; *(uint8_t*)0x20001786 = 0xc; *(uint8_t*)0x20001787 = 0x2a; *(uint8_t*)0x20001788 = 5; *(uint16_t*)0x20001789 = 0; *(uint8_t*)0x2000178b = 2; *(uint8_t*)0x2000178c = 7; *(uint8_t*)0x2000178d = 8; *(uint16_t*)0x2000178e = 5; *(uint16_t*)0x20001790 = 0x200; *(uint32_t*)0x20001c80 = 0x84; *(uint64_t*)0x20001c84 = 0x20001800; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0x16; *(uint32_t*)0x20001802 = 0x92; memcpy((void*)0x20001806, "\xe4\x9c\x4e\x0f\xdf\x52\x1d\x4b\xb8\x3a\x1c\x78\xb9\xb6\xf3\x2e\xb6\xe3\x8f\xba\x14\x32\x72\x7c\x39\x17\x49\x72\x7c\x41\x81\x5d\xc3\xfc\x41\x93\xcf\x0f\xc2\x47\xb3\x2c\x61\xdd\x80\xf2\x66\x29\xd7\xcf\x71\x4f\xc0\x80\x15\x77\x01\x40\x5e\x55\xe4\xd1\xae\x2b\x75\x8c\x66\x82\x10\x44\xd2\xe8\x09\x4f\x1b\xd7\x5c\xcf\x96\x00\x45\x47\x26\xe5\xdf\x97\x64\x08\x2d\x53\x70\x12\xad\x6f\xa0\x0a\x11\xbf\x54\x6f\x5d\x86\xaf\x48\x2a\x8f\x0b\x05\x74\x28\x7a\x4c\x56\x40\xbd\x1a\x22\x5a\x60\xd1\x96\x1c\xd5\x6b\x3b\x48\xcf\x69\xd7\x76\xcd\x8b\xba\xc5\xdc\x15\x44\xbf\x6b\x94\xb3\x51\x93\x83\xf9\xc5", 146); *(uint64_t*)0x20001c8c = 0x200018c0; *(uint8_t*)0x200018c0 = 0; *(uint8_t*)0x200018c1 = 0xa; *(uint32_t*)0x200018c2 = 1; *(uint8_t*)0x200018c6 = 0xea; *(uint64_t*)0x20001c94 = 0x20001900; *(uint8_t*)0x20001900 = 0; *(uint8_t*)0x20001901 = 8; *(uint32_t*)0x20001902 = 1; *(uint8_t*)0x20001906 = 0xc0; *(uint64_t*)0x20001c9c = 0x20001940; *(uint8_t*)0x20001940 = 0x20; *(uint8_t*)0x20001941 = 0; *(uint32_t*)0x20001942 = 4; *(uint16_t*)0x20001946 = 3; *(uint16_t*)0x20001948 = 0xc065; *(uint64_t*)0x20001ca4 = 0x20001980; *(uint8_t*)0x20001980 = 0x20; *(uint8_t*)0x20001981 = 0; *(uint32_t*)0x20001982 = 8; *(uint16_t*)0x20001986 = 0x200; *(uint16_t*)0x20001988 = 2; *(uint32_t*)0x2000198a = 0; *(uint64_t*)0x20001cac = 0x200019c0; *(uint8_t*)0x200019c0 = 0x40; *(uint8_t*)0x200019c1 = 7; *(uint32_t*)0x200019c2 = 2; *(uint16_t*)0x200019c6 = 0; *(uint64_t*)0x20001cb4 = 0x20001a00; *(uint8_t*)0x20001a00 = 0x40; *(uint8_t*)0x20001a01 = 9; *(uint32_t*)0x20001a02 = 1; *(uint8_t*)0x20001a06 = 7; *(uint64_t*)0x20001cbc = 0x20001a40; *(uint8_t*)0x20001a40 = 0x40; *(uint8_t*)0x20001a41 = 0xb; *(uint32_t*)0x20001a42 = 2; memcpy((void*)0x20001a46, ",e", 2); *(uint64_t*)0x20001cc4 = 0x20001a80; *(uint8_t*)0x20001a80 = 0x40; *(uint8_t*)0x20001a81 = 0xf; *(uint32_t*)0x20001a82 = 2; *(uint16_t*)0x20001a86 = 0xa; *(uint64_t*)0x20001ccc = 0x20001ac0; *(uint8_t*)0x20001ac0 = 0x40; *(uint8_t*)0x20001ac1 = 0x13; *(uint32_t*)0x20001ac2 = 6; memcpy((void*)0x20001ac6, "\xcb\xa5\xd8\xd5\x17\x87", 6); *(uint64_t*)0x20001cd4 = 0x20001b00; *(uint8_t*)0x20001b00 = 0x40; *(uint8_t*)0x20001b01 = 0x17; *(uint32_t*)0x20001b02 = 6; *(uint8_t*)0x20001b06 = 0xaa; *(uint8_t*)0x20001b07 = 0xaa; *(uint8_t*)0x20001b08 = 0xaa; *(uint8_t*)0x20001b09 = 0xaa; *(uint8_t*)0x20001b0a = 0xaa; *(uint8_t*)0x20001b0b = 0x1b; *(uint64_t*)0x20001cdc = 0x20001b40; *(uint8_t*)0x20001b40 = 0x40; *(uint8_t*)0x20001b41 = 0x19; *(uint32_t*)0x20001b42 = 2; memcpy((void*)0x20001b46, "\x09\xef", 2); *(uint64_t*)0x20001ce4 = 0x20001b80; *(uint8_t*)0x20001b80 = 0x40; *(uint8_t*)0x20001b81 = 0x1a; *(uint32_t*)0x20001b82 = 2; *(uint16_t*)0x20001b86 = 0x200; *(uint64_t*)0x20001cec = 0x20001bc0; *(uint8_t*)0x20001bc0 = 0x40; *(uint8_t*)0x20001bc1 = 0x1c; *(uint32_t*)0x20001bc2 = 1; *(uint8_t*)0x20001bc6 = 0x20; *(uint64_t*)0x20001cf4 = 0x20001c00; *(uint8_t*)0x20001c00 = 0x40; *(uint8_t*)0x20001c01 = 0x1e; *(uint32_t*)0x20001c02 = 1; *(uint8_t*)0x20001c06 = 0x81; *(uint64_t*)0x20001cfc = 0x20001c40; *(uint8_t*)0x20001c40 = 0x40; *(uint8_t*)0x20001c41 = 0x21; *(uint32_t*)0x20001c42 = 1; *(uint8_t*)0x20001c46 = 0x40; syz_usb_control_io(r[11], 0x200017c0, 0x20001c80); break; case 35: *(uint8_t*)0x20001d40 = 0x12; *(uint8_t*)0x20001d41 = 1; *(uint16_t*)0x20001d42 = 0x300; *(uint8_t*)0x20001d44 = 0; *(uint8_t*)0x20001d45 = 0; *(uint8_t*)0x20001d46 = 0; *(uint8_t*)0x20001d47 = 0x40; *(uint16_t*)0x20001d48 = 0x1d6b; *(uint16_t*)0x20001d4a = 0x101; *(uint16_t*)0x20001d4c = 0x40; *(uint8_t*)0x20001d4e = 1; *(uint8_t*)0x20001d4f = 2; *(uint8_t*)0x20001d50 = 3; *(uint8_t*)0x20001d51 = 1; *(uint8_t*)0x20001d52 = 9; *(uint8_t*)0x20001d53 = 2; *(uint16_t*)0x20001d54 = 0xa4; *(uint8_t*)0x20001d56 = 3; *(uint8_t*)0x20001d57 = 1; *(uint8_t*)0x20001d58 = 8; *(uint8_t*)0x20001d59 = 0x80; *(uint8_t*)0x20001d5a = 0x1f; *(uint8_t*)0x20001d5b = 9; *(uint8_t*)0x20001d5c = 4; *(uint8_t*)0x20001d5d = 0; *(uint8_t*)0x20001d5e = 0; *(uint8_t*)0x20001d5f = 0; *(uint8_t*)0x20001d60 = 1; *(uint8_t*)0x20001d61 = 1; *(uint8_t*)0x20001d62 = 0; *(uint8_t*)0x20001d63 = 0; *(uint8_t*)0x20001d64 = 0xa; *(uint8_t*)0x20001d65 = 0x24; *(uint8_t*)0x20001d66 = 1; *(uint16_t*)0x20001d67 = 0x7f; *(uint8_t*)0x20001d69 = 0x24; *(uint8_t*)0x20001d6a = 2; *(uint8_t*)0x20001d6b = 1; *(uint8_t*)0x20001d6c = 2; *(uint8_t*)0x20001d6d = 0xb; *(uint8_t*)0x20001d6e = 0x24; *(uint8_t*)0x20001d6f = 4; *(uint8_t*)0x20001d70 = 3; *(uint8_t*)0x20001d71 = 0x3f; memcpy((void*)0x20001d72, "\xe3\xa7\xba\x11\xb7\x73", 6); *(uint8_t*)0x20001d78 = 0xc; *(uint8_t*)0x20001d79 = 0x24; *(uint8_t*)0x20001d7a = 2; *(uint8_t*)0x20001d7b = 4; *(uint16_t*)0x20001d7c = 0x203; *(uint8_t*)0x20001d7e = 1; *(uint8_t*)0x20001d7f = 2; *(uint16_t*)0x20001d80 = 7; *(uint8_t*)0x20001d82 = 0xfd; *(uint8_t*)0x20001d83 = 0; *(uint8_t*)0x20001d84 = 7; *(uint8_t*)0x20001d85 = 0x24; *(uint8_t*)0x20001d86 = 8; *(uint8_t*)0x20001d87 = 2; *(uint16_t*)0x20001d88 = 4; *(uint8_t*)0x20001d8a = 0x40; *(uint8_t*)0x20001d8b = 9; *(uint8_t*)0x20001d8c = 0x24; *(uint8_t*)0x20001d8d = 3; *(uint8_t*)0x20001d8e = 2; *(uint16_t*)0x20001d8f = 0x101; *(uint8_t*)0x20001d91 = 4; *(uint8_t*)0x20001d92 = 4; *(uint8_t*)0x20001d93 = 5; *(uint8_t*)0x20001d94 = 9; *(uint8_t*)0x20001d95 = 4; *(uint8_t*)0x20001d96 = 1; *(uint8_t*)0x20001d97 = 0; *(uint8_t*)0x20001d98 = 0; *(uint8_t*)0x20001d99 = 1; *(uint8_t*)0x20001d9a = 2; *(uint8_t*)0x20001d9b = 0; *(uint8_t*)0x20001d9c = 0; *(uint8_t*)0x20001d9d = 9; *(uint8_t*)0x20001d9e = 4; *(uint8_t*)0x20001d9f = 1; *(uint8_t*)0x20001da0 = 1; *(uint8_t*)0x20001da1 = 1; *(uint8_t*)0x20001da2 = 1; *(uint8_t*)0x20001da3 = 2; *(uint8_t*)0x20001da4 = 0; *(uint8_t*)0x20001da5 = 0; *(uint8_t*)0x20001da6 = 9; *(uint8_t*)0x20001da7 = 5; *(uint8_t*)0x20001da8 = 1; *(uint8_t*)0x20001da9 = 9; *(uint16_t*)0x20001daa = 0x200; *(uint8_t*)0x20001dac = 0xfc; *(uint8_t*)0x20001dad = 9; *(uint8_t*)0x20001dae = 7; *(uint8_t*)0x20001daf = 7; *(uint8_t*)0x20001db0 = 0x25; *(uint8_t*)0x20001db1 = 1; *(uint8_t*)0x20001db2 = 0; *(uint8_t*)0x20001db3 = 2; *(uint16_t*)0x20001db4 = 8; *(uint8_t*)0x20001db6 = 9; *(uint8_t*)0x20001db7 = 4; *(uint8_t*)0x20001db8 = 2; *(uint8_t*)0x20001db9 = 0; *(uint8_t*)0x20001dba = 0; *(uint8_t*)0x20001dbb = 1; *(uint8_t*)0x20001dbc = 2; *(uint8_t*)0x20001dbd = 0; *(uint8_t*)0x20001dbe = 0; *(uint8_t*)0x20001dbf = 9; *(uint8_t*)0x20001dc0 = 4; *(uint8_t*)0x20001dc1 = 2; *(uint8_t*)0x20001dc2 = 1; *(uint8_t*)0x20001dc3 = 1; *(uint8_t*)0x20001dc4 = 1; *(uint8_t*)0x20001dc5 = 2; *(uint8_t*)0x20001dc6 = 0; *(uint8_t*)0x20001dc7 = 0; *(uint8_t*)0x20001dc8 = 0x12; *(uint8_t*)0x20001dc9 = 0x24; *(uint8_t*)0x20001dca = 2; *(uint8_t*)0x20001dcb = 2; *(uint16_t*)0x20001dcc = 8; *(uint16_t*)0x20001dce = 7; *(uint8_t*)0x20001dd0 = -1; memcpy((void*)0x20001dd1, "\x6c\xce\x23\xa5\x1a\x59\x66\x0a\x8a", 9); *(uint8_t*)0x20001dda = 0xc; *(uint8_t*)0x20001ddb = 0x24; *(uint8_t*)0x20001ddc = 2; *(uint8_t*)0x20001ddd = 1; *(uint8_t*)0x20001dde = 7; *(uint8_t*)0x20001ddf = 2; *(uint8_t*)0x20001de0 = 0xd6; *(uint8_t*)0x20001de1 = 0x40; memcpy((void*)0x20001de2, "\xa5\xe2\x12", 3); memcpy((void*)0x20001de5, "l", 1); *(uint8_t*)0x20001de6 = 9; *(uint8_t*)0x20001de7 = 5; *(uint8_t*)0x20001de8 = 0x82; *(uint8_t*)0x20001de9 = 9; *(uint16_t*)0x20001dea = 0x3ff; *(uint8_t*)0x20001dec = 3; *(uint8_t*)0x20001ded = 0; *(uint8_t*)0x20001dee = 0xac; *(uint8_t*)0x20001def = 7; *(uint8_t*)0x20001df0 = 0x25; *(uint8_t*)0x20001df1 = 1; *(uint8_t*)0x20001df2 = 3; *(uint8_t*)0x20001df3 = 4; *(uint16_t*)0x20001df4 = 5; *(uint32_t*)0x20001f40 = 0xa; *(uint64_t*)0x20001f44 = 0x20001e00; *(uint8_t*)0x20001e00 = 0xa; *(uint8_t*)0x20001e01 = 6; *(uint16_t*)0x20001e02 = 0x200; *(uint8_t*)0x20001e04 = -1; *(uint8_t*)0x20001e05 = 2; *(uint8_t*)0x20001e06 = 7; *(uint8_t*)0x20001e07 = 0x10; *(uint8_t*)0x20001e08 = 6; *(uint8_t*)0x20001e09 = 0; *(uint32_t*)0x20001f4c = 5; *(uint64_t*)0x20001f50 = 0x20001e40; *(uint8_t*)0x20001e40 = 5; *(uint8_t*)0x20001e41 = 0xf; *(uint16_t*)0x20001e42 = 5; *(uint8_t*)0x20001e44 = 0; *(uint32_t*)0x20001f58 = 2; *(uint32_t*)0x20001f5c = 0x52; *(uint64_t*)0x20001f60 = 0x20001e80; *(uint8_t*)0x20001e80 = 0x52; *(uint8_t*)0x20001e81 = 3; memcpy((void*)0x20001e82, "\x4b\xcf\xbc\x74\x9d\x26\xd0\xfb\xc2\x0c\x2e\x20\x2a\x04\x2e\x8b\xb1\x67\xca\xdf\x5c\x2b\xcd\xbd\x07\xdd\xe6\x67\x1d\xa7\xdd\x40\x03\x06\xb2\x6f\x22\x0f\xef\x4a\x33\x97\xf0\xa9\x5a\x4b\x8c\xa5\xba\xfd\x5a\x4f\xa8\xb9\x9d\x24\x50\x5f\x7a\x27\xac\x07\xa1\x6b\xbb\x02\xd5\x24\xc0\xbb\xfa\x3a\xf8\xe3\x18\xdf\x58\xfe\xb1\x43", 80); *(uint32_t*)0x20001f68 = 4; *(uint64_t*)0x20001f6c = 0x20001f00; *(uint8_t*)0x20001f00 = 4; *(uint8_t*)0x20001f01 = 3; *(uint16_t*)0x20001f02 = 0x807; res = -1; res = syz_usb_connect(6, 0xb6, 0x20001d40, 0x20001f40); if (res != -1) r[12] = res; break; case 36: syz_usb_disconnect(r[12]); break; case 37: syz_usb_ep_read(r[10], 6, 0xd6, 0x20001f80); break; case 38: *(uint8_t*)0x20002080 = 0x12; *(uint8_t*)0x20002081 = 1; *(uint16_t*)0x20002082 = 0x110; *(uint8_t*)0x20002084 = 2; *(uint8_t*)0x20002085 = 0; *(uint8_t*)0x20002086 = 0; *(uint8_t*)0x20002087 = -1; *(uint16_t*)0x20002088 = 0x525; *(uint16_t*)0x2000208a = 0xa4a1; *(uint16_t*)0x2000208c = 0x40; *(uint8_t*)0x2000208e = 1; *(uint8_t*)0x2000208f = 2; *(uint8_t*)0x20002090 = 3; *(uint8_t*)0x20002091 = 1; *(uint8_t*)0x20002092 = 9; *(uint8_t*)0x20002093 = 2; *(uint16_t*)0x20002094 = 0x3d; *(uint8_t*)0x20002096 = 1; *(uint8_t*)0x20002097 = 1; *(uint8_t*)0x20002098 = 9; *(uint8_t*)0x20002099 = 0xc0; *(uint8_t*)0x2000209a = 0xb3; *(uint8_t*)0x2000209b = 9; *(uint8_t*)0x2000209c = 4; *(uint8_t*)0x2000209d = 0; *(uint8_t*)0x2000209e = 8; *(uint8_t*)0x2000209f = 3; *(uint8_t*)0x200020a0 = 2; *(uint8_t*)0x200020a1 = 6; *(uint8_t*)0x200020a2 = 0; *(uint8_t*)0x200020a3 = 1; *(uint8_t*)0x200020a4 = 7; *(uint8_t*)0x200020a5 = 0x24; *(uint8_t*)0x200020a6 = 6; *(uint8_t*)0x200020a7 = 0; *(uint8_t*)0x200020a8 = 0; memcpy((void*)0x200020a9, "\x93\xb5", 2); *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 0x24; *(uint8_t*)0x200020ad = 0; *(uint16_t*)0x200020ae = 1; *(uint8_t*)0x200020b0 = 0xd; *(uint8_t*)0x200020b1 = 0x24; *(uint8_t*)0x200020b2 = 0xf; *(uint8_t*)0x200020b3 = 1; *(uint32_t*)0x200020b4 = 5; *(uint16_t*)0x200020b8 = 0xdf0; *(uint16_t*)0x200020ba = 0xa5e2; *(uint8_t*)0x200020bc = -1; *(uint8_t*)0x200020bd = 9; *(uint8_t*)0x200020be = 5; *(uint8_t*)0x200020bf = 0x82; *(uint8_t*)0x200020c0 = 2; *(uint16_t*)0x200020c1 = 0x40; *(uint8_t*)0x200020c3 = 0; *(uint8_t*)0x200020c4 = 0x40; *(uint8_t*)0x200020c5 = 0x20; *(uint8_t*)0x200020c6 = 9; *(uint8_t*)0x200020c7 = 5; *(uint8_t*)0x200020c8 = 3; *(uint8_t*)0x200020c9 = 2; *(uint16_t*)0x200020ca = 8; *(uint8_t*)0x200020cc = 0x20; *(uint8_t*)0x200020cd = -1; *(uint8_t*)0x200020ce = 4; *(uint32_t*)0x20002640 = 0xa; *(uint64_t*)0x20002644 = 0x20002100; *(uint8_t*)0x20002100 = 0xa; *(uint8_t*)0x20002101 = 6; *(uint16_t*)0x20002102 = 0x250; *(uint8_t*)0x20002104 = 0; *(uint8_t*)0x20002105 = 0x81; *(uint8_t*)0x20002106 = 0x20; *(uint8_t*)0x20002107 = 0x20; *(uint8_t*)0x20002108 = 3; *(uint8_t*)0x20002109 = 0; *(uint32_t*)0x2000264c = 5; *(uint64_t*)0x20002650 = 0x20002140; *(uint8_t*)0x20002140 = 5; *(uint8_t*)0x20002141 = 0xf; *(uint16_t*)0x20002142 = 5; *(uint8_t*)0x20002144 = 0; *(uint32_t*)0x20002658 = 8; *(uint32_t*)0x2000265c = 0xcd; *(uint64_t*)0x20002660 = 0x20002180; *(uint8_t*)0x20002180 = 0xcd; *(uint8_t*)0x20002181 = 3; memcpy((void*)0x20002182, "\x2e\x83\x3d\xbc\x02\x86\x82\x12\xd3\xec\x73\x52\xfb\x0d\xe8\xa0\x5e\xcf\x66\x18\x59\xde\xbe\x23\xba\x73\x5f\xb9\x0a\x26\x85\x3e\x0d\x4c\x9b\xfc\xeb\xac\x70\xce\x40\x53\x9a\x98\xcf\x89\x47\xe0\x6b\xb7\x5d\xe0\xa9\x20\x5e\x0b\x79\x1c\xb4\xf9\xe7\xaa\x0a\xe1\x14\x9e\x93\x94\xff\xef\x26\x6f\x96\xe0\xc7\x5a\xb7\x28\xca\xdb\xc3\x12\x57\x0e\xfe\xd7\x37\x09\x0a\x62\x51\xc0\x9e\x1a\x5d\x38\xa0\xc6\xf1\xec\x4a\xe0\x55\x86\x3d\x69\xe4\xdc\xf3\x6d\x97\x4d\x2b\xe3\xe4\x87\xc7\xd2\xf1\xdb\x21\x61\xe9\x3b\x7d\x15\x2c\xe0\x46\xf0\x30\xb3\x6d\x08\x32\x89\xed\xdd\x71\x05\xed\x8e\xae\xd4\x9f\x71\x10\x17\xba\xab\xde\x9d\x5f\x01\xcd\x47\x38\x50\x3d\x32\x26\x69\x55\x4f\xcf\x3b\x5a\x65\xb0\x51\x97\x33\xb0\x7a\x7f\x3c\xff\xdc\x92\xb0\x38\x2c\x66\x12\x0c\x41\xaa\xe8\x85\x68\xc7\x52\xf7\x9d\x50\x1f\xd4\xda\x58\xe6\x87\x9e\x7e", 203); *(uint32_t*)0x20002668 = 4; *(uint64_t*)0x2000266c = 0x20002280; *(uint8_t*)0x20002280 = 4; *(uint8_t*)0x20002281 = 3; *(uint16_t*)0x20002282 = 0x3c0a; *(uint32_t*)0x20002674 = 4; *(uint64_t*)0x20002678 = 0x200022c0; *(uint8_t*)0x200022c0 = 4; *(uint8_t*)0x200022c1 = 3; *(uint16_t*)0x200022c2 = 0x3801; *(uint32_t*)0x20002680 = 0x1f; *(uint64_t*)0x20002684 = 0x20002300; *(uint8_t*)0x20002300 = 0x1f; *(uint8_t*)0x20002301 = 3; memcpy((void*)0x20002302, "\xa6\x70\xc3\x58\x2d\x38\x96\x7a\xc4\x85\x45\x5e\x8a\x40\xac\xb6\xf5\xdf\x24\xab\x49\xa4\xc6\xbb\x43\xd5\x84\xed\xf7", 29); *(uint32_t*)0x2000268c = 4; *(uint64_t*)0x20002690 = 0x20002340; *(uint8_t*)0x20002340 = 4; *(uint8_t*)0x20002341 = 3; *(uint16_t*)0x20002342 = 0x44f; *(uint32_t*)0x20002698 = 0xe1; *(uint64_t*)0x2000269c = 0x20002380; *(uint8_t*)0x20002380 = 0xe1; *(uint8_t*)0x20002381 = 3; memcpy((void*)0x20002382, "\xbe\x2c\xe1\x8f\xae\x6d\xa9\xf1\xaa\x4b\x97\x21\x97\xbe\x7a\x6c\xe4\xb2\x83\xc3\xe0\x02\x7e\x6d\xa1\x3d\x86\x39\xf6\x74\xea\x9c\x64\x28\x9b\x33\xc0\xe1\x43\x5b\x7c\x16\x54\xa5\x69\x12\x7b\x26\xad\x53\x77\x4f\x2b\x6b\x20\x57\x9f\xac\x6f\xaf\xfe\x12\x94\x9e\xe4\xb0\xd3\xcd\x2d\x89\x0c\xff\x2d\x7e\x9b\xb4\x3b\x60\x2a\x39\x4e\xfd\x49\x75\x18\x4f\x7e\xec\xab\x16\xa3\xf1\x87\xca\xb4\xc2\xca\x01\xac\x5b\xc9\xc5\x5c\x8b\xb9\x81\x32\x3d\x91\x9f\x77\x35\x5b\x3c\xe7\x42\x8d\xa6\x2a\xf8\x0c\x76\xb1\x85\xe1\x0a\xc7\xb1\xcc\x95\x0e\xcc\x71\x5c\x3e\x0a\x1e\x14\x23\x11\xb6\x29\x41\xe0\x62\x91\xb3\x0d\x2d\x3c\x7d\x46\x8d\xfb\xe2\x83\xc9\x1f\xc0\x83\x3d\xb0\x68\xe7\xbf\x39\x7c\x23\x35\x75\x79\x02\x29\xce\x51\x3b\xbd\xc4\x38\x7d\x81\xb3\x02\x7e\xf6\x8b\x20\xde\x25\xd9\xf1\xff\x32\xb9\x5c\xba\x44\x3b\x9e\x7f\xba\x49\x91\x43\xe8\x41\xa6\x19\x0c\x6e\xcb\x29\x06\xfe\x42\x30\xf8\x39\xba\x8c\x3c\x73\xea", 223); *(uint32_t*)0x200026a4 = 0xc1; *(uint64_t*)0x200026a8 = 0x20002480; *(uint8_t*)0x20002480 = 0xc1; *(uint8_t*)0x20002481 = 3; memcpy((void*)0x20002482, "\xf1\x7d\xb2\xea\x26\xd9\x0b\xa9\x3d\x1d\xbd\x3d\x94\x82\x88\x21\x72\xcc\x15\x8b\x4c\xc4\x3c\x36\xd1\x2b\xb9\x4e\x06\xfc\x7a\xba\x0d\x96\xba\x62\xa3\x8b\x39\xb7\x7b\xb6\x6a\x8b\x4b\xa6\xfe\x26\x0c\x87\x74\x64\xdc\x10\x12\x44\x9a\x3a\x6a\xb5\xb8\x0e\x66\x7a\x3a\x01\xdb\x8d\xd1\xdc\x34\x68\xb0\xd7\x28\x93\xad\xf2\x5b\xd1\xa7\xb9\xdc\xdd\xf5\x69\x12\x2a\x73\x02\x6b\x76\xfd\x0e\x25\xd7\x44\x0c\xa5\xdb\x63\x5b\x3f\xc9\x01\x3f\xd7\x90\x99\xa7\xd7\xe8\x1d\xb8\x74\x5b\xc9\xd0\xa6\xc9\x38\x79\x1d\x2c\xbf\xd1\x0f\x1c\x62\x8c\xa1\x7a\xf9\x93\xb7\x02\xc1\xed\xe3\x0d\xa1\x88\x25\x67\xce\x28\x7f\x66\xb2\x3e\xbf\x40\x8a\x2d\x9c\x63\xe1\xcb\x0b\x27\x95\x27\x3e\xfa\x81\x53\x56\x1c\x3c\x3e\xeb\x71\xd1\x2a\xa0\x87\xe9\x25\x55\x26\xb5\x28\xf5\x38\xaf\x4a\xbd\x41\xcf\x89\x01", 191); *(uint32_t*)0x200026b0 = 0xc0; *(uint64_t*)0x200026b4 = 0x20002580; *(uint8_t*)0x20002580 = 0xc0; *(uint8_t*)0x20002581 = 3; memcpy((void*)0x20002582, "\x6f\x57\xd6\xa5\x96\x20\x2e\xbf\x5a\x75\xb9\x72\x49\x11\xf9\x1a\x3d\x92\xae\x1a\xc8\x1a\xbb\x9c\x1b\x13\x4a\x76\xe6\x65\x90\xf6\xeb\x8d\xd8\x4c\xc1\x09\x60\xb8\xd2\x23\x94\x7d\x1c\x2e\x77\x1b\x94\xe7\x29\xd8\x34\x18\xf4\x14\x21\x3f\xf8\xb9\x06\x77\x03\x30\xbe\xa7\x0e\x59\xfe\x4d\x8b\xa5\x37\xfb\xcf\xd3\xc4\xbf\xc4\xea\x3b\x64\x0c\x31\x12\x92\x6d\x8c\x78\xee\xe8\x39\x72\x09\x00\xc5\x05\xcc\x01\x3c\x12\x63\xdc\xf2\x7b\x6c\x0f\x87\xfc\xb8\x7f\x40\xcb\x6b\xde\x31\x54\xcc\xd6\x3e\x65\xa4\x8c\x86\xc5\x8a\x38\x57\xf6\x8f\x88\x08\x20\x3f\xb2\x8d\x95\xe7\x4a\x18\x65\xeb\x8f\x82\xfe\x95\x35\x62\xa1\x47\x51\xed\x18\xf2\x51\xe5\x11\x53\x70\xd2\xbc\x19\x14\x5c\xcf\x3a\xbe\xae\x4c\x81\xfb\x1d\x97\xf6\x2e\x03\x5d\xb7\x3d\x11\xab\x7e\xc5\x96\xbc\x7a\x36\x86\x55\xc6", 190); res = -1; res = syz_usb_connect(4, 0x4f, 0x20002080, 0x20002640); if (res != -1) r[13] = res; break; case 39: memcpy((void*)0x200026c0, "\x01\xdf\x42\x94\xf0\x1f\xe1\xf9\x43\xb7\x80\xcc\xad\x76\xab\x8a\x48\x35\x3c\xbc\xe5\x48\x12\x83\xfb\x7d\x07\xe3\x29\x52\x05\x54\x49\xb6\x58\x1b\x36\x93\xb6\x7e\xde\xa7\xf1\x03\x54\x2f\xd1\xdc\xcf\x21\xa4\xf8\xce\x11\xf5\x24\x82\xa5\x50\xdd\x31\x99\xda\x83\x0c\x3e\x19\xff\x1a\x99\x6c\xe1\x42\x4b\x13\x49\x5e\x70\x4b\xe3\xf8\xc1\x06\xd0\x83\x38\xa6\x9d\xb2\x9c\x70\xd0\x40\xba\x40\x50\x16\xd9\x02\x55\xd8\x1d\x11\x5d\x9c\x6c\x9c\x13\xb9\x57\x89\xba\x2d\x4e\xe0\xf0\x05\xd9\x5b", 119); syz_usb_ep_write(r[13], 8, 0x77, 0x200026c0); break; } } int main(void) { inject_fault(0); syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_io_uring_setup’: :281:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :281:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor181178747 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/9 (0.65s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:namespace Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int real_uid; static int real_gid; __attribute__((aligned(64 << 10))) static char sandbox_stack[1 << 20]; static int namespace_sandbox_proc(void* arg) { sandbox_common(); write_file("/proc/self/setgroups", "deny"); if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) exit(1); if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) exit(1); if (unshare(CLONE_NEWNET)) exit(1); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount(NULL, "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); drop_caps(); loop(); exit(1); } static int do_sandbox_namespace(void) { int pid; setup_common(); real_uid = getuid(); real_gid = getgid(); mprotect(sandbox_stack, 4096, PROT_NONE); pid = clone(namespace_sandbox_proc, &sandbox_stack[sizeof(sandbox_stack) - 64], CLONE_NEWUSER | CLONE_NEWPID, 0); return wait_for_loop(pid); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 40; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 26 ? 50 : 0) + (call == 32 ? 3000 : 0) + (call == 33 ? 3000 : 0) + (call == 34 ? 300 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 3000 : 0) + (call == 39 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/dsp\000", 9); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); break; case 2: syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); break; case 3: memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); if (res != -1) r[1] = res; break; case 4: *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); break; case 5: syscall(__NR_socket, 0xaul, 5ul, 0x84); break; case 6: memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; res = syz_open_dev(0x20000240, 8, 0x40040); if (res != -1) r[2] = res; break; case 7: *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); break; case 8: *(uint32_t*)0x20000300 = 0x14; syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); break; case 9: syscall(__NR_socket, 4ul, 2ul, 0); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); break; case 11: *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; break; case 12: memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); syz_execute_func(0x20000140); break; case 13: break; case 14: memcpy((void*)0x200001c0, "SEG6\000", 5); syz_genetlink_get_family_id(0x200001c0); break; case 15: syz_init_net_socket(3, 2, 0xc4); break; case 16: res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); if (res != -1) r[3] = res; break; case 17: syz_io_uring_complete(r[3]); break; case 18: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); if (res != -1) r[4] = *(uint32_t*)0x20000218; break; case 19: res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); if (res != -1) r[5] = res; break; case 20: memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); if (res != -1) r[6] = res; break; case 21: res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); if (res != -1) r[7] = res; break; case 22: *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint32_t*)0x20000394 = 1; *(uint32_t*)0x20000398 = 0; *(uint64_t*)0x200003a0 = 1; *(uint16_t*)0x200003a8 = 0; *(uint16_t*)0x200003aa = r[7]; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; *(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; syz_io_uring_submit(r[3], r[5], 0x20000380, 5); break; case 23: *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0x200003c0; memcpy((void*)0x200003c0, "\xc6\x6b\xf5\x1c\x00\x3b\x68\x4c\xd1\xf5\x6d\x7d\xbc\xd2\xde\xa7\x67\x52\x93\xe4\xd0\x16\x95\x5f\xb8\x84\x32\x0c\xce\xfe\xf5\x21\x42\xee\xf0\xb6\x1d\x38\x99\x59\xe4\xe4\x75\x07\x5b\x6b\x11\xcd\xbe\x1c", 50); *(uint64_t*)0x20000410 = 0x32; *(uint64_t*)0x20000440 = 1; *(uint64_t*)0x20000448 = 0; syz_kvm_setup_cpu(r[6], -1, 0x20fe7000, 0x20000400, 1, 0, 0x20000440, 1); break; case 24: res = syscall(__NR_mmap, 0x20ffb000ul, 0x4000ul, 0x2000000ul, 0x1000ul, -1, 0x8000000ul); if (res != -1) r[8] = res; break; case 25: *(uint32_t*)0x20000480 = 1; syz_memcpy_off(r[8], 0x114, 0x20000480, 0, 4); break; case 26: memcpy((void*)0x200004c0, "afs\000", 4); memcpy((void*)0x20000500, "./file0\000", 8); *(uint64_t*)0x200008c0 = 0x20000540; *(uint64_t*)0x200008c8 = 0; *(uint64_t*)0x200008d0 = 0x32; *(uint64_t*)0x200008d8 = 0x20000580; memcpy((void*)0x20000580, "\x3a\x7a\x72\xca\x9b\x2a\x42\x2a\xfb\xeb\xa2\xd7\xa8\x43\x38\xcb\x03\x95\x18\x39\x45\x1a\xf3\xf3\x03\x1d\x00\x30\xdb\x11\xa0\x8c\x0e\xb2\x24\x4d\xab\x7f\x4f\xd9\x44\x2c\xd5\x53\x70\xfb\xac\xdc\x33\x0d\x3e\xe2\x18\x81\x37\xd0\xad\x97\x72\xc7\xae\x54\xfa\xe9\x2d\x19\x41\xe0\x49\xbd\xcb\x3b\x8f\x64\x5e\xa6\xa7\xd7\x46\x40\x42\x86\xd5\x6d\xfd\x7a\x41\xfb\x29\xe2\x98\x7d\x8d\x73\xb3\x67\x9f\xae\x42\x7f\x5a\xf0\x81\x85\xe4\xff\xda\x15\x32\x28\xa3\xac\x82\xbf\x94\xf1\x77\x52\xed\x78\xdf\xe5\xb9\xa4", 124); *(uint64_t*)0x200008e0 = 0x7c; *(uint64_t*)0x200008e8 = 0xee5; *(uint64_t*)0x200008f0 = 0x20000600; memcpy((void*)0x20000600, "\xa9\x63\xe9\x74\x3e\x9c\x3d\x09\x2a\x0a\xb1\xd6\x8a\x13\xfe\x85\xf8\x0e\xd9\x43\x58\xab\x9a\xd4\x02\x9d\xff\x34\x33\xa3\x22\x3c\x65\x0d\x6a\x96\x50\x5e\xc9\xa3\xd6\xcd\x09\xad\x3f\x26\x8f\xcd\xd1\x24\x8a\xa4\x3e\xf1\x38\xa7\x9b\x0c\x4c\x11\x6f\x71\x78\xb5\xfc\x5c\xc4\x9f\xa3\x03\x20\x1e\x8c\x7e\xf4\xe3\x22\x43\x41\x05\xec\xdc\x91\x2a\xe6\x72\x51\x0b\x34\xc0\x1a\xa3\x89\x0c\x90\xf2\x72\x00\xde\x2b\x65\xc4\xbd\x20", 104); *(uint64_t*)0x200008f8 = 0x68; *(uint64_t*)0x20000900 = 0x10000; *(uint64_t*)0x20000908 = 0x20000680; memcpy((void*)0x20000680, "\x6a\xc4\x43\xef\xa9\x85\x5d\xda\x4f\xa3\xa9\x82\xab\xc0\x60\xeb\xf1\xa6\x78\x5f\xeb\xa7\x7c\xd7\x0d\x48\x6a\x29\xf4", 29); *(uint64_t*)0x20000910 = 0x1d; *(uint64_t*)0x20000918 = 2; *(uint64_t*)0x20000920 = 0x200006c0; memcpy((void*)0x200006c0, "\x32\x29\x20\x2f\xd1\x3c\x8a\xb6\xd5\x54\xd8\xdf\xb6\xa8\x66\x18\x05\xf5\x3c\x5e\x81\x67\x1b\xf5\xd7\x02\xaa\x4c\x17\xca\xd1\x07\xcf\xc6\xa8\xfe\x70\x2b\x26\x94\x2c\x63\x2a\x4e\xd0\xe1\x01\x04\x40\xb5\x1b\x99\x78\x5c\x11\x2a\x0b\xda\x8c\x28\x62\x67\xac\x9c\xb4\xe6\x95\x37\x6a\x13\xd9\x93\x7d\xfe\x15\x42\x39\xc4\xea\x04\xf3\x85\x39\xa8\xe5\x57\xdb\xcc\x89\x09\x42\x0c\x76\xb2\x58\x7b\x42\xaa\x2d\x61\xbf\x39\x5f\xe9\x13\xba\xd8\x6d\xdf\x17\xa8\xf1\xb3\x21\x2d\x0f\x0a\x6b\xc2\xe7\x84\x1e\xf2\xe2\xee\x0b\xe0\x59\x01\xf0\x28\xc7\xc6\x5e\x1c\x2c\xb6\x41\xf5\x56\x50\x8f\xbf\x32\x2d\xa0\x30\xde\x78\x46\xad\x39\x00\x40\x82\xc1\x28\xa0\xff\xb6\x0c\x1b\x80\x1b\xfd\x69\xa0\xe5\xf3\x7b\x51\xfe\xb7\x8d\x97\x24\x0f\x45\xf3\xce\x17\xa2\x8a\xbb\xd8\x9b\xd1\x6c\xd2\xd0\x6c\x74\x48\x89\x90\xab\xa3\x6f\xf0\x06\xe8\xae\x36\x22\xec\x18\xfa\x76\xb7\x67\xbe\x88\xf1\x92\xf9\x4a\xf1\x5e\x23\xd7\x42\x17\x73\x8a\x1d\x48\xef\x2c\x3e\x1c\x0a\x55\x72\x03\x04\x5e\x3b\xa2\x5e\x9c\xd3\x8e\xfa\x64", 244); *(uint64_t*)0x20000928 = 0xf4; *(uint64_t*)0x20000930 = 6; *(uint64_t*)0x20000938 = 0x200007c0; memcpy((void*)0x200007c0, "\x41\x4d\x78\x40\x34\x90\x27\x5a\x20\x64\x95\xf9\x3c\xf6\x22\x29\x59\x6a\x76\xf6\x22\xd4\x2e\x73\x7b\xfa\x14\x8f\xc2\x38\x5d\x9c\x82\x94\x6c\xe9\x5d\x9b\x76\x65\xc1\x48\xbf\xd7\x23\xf5\x24\x8f\xfc\xb6\xa4\xfc\x82\x65\xde\x9d\xa9\xe3\x4f\xf0\x57\x7d\xd7\x19\x23\x3d\x7e\xf9\x61\x0b\x9b\x9d\x98\xd4\xf2\xce\xdc\xc5\x35\x1c\xb7\x23\x4e\x0a\x83\x45\xf8\x1e\x60\x3a\x00\x2c\x13\xd8\x98\xf1\x08\x46\x56\xc5\x1b\xe0\x05\x26\xc6\xb7\x97\x7b\x28\x78\x09\x59\x1c\x51\xa2\x88\xac\xec\x3e\x57\x0a\x94\xcc\x77\x42\x01\x95\xf2\xa8\x1a\x77\x89\x6f\x9f\x08\x1b\x17\x3c\x24\xad\xa2\x30\x41\xea\x2e\x72\x53\x69\x86\x01\xd8\x37\x69\x09\x4d\x34\x89", 157); *(uint64_t*)0x20000940 = 0x9d; *(uint64_t*)0x20000948 = 1; *(uint64_t*)0x20000950 = 0x20000880; memcpy((void*)0x20000880, "\x3c\xc0\xa1\x54\x97\x7d\x26\x88\x2d\x94\xf1\xc1\x08\xa6\x28\x7b\x15\xe8\x35\xbf\x2d\x9e\xbc\xfd\x92\x5c\x45\x69\xc9\xde\x9d\x46\x3b\x92\x91\x58\x99\x0d\x2f\x48", 40); *(uint64_t*)0x20000958 = 0x28; *(uint64_t*)0x20000960 = 0xfffffffffffffbff; memcpy((void*)0x20000980, "flock=strict", 12); *(uint8_t*)0x2000098c = 0x2c; memcpy((void*)0x2000098d, "flock=write", 11); *(uint8_t*)0x20000998 = 0x2c; memcpy((void*)0x20000999, "source", 6); *(uint8_t*)0x2000099f = 0x3d; memcpy((void*)0x200009a0, "\353", 1); *(uint8_t*)0x200009a1 = 0x2c; memcpy((void*)0x200009a2, "autocell", 8); *(uint8_t*)0x200009aa = 0x2c; *(uint8_t*)0x200009ab = 0; syz_mount_image(0x200004c0, 0x20000500, 0x1f, 7, 0x200008c0, 0x1015005, 0x20000980); break; case 27: memcpy((void*)0x200009c0, "/dev/i2c-#\000", 11); syz_open_dev(0x200009c0, 0x10000, 0x6840); break; case 28: *(uint32_t*)0x20000a40 = -1; *(uint32_t*)0x20000a44 = -1; *(uint32_t*)0x20000a48 = 0; *(uint32_t*)0x20000a4c = 3; *(uint64_t*)0x20000a50 = 0x20000a00; memcpy((void*)0x20000a00, ".\\\000", 3); *(uint32_t*)0x20000a58 = 0; *(uint32_t*)0x20000a5c = 0; *(uint64_t*)0x20000a60 = 0; *(uint64_t*)0x20000a68 = 0; res = syscall(__NR_bpf, 0x14ul, 0x20000a40ul, 0x30ul); if (res != -1) r[9] = *(uint32_t*)0x20000a40; break; case 29: memcpy((void*)0x20000a80, "status\000", 7); syz_open_procfs(r[9], 0x20000a80); break; case 30: syz_open_pts(-1, 0x8000); break; case 31: syz_read_part_table(6, 0, 0x20000ac0); break; case 32: *(uint8_t*)0x20000b00 = 0x12; *(uint8_t*)0x20000b01 = 1; *(uint16_t*)0x20000b02 = 0x250; *(uint8_t*)0x20000b04 = 0xa8; *(uint8_t*)0x20000b05 = 0x9c; *(uint8_t*)0x20000b06 = 0xcc; *(uint8_t*)0x20000b07 = -1; *(uint16_t*)0x20000b08 = 0x499; *(uint16_t*)0x20000b0a = 0x150c; *(uint16_t*)0x20000b0c = 0xbaf4; *(uint8_t*)0x20000b0e = 1; *(uint8_t*)0x20000b0f = 2; *(uint8_t*)0x20000b10 = 3; *(uint8_t*)0x20000b11 = 1; *(uint8_t*)0x20000b12 = 9; *(uint8_t*)0x20000b13 = 2; *(uint16_t*)0x20000b14 = 0x702; *(uint8_t*)0x20000b16 = 3; *(uint8_t*)0x20000b17 = 2; *(uint8_t*)0x20000b18 = 5; *(uint8_t*)0x20000b19 = 0x80; *(uint8_t*)0x20000b1a = 0x1f; *(uint8_t*)0x20000b1b = 9; *(uint8_t*)0x20000b1c = 4; *(uint8_t*)0x20000b1d = 0x7d; *(uint8_t*)0x20000b1e = 0; *(uint8_t*)0x20000b1f = 0xb; *(uint8_t*)0x20000b20 = 0x5c; *(uint8_t*)0x20000b21 = 0x68; *(uint8_t*)0x20000b22 = 0x45; *(uint8_t*)0x20000b23 = 0xb8; *(uint8_t*)0x20000b24 = 0x64; *(uint8_t*)0x20000b25 = 0xe6; memcpy((void*)0x20000b26, "\x25\xbb\xa1\x93\x73\x4e\x4e\xb8\x7c\xbd\x6a\x4c\x96\x1e\xf0\x1e\x6c\x96\x0f\xa2\x7d\xe2\xe0\xb2\x88\x3e\x73\xbc\xb5\x6b\x37\x1c\xc2\xf9\x4a\x39\xee\x59\xf2\x12\x37\xd7\xfd\x38\xba\xfe\xa3\xbe\xbf\x15\x96\x7e\x66\xfd\xa6\x11\x4d\x34\xb3\x49\xe1\x86\x8e\xf9\x5c\xc0\xa0\x63\x05\xd0\x16\xcd\x2c\xc7\x23\x33\x40\x35\xa1\x10\xf9\xda\x19\x7a\xfa\x79\xa6\xb0\x45\xfa\xc5\xf7\xd5\xbb\x63\x9e\x45\x41", 98); *(uint8_t*)0x20000b88 = 0xa; *(uint8_t*)0x20000b89 = 0x24; *(uint8_t*)0x20000b8a = 1; *(uint16_t*)0x20000b8b = 7; *(uint8_t*)0x20000b8d = 0x80; *(uint8_t*)0x20000b8e = 2; *(uint8_t*)0x20000b8f = 1; *(uint8_t*)0x20000b90 = 2; *(uint8_t*)0x20000b91 = 9; *(uint8_t*)0x20000b92 = 5; *(uint8_t*)0x20000b93 = 1; *(uint8_t*)0x20000b94 = 3; *(uint16_t*)0x20000b95 = 0x200; *(uint8_t*)0x20000b97 = 0x81; *(uint8_t*)0x20000b98 = 1; *(uint8_t*)0x20000b99 = 9; *(uint8_t*)0x20000b9a = 7; *(uint8_t*)0x20000b9b = 0x25; *(uint8_t*)0x20000b9c = 1; *(uint8_t*)0x20000b9d = 1; *(uint8_t*)0x20000b9e = 9; *(uint16_t*)0x20000b9f = 0x1000; *(uint8_t*)0x20000ba1 = 9; *(uint8_t*)0x20000ba2 = 5; *(uint8_t*)0x20000ba3 = 6; *(uint8_t*)0x20000ba4 = 8; *(uint16_t*)0x20000ba5 = 0x400; *(uint8_t*)0x20000ba7 = 0xe8; *(uint8_t*)0x20000ba8 = 0xc6; *(uint8_t*)0x20000ba9 = -1; *(uint8_t*)0x20000baa = 7; *(uint8_t*)0x20000bab = 0x25; *(uint8_t*)0x20000bac = 1; *(uint8_t*)0x20000bad = 1; *(uint8_t*)0x20000bae = 0x81; *(uint16_t*)0x20000baf = 6; *(uint8_t*)0x20000bb1 = 9; *(uint8_t*)0x20000bb2 = 5; *(uint8_t*)0x20000bb3 = 0xd; *(uint8_t*)0x20000bb4 = 0; *(uint16_t*)0x20000bb5 = 0x20; *(uint8_t*)0x20000bb7 = 8; *(uint8_t*)0x20000bb8 = 0xb4; *(uint8_t*)0x20000bb9 = 3; *(uint8_t*)0x20000bba = 9; *(uint8_t*)0x20000bbb = 5; *(uint8_t*)0x20000bbc = 2; *(uint8_t*)0x20000bbd = 1; *(uint16_t*)0x20000bbe = 0x200; *(uint8_t*)0x20000bc0 = 2; *(uint8_t*)0x20000bc1 = 6; *(uint8_t*)0x20000bc2 = 0x20; *(uint8_t*)0x20000bc3 = 9; *(uint8_t*)0x20000bc4 = 5; *(uint8_t*)0x20000bc5 = 7; *(uint8_t*)0x20000bc6 = 2; *(uint16_t*)0x20000bc7 = 0x3ff; *(uint8_t*)0x20000bc9 = 0x29; *(uint8_t*)0x20000bca = 4; *(uint8_t*)0x20000bcb = 0x4c; *(uint8_t*)0x20000bcc = 9; *(uint8_t*)0x20000bcd = 5; *(uint8_t*)0x20000bce = 5; *(uint8_t*)0x20000bcf = 0; *(uint16_t*)0x20000bd0 = 0x200; *(uint8_t*)0x20000bd2 = 2; *(uint8_t*)0x20000bd3 = 0x22; *(uint8_t*)0x20000bd4 = 5; *(uint8_t*)0x20000bd5 = 7; *(uint8_t*)0x20000bd6 = 0x25; *(uint8_t*)0x20000bd7 = 1; *(uint8_t*)0x20000bd8 = 0; *(uint8_t*)0x20000bd9 = 7; *(uint16_t*)0x20000bda = 0x27; *(uint8_t*)0x20000bdc = 9; *(uint8_t*)0x20000bdd = 5; *(uint8_t*)0x20000bde = 0xe; *(uint8_t*)0x20000bdf = 0xc; *(uint16_t*)0x20000be0 = 0x20; *(uint8_t*)0x20000be2 = 0x40; *(uint8_t*)0x20000be3 = 9; *(uint8_t*)0x20000be4 = 0x1f; *(uint8_t*)0x20000be5 = 0x4f; *(uint8_t*)0x20000be6 = 1; memcpy((void*)0x20000be7, "\xf1\x48\xd8\x44\x07\xf5\xb8\xdf\xda\x7c\x13\xb6\x82\x81\xb7\xd1\x42\x09\x55\x10\x93\xf9\x1b\x2d\x8f\x89\x1d\x9f\x3b\x8f\xf0\x7a\x8c\x2b\x56\xbc\xbf\xa7\x44\xea\x1d\xa6\x9f\xb1\x16\xc7\x1d\x11\xfa\x13\xb6\xa2\xc4\x64\xe6\x5d\x7c\x70\x6a\xe2\x5e\x0a\xd8\x36\xd3\x28\xf3\x09\x28\xaf\x26\xfe\x9d\x4f\x3f\x1d\xc1", 77); *(uint8_t*)0x20000c34 = 7; *(uint8_t*)0x20000c35 = 0x25; *(uint8_t*)0x20000c36 = 1; *(uint8_t*)0x20000c37 = 0x82; *(uint8_t*)0x20000c38 = 0x18; *(uint16_t*)0x20000c39 = 0xfc0; *(uint8_t*)0x20000c3b = 9; *(uint8_t*)0x20000c3c = 5; *(uint8_t*)0x20000c3d = 4; *(uint8_t*)0x20000c3e = 0; *(uint16_t*)0x20000c3f = 0x400; *(uint8_t*)0x20000c41 = 0; *(uint8_t*)0x20000c42 = 0x80; *(uint8_t*)0x20000c43 = 7; *(uint8_t*)0x20000c44 = 7; *(uint8_t*)0x20000c45 = 0x25; *(uint8_t*)0x20000c46 = 1; *(uint8_t*)0x20000c47 = 2; *(uint8_t*)0x20000c48 = 4; *(uint16_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4b = 0xf7; *(uint8_t*)0x20000c4c = 0x30; memcpy((void*)0x20000c4d, "\xab\xdd\xdd\x4f\x9b\x3f\x7c\x94\x0f\x59\xac\x5d\x6a\xc2\x20\xf7\x66\x83\x45\x97\x34\x86\x90\xed\xd4\x5d\xbc\xad\x8d\x72\x00\xdb\x71\x84\x99\x1d\x25\x39\xdf\x54\xe5\xad\x82\xe5\xd5\x8b\x03\x66\xea\x3b\x34\x1b\xe9\xa3\x0b\x4b\x2b\xd6\x6b\xf0\x04\x79\x62\x8c\xb4\x77\xc8\x29\x38\xf8\xd3\xc1\x06\xa7\xe1\x8b\x0e\x54\x85\xa0\xb1\x61\x1a\xba\x1d\x8a\xd3\xc7\x40\xfc\x3d\x9a\xcc\xb5\xd7\xb2\x93\xb9\x0b\x16\x8c\x3f\x2c\x69\x79\x81\x35\xb5\x62\x47\x5f\xe2\xa3\xb8\xf6\x19\x57\x22\x51\x66\x27\x87\xbf\x74\x9f\x67\x3a\x35\xee\x80\xea\x76\xed\xd0\xfc\x7b\x31\x77\xf2\x4f\x50\xd6\x8a\xce\xd6\x90\x2e\xcf\x5e\x0a\x1d\x31\x26\xd9\x53\x09\x46\xab\xac\x7a\x85\x79\x91\x94\x74\x8f\x34\xee\xf3\xe2\x49\xc0\xed\xe1\x51\x1b\x67\x62\x6c\x06\x32\x2b\xa0\xb3\x13\x3a\xd7\xea\xb4\x6c\xc0\x7a\x99\x5f\x01\x1d\x24\x78\x19\x83\xc1\x70\x9a\x03\xac\x2e\xf1\x65\xa9\xb9\x1e\xd9\xe7\x5e\x22\x19\x05\xa9\x32\xc3\x50\x1d\x40\x56\x69\x16\xd6\x3f\x2f\xae\x4e\x97\x98\xfa\xb8\xe1\x6a\x1d\x36\x4f\x01\x9c\x0e\xbd\xb0", 245); *(uint8_t*)0x20000d42 = 9; *(uint8_t*)0x20000d43 = 5; *(uint8_t*)0x20000d44 = 2; *(uint8_t*)0x20000d45 = 0; *(uint16_t*)0x20000d46 = 0x40; *(uint8_t*)0x20000d48 = 0xfe; *(uint8_t*)0x20000d49 = 0x20; *(uint8_t*)0x20000d4a = 9; *(uint8_t*)0x20000d4b = 0xed; *(uint8_t*)0x20000d4c = 1; memcpy((void*)0x20000d4d, "\x97\x48\x0b\x61\x9e\xce\x34\x91\x71\x8d\x87\x0d\x13\x33\xf7\xf3\xcb\xe0\x33\x67\xac\x7f\x15\xbe\x17\x93\xcf\x2d\x63\x5a\xf6\x7a\xf8\x8c\xfe\xa5\x26\xad\x45\xea\x67\xc3\x9a\xde\x3d\x19\x91\x8d\x55\xea\x59\x8a\x78\x07\xfd\x2c\x56\xad\xdf\xb5\x2f\x42\x75\x6b\xfc\x60\x2c\x04\x56\x0e\x98\x1a\x38\x78\x3c\xa3\xdd\x8b\xa4\x31\xc2\x67\x59\x2b\xc0\x04\xb2\xf5\x3e\x49\x08\x2d\xac\x6a\x78\x48\xb9\x29\xdc\xf5\x3f\x15\x1f\x4c\x9a\xe6\xf8\x91\x2f\xff\xd9\x19\x9b\xcd\xcd\x8b\x95\xfd\xc2\xdf\xaa\x22\xd3\xa7\x31\xf3\xc4\xaa\x34\x47\xd4\x18\x3b\x1c\xb4\xcc\xce\xb3\x6e\x69\x37\xf2\x27\x5c\x89\xce\x0b\xa8\x3f\x40\xc2\xc7\xdb\xf1\x3b\x41\x77\x0a\x0f\x12\x5b\x10\xde\xd7\xee\xfe\x7a\x18\x24\xf9\xee\xf4\x93\x83\x10\xa5\x5c\x12\x1b\xf1\xa9\x25\x9f\x55\x16\x72\xb8\xa0\xa5\x2f\xea\xc5\xcb\xc5\xab\x96\xa5\x49\x1e\xf5\x33\xd7\xbe\x14\x76\x4e\x9d\xa5\x31\xff\xef\x82\xf8\x61\x2a\x74\x0f\xb5\x87\x56\xf7\xcb\x60\x92\xab\xb1\x5a\xa6\xcf\x04\x94\xcb\x71\x06\xf1", 235); *(uint8_t*)0x20000e38 = 0xd3; *(uint8_t*)0x20000e39 = 8; memcpy((void*)0x20000e3a, "\x4e\x8e\x03\x4e\xe9\x75\x01\xac\x38\x25\x74\xd2\xa7\x25\x27\xc5\xe0\xc8\x32\x61\x8b\xc6\xa1\xea\x16\xc3\xf3\x23\x25\x89\x71\x63\x3a\x03\x33\x99\x1a\xd9\x97\x54\xb0\x06\xc9\x5c\x4d\xe5\xf9\x01\xec\x1b\x8d\x86\xbd\x47\xc5\x64\xbd\x2a\xef\x08\xdf\x3c\x22\x4a\x3e\x6e\x40\x84\x65\x54\xee\xd2\x73\x4d\x71\xce\x33\x92\x96\x7e\xf5\x5c\x96\xb3\xda\x0a\xa5\x48\x1f\x31\xc3\x51\xcf\x18\x59\xcb\xee\x24\x4e\x75\x1c\x60\xcf\xad\xc2\x33\xcb\x60\x02\xee\x6f\xf4\xcc\x2c\x9b\x76\x37\x8f\x5b\x6e\x41\x0c\x01\x4f\x25\xcb\x9f\xff\x68\xf8\xa6\xff\x5b\x81\xb6\xd0\x9b\x9c\x7a\x2a\xaf\x84\x8b\xd2\x47\xed\x21\xb1\x3a\xa8\xd3\x5b\xcb\x7b\xf2\xfa\x6b\x8c\xbf\x55\x29\x9e\xdb\xce\x15\xe7\x88\xd1\xf9\x3c\xff\x32\x23\x99\x24\x9a\xc0\x80\xf2\xd4\x7b\xd3\xf2\x7e\x7a\x6d\xe1\x84\x90\x48\x11\x72\x25\x36\xd0\xa2\x33\x0e\x3e\x51\x11\x46\xfa\xab\x98\x64\xd1\xb1\x83", 209); *(uint8_t*)0x20000f0b = 9; *(uint8_t*)0x20000f0c = 5; *(uint8_t*)0x20000f0d = 0xb; *(uint8_t*)0x20000f0e = 0; *(uint16_t*)0x20000f0f = 0x10; *(uint8_t*)0x20000f11 = 0x2c; *(uint8_t*)0x20000f12 = 9; *(uint8_t*)0x20000f13 = 6; *(uint8_t*)0x20000f14 = 7; *(uint8_t*)0x20000f15 = 0x25; *(uint8_t*)0x20000f16 = 1; *(uint8_t*)0x20000f17 = 0x80; *(uint8_t*)0x20000f18 = 0xc9; *(uint16_t*)0x20000f19 = 0xbb; *(uint8_t*)0x20000f1b = 0x1f; *(uint8_t*)0x20000f1c = 0x31; memcpy((void*)0x20000f1d, "\xe4\x4d\x51\xa1\x5a\x72\x0f\x09\x9d\xad\xeb\x93\x26\x25\x52\xa9\x35\x42\x42\x29\xd3\xf4\xd1\x2e\xdc\x1b\xaa\x9f\x88", 29); *(uint8_t*)0x20000f3a = 9; *(uint8_t*)0x20000f3b = 5; *(uint8_t*)0x20000f3c = 0xc; *(uint8_t*)0x20000f3d = 0; *(uint16_t*)0x20000f3e = 8; *(uint8_t*)0x20000f40 = 0x49; *(uint8_t*)0x20000f41 = 0x40; *(uint8_t*)0x20000f42 = 0x55; *(uint8_t*)0x20000f43 = 9; *(uint8_t*)0x20000f44 = 4; *(uint8_t*)0x20000f45 = 0xfe; *(uint8_t*)0x20000f46 = 0x33; *(uint8_t*)0x20000f47 = 2; *(uint8_t*)0x20000f48 = 0xa2; *(uint8_t*)0x20000f49 = 0x17; *(uint8_t*)0x20000f4a = 0x9a; *(uint8_t*)0x20000f4b = 2; *(uint8_t*)0x20000f4c = 9; *(uint8_t*)0x20000f4d = 0x24; *(uint8_t*)0x20000f4e = 6; *(uint8_t*)0x20000f4f = 0; *(uint8_t*)0x20000f50 = 1; memcpy((void*)0x20000f51, "\xfb\x7f\xfd\xe8", 4); *(uint8_t*)0x20000f55 = 5; *(uint8_t*)0x20000f56 = 0x24; *(uint8_t*)0x20000f57 = 0; *(uint16_t*)0x20000f58 = 1; *(uint8_t*)0x20000f5a = 0xd; *(uint8_t*)0x20000f5b = 0x24; *(uint8_t*)0x20000f5c = 0xf; *(uint8_t*)0x20000f5d = 1; *(uint32_t*)0x20000f5e = 4; *(uint16_t*)0x20000f62 = 0x9f54; *(uint16_t*)0x20000f64 = 0x267; *(uint8_t*)0x20000f66 = 1; *(uint8_t*)0x20000f67 = 6; *(uint8_t*)0x20000f68 = 0x24; *(uint8_t*)0x20000f69 = 0x1a; *(uint16_t*)0x20000f6a = 9; *(uint8_t*)0x20000f6c = 9; *(uint8_t*)0x20000f6d = 0xc; *(uint8_t*)0x20000f6e = 0x24; *(uint8_t*)0x20000f6f = 0x1b; *(uint16_t*)0x20000f70 = -1; *(uint16_t*)0x20000f72 = 1; *(uint8_t*)0x20000f74 = 0x20; *(uint8_t*)0x20000f75 = 6; *(uint16_t*)0x20000f76 = 6; *(uint8_t*)0x20000f78 = 6; *(uint8_t*)0x20000f79 = 0x15; *(uint8_t*)0x20000f7a = 0x24; *(uint8_t*)0x20000f7b = 0x12; *(uint16_t*)0x20000f7c = 3; *(uint64_t*)0x20000f7e = 0x14f5e048ba817a3; *(uint64_t*)0x20000f86 = 0x2a397ecbffc007a6; *(uint8_t*)0x20000f8e = 0xc; *(uint8_t*)0x20000f8f = 0x24; *(uint8_t*)0x20000f90 = 0x1b; *(uint16_t*)0x20000f91 = 0x91; *(uint16_t*)0x20000f93 = 5; *(uint8_t*)0x20000f95 = 1; *(uint8_t*)0x20000f96 = -1; *(uint16_t*)0x20000f97 = 5; *(uint8_t*)0x20000f99 = 0x35; *(uint8_t*)0x20000f9a = 4; *(uint8_t*)0x20000f9b = 0x24; *(uint8_t*)0x20000f9c = 2; *(uint8_t*)0x20000f9d = 1; *(uint8_t*)0x20000f9e = 9; *(uint8_t*)0x20000f9f = 5; *(uint8_t*)0x20000fa0 = 0xa; *(uint8_t*)0x20000fa1 = 0x10; *(uint16_t*)0x20000fa2 = 8; *(uint8_t*)0x20000fa4 = 0x80; *(uint8_t*)0x20000fa5 = 0xc1; *(uint8_t*)0x20000fa6 = 4; *(uint8_t*)0x20000fa7 = 0xb8; *(uint8_t*)0x20000fa8 = 0x30; memcpy((void*)0x20000fa9, "\xe3\x84\xdc\xf0\x3a\xc3\x95\x40\xe5\xa2\x21\x99\xf7\x1a\x53\xba\x42\x8c\x3b\x72\x02\x90\xf0\x27\x6b\xcc\xa0\xcd\x15\x40\x5f\x6c\x93\x04\x97\xaf\x5e\xb3\x20\xa4\x33\xcc\x55\x3d\x6e\x01\x08\xed\xbf\x79\x3e\xf0\x24\x0f\xf2\x69\xb4\xff\x96\xd6\x82\x2b\xcb\x48\xce\xba\xe2\xa5\xce\xad\x65\x78\x6e\xbe\xcd\x5f\x30\x0c\x08\x60\x6d\x33\x22\xb8\x36\x00\x29\xbd\x21\x31\x2d\xac\x49\x33\x61\xe1\xb0\x8f\x2a\xdc\xa4\xdc\x49\xa0\x04\xfe\xfd\xf7\xa3\xa5\x25\xae\x5d\xe1\x1f\x0a\x69\x1a\x41\xb8\x69\xd9\xb9\xa5\xd9\x0d\x5a\x7b\x5e\xbe\x9e\x57\x73\xb9\x7e\xfe\x98\xe3\x89\x53\x77\xa4\x24\xe3\x0e\xf2\x2f\xd2\xff\xa2\x53\x2f\x1b\xb3\xc1\xa4\xe3\xb8\x6a\xfc\x08\xb2\x65\x9a\xa2\xe5\x56\xf1\x90\xe2\x7f\x83\x61\x9a\x16\x18\xd3\x71\xe1\x02\xc5\x58", 182); *(uint8_t*)0x2000105f = 9; *(uint8_t*)0x20001060 = 5; *(uint8_t*)0x20001061 = 0x80; *(uint8_t*)0x20001062 = 1; *(uint16_t*)0x20001063 = 0x40; *(uint8_t*)0x20001065 = 4; *(uint8_t*)0x20001066 = 0; *(uint8_t*)0x20001067 = 0x1f; *(uint8_t*)0x20001068 = 9; *(uint8_t*)0x20001069 = 4; *(uint8_t*)0x2000106a = 0x74; *(uint8_t*)0x2000106b = 0x90; *(uint8_t*)0x2000106c = 0xa; *(uint8_t*)0x2000106d = -1; *(uint8_t*)0x2000106e = 0x5d; *(uint8_t*)0x2000106f = 1; *(uint8_t*)0x20001070 = 0x81; *(uint8_t*)0x20001071 = 0x6c; *(uint8_t*)0x20001072 = 4; memcpy((void*)0x20001073, "\xde\xaf\x84\x76\xcc\x58\x55\xff\xb6\xd2\x2d\x6c\xeb\x29\x77\x34\x8b\xa8\x6d\xee\x7d\x9e\x22\xe0\xc4\x64\x77\xb0\x6c\x0d\xb5\x14\xbb\x53\x83\xa6\x2a\x40\x2c\xc6\xe0\x79\x5d\xdd\xa5\x10\xcf\x42\x38\xb2\xc6\x4b\x65\x7a\x11\x11\xef\xc0\xe4\xaa\xcf\x9e\x40\x80\x2d\xd0\xee\xb6\x9f\x27\x1c\x1e\x6f\xe0\xee\x5e\x9f\x48\x12\x28\x32\xe6\xa8\x0a\x4d\x7a\x66\x11\xe3\xfd\x2d\xca\x49\xd3\x51\x90\x8f\xf9\xa4\x8c\xa2\x0c\x78\xa6\x9c\x65", 106); *(uint8_t*)0x200010dd = 9; *(uint8_t*)0x200010de = 0x21; *(uint16_t*)0x200010df = 7; *(uint8_t*)0x200010e1 = 7; *(uint8_t*)0x200010e2 = 1; *(uint8_t*)0x200010e3 = 0x22; *(uint16_t*)0x200010e4 = 0xab5; *(uint8_t*)0x200010e6 = 9; *(uint8_t*)0x200010e7 = 5; *(uint8_t*)0x200010e8 = 0; *(uint8_t*)0x200010e9 = 0; *(uint16_t*)0x200010ea = 0x200; *(uint8_t*)0x200010ec = 4; *(uint8_t*)0x200010ed = 7; *(uint8_t*)0x200010ee = 0; *(uint8_t*)0x200010ef = 9; *(uint8_t*)0x200010f0 = 5; *(uint8_t*)0x200010f1 = 0x80; *(uint8_t*)0x200010f2 = 0xc; *(uint16_t*)0x200010f3 = 0x40; *(uint8_t*)0x200010f5 = 0; *(uint8_t*)0x200010f6 = 0x7f; *(uint8_t*)0x200010f7 = -1; *(uint8_t*)0x200010f8 = 7; *(uint8_t*)0x200010f9 = 0x25; *(uint8_t*)0x200010fa = 1; *(uint8_t*)0x200010fb = 0; *(uint8_t*)0x200010fc = 0; *(uint16_t*)0x200010fd = 0xff; *(uint8_t*)0x200010ff = 7; *(uint8_t*)0x20001100 = 0x25; *(uint8_t*)0x20001101 = 1; *(uint8_t*)0x20001102 = 2; *(uint8_t*)0x20001103 = 0xfa; *(uint16_t*)0x20001104 = 5; *(uint8_t*)0x20001106 = 9; *(uint8_t*)0x20001107 = 5; *(uint8_t*)0x20001108 = 3; *(uint8_t*)0x20001109 = 3; *(uint16_t*)0x2000110a = 0x3ff; *(uint8_t*)0x2000110c = 0x80; *(uint8_t*)0x2000110d = 0x7f; *(uint8_t*)0x2000110e = 8; *(uint8_t*)0x2000110f = 9; *(uint8_t*)0x20001110 = 5; *(uint8_t*)0x20001111 = 5; *(uint8_t*)0x20001112 = 1; *(uint16_t*)0x20001113 = 0x20; *(uint8_t*)0x20001115 = 4; *(uint8_t*)0x20001116 = 0x3c; *(uint8_t*)0x20001117 = 4; *(uint8_t*)0x20001118 = 7; *(uint8_t*)0x20001119 = 0x25; *(uint8_t*)0x2000111a = 1; *(uint8_t*)0x2000111b = 0x80; *(uint8_t*)0x2000111c = 0x40; *(uint16_t*)0x2000111d = 0x800; *(uint8_t*)0x2000111f = 9; *(uint8_t*)0x20001120 = 5; *(uint8_t*)0x20001121 = 0xd; *(uint8_t*)0x20001122 = 0; *(uint16_t*)0x20001123 = 0x20; *(uint8_t*)0x20001125 = -1; *(uint8_t*)0x20001126 = 0x14; *(uint8_t*)0x20001127 = 0x3f; *(uint8_t*)0x20001128 = 9; *(uint8_t*)0x20001129 = 5; *(uint8_t*)0x2000112a = 4; *(uint8_t*)0x2000112b = 0; *(uint16_t*)0x2000112c = 0x20; *(uint8_t*)0x2000112e = 1; *(uint8_t*)0x2000112f = 1; *(uint8_t*)0x20001130 = 0x56; *(uint8_t*)0x20001131 = 9; *(uint8_t*)0x20001132 = 5; *(uint8_t*)0x20001133 = 0xc; *(uint8_t*)0x20001134 = 0x10; *(uint16_t*)0x20001135 = 8; *(uint8_t*)0x20001137 = 1; *(uint8_t*)0x20001138 = 5; *(uint8_t*)0x20001139 = 2; *(uint8_t*)0x2000113a = 0x20; *(uint8_t*)0x2000113b = 4; memcpy((void*)0x2000113c, "\x6d\xdd\x41\x04\xce\xf7\xb1\xf7\xb2\xdd\xda\xbb\x24\xea\x94\xbe\x1e\x8a\xc9\xfb\xba\x62\xcd\x71\xc1\xa1\xcb\xfa\x4e\x73", 30); *(uint8_t*)0x2000115a = 9; *(uint8_t*)0x2000115b = 5; *(uint8_t*)0x2000115c = 7; *(uint8_t*)0x2000115d = 4; *(uint16_t*)0x2000115e = 0x10; *(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 6; *(uint8_t*)0x20001162 = 0xf8; *(uint8_t*)0x20001163 = 7; *(uint8_t*)0x20001164 = 0x25; *(uint8_t*)0x20001165 = 1; *(uint8_t*)0x20001166 = 0x80; *(uint8_t*)0x20001167 = 3; *(uint16_t*)0x20001168 = 0x8000; *(uint8_t*)0x2000116a = 0x98; *(uint8_t*)0x2000116b = 0x21; memcpy((void*)0x2000116c, "\xe7\xba\xc6\xd3\x44\x3c\xdf\xcd\xf9\xc2\x4b\x69\x78\xdb\xfb\x9d\xd1\x82\x4a\x59\x64\xcb\xfa\x0f\xe6\x42\x96\xd5\x79\x4c\x61\x59\xbc\x30\xb8\x02\xa5\x9b\x5c\x7a\x49\xb5\x34\x03\x5d\xf5\x6b\xbc\x48\x86\x52\xee\x31\xc6\x01\xd5\x32\x65\x07\x01\x6b\xd4\x45\xa1\xc0\x9d\xf2\x31\xcf\x57\x81\x19\x0d\xaa\xba\x0c\xbd\x84\xa1\x72\x64\x03\x27\xb8\xc1\xa1\xd9\x0b\xfa\xb1\x8f\x24\x96\x1f\xfe\x12\xa0\x48\x6a\x23\x9c\x79\xa2\x59\xc5\x37\x65\x26\x03\xdc\xbd\x4b\x2b\x73\x42\xae\x0d\x71\x5a\x75\x43\xf4\xd0\x8b\xb5\x57\xbd\xdc\xd3\xbc\xa8\x35\x90\xb5\x7c\x30\xee\xe2\xce\x95\xf6\xc7\x10\x2f\x64\x6a\xf8\x28\xa4\x96", 150); *(uint8_t*)0x20001202 = 9; *(uint8_t*)0x20001203 = 5; *(uint8_t*)0x20001204 = 2; *(uint8_t*)0x20001205 = 3; *(uint16_t*)0x20001206 = 0x400; *(uint8_t*)0x20001208 = 3; *(uint8_t*)0x20001209 = 2; *(uint8_t*)0x2000120a = 8; *(uint8_t*)0x2000120b = 9; *(uint8_t*)0x2000120c = 5; *(uint8_t*)0x2000120d = 6; *(uint8_t*)0x2000120e = 0x10; *(uint16_t*)0x2000120f = 0x20; *(uint8_t*)0x20001211 = -1; *(uint8_t*)0x20001212 = 4; *(uint8_t*)0x20001213 = 6; *(uint32_t*)0x20001540 = 0xa; *(uint64_t*)0x20001544 = 0x20001240; *(uint8_t*)0x20001240 = 0xa; *(uint8_t*)0x20001241 = 6; *(uint16_t*)0x20001242 = 0x300; *(uint8_t*)0x20001244 = -1; *(uint8_t*)0x20001245 = 0x81; *(uint8_t*)0x20001246 = 6; *(uint8_t*)0x20001247 = 0xf7; *(uint8_t*)0x20001248 = 0xc4; *(uint8_t*)0x20001249 = 0; *(uint32_t*)0x2000154c = 0xf; *(uint64_t*)0x20001550 = 0x20001280; *(uint8_t*)0x20001280 = 5; *(uint8_t*)0x20001281 = 0xf; *(uint16_t*)0x20001282 = 0xf; *(uint8_t*)0x20001284 = 1; *(uint8_t*)0x20001285 = 0xa; *(uint8_t*)0x20001286 = 0x10; *(uint8_t*)0x20001287 = 3; *(uint8_t*)0x20001288 = 0; *(uint16_t*)0x20001289 = 0; *(uint8_t*)0x2000128b = 8; *(uint8_t*)0x2000128c = 0x1f; *(uint16_t*)0x2000128d = 0xfff; *(uint32_t*)0x20001558 = 5; *(uint32_t*)0x2000155c = 4; *(uint64_t*)0x20001560 = 0x200012c0; *(uint8_t*)0x200012c0 = 4; *(uint8_t*)0x200012c1 = 3; *(uint16_t*)0x200012c2 = 0xc07; *(uint32_t*)0x20001568 = 0x54; *(uint64_t*)0x2000156c = 0x20001300; *(uint8_t*)0x20001300 = 0x54; *(uint8_t*)0x20001301 = 3; memcpy((void*)0x20001302, "\x32\x1d\x45\x7f\x2f\x5a\xb9\xfc\xb1\x11\x8c\x96\x06\x31\xfd\x85\xa7\x5e\xad\x82\x91\x36\xaa\x2a\x6c\xc0\x31\x14\x51\x03\x5f\xe1\x7b\x95\x6e\xb8\xfa\x52\xd4\x95\xa3\x11\xa6\xc0\x3f\x0a\xe8\x4c\x86\xf0\xed\x78\xda\xeb\xfa\x15\xdb\x7b\xc5\x78\x8c\x97\x24\xba\xf4\x58\x2d\xc0\xec\x1b\xa6\x68\x1a\x76\xb0\xa1\xbf\xc5\xde\x9d\xae\xcc", 82); *(uint32_t*)0x20001574 = 0xd3; *(uint64_t*)0x20001578 = 0x20001380; *(uint8_t*)0x20001380 = 0xd3; *(uint8_t*)0x20001381 = 3; memcpy((void*)0x20001382, "\x18\x33\x6f\xc5\x62\x3b\xa1\x41\x06\x34\xc4\x05\x0b\xcf\x3b\x48\x8e\xa4\x18\x67\xd0\x59\xdc\xdc\xd2\xc3\x68\xd8\x48\xfe\x51\x47\x32\x3c\x0b\xa4\xe5\x1d\x7c\xf2\xa3\xd1\x50\x25\x8f\x8c\xc2\x56\x9b\xd7\x9e\x95\x1e\xa9\x5a\x31\x8d\xe3\x1d\x14\x6c\x37\xa7\xcf\x71\x2f\x1f\xcd\x44\x03\x90\x85\x2c\x8d\x52\x16\xf8\xd2\x3a\x99\x18\xb0\xe0\x53\x52\x1e\xb6\x70\xad\x3e\xe0\xfb\x8a\x93\xa8\xd7\xba\xd7\x19\x9e\xeb\xe1\x2a\x3b\x02\x10\x7a\xc4\x54\x2b\xc6\x49\x79\x77\xe3\x30\x8b\x40\x7b\xf3\x64\x98\x2f\x4f\xc9\xc3\x30\xf9\xa7\x5c\xcb\x65\xc8\x68\x8d\x5c\x24\x7a\xd0\x6c\x20\xcc\xf0\x14\x65\xe3\xab\x09\xfc\x77\x7f\x73\x47\x4c\x2c\xd0\x53\xb8\x48\xad\x32\x55\xb5\xad\xc8\x1e\x03\x3d\x2a\x0f\xac\x50\x61\xea\x52\xda\xcf\x46\xe8\x8e\x8c\x2e\x38\x8d\xeb\x91\xd2\xd9\xfc\x12\x42\x55\x90\x93\x36\x41\x8e\x74\x3b\xda\x4c\xb4\xf7\x3c\x6b\x75\xaf\x9a\x9b", 209); *(uint32_t*)0x20001580 = 4; *(uint64_t*)0x20001584 = 0x20001480; *(uint8_t*)0x20001480 = 4; *(uint8_t*)0x20001481 = 3; *(uint16_t*)0x20001482 = 0x42b; *(uint32_t*)0x2000158c = 0x5a; *(uint64_t*)0x20001590 = 0x200014c0; *(uint8_t*)0x200014c0 = 0x5a; *(uint8_t*)0x200014c1 = 3; memcpy((void*)0x200014c2, "\x4d\x85\xf3\x14\x20\xff\x1c\xed\xa2\x5d\x11\x8d\x33\xa6\xeb\xbc\xe8\x88\xc1\x2d\x90\xeb\x54\xc8\x27\xd1\x49\xc8\xdc\xbd\x99\xf3\x89\x3b\x35\xd1\xda\x6c\x77\x6b\x1b\x5d\x08\x4b\x30\x8c\xdf\x93\x47\x41\x67\xf2\x66\x19\x9f\x44\x0a\x03\xfc\x3e\x34\x38\x03\x1b\x87\x25\xdd\xe6\x02\x9a\x62\x9c\x08\x43\xbe\xdf\x04\x8b\x84\x09\xb1\x53\xf9\x03\xd6\x57\xd2\x2b", 88); res = -1; res = syz_usb_connect(6, 0x714, 0x20000b00, 0x20001540); if (res != -1) r[10] = res; break; case 33: *(uint8_t*)0x200015c0 = 0x12; *(uint8_t*)0x200015c1 = 1; *(uint16_t*)0x200015c2 = 0x200; *(uint8_t*)0x200015c4 = -1; *(uint8_t*)0x200015c5 = -1; *(uint8_t*)0x200015c6 = -1; *(uint8_t*)0x200015c7 = 0x40; *(uint16_t*)0x200015c8 = 0xcf3; *(uint16_t*)0x200015ca = 0x9271; *(uint16_t*)0x200015cc = 0x108; *(uint8_t*)0x200015ce = 1; *(uint8_t*)0x200015cf = 2; *(uint8_t*)0x200015d0 = 3; *(uint8_t*)0x200015d1 = 1; *(uint8_t*)0x200015d2 = 9; *(uint8_t*)0x200015d3 = 2; *(uint16_t*)0x200015d4 = 0x48; *(uint8_t*)0x200015d6 = 1; *(uint8_t*)0x200015d7 = 1; *(uint8_t*)0x200015d8 = 0; *(uint8_t*)0x200015d9 = 0x80; *(uint8_t*)0x200015da = 0xfa; *(uint8_t*)0x200015db = 9; *(uint8_t*)0x200015dc = 4; *(uint8_t*)0x200015dd = 0; *(uint8_t*)0x200015de = 0; *(uint8_t*)0x200015df = 6; *(uint8_t*)0x200015e0 = -1; *(uint8_t*)0x200015e1 = 0; *(uint8_t*)0x200015e2 = 0; *(uint8_t*)0x200015e3 = 0; *(uint8_t*)0x200015e4 = 9; *(uint8_t*)0x200015e5 = 5; *(uint8_t*)0x200015e6 = 1; *(uint8_t*)0x200015e7 = 2; *(uint16_t*)0x200015e8 = 0x200; *(uint8_t*)0x200015ea = 0; *(uint8_t*)0x200015eb = 0; *(uint8_t*)0x200015ec = 0; *(uint8_t*)0x200015ed = 9; *(uint8_t*)0x200015ee = 5; *(uint8_t*)0x200015ef = 0x82; *(uint8_t*)0x200015f0 = 2; *(uint16_t*)0x200015f1 = 0x200; *(uint8_t*)0x200015f3 = 0; *(uint8_t*)0x200015f4 = 0; *(uint8_t*)0x200015f5 = 0; *(uint8_t*)0x200015f6 = 9; *(uint8_t*)0x200015f7 = 5; *(uint8_t*)0x200015f8 = 0x83; *(uint8_t*)0x200015f9 = 3; *(uint16_t*)0x200015fa = 0x40; *(uint8_t*)0x200015fc = 1; *(uint8_t*)0x200015fd = 0; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 9; *(uint8_t*)0x20001600 = 5; *(uint8_t*)0x20001601 = 4; *(uint8_t*)0x20001602 = 3; *(uint16_t*)0x20001603 = 0x40; *(uint8_t*)0x20001605 = 1; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 9; *(uint8_t*)0x20001609 = 5; *(uint8_t*)0x2000160a = 5; *(uint8_t*)0x2000160b = 2; *(uint16_t*)0x2000160c = 0x200; *(uint8_t*)0x2000160e = 0; *(uint8_t*)0x2000160f = 0; *(uint8_t*)0x20001610 = 0; *(uint8_t*)0x20001611 = 9; *(uint8_t*)0x20001612 = 5; *(uint8_t*)0x20001613 = 6; *(uint8_t*)0x20001614 = 2; *(uint16_t*)0x20001615 = 0x200; *(uint8_t*)0x20001617 = 0; *(uint8_t*)0x20001618 = 0; *(uint8_t*)0x20001619 = 0; res = -1; res = syz_usb_connect_ath9k(3, 0x5a, 0x200015c0, 0); if (res != -1) r[11] = res; break; case 34: *(uint32_t*)0x200017c0 = 0x2c; *(uint64_t*)0x200017c4 = 0x20001640; *(uint8_t*)0x20001640 = 0; *(uint8_t*)0x20001641 = 0x24; *(uint32_t*)0x20001642 = 0x5e; *(uint8_t*)0x20001646 = 0x5e; *(uint8_t*)0x20001647 = 9; memcpy((void*)0x20001648, "\x50\xd3\x39\x2d\x02\xeb\xd2\x29\x33\x8b\x7e\x71\x70\xb9\x84\xd0\x49\x07\xf9\xce\xe9\x84\xf8\x3f\x84\xc9\x51\x8b\x9d\xd9\x17\x85\xfe\x2d\x66\xe1\x04\x26\xff\x86\xd8\xe7\xd6\x63\x53\x83\x06\x24\x01\x71\x79\x0d\x7f\x77\x66\x64\xbd\xfd\x68\xd3\xdf\x43\xcd\xf6\xd0\xe3\xab\x3d\x2a\x62\x95\x30\x92\xa2\xd7\xce\x2f\xcd\xfe\x2c\xf5\x00\x26\x86\x9a\x4b\xcd\x06\x6a\xf9\xdd\xbd", 92); *(uint64_t*)0x200017cc = 0x200016c0; *(uint8_t*)0x200016c0 = 0; *(uint8_t*)0x200016c1 = 3; *(uint32_t*)0x200016c2 = 4; *(uint8_t*)0x200016c6 = 4; *(uint8_t*)0x200016c7 = 3; *(uint16_t*)0x200016c8 = 0x449; *(uint64_t*)0x200017d4 = 0x20001700; *(uint8_t*)0x20001700 = 0; *(uint8_t*)0x20001701 = 0xf; *(uint32_t*)0x20001702 = 0x19; *(uint8_t*)0x20001706 = 5; *(uint8_t*)0x20001707 = 0xf; *(uint16_t*)0x20001708 = 0x19; *(uint8_t*)0x2000170a = 1; *(uint8_t*)0x2000170b = 0x14; *(uint8_t*)0x2000170c = 0x10; *(uint8_t*)0x2000170d = 4; *(uint8_t*)0x2000170e = 0x3f; memcpy((void*)0x2000170f, "\x0f\xf6\x11\x98\x8b\x42\x04\x3b\xdd\x16\xf1\x8b\x9b\x82\xf6\xcf", 16); *(uint64_t*)0x200017dc = 0x20001740; *(uint8_t*)0x20001740 = 0x20; *(uint8_t*)0x20001741 = 0x29; *(uint32_t*)0x20001742 = 0xf; *(uint8_t*)0x20001746 = 0xf; *(uint8_t*)0x20001747 = 0x29; *(uint8_t*)0x20001748 = 0; *(uint16_t*)0x20001749 = 0; *(uint8_t*)0x2000174b = 9; *(uint8_t*)0x2000174c = 0x68; memcpy((void*)0x2000174d, "\x60\xc5\x11\xfa", 4); memcpy((void*)0x20001751, "\x23\xe3\xf5\x32", 4); *(uint64_t*)0x200017e4 = 0x20001780; *(uint8_t*)0x20001780 = 0x20; *(uint8_t*)0x20001781 = 0x2a; *(uint32_t*)0x20001782 = 0xc; *(uint8_t*)0x20001786 = 0xc; *(uint8_t*)0x20001787 = 0x2a; *(uint8_t*)0x20001788 = 5; *(uint16_t*)0x20001789 = 0; *(uint8_t*)0x2000178b = 2; *(uint8_t*)0x2000178c = 7; *(uint8_t*)0x2000178d = 8; *(uint16_t*)0x2000178e = 5; *(uint16_t*)0x20001790 = 0x200; *(uint32_t*)0x20001c80 = 0x84; *(uint64_t*)0x20001c84 = 0x20001800; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0x16; *(uint32_t*)0x20001802 = 0x92; memcpy((void*)0x20001806, "\xe4\x9c\x4e\x0f\xdf\x52\x1d\x4b\xb8\x3a\x1c\x78\xb9\xb6\xf3\x2e\xb6\xe3\x8f\xba\x14\x32\x72\x7c\x39\x17\x49\x72\x7c\x41\x81\x5d\xc3\xfc\x41\x93\xcf\x0f\xc2\x47\xb3\x2c\x61\xdd\x80\xf2\x66\x29\xd7\xcf\x71\x4f\xc0\x80\x15\x77\x01\x40\x5e\x55\xe4\xd1\xae\x2b\x75\x8c\x66\x82\x10\x44\xd2\xe8\x09\x4f\x1b\xd7\x5c\xcf\x96\x00\x45\x47\x26\xe5\xdf\x97\x64\x08\x2d\x53\x70\x12\xad\x6f\xa0\x0a\x11\xbf\x54\x6f\x5d\x86\xaf\x48\x2a\x8f\x0b\x05\x74\x28\x7a\x4c\x56\x40\xbd\x1a\x22\x5a\x60\xd1\x96\x1c\xd5\x6b\x3b\x48\xcf\x69\xd7\x76\xcd\x8b\xba\xc5\xdc\x15\x44\xbf\x6b\x94\xb3\x51\x93\x83\xf9\xc5", 146); *(uint64_t*)0x20001c8c = 0x200018c0; *(uint8_t*)0x200018c0 = 0; *(uint8_t*)0x200018c1 = 0xa; *(uint32_t*)0x200018c2 = 1; *(uint8_t*)0x200018c6 = 0xea; *(uint64_t*)0x20001c94 = 0x20001900; *(uint8_t*)0x20001900 = 0; *(uint8_t*)0x20001901 = 8; *(uint32_t*)0x20001902 = 1; *(uint8_t*)0x20001906 = 0xc0; *(uint64_t*)0x20001c9c = 0x20001940; *(uint8_t*)0x20001940 = 0x20; *(uint8_t*)0x20001941 = 0; *(uint32_t*)0x20001942 = 4; *(uint16_t*)0x20001946 = 3; *(uint16_t*)0x20001948 = 0xc065; *(uint64_t*)0x20001ca4 = 0x20001980; *(uint8_t*)0x20001980 = 0x20; *(uint8_t*)0x20001981 = 0; *(uint32_t*)0x20001982 = 8; *(uint16_t*)0x20001986 = 0x200; *(uint16_t*)0x20001988 = 2; *(uint32_t*)0x2000198a = 0; *(uint64_t*)0x20001cac = 0x200019c0; *(uint8_t*)0x200019c0 = 0x40; *(uint8_t*)0x200019c1 = 7; *(uint32_t*)0x200019c2 = 2; *(uint16_t*)0x200019c6 = 0; *(uint64_t*)0x20001cb4 = 0x20001a00; *(uint8_t*)0x20001a00 = 0x40; *(uint8_t*)0x20001a01 = 9; *(uint32_t*)0x20001a02 = 1; *(uint8_t*)0x20001a06 = 7; *(uint64_t*)0x20001cbc = 0x20001a40; *(uint8_t*)0x20001a40 = 0x40; *(uint8_t*)0x20001a41 = 0xb; *(uint32_t*)0x20001a42 = 2; memcpy((void*)0x20001a46, ",e", 2); *(uint64_t*)0x20001cc4 = 0x20001a80; *(uint8_t*)0x20001a80 = 0x40; *(uint8_t*)0x20001a81 = 0xf; *(uint32_t*)0x20001a82 = 2; *(uint16_t*)0x20001a86 = 0xa; *(uint64_t*)0x20001ccc = 0x20001ac0; *(uint8_t*)0x20001ac0 = 0x40; *(uint8_t*)0x20001ac1 = 0x13; *(uint32_t*)0x20001ac2 = 6; memcpy((void*)0x20001ac6, "\xcb\xa5\xd8\xd5\x17\x87", 6); *(uint64_t*)0x20001cd4 = 0x20001b00; *(uint8_t*)0x20001b00 = 0x40; *(uint8_t*)0x20001b01 = 0x17; *(uint32_t*)0x20001b02 = 6; *(uint8_t*)0x20001b06 = 0xaa; *(uint8_t*)0x20001b07 = 0xaa; *(uint8_t*)0x20001b08 = 0xaa; *(uint8_t*)0x20001b09 = 0xaa; *(uint8_t*)0x20001b0a = 0xaa; *(uint8_t*)0x20001b0b = 0x1b; *(uint64_t*)0x20001cdc = 0x20001b40; *(uint8_t*)0x20001b40 = 0x40; *(uint8_t*)0x20001b41 = 0x19; *(uint32_t*)0x20001b42 = 2; memcpy((void*)0x20001b46, "\x09\xef", 2); *(uint64_t*)0x20001ce4 = 0x20001b80; *(uint8_t*)0x20001b80 = 0x40; *(uint8_t*)0x20001b81 = 0x1a; *(uint32_t*)0x20001b82 = 2; *(uint16_t*)0x20001b86 = 0x200; *(uint64_t*)0x20001cec = 0x20001bc0; *(uint8_t*)0x20001bc0 = 0x40; *(uint8_t*)0x20001bc1 = 0x1c; *(uint32_t*)0x20001bc2 = 1; *(uint8_t*)0x20001bc6 = 0x20; *(uint64_t*)0x20001cf4 = 0x20001c00; *(uint8_t*)0x20001c00 = 0x40; *(uint8_t*)0x20001c01 = 0x1e; *(uint32_t*)0x20001c02 = 1; *(uint8_t*)0x20001c06 = 0x81; *(uint64_t*)0x20001cfc = 0x20001c40; *(uint8_t*)0x20001c40 = 0x40; *(uint8_t*)0x20001c41 = 0x21; *(uint32_t*)0x20001c42 = 1; *(uint8_t*)0x20001c46 = 0x40; syz_usb_control_io(r[11], 0x200017c0, 0x20001c80); break; case 35: *(uint8_t*)0x20001d40 = 0x12; *(uint8_t*)0x20001d41 = 1; *(uint16_t*)0x20001d42 = 0x300; *(uint8_t*)0x20001d44 = 0; *(uint8_t*)0x20001d45 = 0; *(uint8_t*)0x20001d46 = 0; *(uint8_t*)0x20001d47 = 0x40; *(uint16_t*)0x20001d48 = 0x1d6b; *(uint16_t*)0x20001d4a = 0x101; *(uint16_t*)0x20001d4c = 0x40; *(uint8_t*)0x20001d4e = 1; *(uint8_t*)0x20001d4f = 2; *(uint8_t*)0x20001d50 = 3; *(uint8_t*)0x20001d51 = 1; *(uint8_t*)0x20001d52 = 9; *(uint8_t*)0x20001d53 = 2; *(uint16_t*)0x20001d54 = 0xa4; *(uint8_t*)0x20001d56 = 3; *(uint8_t*)0x20001d57 = 1; *(uint8_t*)0x20001d58 = 8; *(uint8_t*)0x20001d59 = 0x80; *(uint8_t*)0x20001d5a = 0x1f; *(uint8_t*)0x20001d5b = 9; *(uint8_t*)0x20001d5c = 4; *(uint8_t*)0x20001d5d = 0; *(uint8_t*)0x20001d5e = 0; *(uint8_t*)0x20001d5f = 0; *(uint8_t*)0x20001d60 = 1; *(uint8_t*)0x20001d61 = 1; *(uint8_t*)0x20001d62 = 0; *(uint8_t*)0x20001d63 = 0; *(uint8_t*)0x20001d64 = 0xa; *(uint8_t*)0x20001d65 = 0x24; *(uint8_t*)0x20001d66 = 1; *(uint16_t*)0x20001d67 = 0x7f; *(uint8_t*)0x20001d69 = 0x24; *(uint8_t*)0x20001d6a = 2; *(uint8_t*)0x20001d6b = 1; *(uint8_t*)0x20001d6c = 2; *(uint8_t*)0x20001d6d = 0xb; *(uint8_t*)0x20001d6e = 0x24; *(uint8_t*)0x20001d6f = 4; *(uint8_t*)0x20001d70 = 3; *(uint8_t*)0x20001d71 = 0x3f; memcpy((void*)0x20001d72, "\xe3\xa7\xba\x11\xb7\x73", 6); *(uint8_t*)0x20001d78 = 0xc; *(uint8_t*)0x20001d79 = 0x24; *(uint8_t*)0x20001d7a = 2; *(uint8_t*)0x20001d7b = 4; *(uint16_t*)0x20001d7c = 0x203; *(uint8_t*)0x20001d7e = 1; *(uint8_t*)0x20001d7f = 2; *(uint16_t*)0x20001d80 = 7; *(uint8_t*)0x20001d82 = 0xfd; *(uint8_t*)0x20001d83 = 0; *(uint8_t*)0x20001d84 = 7; *(uint8_t*)0x20001d85 = 0x24; *(uint8_t*)0x20001d86 = 8; *(uint8_t*)0x20001d87 = 2; *(uint16_t*)0x20001d88 = 4; *(uint8_t*)0x20001d8a = 0x40; *(uint8_t*)0x20001d8b = 9; *(uint8_t*)0x20001d8c = 0x24; *(uint8_t*)0x20001d8d = 3; *(uint8_t*)0x20001d8e = 2; *(uint16_t*)0x20001d8f = 0x101; *(uint8_t*)0x20001d91 = 4; *(uint8_t*)0x20001d92 = 4; *(uint8_t*)0x20001d93 = 5; *(uint8_t*)0x20001d94 = 9; *(uint8_t*)0x20001d95 = 4; *(uint8_t*)0x20001d96 = 1; *(uint8_t*)0x20001d97 = 0; *(uint8_t*)0x20001d98 = 0; *(uint8_t*)0x20001d99 = 1; *(uint8_t*)0x20001d9a = 2; *(uint8_t*)0x20001d9b = 0; *(uint8_t*)0x20001d9c = 0; *(uint8_t*)0x20001d9d = 9; *(uint8_t*)0x20001d9e = 4; *(uint8_t*)0x20001d9f = 1; *(uint8_t*)0x20001da0 = 1; *(uint8_t*)0x20001da1 = 1; *(uint8_t*)0x20001da2 = 1; *(uint8_t*)0x20001da3 = 2; *(uint8_t*)0x20001da4 = 0; *(uint8_t*)0x20001da5 = 0; *(uint8_t*)0x20001da6 = 9; *(uint8_t*)0x20001da7 = 5; *(uint8_t*)0x20001da8 = 1; *(uint8_t*)0x20001da9 = 9; *(uint16_t*)0x20001daa = 0x200; *(uint8_t*)0x20001dac = 0xfc; *(uint8_t*)0x20001dad = 9; *(uint8_t*)0x20001dae = 7; *(uint8_t*)0x20001daf = 7; *(uint8_t*)0x20001db0 = 0x25; *(uint8_t*)0x20001db1 = 1; *(uint8_t*)0x20001db2 = 0; *(uint8_t*)0x20001db3 = 2; *(uint16_t*)0x20001db4 = 8; *(uint8_t*)0x20001db6 = 9; *(uint8_t*)0x20001db7 = 4; *(uint8_t*)0x20001db8 = 2; *(uint8_t*)0x20001db9 = 0; *(uint8_t*)0x20001dba = 0; *(uint8_t*)0x20001dbb = 1; *(uint8_t*)0x20001dbc = 2; *(uint8_t*)0x20001dbd = 0; *(uint8_t*)0x20001dbe = 0; *(uint8_t*)0x20001dbf = 9; *(uint8_t*)0x20001dc0 = 4; *(uint8_t*)0x20001dc1 = 2; *(uint8_t*)0x20001dc2 = 1; *(uint8_t*)0x20001dc3 = 1; *(uint8_t*)0x20001dc4 = 1; *(uint8_t*)0x20001dc5 = 2; *(uint8_t*)0x20001dc6 = 0; *(uint8_t*)0x20001dc7 = 0; *(uint8_t*)0x20001dc8 = 0x12; *(uint8_t*)0x20001dc9 = 0x24; *(uint8_t*)0x20001dca = 2; *(uint8_t*)0x20001dcb = 2; *(uint16_t*)0x20001dcc = 8; *(uint16_t*)0x20001dce = 7; *(uint8_t*)0x20001dd0 = -1; memcpy((void*)0x20001dd1, "\x6c\xce\x23\xa5\x1a\x59\x66\x0a\x8a", 9); *(uint8_t*)0x20001dda = 0xc; *(uint8_t*)0x20001ddb = 0x24; *(uint8_t*)0x20001ddc = 2; *(uint8_t*)0x20001ddd = 1; *(uint8_t*)0x20001dde = 7; *(uint8_t*)0x20001ddf = 2; *(uint8_t*)0x20001de0 = 0xd6; *(uint8_t*)0x20001de1 = 0x40; memcpy((void*)0x20001de2, "\xa5\xe2\x12", 3); memcpy((void*)0x20001de5, "l", 1); *(uint8_t*)0x20001de6 = 9; *(uint8_t*)0x20001de7 = 5; *(uint8_t*)0x20001de8 = 0x82; *(uint8_t*)0x20001de9 = 9; *(uint16_t*)0x20001dea = 0x3ff; *(uint8_t*)0x20001dec = 3; *(uint8_t*)0x20001ded = 0; *(uint8_t*)0x20001dee = 0xac; *(uint8_t*)0x20001def = 7; *(uint8_t*)0x20001df0 = 0x25; *(uint8_t*)0x20001df1 = 1; *(uint8_t*)0x20001df2 = 3; *(uint8_t*)0x20001df3 = 4; *(uint16_t*)0x20001df4 = 5; *(uint32_t*)0x20001f40 = 0xa; *(uint64_t*)0x20001f44 = 0x20001e00; *(uint8_t*)0x20001e00 = 0xa; *(uint8_t*)0x20001e01 = 6; *(uint16_t*)0x20001e02 = 0x200; *(uint8_t*)0x20001e04 = -1; *(uint8_t*)0x20001e05 = 2; *(uint8_t*)0x20001e06 = 7; *(uint8_t*)0x20001e07 = 0x10; *(uint8_t*)0x20001e08 = 6; *(uint8_t*)0x20001e09 = 0; *(uint32_t*)0x20001f4c = 5; *(uint64_t*)0x20001f50 = 0x20001e40; *(uint8_t*)0x20001e40 = 5; *(uint8_t*)0x20001e41 = 0xf; *(uint16_t*)0x20001e42 = 5; *(uint8_t*)0x20001e44 = 0; *(uint32_t*)0x20001f58 = 2; *(uint32_t*)0x20001f5c = 0x52; *(uint64_t*)0x20001f60 = 0x20001e80; *(uint8_t*)0x20001e80 = 0x52; *(uint8_t*)0x20001e81 = 3; memcpy((void*)0x20001e82, "\x4b\xcf\xbc\x74\x9d\x26\xd0\xfb\xc2\x0c\x2e\x20\x2a\x04\x2e\x8b\xb1\x67\xca\xdf\x5c\x2b\xcd\xbd\x07\xdd\xe6\x67\x1d\xa7\xdd\x40\x03\x06\xb2\x6f\x22\x0f\xef\x4a\x33\x97\xf0\xa9\x5a\x4b\x8c\xa5\xba\xfd\x5a\x4f\xa8\xb9\x9d\x24\x50\x5f\x7a\x27\xac\x07\xa1\x6b\xbb\x02\xd5\x24\xc0\xbb\xfa\x3a\xf8\xe3\x18\xdf\x58\xfe\xb1\x43", 80); *(uint32_t*)0x20001f68 = 4; *(uint64_t*)0x20001f6c = 0x20001f00; *(uint8_t*)0x20001f00 = 4; *(uint8_t*)0x20001f01 = 3; *(uint16_t*)0x20001f02 = 0x807; res = -1; res = syz_usb_connect(6, 0xb6, 0x20001d40, 0x20001f40); if (res != -1) r[12] = res; break; case 36: syz_usb_disconnect(r[12]); break; case 37: syz_usb_ep_read(r[10], 6, 0xd6, 0x20001f80); break; case 38: *(uint8_t*)0x20002080 = 0x12; *(uint8_t*)0x20002081 = 1; *(uint16_t*)0x20002082 = 0x110; *(uint8_t*)0x20002084 = 2; *(uint8_t*)0x20002085 = 0; *(uint8_t*)0x20002086 = 0; *(uint8_t*)0x20002087 = -1; *(uint16_t*)0x20002088 = 0x525; *(uint16_t*)0x2000208a = 0xa4a1; *(uint16_t*)0x2000208c = 0x40; *(uint8_t*)0x2000208e = 1; *(uint8_t*)0x2000208f = 2; *(uint8_t*)0x20002090 = 3; *(uint8_t*)0x20002091 = 1; *(uint8_t*)0x20002092 = 9; *(uint8_t*)0x20002093 = 2; *(uint16_t*)0x20002094 = 0x3d; *(uint8_t*)0x20002096 = 1; *(uint8_t*)0x20002097 = 1; *(uint8_t*)0x20002098 = 9; *(uint8_t*)0x20002099 = 0xc0; *(uint8_t*)0x2000209a = 0xb3; *(uint8_t*)0x2000209b = 9; *(uint8_t*)0x2000209c = 4; *(uint8_t*)0x2000209d = 0; *(uint8_t*)0x2000209e = 8; *(uint8_t*)0x2000209f = 3; *(uint8_t*)0x200020a0 = 2; *(uint8_t*)0x200020a1 = 6; *(uint8_t*)0x200020a2 = 0; *(uint8_t*)0x200020a3 = 1; *(uint8_t*)0x200020a4 = 7; *(uint8_t*)0x200020a5 = 0x24; *(uint8_t*)0x200020a6 = 6; *(uint8_t*)0x200020a7 = 0; *(uint8_t*)0x200020a8 = 0; memcpy((void*)0x200020a9, "\x93\xb5", 2); *(uint8_t*)0x200020ab = 5; *(uint8_t*)0x200020ac = 0x24; *(uint8_t*)0x200020ad = 0; *(uint16_t*)0x200020ae = 1; *(uint8_t*)0x200020b0 = 0xd; *(uint8_t*)0x200020b1 = 0x24; *(uint8_t*)0x200020b2 = 0xf; *(uint8_t*)0x200020b3 = 1; *(uint32_t*)0x200020b4 = 5; *(uint16_t*)0x200020b8 = 0xdf0; *(uint16_t*)0x200020ba = 0xa5e2; *(uint8_t*)0x200020bc = -1; *(uint8_t*)0x200020bd = 9; *(uint8_t*)0x200020be = 5; *(uint8_t*)0x200020bf = 0x82; *(uint8_t*)0x200020c0 = 2; *(uint16_t*)0x200020c1 = 0x40; *(uint8_t*)0x200020c3 = 0; *(uint8_t*)0x200020c4 = 0x40; *(uint8_t*)0x200020c5 = 0x20; *(uint8_t*)0x200020c6 = 9; *(uint8_t*)0x200020c7 = 5; *(uint8_t*)0x200020c8 = 3; *(uint8_t*)0x200020c9 = 2; *(uint16_t*)0x200020ca = 8; *(uint8_t*)0x200020cc = 0x20; *(uint8_t*)0x200020cd = -1; *(uint8_t*)0x200020ce = 4; *(uint32_t*)0x20002640 = 0xa; *(uint64_t*)0x20002644 = 0x20002100; *(uint8_t*)0x20002100 = 0xa; *(uint8_t*)0x20002101 = 6; *(uint16_t*)0x20002102 = 0x250; *(uint8_t*)0x20002104 = 0; *(uint8_t*)0x20002105 = 0x81; *(uint8_t*)0x20002106 = 0x20; *(uint8_t*)0x20002107 = 0x20; *(uint8_t*)0x20002108 = 3; *(uint8_t*)0x20002109 = 0; *(uint32_t*)0x2000264c = 5; *(uint64_t*)0x20002650 = 0x20002140; *(uint8_t*)0x20002140 = 5; *(uint8_t*)0x20002141 = 0xf; *(uint16_t*)0x20002142 = 5; *(uint8_t*)0x20002144 = 0; *(uint32_t*)0x20002658 = 8; *(uint32_t*)0x2000265c = 0xcd; *(uint64_t*)0x20002660 = 0x20002180; *(uint8_t*)0x20002180 = 0xcd; *(uint8_t*)0x20002181 = 3; memcpy((void*)0x20002182, "\x2e\x83\x3d\xbc\x02\x86\x82\x12\xd3\xec\x73\x52\xfb\x0d\xe8\xa0\x5e\xcf\x66\x18\x59\xde\xbe\x23\xba\x73\x5f\xb9\x0a\x26\x85\x3e\x0d\x4c\x9b\xfc\xeb\xac\x70\xce\x40\x53\x9a\x98\xcf\x89\x47\xe0\x6b\xb7\x5d\xe0\xa9\x20\x5e\x0b\x79\x1c\xb4\xf9\xe7\xaa\x0a\xe1\x14\x9e\x93\x94\xff\xef\x26\x6f\x96\xe0\xc7\x5a\xb7\x28\xca\xdb\xc3\x12\x57\x0e\xfe\xd7\x37\x09\x0a\x62\x51\xc0\x9e\x1a\x5d\x38\xa0\xc6\xf1\xec\x4a\xe0\x55\x86\x3d\x69\xe4\xdc\xf3\x6d\x97\x4d\x2b\xe3\xe4\x87\xc7\xd2\xf1\xdb\x21\x61\xe9\x3b\x7d\x15\x2c\xe0\x46\xf0\x30\xb3\x6d\x08\x32\x89\xed\xdd\x71\x05\xed\x8e\xae\xd4\x9f\x71\x10\x17\xba\xab\xde\x9d\x5f\x01\xcd\x47\x38\x50\x3d\x32\x26\x69\x55\x4f\xcf\x3b\x5a\x65\xb0\x51\x97\x33\xb0\x7a\x7f\x3c\xff\xdc\x92\xb0\x38\x2c\x66\x12\x0c\x41\xaa\xe8\x85\x68\xc7\x52\xf7\x9d\x50\x1f\xd4\xda\x58\xe6\x87\x9e\x7e", 203); *(uint32_t*)0x20002668 = 4; *(uint64_t*)0x2000266c = 0x20002280; *(uint8_t*)0x20002280 = 4; *(uint8_t*)0x20002281 = 3; *(uint16_t*)0x20002282 = 0x3c0a; *(uint32_t*)0x20002674 = 4; *(uint64_t*)0x20002678 = 0x200022c0; *(uint8_t*)0x200022c0 = 4; *(uint8_t*)0x200022c1 = 3; *(uint16_t*)0x200022c2 = 0x3801; *(uint32_t*)0x20002680 = 0x1f; *(uint64_t*)0x20002684 = 0x20002300; *(uint8_t*)0x20002300 = 0x1f; *(uint8_t*)0x20002301 = 3; memcpy((void*)0x20002302, "\xa6\x70\xc3\x58\x2d\x38\x96\x7a\xc4\x85\x45\x5e\x8a\x40\xac\xb6\xf5\xdf\x24\xab\x49\xa4\xc6\xbb\x43\xd5\x84\xed\xf7", 29); *(uint32_t*)0x2000268c = 4; *(uint64_t*)0x20002690 = 0x20002340; *(uint8_t*)0x20002340 = 4; *(uint8_t*)0x20002341 = 3; *(uint16_t*)0x20002342 = 0x44f; *(uint32_t*)0x20002698 = 0xe1; *(uint64_t*)0x2000269c = 0x20002380; *(uint8_t*)0x20002380 = 0xe1; *(uint8_t*)0x20002381 = 3; memcpy((void*)0x20002382, "\xbe\x2c\xe1\x8f\xae\x6d\xa9\xf1\xaa\x4b\x97\x21\x97\xbe\x7a\x6c\xe4\xb2\x83\xc3\xe0\x02\x7e\x6d\xa1\x3d\x86\x39\xf6\x74\xea\x9c\x64\x28\x9b\x33\xc0\xe1\x43\x5b\x7c\x16\x54\xa5\x69\x12\x7b\x26\xad\x53\x77\x4f\x2b\x6b\x20\x57\x9f\xac\x6f\xaf\xfe\x12\x94\x9e\xe4\xb0\xd3\xcd\x2d\x89\x0c\xff\x2d\x7e\x9b\xb4\x3b\x60\x2a\x39\x4e\xfd\x49\x75\x18\x4f\x7e\xec\xab\x16\xa3\xf1\x87\xca\xb4\xc2\xca\x01\xac\x5b\xc9\xc5\x5c\x8b\xb9\x81\x32\x3d\x91\x9f\x77\x35\x5b\x3c\xe7\x42\x8d\xa6\x2a\xf8\x0c\x76\xb1\x85\xe1\x0a\xc7\xb1\xcc\x95\x0e\xcc\x71\x5c\x3e\x0a\x1e\x14\x23\x11\xb6\x29\x41\xe0\x62\x91\xb3\x0d\x2d\x3c\x7d\x46\x8d\xfb\xe2\x83\xc9\x1f\xc0\x83\x3d\xb0\x68\xe7\xbf\x39\x7c\x23\x35\x75\x79\x02\x29\xce\x51\x3b\xbd\xc4\x38\x7d\x81\xb3\x02\x7e\xf6\x8b\x20\xde\x25\xd9\xf1\xff\x32\xb9\x5c\xba\x44\x3b\x9e\x7f\xba\x49\x91\x43\xe8\x41\xa6\x19\x0c\x6e\xcb\x29\x06\xfe\x42\x30\xf8\x39\xba\x8c\x3c\x73\xea", 223); *(uint32_t*)0x200026a4 = 0xc1; *(uint64_t*)0x200026a8 = 0x20002480; *(uint8_t*)0x20002480 = 0xc1; *(uint8_t*)0x20002481 = 3; memcpy((void*)0x20002482, "\xf1\x7d\xb2\xea\x26\xd9\x0b\xa9\x3d\x1d\xbd\x3d\x94\x82\x88\x21\x72\xcc\x15\x8b\x4c\xc4\x3c\x36\xd1\x2b\xb9\x4e\x06\xfc\x7a\xba\x0d\x96\xba\x62\xa3\x8b\x39\xb7\x7b\xb6\x6a\x8b\x4b\xa6\xfe\x26\x0c\x87\x74\x64\xdc\x10\x12\x44\x9a\x3a\x6a\xb5\xb8\x0e\x66\x7a\x3a\x01\xdb\x8d\xd1\xdc\x34\x68\xb0\xd7\x28\x93\xad\xf2\x5b\xd1\xa7\xb9\xdc\xdd\xf5\x69\x12\x2a\x73\x02\x6b\x76\xfd\x0e\x25\xd7\x44\x0c\xa5\xdb\x63\x5b\x3f\xc9\x01\x3f\xd7\x90\x99\xa7\xd7\xe8\x1d\xb8\x74\x5b\xc9\xd0\xa6\xc9\x38\x79\x1d\x2c\xbf\xd1\x0f\x1c\x62\x8c\xa1\x7a\xf9\x93\xb7\x02\xc1\xed\xe3\x0d\xa1\x88\x25\x67\xce\x28\x7f\x66\xb2\x3e\xbf\x40\x8a\x2d\x9c\x63\xe1\xcb\x0b\x27\x95\x27\x3e\xfa\x81\x53\x56\x1c\x3c\x3e\xeb\x71\xd1\x2a\xa0\x87\xe9\x25\x55\x26\xb5\x28\xf5\x38\xaf\x4a\xbd\x41\xcf\x89\x01", 191); *(uint32_t*)0x200026b0 = 0xc0; *(uint64_t*)0x200026b4 = 0x20002580; *(uint8_t*)0x20002580 = 0xc0; *(uint8_t*)0x20002581 = 3; memcpy((void*)0x20002582, "\x6f\x57\xd6\xa5\x96\x20\x2e\xbf\x5a\x75\xb9\x72\x49\x11\xf9\x1a\x3d\x92\xae\x1a\xc8\x1a\xbb\x9c\x1b\x13\x4a\x76\xe6\x65\x90\xf6\xeb\x8d\xd8\x4c\xc1\x09\x60\xb8\xd2\x23\x94\x7d\x1c\x2e\x77\x1b\x94\xe7\x29\xd8\x34\x18\xf4\x14\x21\x3f\xf8\xb9\x06\x77\x03\x30\xbe\xa7\x0e\x59\xfe\x4d\x8b\xa5\x37\xfb\xcf\xd3\xc4\xbf\xc4\xea\x3b\x64\x0c\x31\x12\x92\x6d\x8c\x78\xee\xe8\x39\x72\x09\x00\xc5\x05\xcc\x01\x3c\x12\x63\xdc\xf2\x7b\x6c\x0f\x87\xfc\xb8\x7f\x40\xcb\x6b\xde\x31\x54\xcc\xd6\x3e\x65\xa4\x8c\x86\xc5\x8a\x38\x57\xf6\x8f\x88\x08\x20\x3f\xb2\x8d\x95\xe7\x4a\x18\x65\xeb\x8f\x82\xfe\x95\x35\x62\xa1\x47\x51\xed\x18\xf2\x51\xe5\x11\x53\x70\xd2\xbc\x19\x14\x5c\xcf\x3a\xbe\xae\x4c\x81\xfb\x1d\x97\xf6\x2e\x03\x5d\xb7\x3d\x11\xab\x7e\xc5\x96\xbc\x7a\x36\x86\x55\xc6", 190); res = -1; res = syz_usb_connect(4, 0x4f, 0x20002080, 0x20002640); if (res != -1) r[13] = res; break; case 39: memcpy((void*)0x200026c0, "\x01\xdf\x42\x94\xf0\x1f\xe1\xf9\x43\xb7\x80\xcc\xad\x76\xab\x8a\x48\x35\x3c\xbc\xe5\x48\x12\x83\xfb\x7d\x07\xe3\x29\x52\x05\x54\x49\xb6\x58\x1b\x36\x93\xb6\x7e\xde\xa7\xf1\x03\x54\x2f\xd1\xdc\xcf\x21\xa4\xf8\xce\x11\xf5\x24\x82\xa5\x50\xdd\x31\x99\xda\x83\x0c\x3e\x19\xff\x1a\x99\x6c\xe1\x42\x4b\x13\x49\x5e\x70\x4b\xe3\xf8\xc1\x06\xd0\x83\x38\xa6\x9d\xb2\x9c\x70\xd0\x40\xba\x40\x50\x16\xd9\x02\x55\xd8\x1d\x11\x5d\x9c\x6c\x9c\x13\xb9\x57\x89\xba\x2d\x4e\xe0\xf0\x05\xd9\x5b", 119); syz_usb_ep_write(r[13], 8, 0x77, 0x200026c0); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); use_temporary_dir(); do_sandbox_namespace(); return 0; } : In function ‘syz_io_uring_setup’: :281:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function) :281:33: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor102659762 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -static] --- FAIL: TestGenerate/linux/amd64/26 (0.64s) csource_test.go:122: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false UseTmpDir:true HandleSegv:false Repro:false Trace:true} program: r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x8002, 0x0) io_cancel(0x0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x4c60440ee16d4a1f, 0xd548, r0, &(0x7f0000000040)="a4c6b70d40b18d2f71b9ebf1a97cc4f8bfe52c766208fe1c5ff6e6c20fb4d4104d", 0x21, 0x7, 0x0, 0x1}, &(0x7f00000000c0)) ioctl$TUNSETOFFLOAD(0xffffffffffffffff, 0x400454d0, 0x18) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_stats\x00', 0x0, 0x0) ioctl$DRM_IOCTL_MODE_GETGAMMA(r1, 0xc02064a4, &(0x7f0000000200)={0x6, 0x1, &(0x7f0000000140)=[0x6], &(0x7f0000000180)=[0xb572, 0x2, 0x200, 0x6126, 0xffff, 0x800b], &(0x7f00000001c0)=[0x100, 0x8001, 0x7ff, 0x56, 0x3, 0x6, 0xafa4, 0xfff]}) socket$inet6_sctp(0xa, 0x5, 0x84) r2 = syz_open_dev$vcsa(&(0x7f0000000240)='/dev/vcsa#\x00', 0x8, 0x40040) io_uring_setup(0x4a7d, &(0x7f0000000280)={0x0, 0x431f, 0x2, 0x2, 0x24c, 0x0, r2}) setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(0xffffffffffffffff, 0x10e, 0x2, &(0x7f0000000300)=0x14, 0x4) socket$ipx(0x4, 0x2, 0x0) syz_emit_ethernet(0xd6, &(0x7f0000000000)={@dev={[], 0x15}, @remote, @void, {@mpls_uc={0x8847, {[{0x1}, {0x80}], @ipv4=@udp={{0x9, 0x4, 0x3, 0x8, 0xc0, 0x64, 0x0, 0x1, 0x11, 0x0, @private=0xa010102, @initdev={0xac, 0x1e, 0x1, 0x0}, {[@timestamp={0x44, 0x10, 0x90, 0x0, 0xf, [0x3, 0x100, 0x9]}]}}, {0x4e20, 0x4e23, 0x9c, 0x0, @wg=@initiation={0x1, 0x1, "a10791f36e091a364d6a214aed3281686b2e1062e4a21dad7e7ea6823c2ad66b", "a9e3b061cb2d16f0f38c93866bab239c5e95fabc9ad7549cc53f24821564c8e31a773c62bd34e62116070c998cf80ff5", "8a6048e68f5476ba71edf7dea37145a3397262db3b25376fb9b698e1", {"108d38c5f12837a8dff49317e1fbf2b1", "6e6f91a5d2fea35b7d2aa0227b5c79de"}}}}}}}}, 0x0) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x7}, @hci_rp_read_enc_key_size={{0x7}, {0x3, 0xc8, 0xfe}}}}, 0xa) syz_execute_func(&(0x7f0000000140)="ab8f2908955c4432c421b45580858a318ec4a1845756f3673664d9e064461c0dc441b55588a00ffe49f2f042808c3e2808000000c4825dde32f3420f9ade") syz_extract_tcp_res(&(0x7f0000000180), 0x47a0, 0x1ff) syz_genetlink_get_family_id$SEG6(&(0x7f00000001c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x2, 0xc4) r3 = mmap$IORING_OFF_SQ_RING(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x0, 0x1000, 0xffffffffffffffff, 0x0) syz_io_uring_complete(r3) syz_io_uring_setup(0x61d6, &(0x7f0000000200)={0x0, 0x19c8, 0x1, 0x0, 0x90, 0x0, 0xffffffffffffffff}, &(0x7f0000ff9000/0x4000)=nil, &(0x7f0000ff9000/0x1000)=nil, &(0x7f0000000280), &(0x7f00000002c0)) r5 = mmap$IORING_OFF_SQES(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x2000004, 0x100, r4, 0x10000000) r6 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000300)='/selinux/checkreqprot\x00', 0x22040, 0x0) r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(r3, r5, &(0x7f0000000380)=@IORING_OP_EPOLL_CTL=@add={0x1d, 0x1, 0x0, r6, &(0x7f0000000340)={0xa}, r4, 0x1, 0x0, 0x1, {0x0, r7}}, 0x5) syz_kvm_setup_cpu$arm64(r6, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000400)=[{0x0, &(0x7f00000003c0)="c66bf51c003b684cd1f56d7dbcd2dea7675293e4d016955fb884320ccefef52142eef0b61d389959e4e475075b6b11cdbe1c", 0x32}], 0x1, 0x0, &(0x7f0000000440), 0x1) r8 = mmap$IORING_OFF_CQ_RING(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x2000000, 0x1000, 0xffffffffffffffff, 0x8000000) syz_memcpy_off$IO_URING_METADATA_FLAGS(r8, 0x114, &(0x7f0000000480)=0x1, 0x0, 0x4) syz_mount_image$afs(&(0x7f00000004c0)='afs\x00', &(0x7f0000000500)='./file0\x00', 0x1f, 0x7, &(0x7f00000008c0)=[{&(0x7f0000000540), 0x0, 0x32}, {&(0x7f0000000580)="3a7a72ca9b2a422afbeba2d7a84338cb03951839451af3f3031d0030db11a08c0eb2244dab7f4fd9442cd55370fbacdc330d3ee2188137d0ad9772c7ae54fae92d1941e049bdcb3b8f645ea6a7d746404286d56dfd7a41fb29e2987d8d73b3679fae427f5af08185e4ffda153228a3ac82bf94f17752ed78dfe5b9a4", 0x7c, 0xee5}, {&(0x7f0000000600)="a963e9743e9c3d092a0ab1d68a13fe85f80ed94358ab9ad4029dff3433a3223c650d6a96505ec9a3d6cd09ad3f268fcdd1248aa43ef138a79b0c4c116f7178b5fc5cc49fa303201e8c7ef4e322434105ecdc912ae672510b34c01aa3890c90f27200de2b65c4bd20", 0x68, 0x10000}, {&(0x7f0000000680)="6ac443efa9855dda4fa3a982abc060ebf1a6785feba77cd70d486a29f4", 0x1d, 0x2}, {&(0x7f00000006c0)="3229202fd13c8ab6d554d8dfb6a8661805f53c5e81671bf5d702aa4c17cad107cfc6a8fe702b26942c632a4ed0e1010440b51b99785c112a0bda8c286267ac9cb4e695376a13d9937dfe154239c4ea04f38539a8e557dbcc8909420c76b2587b42aa2d61bf395fe913bad86ddf17a8f1b3212d0f0a6bc2e7841ef2e2ee0be05901f028c7c65e1c2cb641f556508fbf322da030de7846ad39004082c128a0ffb60c1b801bfd69a0e5f37b51feb78d97240f45f3ce17a28abbd89bd16cd2d06c74488990aba36ff006e8ae3622ec18fa76b767be88f192f94af15e23d74217738a1d48ef2c3e1c0a557203045e3ba25e9cd38efa64", 0xf4, 0x6}, {&(0x7f00000007c0)="414d78403490275a206495f93cf62229596a76f622d42e737bfa148fc2385d9c82946ce95d9b7665c148bfd723f5248ffcb6a4fc8265de9da9e34ff0577dd719233d7ef9610b9b9d98d4f2cedcc5351cb7234e0a8345f81e603a002c13d898f1084656c51be00526c6b7977b287809591c51a288acec3e570a94cc77420195f2a81a77896f9f081b173c24ada23041ea2e7253698601d83769094d3489", 0x9d, 0x1}, {&(0x7f0000000880)="3cc0a154977d26882d94f1c108a6287b15e835bf2d9ebcfd925c4569c9de9d463b929158990d2f48", 0x28, 0xfffffffffffffbff}], 0x1015005, &(0x7f0000000980)={[{@flock_strict='flock=strict'}, {@flock_write='flock=write'}, {@source={'source', 0x3d, '\xeb'}}, {@autocell='autocell'}]}) syz_open_dev$I2C(&(0x7f00000009c0)='/dev/i2c-#\x00', 0x10000, 0x6840) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x3, &(0x7f0000000a00)='.\\\x00'}, 0x30) syz_open_procfs(r9, &(0x7f0000000a80)='status\x00') syz_open_pts(0xffffffffffffffff, 0x8000) syz_read_part_table(0x6, 0x0, &(0x7f0000000ac0)) r10 = syz_usb_connect(0x6, 0x714, &(0x7f0000000b00)={{0x12, 0x1, 0x250, 0xa8, 0x9c, 0xcc, 0xff, 0x499, 0x150c, 0xbaf4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x702, 0x3, 0x2, 0x5, 0x80, 0x1f, [{{0x9, 0x4, 0x7d, 0x0, 0xb, 0x5c, 0x68, 0x45, 0xb8, [@generic={0x64, 0xcc88dcc324ea21e6, "25bba193734e4eb87cbd6a4c961ef01e6c960fa27de2e0b2883e73bcb56b371cc2f94a39ee59f21237d7fd38bafea3bebf15967e66fda6114d34b349e1868ef95cc0a06305d016cd2cc723334035a110f9da197afa79a6b045fac5f7d5bb639e4541"}, @uac_control={{0xa, 0x24, 0x1, 0x7, 0x80}}], [{{0x9, 0x5, 0x1, 0x3, 0x200, 0x81, 0x1, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x1000}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0xe8, 0xc6, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x6}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x8, 0xb4, 0x3}}, {{0x9, 0x5, 0x2, 0x1, 0x200, 0x2, 0x6, 0x20}}, {{0x9, 0x5, 0x7, 0x2, 0x3ff, 0x29, 0x4, 0x4c}}, {{0x9, 0x5, 0x5, 0x0, 0x200, 0x2, 0x22, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x27}]}}, {{0x9, 0x5, 0xe, 0xc, 0x20, 0x40, 0x9, 0x1f, [@generic={0x4f, 0x1, "f148d84407f5b8dfda7c13b68281b7d14209551093f91b2d8f891d9f3b8ff07a8c2b56bcbfa744ea1da69fb116c71d11fa13b6a2c464e65d7c706ae25e0ad836d328f30928af26fe9d4f3f1dc1"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x18, 0xfc0}]}}, {{0x9, 0x5, 0x4, 0x0, 0x400, 0x0, 0x80, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x2}, @generic={0xf7, 0x30, "abdddd4f9b3f7c940f59ac5d6ac220f766834597348690edd45dbcad8d7200db7184991d2539df54e5ad82e5d58b0366ea3b341be9a30b4b2bd66bf00479628cb477c82938f8d3c106a7e18b0e5485a0b1611aba1d8ad3c740fc3d9accb5d7b293b90b168c3f2c69798135b562475fe2a3b8f619572251662787bf749f673a35ee80ea76edd0fc7b3177f24f50d68aced6902ecf5e0a1d3126d9530946abac7a85799194748f34eef3e249c0ede1511b67626c06322ba0b3133ad7eab46cc07a995f011d24781983c1709a03ac2ef165a9b91ed9e75e221905a932c3501d40566916d63f2fae4e9798fab8e16a1d364f019c0ebdb0"}]}}, {{0x9, 0x5, 0x2, 0x0, 0x40, 0xfe, 0x20, 0x9, [@generic={0xed, 0x1, "97480b619ece3491718d870d1333f7f3cbe03367ac7f15be1793cf2d635af67af88cfea526ad45ea67c39ade3d19918d55ea598a7807fd2c56addfb52f42756bfc602c04560e981a38783ca3dd8ba431c267592bc004b2f53e49082dac6a7848b929dcf53f151f4c9ae6f8912fffd9199bcdcd8b95fdc2dfaa22d3a731f3c4aa3447d4183b1cb4ccceb36e6937f2275c89ce0ba83f40c2c7dbf13b41770a0f125b10ded7eefe7a1824f9eef4938310a55c121bf1a9259f551672b8a0a52feac5cbc5ab96a5491ef533d7be14764e9da531ffef82f8612a740fb58756f7cb6092abb15aa6cf0494cb7106f1"}, @generic={0xd3, 0x8, "4e8e034ee97501ac382574d2a72527c5e0c832618bc6a1ea16c3f323258971633a0333991ad99754b006c95c4de5f901ec1b8d86bd47c564bd2aef08df3c224a3e6e40846554eed2734d71ce3392967ef55c96b3da0aa5481f31c351cf1859cbee244e751c60cfadc233cb6002ee6ff4cc2c9b76378f5b6e410c014f25cb9fff68f8a6ff5b81b6d09b9c7a2aaf848bd247ed21b13aa8d35bcb7bf2fa6b8cbf55299edbce15e788d1f93cff322399249ac080f2d47bd3f27e7a6de184904811722536d0a2330e3e511146faab9864d1b183"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x2c, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0xc9, 0xbb}, @generic={0x1f, 0x31, "e44d51a15a720f099dadeb93262552a935424229d3f4d12edc1baa9f88"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x8, 0x49, 0x40, 0x55}}]}}, {{0x9, 0x4, 0xfe, 0x33, 0x2, 0xa2, 0x17, 0x9a, 0x2, [@cdc_ncm={{0x9, 0x24, 0x6, 0x0, 0x1, "fb7ffde8"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x4, 0x9f54, 0x267, 0x1}, {0x6, 0x24, 0x1a, 0x9, 0x9}, [@mbim={0xc, 0x24, 0x1b, 0xffff, 0x1, 0x20, 0x6, 0x6, 0x6}, @mdlm={0x15, 0x24, 0x12, 0x3}, @mbim={0xc, 0x24, 0x1b, 0x91, 0x5, 0x1, 0xff, 0x5, 0x35}, @acm={0x4, 0x24, 0x2, 0x1}]}], [{{0x9, 0x5, 0xa, 0x10, 0x8, 0x80, 0xc1, 0x4, [@generic={0xb8, 0x30, "e384dcf03ac39540e5a22199f71a53ba428c3b720290f0276bcca0cd15405f6c930497af5eb320a433cc553d6e0108edbf793ef0240ff269b4ff96d6822bcb48cebae2a5cead65786ebecd5f300c08606d3322b8360029bd21312dac493361e1b08f2adca4dc49a004fefdf7a3a525ae5de11f0a691a41b869d9b9a5d90d5a7b5ebe9e5773b97efe98e3895377a424e30ef22fd2ffa2532f1bb3c1a4e3b86afc08b2659aa2e556f190e27f83619a1618d371e102c558"}]}}, {{0x9, 0x5, 0x80, 0x1, 0x40, 0x4, 0x0, 0x1f}}]}}, {{0x9, 0x4, 0x74, 0x90, 0xa, 0xff, 0x5d, 0x1, 0x81, [@generic={0x6c, 0x4, "deaf8476cc5855ffb6d22d6ceb2977348ba86dee7d9e22e0c46477b06c0db514bb5383a62a402cc6e0795ddda510cf4238b2c64b657a1111efc0e4aacf9e40802dd0eeb69f271c1e6fe0ee5e9f48122832e6a80a4d7a6611e3fd2dca49d351908ff9a48ca20c78a69c65"}, @hid_hid={0x9, 0x21, 0x7, 0x7, 0x1, {0x22, 0xab5}}], [{{0x9, 0x5, 0x0, 0x0, 0x200, 0x4, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x40, 0x0, 0x7f, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x0, 0xff}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0xfa, 0x5}]}}, {{0x9, 0x5, 0x3, 0x3, 0x3ff, 0x80, 0x7f, 0x8}}, {{0x9, 0x5, 0x5, 0x1, 0x20, 0x4, 0x3c, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0xff, 0x14, 0x3f}}, {{0x9, 0x5, 0x4, 0x0, 0x20, 0x1, 0x1, 0x56}}, {{0x9, 0x5, 0xc, 0x10, 0x8, 0x1, 0x5, 0x2, [@generic={0x20, 0x4, "6ddd4104cef7b1f7b2dddabb24ea94be1e8ac9fbba62cd71c1a1cbfa4e73"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x10, 0x0, 0x6, 0xf8, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x8000}, @generic={0x98, 0x21, "e7bac6d3443cdfcdf9c24b6978dbfb9dd1824a5964cbfa0fe64296d5794c6159bc30b802a59b5c7a49b534035df56bbc488652ee31c601d5326507016bd445a1c09df231cf5781190daaba0cbd84a172640327b8c1a1d90bfab18f24961ffe12a0486a239c79a259c537652603dcbd4b2b7342ae0d715a7543f4d08bb557bddcd3bca83590b57c30eee2ce95f6c7102f646af828a496"}]}}, {{0x9, 0x5, 0x2, 0x3, 0x400, 0x3, 0x2, 0x8}}, {{0x9, 0x5, 0x6, 0x10, 0x20, 0xff, 0x4, 0x6}}]}}]}}]}}, &(0x7f0000001540)={0xa, &(0x7f0000001240)={0xa, 0x6, 0x300, 0xff, 0x81, 0x6, 0xf7, 0xc4}, 0xf, &(0x7f0000001280)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x0, 0x0, 0x8, 0x1f, 0xfff}]}, 0x5, [{0x4, &(0x7f00000012c0)=@lang_id={0x4, 0x3, 0xc07}}, {0x54, &(0x7f0000001300)=@string={0x54, 0x3, "321d457f2f5ab9fcb1118c960631fd85a75ead829136aa2a6cc0311451035fe17b956eb8fa52d495a311a6c03f0ae84c86f0ed78daebfa15db7bc5788c9724baf4582dc0ec1ba6681a76b0a1bfc5de9daecc"}}, {0xd3, &(0x7f0000001380)=@string={0xd3, 0x3, "18336fc5623ba1410634c4050bcf3b488ea41867d059dcdcd2c368d848fe5147323c0ba4e51d7cf2a3d150258f8cc2569bd79e951ea95a318de31d146c37a7cf712f1fcd440390852c8d5216f8d23a9918b0e053521eb670ad3ee0fb8a93a8d7bad7199eebe12a3b02107ac4542bc6497977e3308b407bf364982f4fc9c330f9a75ccb65c8688d5c247ad06c20ccf01465e3ab09fc777f73474c2cd053b848ad3255b5adc81e033d2a0fac5061ea52dacf46e88e8c2e388deb91d2d9fc124255909336418e743bda4cb4f73c6b75af9a9b"}}, {0x4, &(0x7f0000001480)=@lang_id={0x4, 0x3, 0x42b}}, {0x5a, &(0x7f00000014c0)=@string={0x5a, 0x3, "4d85f31420ff1ceda25d118d33a6ebbce888c12d90eb54c827d149c8dcbd99f3893b35d1da6c776b1b5d084b308cdf93474167f266199f440a03fc3e3438031b8725dde6029a629c0843bedf048b8409b153f903d657d22b"}}]}) r11 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000015c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r11, &(0x7f00000017c0)={0x2c, &(0x7f0000001640)={0x0, 0x24, 0x5e, {0x5e, 0x9, "50d3392d02ebd229338b7e7170b984d04907f9cee984f83f84c9518b9dd91785fe2d66e10426ff86d8e7d663538306240171790d7f776664bdfd68d3df43cdf6d0e3ab3d2a62953092a2d7ce2fcdfe2cf50026869a4bcd066af9ddbd"}}, &(0x7f00000016c0)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x449}}, &(0x7f0000001700)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x3f, "0ff611988b42043bdd16f18b9b82f6cf"}]}}, &(0x7f0000001740)={0x20, 0x29, 0xf, {0xf, 0x29, 0x0, 0x0, 0x9, 0x68, "60c511fa", "23e3f532"}}, &(0x7f0000001780)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x5, 0x0, 0x2, 0x7, 0x8, 0x5, 0x200}}}, &(0x7f0000001c80)={0x84, &(0x7f0000001800)={0x0, 0x16, 0x92, "e49c4e0fdf521d4bb83a1c78b9b6f32eb6e38fba1432727c391749727c41815dc3fc4193cf0fc247b32c61dd80f26629d7cf714fc080157701405e55e4d1ae2b758c66821044d2e8094f1bd75ccf9600454726e5df9764082d537012ad6fa00a11bf546f5d86af482a8f0b0574287a4c5640bd1a225a60d1961cd56b3b48cf69d776cd8bbac5dc1544bf6b94b3519383f9c5"}, &(0x7f00000018c0)={0x0, 0xa, 0x1, 0xea}, &(0x7f0000001900)={0x0, 0x8, 0x1, 0xc0}, &(0x7f0000001940)={0x20, 0x0, 0x4, {0x3, 0x20d99a38c1aec065}}, &(0x7f0000001980)={0x20, 0x0, 0x8, {0x200, 0x2, [0x0]}}, &(0x7f00000019c0)={0x40, 0x7, 0x2}, &(0x7f0000001a00)={0x40, 0x9, 0x1, 0x7}, &(0x7f0000001a40)={0x40, 0xb, 0x2, ',e'}, &(0x7f0000001a80)={0x40, 0xf, 0x2, 0xa}, &(0x7f0000001ac0)={0x40, 0x13, 0x6, @random="cba5d8d51787"}, &(0x7f0000001b00)={0x40, 0x17, 0x6, @dev={[], 0x1b}}, &(0x7f0000001b40)={0x40, 0x19, 0x2, "09ef"}, &(0x7f0000001b80)={0x40, 0x1a, 0x2, 0x200}, &(0x7f0000001bc0)={0x40, 0x1c, 0x1, 0x20}, &(0x7f0000001c00)={0x40, 0x1e, 0x1, 0x81}, &(0x7f0000001c40)={0x40, 0x21, 0x1, 0x40}}) r12 = syz_usb_connect$uac1(0x6, 0xb6, &(0x7f0000001d40)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x40, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xa4, 0x3, 0x1, 0x8, 0x80, 0x1f, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x7f, 0x24}, [@mixer_unit={0xb, 0x24, 0x4, 0x3, 0x3f, "e3a7ba11b773"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x203, 0x1, 0x2, 0x7, 0xfd}, @extension_unit={0x7, 0x24, 0x8, 0x2, 0x4, 0x40}, @output_terminal={0x9, 0x24, 0x3, 0x2, 0x101, 0x4, 0x4, 0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0xfc, 0x9, 0x7, {0x7, 0x25, 0x1, 0x0, 0x2, 0x8}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x8, 0x7, 0xff, "6cce23a51a59660a8a"}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7, 0x2, 0xd6, 0x40, "a5e212", 'l'}]}, {{0x9, 0x5, 0x82, 0x9, 0x3ff, 0x3, 0x0, 0xac, {0x7, 0x25, 0x1, 0x3, 0x4, 0x5}}}}}}}]}}, &(0x7f0000001f40)={0xa, &(0x7f0000001e00)={0xa, 0x6, 0x200, 0xff, 0x2, 0x7, 0x10, 0x6}, 0x5, &(0x7f0000001e40)={0x5, 0xf, 0x5}, 0x2, [{0x52, &(0x7f0000001e80)=@string={0x52, 0x3, "4bcfbc749d26d0fbc20c2e202a042e8bb167cadf5c2bcdbd07dde6671da7dd400306b26f220fef4a3397f0a95a4b8ca5bafd5a4fa8b99d24505f7a27ac07a16bbb02d524c0bbfa3af8e318df58feb143"}}, {0x4, &(0x7f0000001f00)=@lang_id={0x4, 0x3, 0x807}}]}) syz_usb_disconnect(r12) syz_usb_ep_read(r10, 0x6, 0xd6, &(0x7f0000001f80)=""/214) r13 = syz_usb_connect$cdc_ecm(0x4, 0x4f, &(0x7f0000002080)={{0x12, 0x1, 0x110, 0x2, 0x0, 0x0, 0xff, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3d, 0x1, 0x1, 0x9, 0xc0, 0xb3, [{{0x9, 0x4, 0x0, 0x8, 0x3, 0x2, 0x6, 0x0, 0x1, {{0x7, 0x24, 0x6, 0x0, 0x0, "93b5"}, {0x5, 0x24, 0x0, 0x1}, {0xd, 0x24, 0xf, 0x1, 0x5, 0xdf0, 0xa5e2, 0xff}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x40, 0x0, 0x40, 0x20}}, {{0x9, 0x5, 0x3, 0x2, 0x8, 0x20, 0xff, 0x4}}}}}]}}]}}, &(0x7f0000002640)={0xa, &(0x7f0000002100)={0xa, 0x6, 0x250, 0x0, 0x81, 0x20, 0x20, 0x3}, 0x5, &(0x7f0000002140)={0x5, 0xf, 0x5}, 0x8, [{0xcd, &(0x7f0000002180)=@string={0xcd, 0x3, "2e833dbc02868212d3ec7352fb0de8a05ecf661859debe23ba735fb90a26853e0d4c9bfcebac70ce40539a98cf8947e06bb75de0a9205e0b791cb4f9e7aa0ae1149e9394ffef266f96e0c75ab728cadbc312570efed737090a6251c09e1a5d38a0c6f1ec4ae055863d69e4dcf36d974d2be3e487c7d2f1db2161e93b7d152ce046f030b36d083289eddd7105ed8eaed49f711017baabde9d5f01cd4738503d322669554fcf3b5a65b0519733b07a7f3cffdc92b0382c66120c41aae88568c752f79d501fd4da58e6879e7e"}}, {0x4, &(0x7f0000002280)=@lang_id={0x4, 0x3, 0x3c0a}}, {0x4, &(0x7f00000022c0)=@lang_id={0x4, 0x3, 0x3801}}, {0x1f, &(0x7f0000002300)=@string={0x1f, 0x3, "a670c3582d38967ac485455e8a40acb6f5df24ab49a4c6bb43d584edf7"}}, {0x4, &(0x7f0000002340)=@lang_id={0x4, 0x3, 0x44f}}, {0xe1, &(0x7f0000002380)=@string={0xe1, 0x3, "be2ce18fae6da9f1aa4b972197be7a6ce4b283c3e0027e6da13d8639f674ea9c64289b33c0e1435b7c1654a569127b26ad53774f2b6b20579fac6faffe12949ee4b0d3cd2d890cff2d7e9bb43b602a394efd4975184f7eecab16a3f187cab4c2ca01ac5bc9c55c8bb981323d919f77355b3ce7428da62af80c76b185e10ac7b1cc950ecc715c3e0a1e142311b62941e06291b30d2d3c7d468dfbe283c91fc0833db068e7bf397c233575790229ce513bbdc4387d81b3027ef68b20de25d9f1ff32b95cba443b9e7fba499143e841a6190c6ecb2906fe4230f839ba8c3c73ea"}}, {0xc1, &(0x7f0000002480)=@string={0xc1, 0x3, "f17db2ea26d90ba93d1dbd3d9482882172cc158b4cc43c36d12bb94e06fc7aba0d96ba62a38b39b77bb66a8b4ba6fe260c877464dc1012449a3a6ab5b80e667a3a01db8dd1dc3468b0d72893adf25bd1a7b9dcddf569122a73026b76fd0e25d7440ca5db635b3fc9013fd79099a7d7e81db8745bc9d0a6c938791d2cbfd10f1c628ca17af993b702c1ede30da1882567ce287f66b23ebf408a2d9c63e1cb0b2795273efa8153561c3c3eeb71d12aa087e9255526b528f538af4abd41cf8901"}}, {0xc0, &(0x7f0000002580)=@string={0xc0, 0x3, "6f57d6a596202ebf5a75b9724911f91a3d92ae1ac81abb9c1b134a76e66590f6eb8dd84cc10960b8d223947d1c2e771b94e729d83418f414213ff8b906770330bea70e59fe4d8ba537fbcfd3c4bfc4ea3b640c3112926d8c78eee839720900c505cc013c1263dcf27b6c0f87fcb87f40cb6bde3154ccd63e65a48c86c58a3857f68f8808203fb28d95e74a1865eb8f82fe953562a14751ed18f251e5115370d2bc19145ccf3abeae4c81fb1d97f62e035db73d11ab7ec596bc7a368655c6"}}]}) syz_usb_ep_write(r13, 0x8, 0x77, &(0x7f00000026c0)="01df4294f01fe1f943b780ccad76ab8a48353cbce5481283fb7d07e32952055449b6581b3693b67edea7f103542fd1dccf21a4f8ce11f52482a550dd3199da830c3e19ff1a996ce1424b13495e704be3f8c106d08338a69db29c70d040ba405016d90255d81d115d9c6c9c13b95789ba2d4ee0f005d95b") csource_test.go:123: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const int kInitNetNsFd = 239; #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 #define SQ_ARRAY_OFFSET(sq_entries,cq_entries) (round_up(CQ_CQES_OFFSET + cq_entries * SIZEOF_IO_URING_CQE, 64)) uint32_t round_up(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); } struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = SQ_ARRAY_OFFSET(sq_ring_entries, cq_ring_entries); if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { int i; for (i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) { return &usb_devices[i].index; } } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { struct usb_qualifier_descriptor* qual = (struct usb_qualifier_descriptor*)response_data; qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); int i; if (!index) return -1; for (i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return -1; if (index->iface_cur < 0) return -1; for (ep = 0; index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); int ep; if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } memcpy(&data[0], &io_data.data[0], io_data.inner.length); sleep_ms(200); return 0; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == -1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define sys_memfd_create 319 static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; return size; } static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; size = fs_image_segment_check(size, nsegs, segments); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); strncpy(fs, (char*)fsarg, sizeof(fs) - 1); memset(opts, 0, sizeof(opts)); strncpy(opts, (char*)optsarg, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { fprintf(stderr, "### start\n"); int i, call, thread; for (call = 0; call < 40; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45 + (call == 26 ? 50 : 0) + (call == 32 ? 3000 : 0) + (call == 33 ? 3000 : 0) + (call == 34 ? 300 : 0) + (call == 35 ? 3000 : 0) + (call == 36 ? 300 : 0) + (call == 37 ? 300 : 0) + (call == 38 ? 3000 : 0) + (call == 39 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_bpf #define __NR_bpf 321 #endif #ifndef __NR_io_uring_register #define __NR_io_uring_register 427 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif uint64_t r[14] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/dsp\000", 9); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x8002ul, 0ul); fprintf(stderr, "### call=0 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[0] = res; break; case 1: *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 0x4a1f; *(uint16_t*)0x20000092 = 0xd548; *(uint32_t*)0x20000094 = r[0]; *(uint64_t*)0x20000098 = 0x20000040; memcpy((void*)0x20000040, "\xa4\xc6\xb7\x0d\x40\xb1\x8d\x2f\x71\xb9\xeb\xf1\xa9\x7c\xc4\xf8\xbf\xe5\x2c\x76\x62\x08\xfe\x1c\x5f\xf6\xe6\xc2\x0f\xb4\xd4\x10\x4d", 33); *(uint64_t*)0x200000a0 = 0x21; *(uint64_t*)0x200000a8 = 7; *(uint64_t*)0x200000b0 = 0; *(uint32_t*)0x200000b8 = 1; *(uint32_t*)0x200000bc = -1; res = syscall(__NR_io_cancel, 0ul, 0x20000080ul, 0x200000c0ul); fprintf(stderr, "### call=1 errno=%u\n", res == -1 ? errno : 0); break; case 2: res = syscall(__NR_ioctl, -1, 0x400454d0, 0x18ul); fprintf(stderr, "### call=2 errno=%u\n", res == -1 ? errno : 0); break; case 3: memcpy((void*)0x20000100, "/selinux/avc/cache_stats\000", 25); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul); fprintf(stderr, "### call=3 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[1] = res; break; case 4: *(uint32_t*)0x20000200 = 6; *(uint32_t*)0x20000204 = 1; *(uint64_t*)0x20000208 = 0x20000140; *(uint16_t*)0x20000140 = 6; *(uint64_t*)0x20000210 = 0x20000180; *(uint16_t*)0x20000180 = 0xb572; *(uint16_t*)0x20000182 = 2; *(uint16_t*)0x20000184 = 0x200; *(uint16_t*)0x20000186 = 0x6126; *(uint16_t*)0x20000188 = -1; *(uint16_t*)0x2000018a = 0x800b; *(uint64_t*)0x20000218 = 0x200001c0; *(uint16_t*)0x200001c0 = 0x100; *(uint16_t*)0x200001c2 = 0x8001; *(uint16_t*)0x200001c4 = 0x7ff; *(uint16_t*)0x200001c6 = 0x56; *(uint16_t*)0x200001c8 = 3; *(uint16_t*)0x200001ca = 6; *(uint16_t*)0x200001cc = 0xafa4; *(uint16_t*)0x200001ce = 0xfff; res = syscall(__NR_ioctl, r[1], 0xc02064a4, 0x20000200ul); fprintf(stderr, "### call=4 errno=%u\n", res == -1 ? errno : 0); break; case 5: res = syscall(__NR_socket, 0xaul, 5ul, 0x84); fprintf(stderr, "### call=5 errno=%u\n", res == -1 ? errno : 0); break; case 6: memcpy((void*)0x20000240, "/dev/vcsa#\000", 11); res = -1; errno = EFAULT; res = syz_open_dev(0x20000240, 8, 0x40040); fprintf(stderr, "### call=6 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[2] = res; break; case 7: *(uint32_t*)0x20000280 = 0; *(uint32_t*)0x20000284 = 0x431f; *(uint32_t*)0x20000288 = 2; *(uint32_t*)0x2000028c = 2; *(uint32_t*)0x20000290 = 0x24c; *(uint32_t*)0x20000294 = 0; *(uint32_t*)0x20000298 = r[2]; *(uint32_t*)0x2000029c = 0; *(uint32_t*)0x200002a0 = 0; *(uint32_t*)0x200002a4 = 0; *(uint32_t*)0x200002a8 = 0; *(uint32_t*)0x200002ac = 0; *(uint32_t*)0x200002b0 = 0; *(uint32_t*)0x200002b4 = 0; *(uint32_t*)0x200002b8 = 0; *(uint32_t*)0x200002bc = 0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 0; *(uint32_t*)0x200002d0 = 0; *(uint32_t*)0x200002d4 = 0; *(uint32_t*)0x200002d8 = 0; *(uint32_t*)0x200002dc = 0; *(uint32_t*)0x200002e0 = 0; *(uint32_t*)0x200002e4 = 0; *(uint32_t*)0x200002e8 = 0; *(uint32_t*)0x200002ec = 0; *(uint32_t*)0x200002f0 = 0; *(uint32_t*)0x200002f4 = 0; res = syscall(__NR_io_uring_setup, 0x4a7d, 0x20000280ul); fprintf(stderr, "### call=7 errno=%u\n", res == -1 ? errno : 0); break; case 8: *(uint32_t*)0x20000300 = 0x14; res = syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000300ul, 4ul); fprintf(stderr, "### call=8 errno=%u\n", res == -1 ? errno : 0); break; case 9: res = syscall(__NR_socket, 4ul, 2ul, 0); fprintf(stderr, "### call=9 errno=%u\n", res == -1 ? errno : 0); break; case 10: *(uint8_t*)0x20000000 = 0xaa; *(uint8_t*)0x20000001 = 0xaa; *(uint8_t*)0x20000002 = 0xaa; *(uint8_t*)0x20000003 = 0xaa; *(uint8_t*)0x20000004 = 0xaa; *(uint8_t*)0x20000005 = 0x15; *(uint8_t*)0x20000006 = 0xaa; *(uint8_t*)0x20000007 = 0xaa; *(uint8_t*)0x20000008 = 0xaa; *(uint8_t*)0x20000009 = 0xaa; *(uint8_t*)0x2000000a = 0xaa; *(uint8_t*)0x2000000b = 0xbb; *(uint16_t*)0x2000000c = htobe16(0x8847); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 1, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x2000000e, 0, 24, 8); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0x80, 0, 20); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 20, 3); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 23, 1); STORE_BY_BITMASK(uint32_t, htobe32, 0x20000012, 0, 24, 8); STORE_BY_BITMASK(uint8_t, , 0x20000016, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000017, 3, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x20000017, 8, 2, 6); *(uint16_t*)0x20000018 = htobe16(0xc0); *(uint16_t*)0x2000001a = htobe16(0x64); *(uint16_t*)0x2000001c = htobe16(0); *(uint8_t*)0x2000001e = 1; *(uint8_t*)0x2000001f = 0x11; *(uint16_t*)0x20000020 = htobe16(0); *(uint32_t*)0x20000022 = htobe32(0xa010102); *(uint8_t*)0x20000026 = 0xac; *(uint8_t*)0x20000027 = 0x1e; *(uint8_t*)0x20000028 = 1; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x44; *(uint8_t*)0x2000002b = 0x10; *(uint8_t*)0x2000002c = 0x90; STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x2000002d, 0xf, 4, 4); *(uint32_t*)0x2000002e = htobe32(3); *(uint32_t*)0x20000032 = htobe32(0x100); *(uint32_t*)0x20000036 = htobe32(9); *(uint16_t*)0x2000003a = htobe16(0x4e20); *(uint16_t*)0x2000003c = htobe16(0x4e23); *(uint16_t*)0x2000003e = htobe16(0x9c); *(uint16_t*)0x20000040 = htobe16(0); *(uint32_t*)0x20000042 = 1; *(uint32_t*)0x20000046 = 1; memcpy((void*)0x2000004a, "\xa1\x07\x91\xf3\x6e\x09\x1a\x36\x4d\x6a\x21\x4a\xed\x32\x81\x68\x6b\x2e\x10\x62\xe4\xa2\x1d\xad\x7e\x7e\xa6\x82\x3c\x2a\xd6\x6b", 32); memcpy((void*)0x2000006a, "\xa9\xe3\xb0\x61\xcb\x2d\x16\xf0\xf3\x8c\x93\x86\x6b\xab\x23\x9c\x5e\x95\xfa\xbc\x9a\xd7\x54\x9c\xc5\x3f\x24\x82\x15\x64\xc8\xe3\x1a\x77\x3c\x62\xbd\x34\xe6\x21\x16\x07\x0c\x99\x8c\xf8\x0f\xf5", 48); memcpy((void*)0x2000009a, "\x8a\x60\x48\xe6\x8f\x54\x76\xba\x71\xed\xf7\xde\xa3\x71\x45\xa3\x39\x72\x62\xdb\x3b\x25\x37\x6f\xb9\xb6\x98\xe1", 28); memcpy((void*)0x200000b6, "\x10\x8d\x38\xc5\xf1\x28\x37\xa8\xdf\xf4\x93\x17\xe1\xfb\xf2\xb1", 16); memcpy((void*)0x200000c6, "\x6e\x6f\x91\xa5\xd2\xfe\xa3\x5b\x7d\x2a\xa0\x22\x7b\x5c\x79\xde", 16); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000022, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000026, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x9c00; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000003a, 156); *(uint16_t*)0x20000040 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20000016, 36); *(uint16_t*)0x20000020 = csum_inet_digest(&csum_2); (void)res; break; case 11: *(uint8_t*)0x20000100 = 4; *(uint8_t*)0x20000101 = 0xe; *(uint8_t*)0x20000102 = 7; *(uint8_t*)0x20000103 = 7; *(uint16_t*)0x20000104 = 0x1408; *(uint8_t*)0x20000106 = 3; *(uint16_t*)0x20000107 = 0xc8; *(uint8_t*)0x20000109 = 0xfe; (void)res; break; case 12: memcpy((void*)0x20000140, "\xab\x8f\x29\x08\x95\x5c\x44\x32\xc4\x21\xb4\x55\x80\x85\x8a\x31\x8e\xc4\xa1\x84\x57\x56\xf3\x67\x36\x64\xd9\xe0\x64\x46\x1c\x0d\xc4\x41\xb5\x55\x88\xa0\x0f\xfe\x49\xf2\xf0\x42\x80\x8c\x3e\x28\x08\x00\x00\x00\xc4\x82\x5d\xde\x32\xf3\x42\x0f\x9a\xde", 62); res = -1; errno = EFAULT; res = syz_execute_func(0x20000140); fprintf(stderr, "### call=12 errno=%u\n", res == -1 ? errno : 0); break; case 13: (void)res; break; case 14: memcpy((void*)0x200001c0, "SEG6\000", 5); res = -1; errno = EFAULT; res = syz_genetlink_get_family_id(0x200001c0); fprintf(stderr, "### call=14 errno=%u\n", res == -1 ? errno : 0); break; case 15: res = -1; errno = EFAULT; res = syz_init_net_socket(3, 2, 0xc4); fprintf(stderr, "### call=15 errno=%u\n", res == -1 ? errno : 0); break; case 16: res = syscall(__NR_mmap, 0x20ffc000ul, 0x1000ul, 0ul, 0x1000ul, -1, 0ul); fprintf(stderr, "### call=16 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[3] = res; break; case 17: res = -1; errno = EFAULT; res = syz_io_uring_complete(r[3]); fprintf(stderr, "### call=17 errno=%u\n", res == -1 ? errno : 0); break; case 18: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0x19c8; *(uint32_t*)0x20000208 = 1; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0x90; *(uint32_t*)0x20000214 = 0; *(uint32_t*)0x20000218 = -1; *(uint32_t*)0x2000021c = 0; *(uint32_t*)0x20000220 = 0; *(uint32_t*)0x20000224 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; *(uint32_t*)0x20000230 = 0; *(uint32_t*)0x20000234 = 0; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint32_t*)0x20000260 = 0; *(uint32_t*)0x20000264 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; res = -1; errno = EFAULT; res = syz_io_uring_setup(0x61d6, 0x20000200, 0x20ff9000, 0x20ff9000, 0x20000280, 0x200002c0); fprintf(stderr, "### call=18 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[4] = *(uint32_t*)0x20000218; break; case 19: res = syscall(__NR_mmap, 0x20ffc000ul, 0x3000ul, 0x2000004ul, 0x100ul, r[4], 0x10000000ul); fprintf(stderr, "### call=19 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[5] = res; break; case 20: memcpy((void*)0x20000300, "/selinux/checkreqprot\000", 22); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000300ul, 0x22040ul, 0ul); fprintf(stderr, "### call=20 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[6] = res; break; case 21: res = syscall(__NR_io_uring_register, -1, 9ul, 0ul, 0ul); fprintf(stderr, "### call=21 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[7] = res; break; case 22: *(uint8_t*)0x20000380 = 0x1d; *(uint8_t*)0x20000381 = 1; *(uint16_t*)0x20000382 = 0; *(uint32_t*)0x20000384 = r[6]; *(uint64_t*)0x20000388 = 0x20000340; *(uint32_t*)0x20000340 = 0xa; *(uint64_t*)0x20000344 = 0; *(uint32_t*)0x20000390 = r[4]; *(uint